Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This podcast interview from Horangi CyberSecurity’s “Ask a CISO” series features Anant Shrivastava discussing his journey into information security, the move to DevSecOps, quantifying defense, and software supply chain security.
Guest Background
Anant Shrivastava: 15+ years in the information security industry
Experience: Network security, networking technologies, mobile application security, Linux security
Open Source: Avid open source supporter, runs multiple open source projects
Communities: NULL (Garage for Hackers); helped establish local chapters (NULL Bhopal, OWASP Bhopal)
Key Topics Discussed
Journey into Information Security:
Early Years:
Computers since 2000: Started with Linux more as curiosity and challenge
School teacher: Said “This is something a lot of people don’t know about, but those who know about it are sort of the intelligent people in the community” - that was the challenge that got him started with Linux
2008: Graduated
Before that: More focused around server administration, management of systems, Linux admin aspects
First role: Server administration profile
Bottlenecks: Most work in India was managing US servers, or servers for US/UK clients, which meant late-night and overnight jobs
Started thinking: What are other options?
Most folks around: Moving into programming or leaving IT, moving into non-IT
Couldn’t leave IT: “It is sort of in my blood, I can’t leave IT”
Programming: Didn’t want to jump right away as professional career point
Realization:
Secured servers: Had secured servers, configured servers, worked toward making sure people couldn’t attack them
Another side: Around 2010 another side started popping up - “Hey, there is a professional requirement for people to break things”
Interesting: “I’ve been securing, so how can I start breaking things?”
Started looking: Job opportunities
Initially: Did not directly start with pentesting as security field
Joined company: Doing log review and log monitoring
5,000 assets: All sending logs (database servers, firewalls, systems sending firewall logs)
Job: Ensure nothing bad is going on
Encountered correlation: Very interesting aspect - was able to successfully correlate things, e.g. by looking at a web firewall log, could tell which machine was infected with malware or a trojan
2010-2011: First moved into pentesting role
Mobile Security:
Developed as skill: On own as side hobby
2010: Got first Android device - “Okay this is fun device to have”
BackTrack: At that time BackTrack was the distribution in use
First person: To port the BackTrack image - BackTrack at that point released a version for only one specific Motorola Android device; no other Android device was supported
Very minor configuration flaw: Was the first person to correct that flaw and get it working on other mobile devices/normal phones
Point onwards: Fun journey with pentesting, breaking systems
2015-2017: Started pivoting - “Hey I’m not only going to break things, but I also want to secure things, I also want to help people get security angle right”
Journey Summary:
Started: Dipped toe in blue (defense)
Moved: Right into red (offense)
Backtracked: Back and became purple (both)
Move into DevSecOps:
Starting Point:
Fun coincidence: Back in previous role doing lot of pentesting work, also delivering training sessions
NotSoSecure: One of the prominent Black Hat trainers - used to teach infrastructure, web application and cloud security trainings
Stuff that irritated: A pentester basically tells you there are problems but would not have a clear-cut solution to the problem
Most reports: More of around “Hey you need to read your documentation” or “You need to figure out company policy how you want to fix that thing” - “We are not going to give you recommendation”
Gap looking at: “It does not sit well with me that hey why can’t I actually be in position where I help people actually fixing this also”
Halvar Flake Quote:
Halvar Flake: Another prominent personality in infosec, did a keynote at Black Hat Asia
Quote resonated: “The offensive problems are technical in nature, the defensive problems are political in nature”
So true: Pentesters find technical problems, say “Okay well you need to make these changes in these configurations” - once ask for permission, someone says “Well it works way it is, don’t change it” or “We will accept risk, just don’t change way it is”
DevSecOps Should Not Exist:
In one of his talks: About DevSecOps, this is how he actually started - “DevSecOps is a term that should never have existed”
Should never exist: Because DevOps should be secure, should be secure by default
Goes back: To another buzzword “secure by design”
Market cycle: Market needs new buzzword every few years (Generative AI right now)
Quantifying Defense - The Battle for Budget:
Another Angle:
Lot of people miss: There’s another angle
Offense is measurable: Defense is not
Measuring lack of something: Exactly
Offense has done brilliant job: Marketing has done brilliant job of conveying fact around that “If you see that you are not hacked, you just don’t know that you are not hacked”
Brings whole curtain down: On defense part
Stock market: Does not care about security - prices go down for 2 days, come back up, companies still functioning
Can keep quoting: Companies that shut down, but it is a very small percentage of big-enough companies that got shut down because of a security incident
Cost Calculations:
Other problem: “Hey worst case scenario if have to pay fine, if have to pay all customers something, what is that cost?”
Sat through calculations: People like “Okay what is total cost of breach that can happen?” then calculate “What’s cost of investment in defensive tooling?” then “Yeah we’re okay paying that cost”
Or they’ll say: “I’ll just get cyber insurance”
Things started to change: With insurance also mandating and saying “Hey if breach is because of negligence, we are not going to compensate”
Quantifying Defense:
Problem trying to solve: How do you quantify? How do you put number to situation?
Our generation: Who have come up through ranks are just now picking up problem
Optimistic: Sometime in next 5 years someone among us will figure out how to communicate it better
Mindset Change:
Analogy: Painting versus medical profession
Medical is science: Because there’s method to whole madness, set procedure everyone has to follow
Painting is art: Everyone does it way they want to do it
Infosec right now: Sits more in art category than science category
More move infosec: From art to science, more will be in position to measure something
Software Supply Chain Security:
Why Worry About It:
Non-software example: If food to be made at house, all ingredients have to be bought from market
Whole chain: Goes in
COVID example: When COVID struck, people not able to find stuff at local shops because transportation not working
80% Import Statements:
About 80%: Of what we call software products right now are basically import statements calling in stuff other people have done
Modularization: Of programming languages gave the flexibility where one person can write something and everyone else can use it
How to Secure Supply Chain:
Three Aspects:
Need to know what you are using: There has to be a way to track what constitutes the components in your environment - points to the keyword “SBOM” (Software Bill of Materials)
Should be able to query a database: One which has the list of vulnerabilities
Put money where mouth is: Because the product is giving value, you should take a portion of that value (not talking about huge percentages, maybe 2% of profit) and push it back to open source communities
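The first two aspects above (know what you are using, then query a vulnerability list against it) are what an SBOM check does in practice. The following is an added example, not code from the interview, Horangi, or any of Anant Shrivastava’s projects: it parses a minimal CycloneDX-style SBOM, extracts each component’s ecosystem/name/version from its package URL (purl), and matches it against an OSV-style feed of affected version ranges. The SBOM contents, package names, and vulnerability ids (`EXAMPLE-VULN-…`) are all constructed placeholders, and the version comparison is a simplified numeric compare, not full PEP 440 or semver.

```python
import json
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX-style SBOM (placeholder components, not a real project).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:pypi/example-http@2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "5.1.0",
     "purl": "pkg:pypi/example-yaml@5.1.0"},
    {"type": "library", "name": "example-crypto", "version": "1.0.4",
     "purl": "pkg:pypi/example-crypto@1.0.4"}
  ]
}
"""

# Constructed vulnerability feed in an OSV-like shape; ids are placeholders.
# A range of [introduced, fixed) means every version >= introduced and < fixed is affected.
VULN_DB = [
    {"id": "EXAMPLE-VULN-0001", "ecosystem": "pypi", "package": "example-yaml",
     "ranges": [{"introduced": "0", "fixed": "5.4.0"}]},
    {"id": "EXAMPLE-VULN-0002", "ecosystem": "pypi", "package": "example-http",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.3.0"}]},
    # Same package name but a different ecosystem: must NOT match the pypi component.
    {"id": "EXAMPLE-VULN-0003", "ecosystem": "npm", "package": "example-crypto",
     "ranges": [{"introduced": "0", "fixed": "1.1.0"}]},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.1.0' into (5, 1, 0). Non-numeric parts are dropped: simplified on purpose."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:pypi/example-http@2.3.1' into (ecosystem, name, version)."""
    body = purl[len("pkg:"):]
    ecosystem, rest = body.split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def load_components(sbom_json: str) -> List[Tuple[str, str, str]]:
    """Return (ecosystem, name, version) for every component listed in the SBOM."""
    sbom = json.loads(sbom_json)
    return [parse_purl(c["purl"]) for c in sbom.get("components", [])]


def is_affected(version: str, ranges: List[Dict[str, str]]) -> bool:
    """True if the version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        fixed = r.get("fixed")
        if v >= lo and (fixed is None or v < parse_version(fixed)):
            return True
    return False


def find_vulnerable(sbom_json: str, vuln_db: List[Dict]) -> List[Dict[str, str]]:
    """Cross-reference SBOM components with the vulnerability feed.
    Ecosystem and package name must both match before version ranges are checked."""
    findings = []
    for ecosystem, name, version in load_components(sbom_json):
        for vuln in vuln_db:
            if vuln["ecosystem"] != ecosystem or vuln["package"] != name:
                continue
            if is_affected(version, vuln["ranges"]):
                findings.append({"package": name, "version": version, "vuln": vuln["id"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, VULN_DB):
        print(f"{f['package']}@{f['version']} is affected by {f['vuln']}")
```

Run as written, only `example-yaml@5.1.0` is reported: `example-http@2.3.1` sits above the fixed version and `example-crypto` matches by name only in a different ecosystem, which is why the check keys on ecosystem plus name rather than name alone. In a real pipeline the SBOM would come from a generator run against the build, and the feed from a vulnerability database, with the check repeated on every build rather than once.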
US Government Initiatives:
2021 end: The US president gave a declaration/statement saying “The US government needs to be cautious about the software supply chain”
SSDF framework: Came into the picture - NIST developed the SSDF because of that
Very interesting line: “It’s not the responsibility of the open-source developer to ensure the code is secure; rather it’s the responsibility of the party getting the benefit out of it to ensure the components are secure”
Supply Chain is More Than Modules:
It’s the IDE: You are using
It’s the third-party SaaS library: You are using
It’s the person sitting: Somewhere in a distant country managing IAM policies for you
SolarWinds example: Chain of events - a breach at JetBrains led to an implant in one of their code software products, deployed into SolarWinds, which allowed the attacker to plant a backdoor into Orion servers, which were then deployed into other Fortune 500 companies
Goes back: To the original point - there is no upper limit to what a breach could cost
Last Thought:
For offensive people: Start toning down expectations, start looking at other side
For developers: Start ranking up bugs
Meet in middle: That’s last thought
Key Insights:
Journey: Blue → Red → Purple (defense → offense → both)
DevSecOps should never have existed - DevOps should be secure by default
Offense is measurable, defense is not - major challenge
Offensive problems are technical, defensive problems are political
Need to move infosec from art to science
80% of software products are import statements
Supply chain is more than modules - includes IDEs, SaaS libraries, IAM policies
Need to quantify defense and communicate value better
Open source tools made security more accessible
SSDF has teeth - can’t be a US government contractor without it
Actionable Takeaways:
Offense is measurable, defense is not - need to figure out how to quantify
Move infosec from art to science - need metrics and procedures
Offensive problems are technical, defensive problems are political
80% of software is dependencies - need SBOM
Supply chain includes more than code - IDEs, SaaS, IAM policies
Put money where mouth is - support open source developers (2% of profit)
Reserve employee time to contribute to open source projects
SSDF has teeth - cascading requirement for US government contractors
Meet in middle - offensive people tone down expectations, developers rank up bugs
Need better communication of security value to leadership