DEV Community

Anirudh
Anirudh

Posted on

I'm 18 and I do systems security, Ask Me Anything!

Hey guys, I'm a systems security engineer at a local startup. I've been into infosec since 8th grade. I'm (obviously) still learning, and gearing towards an OSCP. Ask me anything!

Top comments (30)

Collapse
 
ijlee2 profile image
Isaac Lee

Hello. From your experience, what advice would you give to people at young age (say, 13-18 years old) who want to get into tech industry?

Collapse
 
icyphox profile image
Anirudh

The "tech industry" is an extremely generic term. What field in tech, specifically?

Collapse
 
ijlee2 profile image
Isaac Lee

Indeed, my bad. Can you give us advice on getting into information security? Thanks!

Thread Thread
 
icyphox profile image
Anirudh

Getting started with infosec would require a basic understanding of how a computer itself functions at a primitive level, networking and protocols (and how they tie together), operating systems, web technologies. Some programming knowledge wouldn't hurt either; scripting in Python, Ruby, shell.
I love telling people that you should learn to make stuff, before learning to break stuff :)

Above all, security and hacking, in general, requires a creative mindset with out-of-the-box thinking. There is no single checklist to be followed, ever!

Thread Thread
 
avasconcelos114 profile image
Andre Vasconcelos

I love telling people that you should learn to make stuff, before learning to break stuff

That is actually a great way to look at it! Thank you for sharing your experiences with us :)

Collapse
 
kostassar profile image
Kostas Sar

I would really like to look into this part of the industry and networks are my weakest point, so I should start from there.

But out of curiosity do you have any books or courses to begin with the "and how they tie together" part of your answer?

Thread Thread
 
icyphox profile image
Anirudh

I didn't really follow any book/course to learn that bit, mostly just hands-on. But, I actually liked the RITx Network Security course on edX. YMMV, though.

Collapse
 
peter profile image
Peter Kim Frank

Were there any key moments or fun stories that specifically drew you towards security?

Have you made any independent security findings/disclosures that you're able to share?

Collapse
 
icyphox profile image
Anirudh • Edited

What drew me towards security would probably be my love for computers, paired with my love for breaking things. Taking stuff apart and messing with their internals :D

I sadly, do not have any 0-days/CVEs under my name, but I have made some disclosures. One of them was particularly interesting.

I'd been asked to pentest an incubation centre's website. Essentially, where startups submit their pitch and get funding/materials etc.

Browsing through the site for a while, and I instantly found an SQL injection vulnerability, threw the vulnerable URL into sqlmap and within 15mins, dumped the entire database containing user credentials, personal data, and most importantly, the startup ideas themselves. I reported this to the team behind the website. The devs being the lazy bums they were, figured they'd fix it later and just push the site to prod (the absolute madmen). Within a week of having deployed to public, they got hacked, and the hackers were selling the startup ideas on campus!

Collapse
 
peter profile image
Peter Kim Frank

It's incredible that you were asked to pentest the website, and then they ignored your findings! Insane.

Thread Thread
 
icyphox profile image
Anirudh • Edited

It's understandable, because it was management that had asked me to pentest and the devs weren't really prepared. They already had a lot on their plate, as they were getting ready to go live.

They could've taken more time though, and ironed out the issues with the site. Maybe a week extra. Would've saved them all the trouble.

Thread Thread
 
vitalcog profile image
Chad Windham

Yeah, but a security vulnerability on that scale should not be ignored no matter what. People just never seem to learn.

Thread Thread
 
haikal00 profile image
haikal00

Sometimes people choose earlier launching to not lose the business.

Thread Thread
 
vitalcog profile image
Chad Windham

I understand the balance act from the business side, as I work in the real world for large company. But given what happened, it is a go to example of why you shouldn't ignore large and obvious security flaws for any length of time. In the context of the story. The company hired security testers. Found out there was a huge (and relatively simple) problem. Did not fix it and experienced a worse case scenario. Which doesn't help in the "not lose business" side of things. You point is very valid and those business decisions can be difficult at times. But in the context of the story shared it is a prime example of the wrong choice.

Collapse
 
deth18837514 profile image
deth

Do you have good resources you can share with us ? I'm a newbie and I try to find some trusted sources posting news, tutorials or whatever is intersting about security. I'm interested to know how things work (in-depth) and it's not gonna help at all if the stuffs I find online aren't reliable.

Collapse
 
juliavii profile image
juliavii

Hello, I am also starting with infosec, most specifically secure development. About automatized security test (static code analisys, for example), the biggest problem I found was high number of false-positive result generated by commercial tools. Any advise of how deal with this?

Collapse
 
icyphox profile image
Anirudh

Ah I don't think I can answer this one. I haven't ever done code analysis, and I probably never will. Sorry!

Collapse
 
seankilleen profile image
Sean Killeen

Hey! I've noticed that in this post you use "guys" as a reference to the entire community, which is not made up of only guys but a variety of community members.

I'm running an experiment and hope you'll participate. Would you consider changing "guys" to a more inclusive term? If you're open to that, please let me know when you've changed it and I'll delete this comment.

For more information and some alternate suggestions, see dev.to/seankilleen/a-quick-experim....

Thanks for considering!

Collapse
 
andy profile image
Andy Zhao (he/him)

What are the first few things you check for on a website? Anything that most websites should always have, but usually don't?

Collapse
 
icyphox profile image
Anirudh

First thing I do is enumerate all the API endpoints that are being hit, on all pages of the website. I then take a look at the requests themselves, what headers are being sent, the response from the server, etc. I try messing around with these.

Most websites, from what I've seen, always tend to overlook the possibility of CSRF or Cross-Site Request Forgery. You can read more about it here.

Collapse
 
extracat profile image
extracat

Can you hack iOS?

Collapse
 
icyphox profile image
Anirudh

I'm not sure if you're being serious :')

Collapse
 
extracat profile image
extracat

No, I wasn’t )
But, however, I wonder if it is really so secure as thay say. Compared to android, ms, mac, linux and so on. I’m interested in you opinion as professional.

Thread Thread
 
icyphox profile image
Anirudh

Well, nothing is ever completely secure or "unhackable". iOS has had its fair share of vulnerabilities, just like every other OS out there.

Collapse
 
rapidnerd profile image
George

I've been wanting to get into infosec for a while, where would you suggest starting?

Collapse
 
icyphox profile image
Anirudh

I've answered a similar question here in this thread. Perhaps that's what you're looking for too? If not, feel free to clarify.

Collapse
 
juankortiz profile image
juankOrtiz

What is your main workflow and which tools do you use?

Collapse
 
icyphox profile image
Anirudh

I first do basic recon, nmap scanning, Shodan.io, and the usual OSINT techniques. Note down whatever I find in a Markdown doc. Most of my engagements so far have been on web based applications, so Burp Suite is the go-to tool for that. I automate (potential) SQLi using sqlmap.
Actual exploitation of services and such, I use Metasploit. Which in my experience, has been quite rare.
Otherwise, most of my work is just ops, monitoring our systems, logs etc.

Collapse
 
mamhaidly profile image
mamhaidly

Where would you recommend a complete beginner to start and where can you get better (like solving real world scenarios)?
I am trying to break into this domain..
Best of luck with your startup!

Collapse
 
icyphox profile image
Anirudh • Edited

Answer for the complete beginner, here. With regard to solving real world scenarios, I'd definitely suggest trying out some CTFs on platforms like HackTheBox and RootMe.

And thank you!