Interview with Mustafa Hasan (strukt)
Acest articol este un interviu cu Mustafa Hasan, security analyst (etical hacker) ce este in acest moment pe locul 36 in clasamentul Hackerone.
Who is Mustafa Hasan? (some info about you so that people would get to know you better)
I am a penetration tester at a local company called SecureMisr, where I do penetration tests on mobile, web, and desktop applications. I am also working as a security analyst at HackerOne, doing report triaging for the platform’s customers. I am also an active bug bounty hunter. I come from Egypt and I have been into the information security industry for a total of around 4 years.
I know you were a developer before. What’s the strategy to switch to security when you have a full time job, a familly, school etc?
Although I used to be a developer (technically a CS major with focus on Software Engineering), I never really worked as a full time developer. The first ever job I had was basic Android development of a little product me and a couple of friends worked on, it was discontinued a little bit later however. That was while being a student. I then switched to learning about information security generally, and focused more on appsec since I had an SE background. About a year into infosec I worked with Netsparker as a Q&A analyst, that only continued for 3 months. I then worked in R&D for my university when I transferred to study in Malaysia. After I finished my studies and got back to Egypt, I started working for SecureMisr, and only 3 months later I started triaging for HackerOne. All of that was going along side bug bounty hunting, which I started practicing about 3 years ago.
How can you approach a company and offer it your security testing services? Just to get some work/bugs/money on less crowded apps than the ones on Hackerone or BugCrowd.
I don’t normally approach a company that doesn’t have either a VDP or a BBP, since that would probably be illegal and I wouldn’t get much out of it. However, I sometimes try to find bugs in open source software. Although that almost never got me any monetary outcome, it helped me get some CVEs under my name, as well as allowed me to take part in the FOSS movement.
Can you tell us how a regular day of work goes for you? Do you include some hobby stuff or is it just work?
If I am up for a penetration test, I mostly wakeup and go the engagement. After that’s done, I get back home and have lunch with my wife, then do a couple of hours of triage, watch a movie or something with my wife, and call it a day. If no peneration tests are going on, I wake up and do some triage, code/learn/practice for sometime, then do some more triage, have lunch with my wife, work a little bit more, then go to sleep.
Of course a little bit of a mix of those takes place all the time. Apart from computers, I like going to plays, concerts, and the movies. I also like driving cars, travelling, and listening to classical, metal, EDM, and synthwave music.
Can you share a few of your favorite tools?
There are many, and I sure can’t list them all here. Some of them however are Burp Suite (Professional if possible), Genymotion for Android device emulation, dirbuster/gobuster/dirsearch, wfuzz, sqlmap, and of course nmap. I also have my own homemade set of tools that I use personally.
What’s your advice for beginners who spend a lot of time reading and testing but have no results?
Persistence is key. Rome wasn’t built in a day, and you have to persist and keep trying until you start seeing some results. You will eventually get somewhere as long as you are good with the basics. The community is also full of nice people that would be more than happy to help, just leave a DM/tweet.
What do you think would be the next big thing in security? IoT maybe?
I can’t really say, but I believe systems related to automobiles are going to have more coverage, and thus reveal a lot of new knowledge. IoT is also getting more focus by the community due to it’s increased usage and being more widespread over time, which is unveiling a lot of new attack techniques. I believe AI is going to be increasingly integrated with security-related software, like AV, IDS, IPS, etc.
The best advice you can give to a 16-18 years old that thinks about a career in IT?
Start with some programming knowledge. It doesn’t matter what you will end up doing, programming is a corner stone for the IT field. After getting a good grasp of how software is developed, learn about networking and databases. Learning those will expand your knowledge about how systems may be integrated and connected together. If those parts are becoming easy for you, dive deeper into web technologies, cloud computing, and mobile applications. After getting that much knowledge, you are most likely going to have a ground that your career can be built upon.
Find Mustafa on twitter.
Also read his blog.
Don’t forget to check out the other interviews I posted with security researchers / white hat hackers here.