TL;DR: Woah! What an exciting ride it was :)
Hello everyone, I’m not sure how I should start writing this post. It’s been one amazing ride these last few years at Appsecco. I believe all good stories need to be told, so here’s me writing about my journey as one of the earliest core team members of an amazing company with an even more amazing team!
An unbelievable opportunity
It all started when I was about to quit my previous job and was thinking of moving outside India for some time. Given that I had worked with Akash before, I sought his opinion and ended up accepting an offer to work with him at Appsecco. Back then, I was just excited to work with him and Riyaz, but little did I know that it would become one of the most fulfilling adventures of my life. It is here that I began my journey to fulfill my goals (and, many a time, items from a bucket list that I did not even know existed) in both my professional and personal career.
I have always tried to build myself as a T-shaped individual at Appsecco, focusing on depth in security as my primary area and breadth of everything including building training programs, consulting, individual personality and adding to our amazing company culture. It wouldn’t be fair if I don’t give credit to the amazing people I have had the opportunity to work with in these last few years.
If you haven’t read how I joined Appsecco and what my first month looked like, I highly recommend you read this :D
I can’t believe it’s been a month already @ Appsecco!
The first year
I cannot believe that I did so many cool things in my first year itself. I started working on open source platforms, created solutions to manage the company’s operations while breaking and pwning applications and servers whenever I could with Riyaz and his team.
I started preparing myself for the OSCP (Offensive Security Certified Professional) as a way to challenge myself and to sharpen my attacker skills with the help of Riyaz Walikar (aka wincmdfu) in early December 2016. I have nothing but immense respect for Riyaz for his patience in explaining concepts to someone who doesn’t have much knowledge about that topic. The way he visualises targets and application features to identify where the vulnerabilities could be, sometimes even without actually making any HTTP requests, is just mind-boggling. I wish there was a Brain-as-a-Service thingy so that I could utilise his skills and attacker mindset. I was able to successfully complete my OSCP and it helped me gain a lot of confidence in the approach to testing for security and finding cool bugs.
As part of my to-do checklist at @appseccouk I completed my #OSCP certification 😀 (09:39 AM - 19 Jan 2017)
In my time at Appsecco, I had lots of opportunities to perform security testing of applications and servers for a variety of clients across industry verticals, and I did use them to find some amazing vulnerabilities.
One of the best things I learnt while performing security assessments at Appsecco is that it’s not only important to show what cool vulnerability you found, but it is far more ubercool to explain the vulnerability and its mitigation in a friendly language that developers can consume and fix their stuff.
As time progressed, I started creating research talks, trainings and workshops that I liked to present. I toured a bunch of notable industry conferences around the world like DEFCON, All Day DevOps, nullcon, DevSecCon, the null community, etc. This also allowed me to travel around the world in my first year itself!
By the end of my first year, I was able to work on a given problem statement and come up with a pragmatic solution (with automation as the key). I started working with the 3 largest cloud providers (AWS, Azure and GCP) and open source software platforms like the HashiCorp stack (Vagrant, Terraform, Packer, etc.). I ended up writing numerous automation playbooks using Ansible and custom scripts as well.
While trying out some open source products and platforms, I found critical vulnerabilities in the GitLab CI/CD private build system, a SaaS-based malware analysis platform, etc., which could bring additional visibility in the security community, which was very cool.
As part of building stuff internally, I created an in-house infrastructure security monitoring system using the Elastic Stack and Beats with ElastAlert for detecting attacks and alerting our teams.
I can surely say that, before coming to Appsecco, I had never built this many proofs of concept on multiple open source tools and technologies for monitoring, CI/CD, version control, scanning, auditing, etc., which helped me to explore an even wider variety of platforms, products and stacks. Using all of the collective knowledge, I built an automated, Markdown-based documentation and knowledge base system using Raneto, MkDocs and GitBook with the help of pipelines, containers and Kubernetes.
I can go on and on about all the cool technical things I did, but this post would be incomplete if I don’t talk about the people I worked with and with whom I started my journey at Appsecco.
Here is my 1 year working at Appsecco blogpost. It’s a fun read about things I have done over a year with an amazing team :)
As time flew by
We have always been a small team of people doing amazing and cool work and that kept us busy. So I started working on more and more operational work to use Docker containers and Kubernetes clusters to help other teams streamline their work, which helped us to automate most of our deployments using CI/CD pipelines, resulting in lots of time saved to do more cool things and do research.
Over the years, I also kept my promise of giving back to the community by teaching and sharing my work at multiple conferences including BlackHat, OWASP Appsec, USENIX LISA, All Day DevOps, DevSecCon, nullcon, null and many more.
With our experience of doing automation using Ansible, Akash Mahajan suggested that we could share what we learnt with everyone to help them perform their daily security tasks. So we ended up writing a book on Security Automation using Ansible 2, which is also referenced as a technical resource by Red Hat Ansible itself. This fulfilled a life goal of mine without me realising I wanted it. The feedback about the book from friends, the community and total strangers on the Internet was very heartwarming.
I haven’t met or worked with anyone in my entire career and personal life who shares the same attitude towards life as Akash. A quote of his that I will always remember is “Knowledge is noble”. This keeps me motivated and will continue to do so to keep learning new things and trying them out. One thing he explained was about fatigue: if you continue to do the same thing for too long, there are chances that you would get bored. However, as I picked up several different technologies and got better at many new things rapidly, Akash helped me automate several things, which would free up my time for cool new things that I would like to pick up. As a mentor, Akash also worked with me to figure out what makes me happy and what new exciting things we could work on so that Appsecco could benefit from my energy levels while I would develop my career and technical skills at a personal level.
As we moved forward, we started working on more and more challenges in automation and cloud native technologies. At this point, Akash suggested that I become a Certified Kubernetes Administrator by appearing for the CKA exam. This aligned perfectly with my personal interest as well, as I was on my way to digging deeper into container and orchestration security. As most of our workloads ran on Kubernetes, it was easy to get started and prepare for the exam. I learnt a LOT in the next few months, as I realised that the deeper I got into understanding cluster-specific operations like the API server, troubleshooting, etc., the better I got at identifying potential security pitfalls, how we could secure clusters and what the potential attack surface could be as well.
Did I tell you that I have passed @linuxfoundation and @CloudNativeFdn Certified @kubernetesio Administrator exam with 95%?
Thanks @makash for motivating me to take the exam. @appseccouk team you are amazing & always helped me to achieve my goals!
#CKA #Kubernetes (15:18 PM - 01 May 2019)
The certification and my personal interest pushed me into learning more about containers, Kubernetes and the ever evolving cloud native landscape. So I started giving more time to research and ended up building an amazing training focusing on both attackers’ and defenders’ perspectives in container security. I eventually had an opportunity to present my research and training at a wide variety of my dream conferences including USENIX :D
While presenting at multiple conferences, I realised that I wanted to build my leadership and management skills as well. I have been lucky enough to moderate one of the world’s largest DevOps conferences (30k+ audience), called All Day DevOps, for the past 4 years. I moderate their DevSecOps track, which not only helped me build my leadership and communication skills, but also gave me a lot of friends, connections and community involvement.
If you haven’t read about how I have spoken at and moderated the All Day DevOps conference for the past 4 years, I suggest you must read this :D
Moderating and Presenting at All Day DevOps
Appsecco provided me with a lot of opportunities to travel the world. In my stint here, I have done some amazing trips to some of the most beautiful cities in the world.
One of the things I will take back with me is the support and ever-learning culture that Appsecco provides, which helps its employees to achieve their dreams and put their progress in the right direction.
To spice things up at work and to break some monotony that had started to develop, I suggested that we should do team hackathons in the office. So one Friday a month would be when there was no client work assigned but pure hacking and breaking. We ended up doing lots of cool hacking and gulping down copious amounts of Coke Zero and pizzas :) Our internal hackathons have not only helped the team think of edge cases and create out-of-the-box attack scenarios but also helped build team spirit and get better at collaboration.
Some of the @appseccouk team decided today was a day to participate in a #hackathon today. 😃😃😃
Cc @abh1sek @0xbharath @madhuakula @_riddhishree @riyazwalikar @suneshgovind (04:40 AM - 15 Nov 2019)
A very simple responsibility I picked up was to send a daily quote to everyone in the company, first thing in the morning. This allowed me to read up on so much motivational stuff, figure out what would be applicable to Appsecco and keep my energy levels going throughout the day.
Here’s an example quote that I have shared with the team
In my last year at Appsecco, I was fortunate to work with Abhisek Datta to build an internal automation platform using Kubernetes and cloud native technologies. This platform helps our Security Testing team to speed up their discovery of low-hanging fruit while the team can work on attacking the bigger bits.
Abhisek Datta, or Datta sir as he is lovingly addressed by most of us, has an insane amount of patience. His experience across domains like attack, defense, automation and development is something I have never seen. His trolling capabilities are next level too!
Working with Abhisek has taught me the most important parts of my work. My approach towards any task that I picked up was to dive right into it because of my hunger for knowledge, but working with him allowed me to focus on the thought process and figure out the most simple, yet elegant solutions to the problem statement in question.
When not working, most of the time I spent in the office was hanging out with my cool colleagues and having fun with them. Bharath, Riddhi and Sunesh are always up for a coffee break and random discussions (which would eventually come back to something technical), making me realise that Appsecco is a company of people with an amazingly common interest towards the same goal and the hunger to achieve it.
Our Friday lunches were an amazing break from work and we have tried a variety of restaurants and cuisines in Indiranagar. My favourite has been Bombay Brasserie and my favourite food has been Kashmiri Naan Kebab and Amritsari Kulfa.
The last month
Last month I decided to tell Akash, Abhisek and Gwil about my plans for the future and how I wanted to move on to my next adventure. It has been the most difficult thing I have had to do. It was like telling your family you are leaving them and not knowing how they would react or feel.
But when I told them, for reasons I did not fully understand, they were happy for me! This was very weird in my head as I had not anticipated them to be happy.
They said that I had done so much at Appsecco and put in all the effort I could to ensure the company and community progressed, so they had nothing but good luck to wish me. It’s a good sign, they said, as my career is still growing (and I am still young :D), so now would be a good time to explore.
When it came to transition and handing over of responsibilities, access and data, it could not have been smoother. Apart from doing all of that, we had the most fun, I think in recent times, this month.
We had fun outings, cool lunches and dinners, Secret Santa, bowling, go-karting, games, eating, drinking, etc. to name a few, mostly thanks to our new Fun Committee in-charge — Shruthi Kamath.
I have had a really great time working at Appsecco. My time here has been nothing short of a movie. A blockbuster, not the flop type. The people, the culture, the learning, the fun, the trolling, the acceptance of new tech, the embracing of failures, the celebration of success and the ever constant push to do more than you are capable of. I will always be thankful for the opportunity given to me and I believe that very few companies out there will match my experience of Appsecco.
5 key things I learnt at Appsecco
To end this looooooong blogpost, here are 5 cool things I picked up at Appsecco as part of my non-technical learning:
- Don’t assume anything. As the quote goes — Never ASSUME, because when you ASSUME, you make an ASS out of U and ME
- The company is as strong as the team
- Set your dream goals and work towards them
- Communication is the key to everything
- It’s okay to fail and learn from failures
What is next for me
Alas, all good stories need a sequel. My journey has just begun in the world of security of Cloud, Containers, Kubernetes and Cloud native landscape. I’m moving on to a different place, to get a taste of a different culture and to try something new and hopefully as exciting as my time here.
If I want to leave you all with just one thought, remember
Great things happen to those who don’t stop believing, trying, learning, and being grateful.
— Roy Bennett
Thank you so much Riyaz Walikar for reviewing my blogpost, you are awesome as always :)