One Milestone Completed, More to come...
Finally!! It’s been a year since I officially stepped my foot into the InfoSec world! Keeping all my workload and projects aside, at this point, I wish to pen down everything that my heart pours about this wonderful journey. Looking almost a year back, I see myself as a confused boy who had lost his way towards his goal. Today, had it not been for a few amazing people to guide me through it, I would have been still standing there. Avkash Sir, Neelu ma’am and Dhiraj have always showed me the path by giving proper guidance be it related to any InfoSec topic or even my career. I started off by attending the amazing null Mumbai sessions, and as time passed, my passion also grew. Had this been a movie, the award for the best Supporting actor would be given to many, as the entire Null Mumbai team has played a significant role in my life.
Along the same time, I was hired as an intern in SecureLayer7 a year ago. I clearly remember my first few months where I was reading various blogs, watching many tutorials to get myself acquainted with web app security. It was during that period, where I wrote my first blog post on CSV Injection. That was the period where I learnt a lot many things. As Albert Einstein quotes-“Play is the highest form of Research”, I spent my time mainly in enhancing my skills on mobile (iOS and android) and web application pen-testing by practicing on different vulnerable apps. Another platform that helped me elevate my skills was CTF’s by rootme.org, bugcrowd etc. In the remaining time, I prepared the VA/PT reports and read them to understand different attack vectors. Meanwhile I also started reading the Web Application Hacker’s Handbook which is an amazing resource for beginners who want to get thorough with the different concepts related to web application security. As my skills enhanced, I started participating in bug bounty programs and was acknowledged by ESET security for reporting a security vulnerability in their website.
It was after completing 3 months in SecureLayer7, I was assigned my first on-site project. It was in this project I learnt that projects do make you learn many things as there is so much pressure about maintaining the application status or managing reports. Being an intern here, I was never treated like one, because the challenges I was exposed made me literally go out of my way to get them solved. The struggles I went through to solve 1 problem made me learn hundreds more solutions of the same. I will always be thankful to Sandeep Sir for giving me this amazing opportunity. Not to forget, Shravan who has always imparted his lessons to me for learning. Out of his so many teachings, I will always remember,” Always try your best to resolve a problem, before asking it to someone”. This is one advice which I sincerely follow and I cannot measure as to how much it has benefited me. By being in SecureLayer7, I not only learnt to deal with technical things but learnt a major deal about trial and errors. Today, whoever I am or whatever I have accomplished, SL7 has a major part in it because had it not been for those challenges, I would have never known struggle and would have never tried to find a solution to them. For all these lessons and too many more to come, I will always be grateful to the entire team of SL7. Coming back to think of this journey as a movie, the best stuntman award should go to Sandeep Sir for performing an amazing stunt of assigning me to an onsite project in a span of 3 months. It was during this project where I learnt Network Vulnerability Assessment and Configuration Audit. Apart from this, I mastered one ability which is common and a part of life of every security consultant which is learning to find way around excel sheets. Another major learning apart from all technical issues is I learnt how to handle clients and communicate our requirements and solve their queries. Soon, I joined the Hackersday Rajasthan community as well, where I got to meet some really cool people like Nikhil and Atul who have always been passionate about security.
It was after all this time I realized that my goal was set, but my approach was not certain. This phase was an eye-opener phase for me because here I did realize that I had made some mistakes. Out of many, the biggest mistake I committed was that I was jumping around various random topics and wasting time. Instead, had I stuck to one topic and mastered it properly, it would have proved more fruitful. But as the saying goes, “Don’t waste a good mistake. Learn from it”, it was time for me to make up for these mistakes and set some matters straight. I am strangely reminded of a seminar that was held in my college, wherein the speaker was asked as to how he achieved many things in a very short span to which he replied, “I just set a goal and pushed my body towards it, with a lot of ups and downs things fell into place”. At that time I really did not understand what this meant but now I can have it embossed on my desk. At this point, apart from my everyday work, I am also working on finally achieving my first certification (after a year) which is OSCP. I started planning about it long back and simultaneously started collecting resources for the same. Jumping around random topics might have cost me some time, but I did get some quality learning from it too. When I received my first web app project, I could use these fundamental applications and navigate myself throughout the pen-testing of a web applications by identifying some good vulnerabilities and also making a good and detailed report about it.
It was in the last quarter of this year where I was acknowledged by Eduonix for reporting a security vulnerability in their website. After manually hunting for bugs in an application, it was time to switch over to automation. Folks, automation has completely taken over this field. For the same purpose, it became important for me to get my hands on Python and BASH scripting. Here, I would like to highlight a very important point, to everyone who are turning to this field just because they hate programming and don’t want to deal with it, YOU HAVE TO! Information Security has never been, is not and will never be a field which is void of programming. Not only in coding automated scripts to save time and reduce effort, programming knowledge has one more major benefit. To talk in the most generalized terms, one can break a chain only when he understands how it was made. Similarly, to break a web or a mobile application it is very important to understand how it was made and this is possible only by understanding the source code of the application which will come only from programming. Another happy moment for me was when we were working on a web application which was using some pretty good technologies like (OpenAM), PostgreSQL etc. and I found some good vulnerabilities and was awarded bounty for it by Securelayer7!! YAY!!! After all this time, it was just my passion which kept me going. The fact that I liked what I was doing kept me working harder to solver bigger problems.
Last, but not the least I would like to also include my sister Aishwarya here for always being there when I needed, be it solving a challenge or trying to make this blogpost look good.
I started solving machines which were on hackthebox to hone my skills even more. With course of time, now I am trying to set up my own Pentest Lab on Active Directory and trying to get well versed with Post Exploitation Techniques. Slowly and steadily I am also trying to get acquainted with Assembly Programming as well. For the past year I have learnt so many things from my seniors, colleagues, friends, and juniors (Prakash and Saumitra) also.
As I conclude writing this blog post, I would put forth some precious leanings:
- Always be updated about the latest happenings. Know what is going on around the world. Learn about new technologies and also try them. Lot of things are becoming obsolete, come out of it.
- Get your Fundamentals right. There is no excuse for skipping the basics at all. Without basics, going for advanced topics is pointless.
- Choose one area and stick to it. As a Security Consultant, yes! You will be exposed to multiple domains but always stick to one domain and practice it thoroughly.
- Never be under an impression that degree/certifications will lead you to a job. I had no certification/nor a degree when I was hired. Your passion in this field, your devotion towards your research and hard work will help you move forward here. There really is no degree/ certification in the world that can teach you what a real life experience can. As far as my personal experiences are concerned, I have seen many people who have a great job without possessing any specific degree or a certificate. In case, you are not finding a job, settle for an internship and get yourself properly skilled for a full-time job.
- And lastly, move forward with a positive outlook. Never give up. In case such thoughts come to your mind; always think as to why you started in the first place. Things will be tough sometimes it can get out of control. Happens. It happens with everyone. Just be calm, focus on your goals and things will set right for you.