
Panel - Breaking into Information Security

BSides Ahmedabad · 40:44 · 1.8K views · Published 2023-02
Category: Career
Style: Panel
About this talk
Hear from Sagar Parmar, Kainat Kamal, Kavitha Sheth, Savan Gadhiya, and Jigar Thakkar, moderated by Hudney Piquant, on how to break into information security.
Transcript [en]

I hope you enjoyed your lunch.

Let's start. Good afternoon, ladies and gentlemen. It's an honor to be able to acknowledge such a grand event at such a beautiful level. Today I, Puja, will be your host for the evening. Are you guys excited for the panel session?

Okay, let's start. We are here to witness our first boardroom discussion for the table. It is pretty interesting to note that the debate is on breaking into information security, and for this boardroom discussion that will tickle your little grey cells we have with us our moderator, Mr. Hudney Piquant. He is a solution architect at Snyk. We welcome you, sir. So now our panelists for the discussion are: Mr. Sagar Parmar. [Applause] He is senior information security researcher at Aldar PJSC, Abu Dhabi. Next we have with us Miss Kainat Kamal. She is advanced service security engineer at Honeywell. Next we have with us Miss Kavitha Sheth. [Applause] She is Versuza security consultant at Standard Chartered Bank. Next we have with us Mr. Savan Gadhiya. [Applause] He is technical director at the SecOps Group. Finally we have with us Jigar Thakkar. He is core penetration tester at Cobalt.io. On behalf of the BSides Ahmedabad team, I welcome each one of you. Thank you.

Welcome. All right. Hey, how you doing, everyone? We're going to get started. So, this is about breaking into security, cyber security. We all know it's not the easiest thing to do all the time. So, one of the first things that I wanted to ask you, and anyone can answer it, is, you know, it's hard to break into cyber security, right? So, the thing is, for someone that doesn't have experience, okay, like no experience at all, but they want to get into it: what's the best way to start to get experience to

get into, to break into cyber security?

Hello everyone. I hope you guys are enjoying it here. My name is Sagar Parmar. I live in Abu Dhabi, working as an information security researcher for the last six years in one of the government entities in Abu Dhabi. I'm also in Cobalt as a lead. So, how to start in a cyber security career. Basically, everyone came from no background; everyone has to start from the beginning, right? No one is an expert; you need to start from somewhere. So if you want to get into information security, whenever you focus on a target... for example, if you have no background: personally, I completed my graduation in B.Com, I had no experience, nothing, but still I'm a researcher, I do bug bounties, I do information security. So, for starting a career path, it's all about self-learning. I have seen many people, they do some CEH certifications and other certifications and all. So people are saying, if I do these certifications, can I get a job? I can say no. Certifications will help after the job; if you want to grow for certain positions or something, then maybe a certification can help, but getting into information security is all about self-learning.

So you say self-learning, right? It's all about self-learning. So what are some things that they could use to self-learn? Like what are some resources, for example, that they can use to self-learn? Is there any website they can go to?

As you know, guys, Google is our father; everything is there, whatever you search, everything. So for starting, for research, just follow some researchers, their blogs, how they find bugs, and just get their methodology, how exactly they are breaking into the targets. And I just wanted to say one thing: you guys are not at all late. I have seen many people, whenever they choose a target, they say, oh my god, people like Nikil and Hney and all our top researchers; so people thought that on all targets they have already found the bugs, so you won't find any. No, you are wrong, you can still find the bugs. Just focus on what exactly you're doing. So whenever you choose a target, just see the target carefully, what exactly you need to do, do complete recon; don't go blindly. I've seen people, whenever they open a target, they keep on doing XSS, finding XSS, SQL injections and all. No, that's all the wrong methodology. You need to read the program carefully and deep-dive into recon. After that you have to do your own methodologies, and once you find, for example, XSS, you just report it. No: after the XSS, what more can you do? All those things you need to make into a chain attack.

Yeah, that's a good idea: following other researchers, especially on Twitter, is a really good idea, and what he said, because you can learn a lot from them. Are there any other good tips you

guys would have?

Yeah, I think... hi all, I'm S. So yeah, Sagar said the right thing, that there is no background required to start in the security field or something like that. That is very true. He is B.Com and started in security after self-learning and everything. So to start in security, you first need to decide what you are looking for, which field you want to do, right? There is a vast variety of fields, like appsec; in appsec you can say web application, network, mobile, cloud, and so many more, IoT, source code review. So I would say that if you have a developer background, then you can definitely start looking at source code and check what vulnerabilities are there in the OWASP Top 10. First of all, in any of these particular fields you need to start with OWASP, and OWASP is the basic source and the most trustable source, I think, to start learning everything with. Second, if you want to do practical stuff, you can definitely check the Burp Suite labs; that is a very good resource we have, right. So I believe that for web applications you can definitely look at these particular sources and start with these things, and you can start learning web application testing. So when you start this particular area, what do you need to do and how can you do it? In my opinion, you can start with OWASP and just start doing the research and learning on this. The first thing I will say is that you will not understand anything, because it's a book, or material, which is already written by some good security consultants and security researchers. So you will not get the good points; I will not say you will not get anything, but you will get like 10%, and then if you read it again and again, you can get to 30%, 40% and something like that. So in my belief, what is more important is, when you start, just try to sync up the things. In OWASP most vulnerabilities are there, so you can just identify: I have identified this particular vulnerability, like SQL injection, SSRF is described over here, and if I find any instances during the testing, then you need to go there and search for those particular areas. Otherwise you will not get an idea. If you have found SSRF, or you are looking at the web application and you are seeing that there is an SSRF vulnerability or a SQL injection vulnerability, then you might check the single quote and normal things, right, and you will get the error or not get the error, or it's a blind SQL injection or something like that. So yeah, this kind of stuff will really help.

Yeah, so the OWASP Top 10 is a good framework to follow. I mean it's

always evolving, but it's still the fundamentals, so it's very good. You were going to say something?

Oh, it's not working. I can take the mic. You can take the mic. Yeah. Hello. Am I audible? Right. So if I share my point of view, what I see: if anyone gets into cyber security, okay, pick up one topic and see what can go wrong, and how can you prevent it? What can you do about it? For example, I have a diverse background. When I was in bachelor's, I was not that sure that, okay, I want to be in cyber security and hacking and all these things. I was fascinated by that. I heard of one guy who played around with the Google server at least for two seconds. I was fascinated by that, but I was not that clear that, okay, I want to be in it. So I was pretty clear with, okay, I like cryptography, I like mathematics, I was sure that my problem-solving capabilities are up to the mark, I won't struggle with that. So later on I took the call, and I started my journey with Oracle. At that time I was not only doing the security part; I was supposed to do the QA part also, which is functional testing. So they don't ask you to do only the security part; in functional testing also, if there is any QA, right, you can also switch. All you have to do is see what can go wrong, understand the product, and you will find. I'll give you an example: I was able to find XSS, okay, and authentication bypass, but more impactful were the business logic issues I was finding. Why? Because I was having the hold of, okay, what can go wrong. The same approach helped me move around any field. I quickly learned cloud security also. So yeah, good resources are much required. So you can communicate with people who have the experience; obviously you do Google, but I got overwhelmed, okay, there are so many resources out there, what to pick up, right? So take some direction: okay, I'm seeing this many resources, what are the appropriate ones? Because when I started, I was following a few blogs and they were talking about just, okay, this is how you find the XSS; they were not talking about why the XSS is there, what could be the possible fix. Same thing if you are in ML, or even if you are communicating with humans, like the psychology perspective. So even a doctor can come into the picture, a psychologist can provide the inputs, even in AI, right. So people see the AI bit from the code side, but if you realize, AI is more toward your neurons and the NLP part, so you have to understand the human mind to understand that also. So cyber is vast; it's not only application, cloud, right. So I would say problem solving, and see what can go wrong, and how can you prevent it.

Yeah, that's a good thought process, actually: what can go wrong. It really helps with embracing errors, because sometimes when you're working on something you get an error message and you feel kind of bad that you got an error and you don't know what to do. But when you start embracing errors, like she said, it actually helps you for other things as well, because when you get stuck you know how to get out of it. You don't want to stay stuck forever. So that's a good practice to have. And another thing, too, is there's a talk about hard skills and soft skills: hard skills being the technical things and the soft skills being the interpersonal things, personality, because there are other aspects too. When you go to a corporation, you have to know how to have a personality too, because typically tech people are considered to be strange, you know, but we also have a personality too. So what are your thoughts about soft skills

versus hard skills? What's more important? What's less, or what's good to have?

Hello everyone, I'm Kainat. So yeah, as you mentioned, soft skills are also important, but yeah, we have seen the geekiest of geeks in the hacker industry, right? So yeah, the hackers don't need the soft skills. Yeah, everyone agrees, right? They are just going to drop one P on a Saturday evening, or no, on a Friday evening. Okay, you will be partying and they'll be dropping. So yeah, but if you want to be on the ethical side of things and you want people to fix stuff, right, because as ethical hackers we want to protect the companies, for that we need to communicate, and for communication you need to have the soft skills. That's true.

Right. Yeah. This is a very good point, you know, because you have to consider there's a business side of it too that you're helping, so you have to be able to communicate what you're trying to do, what's important. Do you have any thoughts about the business itself?

Hi. So, we are discussing breaking into information security, right? So for me, if you don't know the hard skill, nothing matters, and if you don't know the programming skill, it also doesn't matter. You just have to be good at understanding the application first of all, and all the possibilities: how the application exactly works, what is the business behind it, and what is the core function of the application, like if it is a banking application or a data sharing application or a social application. So first of all you have to be good at creating all of the test cases, like, if I do something like this, then what will happen? So you have to create as many test cases as possible and you have to try them one by one. So there is no need for programming for this; you just have to have basic knowledge to see the traffic, how the traffic goes, and if you modify the traffic, then what will be the output.

Okay, that's good information. It's a different perspective to have, which is good. Do any of you have certifications? Okay, so no certs. What are your thoughts about certifications? Do you need them? Are they necessary?

See, I told you guys. See, certifications don't matter if you are in the security field; whatever you know, knowledge is more important if you compare it with certifications. So certifications matter when growing to a certain level. At the start of a career, I have seen people saying, how do I start a career, I don't have certifications and all. No, you don't

require any certifications, actually, to get into security.

Just okay, something about the certification. So from my point of view, regarding the certification: a certification is completely a course. So other companies already know that this guy is certified in this, so the guy must have knowledge about all these things. So why do companies require certification? They already know he has already cleared this exam, so he already has all of this knowledge. Second is your talent. If you don't have certification but you still can prove yourself, like breaking all the stuff like CTFs and others, then there is no need for any kind of security certification in that case. So it depends on the company; sometimes it's valid, sometimes not valid. If you have talent then there is no need for certification.

Yeah, it's a hit or miss. Let's say, for example, though, you don't have any experience, right, but they're requiring the certification. What are some things that you can do to basically balance that you don't have the certification and you don't have the actual experience? What are some things?

So, first of all, I totally agree with what they have told: okay, certification is not required; it's the whole curriculum that you take up. You need to take the certification when your company asks for it; that is non-negotiable. Sometimes, actually, you can show them skills, right, but the company itself is presenting that to a customer, and now the customer wants their professionals to be certified, at least a few of them, right, so the company will ask you. Correct, like in Europe, whenever you have to do some testing, from a compliance perspective the company has to have people who are penetration testing or doing the testing; those persons should be certified with such certifications, OSCP or whatever certification is required. So sometimes it's required.

Well, hold on, let her finish. Yeah, keep the mic close. Sorry, you keep it close here. Okay, this is okay.

So what I'm saying is, if you are starting, it's not okay to say you have done it. I'm engaging with my college students also, so they were saying, if we are CEH certified, it's pretty sorted. No, you have to do the hands-on part. You do certification where your company sponsors it and they ask you to do it; then only you are supposed to do it. Otherwise you can take the whole curriculum and learn it; it will eventually help you, right? But it doesn't make sense if, for example, there is a product security engineer who is dealing with fixing the code and you ask him to do the CEH or the OSCP; that doesn't make sense. He should have the knowledge of the vulnerabilities, not be doing the red teaming part, right? So that's how it's co-aligning everything. But yeah, again, I think the certification is both aspects: non-negotiable at some point, and at some point it's negotiable.

Yeah, so I would just add: certifications are an initiating factor, right, when we're filtering the CVs. So it's not a must-have, but it's good to have, because it filters your CV in; but at the end of the day, if you have a certification but you cannot clear the exam, I mean to say the interview, then it doesn't make sense, right? So ultimately, yeah, it's good to have but not a must.

Yeah, that's good. So I mean it's a hit or miss, right? And it all depends on the company. So you just have to consider what the company is saying, but also understand that there are other things that you can do to get experience to offset it, because one of the things you have to think about is, when you go for an interview, and let's say you do have the certification, the certification won't be able to speak for you. So it's something that you don't want to rely on 100%. And as we're getting into interviews, what are some things that you have? Because there are two parts, right? There's one thing where you qualify for a job, but then the thing that's stopping you from getting the job is the interview, right? So when it's time for the interview, what's the best way for anyone to prepare for a cyber security interview?

I would say first, be authentic. Okay? If you are mentioning that you are a pro at web application security or you are a pro at network security and you are not able to answer the basic question, you will be the first person who gets rejected. Okay, so I will start with the basics. I'm assuming cyber security in general, right, so I'm talking in terms of product security engineer right now. So if we consider it as three aspects, right, they want to know basics. So first, OWASP Top 10: is it clear to you or not? Cryptography: how much do you know? The network part: not the exploitation part, but at least you should know what the OSI layers are, right, what are the possible attack vectors for that. Then they also see the reasoning part: how are you trying to solve it? For example, if I'm saying XSS and I twist the question and you are not able to answer that, it's again like you just have the basic definition knowledge and you don't have the problem-solving ability. For example, if I give you my context, right, they have asked a bunch of questions like, what is web application security, OWASP, web, cloud, network, okay; then if you are in cloud, right, IAM and all these things. But basically they mostly play around like this: application, OWASP, scans, yeah, and all these questions they do ask. And authenticity they look for, for sure. I have seen people get rejected just because they have mentioned something and it turned out to be a disaster. And the second thing: the way you are communicating. They are also evaluating your communication skills in the interview itself.

Okay, that's good. Do you have any thoughts?

Yes, I think you said exactly the right thing. And for starting, whenever you apply to any particular company or anything, just study what they do, what your skills are and whether they match. If they have a job description and it is already mentioned that they are looking for network and you are an expert in web application, then please do not apply, because it does not make any sense to apply and waste your time and their time as well, because they have described: we are looking for this particular thing, and we are looking for a starting-level opportunity or something like that. So whenever you start, look at the job description and try to understand each and every point mentioned in that particular job description. And whenever you send a resume, don't just mention any bluff things in the resume. Sometimes what happens is, we write all the tools of security, right, and we don't know how to run them and how to exploit; we also sometimes mention the vulnerabilities but we don't know how to exploit them. Let's say we have mentioned a deserialization attack, so the interviewer will ask you the question, how do you exploit it, or something like that, right? And if you have got a bounty or something in that particular area, then they will ask you about that particular bounty as well. If you mention that I have found a bug in Google, and at that time, finding the bug in Google, you took help from friends, that is fine, but you need to understand the finding which you have submitted to any platform, right? So you need to understand that particular finding in depth, and you need to do analysis after the review or acceptance of the things. Like you are in Snyk, so you might know better than me: whenever any bug comes into the picture, what are the things, how far can the attacker do the exploits or something like that. So you need to also understand the CIA triad: confidentiality, integrity and availability. If all three are vulnerable and all three are exploitable, then it will definitely be more than high, a critical vulnerability as well. So these are the things we need to manage when sending the resume and matching the job description with our resume.

Yeah, and that's good, studying the company, you know, because you have to imagine you're not the only person applying. So somehow you have to be set apart from the other candidates, right? So if you actually study the company, you show that you're interested. They look at that as, oh, this guy's not just looking for a job. This individual, this man, this woman, is looking for an actual career. That's a big difference from just a job. They're going to look at you differently as a candidate. So it is important, like you said, to study the company. What do they do? Did they acquire a company? Acquisitions: sound interested, bring these things up, and they're going to see that you're different, right? But one of the things, though, is it could be tough, because let's say you're trying to break into the industry, as we're talking about, and you may know some people, or you may know some people from afar. You see their

LinkedIn or you see their Twitter and they're doing so many good things, so many big things, but you feel like, man, maybe I can't catch up to them. It's too late. I don't know if I can make it in cyber security; what's the point of even starting? So that kind of thing that happens in your mind, the syndrome, right? How do you handle that when that happens? Because we know those things happen, where you see people doing so well and you're wondering, man, would I be able to get into that? How do you deal with that thought process?

Yeah. So I said you are not at all late, right? So don't think people have already started and they are already in the field and they have already found issues and all, so how will you find it? No, you are not at all late. I just want to suggest to everyone who is new, who wants to grow his career in cyber security: whenever you choose a target, just focus on what exactly, and try to find something new, not focusing on XSS and all those things, right? And the one thing I want to suggest: patience is a key. Patience. Patience is the key, right? I have seen people, on any platform, they reported issues and after that they are just sitting and waiting for a bounty: when will my bounty come, what will be next? People are not sleeping: oh my god, a mail is coming, okay, how much bounty? But after that they get the message that it got duplicated or rejected or something. So you are wrong; whenever you find the issues, after the report, forget about it, leave what you have done, just move on to the next thing and be patient. If your bug is valid and you are the first one, then definitely you will get the reward, right? So find something new, and read the applications, read them completely.

Yeah, okay, that's good. Do you have thoughts?

Yeah, so I want to say, what you mentioned can be more accurately called imposter syndrome, and I think the two keynotes have already spoken about it, and we all face it. Let's agree. But yeah, that's something that should not burn you out and stop you from trying. I did not find my first bug until I was one month into it. Okay. And from the first day that I found it, after that I've been doing it. I'm not leaving security. So keep trying. That's the key.

Yeah. Keep trying. Keep trying. When I found my... wait, hold on one second, because I want to make sure we go through everyone. Yeah, what were you going to say?

Okay, so, one of the questions you asked, right, I was in that dilemma also, yesterday itself. I was like, I'm surrounded by so many fields, so what would be the long-term goal? And in the beginning itself, like three years or two years back, I was the same. Okay, I wanted to start, I don't know, I was reaching out to people. So at that time I was already working as an intern, but I was like, I wanted to explore more; it's not enough, cyber security is not only this much, I wanted to explore more. So I started reaching out to people: hey, I know this much, but I wanted to explore this area as well, can you help me with it, because I am just starting. And, as I mentioned, the background of cryptography and all this and detecting anomalies, right? So it's quite deeper than the web application or the API security. So try to reach out to people on LinkedIn or Twitter also; ask them. You see the profile, okay, they are doing great, or you can utilize communities as well: hey, you are doing great with it, can you help me with the dos and don'ts, and maybe give some direction at least. And don't expect them to give you the exact, okay, this is how you do it; don't expect them to teach you everything. Just ask for the direction and resources.

But yeah, I think that's the beauty of cyber security: you have to keep learning. So that's good. I mean, you do want a community of people that you're going to ask questions to, and as a community we just need to be helpful for each other as well. Does anyone out here have any questions for the panel? Any questions that you might have in your mind that you would like answered, that they can help with?

Thank you so much. How to find the resources, as I am a beginner in this huge cyber security field? So how to find the resources, that this is the best thing I want to learn; how to start, what is the first step we need to take for the field of cyber security? Thank you.

You want to take it? Then, yeah, I would say cyber security is a vast domain. I would suggest you first start looking at different domains, okay, so that you can first find your field of interest, and once you can recognize your interest, nothing is going to stop you, because if something interests you, it keeps you awake and you'll never get tired. You'll start learning it. That's the first thing that I would suggest, and people will add to it.

Actually, I agree with Kainat: you have to first explore enough. I'll give you my example. I was one of you: okay, what to learn and all these things. But I explored enough; so I'm one of those who has a master's and all this, went for the traditional approach, but to some extent that helped me. I figured out what I like, what I didn't like. If someone says something, I would confidently enough say, no, I don't have the interest in it, I won't explore it; but if someone comes up with, okay, web application, I'm liking it; machine learning, I'm liking it; AI, I'm liking it. Now, to find good enough resources, take help from seniors; at least they have the experience. For example, if you are liking web application, right, see who is working from the past two, three years, or at least five years; they know what could be a basic resource that is good to start with. Now, to explore in depth, that's up to you, what you like, because some resources they will find good for them that won't work for you, because of the level of understanding, right, and maybe you might be a visual learner also, or maybe an audio learner; so it varies. But basically, I would say take help from the seniors. Sometimes you won't get it; for example, well, I was digging into one particular topic, I was just searching all together.

Yeah, that's really important though, because everybody has different things that they like. So it'd be hard to give an exact answer, because it depends what you like, because the person giving you the answer, they may like something, but you may not like it. So that's a good thought process. We have one more round before our time is up. If there are no more questions, we'll just finish answering the last one. Oh, you have... okay.

My question is for you, actually. I am also, just as you said, so I related with you that, yes, I am an undergraduate in the last year, and last year also I attended BSides. Like you said, ask your seniors, and whenever you go to your seniors they say, read documentation for knowing the technical side of things. So what are these documentations and where can we find them? See, we can read papers for something: like if you want to build a basic AI or some application, we read papers where they mention the tools and everything, and then we just have to go through it and we can get a basic idea of how that will function. So what are these documentations for cyber security they are talking about, and where can we find them?

Okay. So let me just confirm... Well, we're actually going... this is going to be the last question. I'm going to have anyone that hasn't had a chance to speak yet at the end. Anybody have an answer for that? Okay. Yeah, you can just finish. This should be the last one. Yeah, you can finish. Yep.

Okay. So as you mentioned, the documentation: I don't agree that only documentation is the key, because I refer to YouTube videos as well, curriculum as well. That's why I mentioned earlier, right, figure out how you learn quickly. If someone has a hold of reading, they will refer to the documentation. Now I will tell you why documentation: for example, OWASP has the video and the documentation. The documentation goes in depth; that's why they are telling you to go through the documentation part. Now, to find a particular one, that's again, for example, for web application, OWASP, right, so it's standard documentation. For cloud, if you say AWS, they have that documentation very well written. So I think that's one of the keys to going through. But I'm not telling that... okay. But you will have all the things in one place. So that's why it works as a kind of book. So thank you.

Yeah, thank you for answering. Our time is up; we have to keep rolling. But you can always ask questions after, for sure. Thank the panelists for their time and the answers and their experience that they shared with you. These are celebrities here in front of us, and we want to thank you for your time. So, thank you so much for sharing. Thank you everyone. Thank you everyone.