Anant Shrivastava

Join Anant Srivastava, Founder of Cyfinoid as he sheds light on AI’s transformative role in cybersecurity, explores the vital contributions of open-source, and emphasizes the importance of community involvement for strategic advancement Follow Anant: https://www.linkedin.com/in/anantshri/

00:00 Introduction to the Podcast
01:21 Evolution of Cybersecurity and Changes in Information Security Roles
07:15 Breaking into the InfoSec Industry: Tips and Strategies
11:23 The Power of Community: Investing in CEH and Networking Benefits
14:15 Anant’s most Memorable Talks and Interactions
18:10 The Impact of Open Source on Cybersecurity
30:18 Mobile Development Pitfalls: Overlooked High-Risk Vulnerabilities
35:23 Behind the Scenes: Crafting Topics for a Cybersecurity Blog
38:59 The Future of AI in Cybersecurity: Enhancing or Replacing Critical Thinking?
44:23 The Evolving Role of Security Engineers in an AI-Dominant Future
51:43 Closing Thoughts and Podcast Conclusion

AI Generated Summary

AI Generated Content Disclaimer

Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.

This comprehensive podcast discussion covers the evolution of cybersecurity, community involvement, open source contributions, mobile security, blogging, and the future of AI in cybersecurity.

Key Topics Discussed

Evolution of Cybersecurity Industry:

Major shift: “We used to be chased because we were finding bugs” (with court orders) → “Now we are getting paid to find bugs”
Hacking vs InfoSec: Hacking is fun and exploration; InfoSec is what you get paid to do
Shift from convincing people why security is needed → People now proactively asking for security help
Field has matured from hobby to professional career, but still not fully structured like medicine

Security Implementation Spectrum:

Companies range from bare minimum compliance to proactive security implementation
Security decisions should be based on audience level:
- 4 people playing Ludo game → minimal security needed
- Governments of different nations → maximum security, including nation-state attacks
Company size matters: 2-person company (trust), 10-person (reference-based trust), 50+ (public hiring, need EDR/XDR)
Different security levels for different roles: Receptionist/HR (full security) vs Pentester (trust building, minimal security initially)

Entering Cybersecurity:

Universities now offer cybersecurity degrees (entry-level but provide foundation)
Industry moves fast - by graduation, technology may have changed
Recommended pathways: CTF events, Bug Bounty programs, Google Summer of Code
Team Bios (university team) - people from this team have shown exceptional trajectory
CTF participation helps build network and skills before entering industry

Community Involvement:

Communities provide collaborative learning and crystallized/distilled information
CEH certification value: Not for practical info, but ensures you’ve heard every keyword in infosec space once
NULL meets, OWASP meets - hear 3-4 different researchers share learnings
Small Discord channels also valuable for networking and growth
Important to “show up and make your presence felt” - not just be part of 200-500 people crowd

Memorable Talk Learnings:

Don’t use Wikipedia as official source (can be edited in real-time)
Always cite references - if source is inaccurate, you’re inaccurate double times
Sessions are for audience, not for presenter - make assumptions clear
Presentations should be useful after the session (PDFs, slides should make sense standalone)
Example: IPPSec always starts from scratch, documents videos on i.r website

Open Source Projects:

Android Tamer (now Tamer Platform):

Started 2011 - unified environment for Android security tools
Problem: Tools fragmented across different languages/versions (Java 1.7, 1.8, Ruby 1.5, 1.6, etc.)
Solution: Cohesive environment where all tools coexist and cooperate
Allows VM setup, apt-get updates, tool installation without version conflicts

Code Vigilant:

Started at NULL meets 2014 with Prajal Khar (now CISO at Groww)
Target: WordPress themes and plugins
2014: Found ~300 bugs, reported and got fixed
Paused until 2021, restarted with Semgrep (more structured searches)
2021: Found another ~100 SQL injections
Current workflow: Semgrep → Defect Dojo → Validate → Report to vendors
Provides internship opportunities for people from small towns
Philosophy: “I helped you, you help two others” - pay it forward

Open Source Philosophy:

Don’t do open source expecting returns - do it because you want to
Open source is “medium of expression” - I did something, I want to share it
Not recommended to make living solely from open source (Red Hat is exception, not rule)
Projects are personal - “These are my projects, I’m doing them for myself. Want a feature? Fork it.”

Mobile Security:

Mobile is “fully hostile territory” - device may be hacked, owner may be hostile
Beyond API vulnerabilities (which are web app testing), mobile apps face unique challenges
Defense in depth approach: SSL pinning → Request signing → Validation layers
Each layer raises attacker skill requirement (0-3 → 5-6 → higher)
No 100% security, but increase complexity to make attacks harder
Give debugging app to VAP vendor, but production app should have all security layers

Blogging:

Blogging for 15 years - started when blogging was for fun
Blog is personal journey documentation, not focused on one topic
Evolution: Blog → Myspace/Orkut → Facebook → Twitter/X
Moving back to blog due to social media instability (Twitter→X, Facebook changes, Reddit API closures)
Blog serves as personal reference - “5 years later I search my own blog”
Current split: Company blog (mobile, decentralized web, supply chain) vs Personal blog (PKM, automation)

AI in Cybersecurity:

LLM analogy: Child born in library, taught alphabets, read all books by age 18, no human interaction
AI identifies patterns and repeats them - not actually “thinking”
Can help go from 0-60% proficiency; 60-100% still requires human intuition
Example: Feed all bug bounty reports to AI → Get list of most commonly exploited parameters for XSS
Jason Haddix created Burp plugin doing exactly this (manually, before AI)
AI helps with repetitive patterns; humans needed for novel scenarios and gut intuition

Future of Security Engineers with AI:

Comparison: Finance person when calculators came → They didn’t lose jobs, they “babysat computers”
AI will automate repetitive tasks (dealing with XSS on CVSS 9.8 internally deployed machines)
Humans will be freed for more useful tasks
Medicine is science (documented procedures); InfoSec is still art (no one knows what they’re doing)
AI might help structure InfoSec field, but refinement comes from human inputs
Decision-making still requires humans - AI can’t predict social outcomes
Research example: AI couldn’t predict children’s future (marriage, arrests) based on habits

Key Insights:

“Show up and make your presence felt” - critical for community involvement
Many people hired before graduation because they showed skills in communities
Code Vigilant provides internship opportunities for people from small towns
Mobile security requires defense in depth - no single solution
Blogging is personal knowledge management and reference tool
AI is pattern recognition, not critical thinking replacement

Important Projects and Tools Mentioned:

Android Tamer/Tamer Platform - Unified Android security tool environment
Code Vigilant - WordPress security research project
Semgrep - Code review software
Defect Dojo - Bug tracking and management
Team Bios - University CTF team with exceptional trajectory

Actionable Takeaways:

Participate in CTF events, bug bounties, Google Summer of Code
Join communities (NULL, OWASP) and make your presence felt
Document learnings in blog posts
Contribute to open source projects
For mobile security, implement defense in depth (SSL pinning, signing, validation)
Use AI for repetitive pattern recognition, but rely on humans for novel scenarios
Show skills in communities - many get hired before graduation
Open source should be done for passion, not expecting returns

BugGyaan Podcast

Chat with Dhruva Goyal

09 November 2023

AI Generated Summary

Key Topics Discussed