Acest articol este un interviu cu Sahil Ahamad, Application Security Researcher ce este in acest moment pe locul 26 in clasamentul Hackerone.
Who is Sahil Ahamad? (some info about you so that people would get to know you better)
I’m a Security Engineer at Zomato, a tech-food startup based out of India. I’m also a full-time bug-bounty hunter since almost 5 years, have been around even when there were no platforms like HackerOne and Bugcrowd. I started my bug-bounty career by hunting on PayPal with my first $750 bounty. Also, I’m enjoying managing the Zomato bug bounty program on HackerOne (https://hackerone.com/zomato). Being on the other side of the fence gives you a great visibility and trust me internally everyone sees the researcher perspective and we’re absolutely listening. Always open for feedback.
You have been on both sides (freelance bug bounty hunter & security engineer at a company). What is the difference. In both places you search for bugs, do some architecture etc ? What do you like more, freelance or employee?
Both have been great experiences for me; with company you get to know a lot about the DevOps and internal processes of a security bug-cycle and product security, on other hands with bug-bounty: you have to work hard in black-box scenario, reconnaissance about the target, learning technologies insights and finding loop-hole where developer has missed out.With bug-bounty, I really like it because of it’s flexibility and it’s more like you are your own boss; you don’t need to go to office, you can just lie on the bed and hunt all day. However, I personally felt a mismanagement, and slow progression, therefore I decided to work as a security-engineer to learn more insights on how things work at company and at the DevOps level. Since I’ve joined the company, I found an enormous level of responsibility with an ongoing process of learning the DevOps/Infrastructure management cycle. You get to learn and involve yourself in pushing the code from staging servers to production, improving SSDLC process, automating the security tasks during SDLC, setting up monitoring tools, monitoring logs, solving fraud/security cases, training of software development engineers and keeping them updated with latest security threats.
Let’s say I am a freelancer, how can I approach a company and offer security testing services? A company that doesn’t have a bug bounty program.
Good Question 🙂 It’s very important to take consent from a company before performing any tests, since they do not have a bug-bounty program, that’s a clear cut indication that they have not given you or anyone a permission to test their infrastructure, but that also doesn’t means they do not take security seriously, hence the best option would be to connect with the concerned team and take an approval to perform security audit.Also, if you really care about the security for the product you are using and having some concerns, you can directly talk to them show the importance of having responsible disclosure policy or a bug bounty program, you can help them to set up. Show them what could go wrong, what can be done, what could be the cost, etc.
Can you share a few of your favorite tools?
The infosec community is created huge numbers of awesome open sources tools for various purposes, I’ve tried many tools for my various tasks but the followings tools are my favorite
- Burp Suite (Community/professional)
- Masscan by @robertdavidgraham
- Nmap by Gordon Lyon – Network scanning
- Subfinder by @Ice3man543, @codingo and other – Passive subdomain scanning
- Dirsearch by @maurosoria – Directory bruteforcer
- Gobuster by @oj – Direcory bruteforcer written in GO
- The various tools created by @tomnomnom including hacks, httprobe, waybackurls etc
- LinkFinder by @GerbenJavado
- Bucket Finder by @digininja
- Gowitness by @sensepostIf you guys are really interested in learning about more tools, I’ve written a detailed blog post on my medium – https://medium.com/@ehsahil/recon-my-way
What was the most dangerous or craziest bug you ever found?
In the year of 2015, I found an account takeover issue in a cryptocurrency bug bounty program, the vulnerability was tricky but very easy to exploit and the impact was really huge, I was awarded with 20 Bitcoins at that time. I was like Whoaaa!!!There was another critical issue I found, I’ve written about it here – https://medium.com/@ehsahil/getting-access-to-25k-employees-details-c085d18b73f0
What’s your advice for beginners who spend a lot of time reading and testing but have no results? Most tend to give up.
I usually get messages from the beginners “Not getting bounties even after working hard for 2 months”, I always tell them the result is not the only bounties you get, you are getting more precious thing than the bounty, which is experience, the more experience you will have in this field, the more will be the chances of winning. It’s not always about the bounties, the experience is more important, start from the basics, learn how things work and start trying to break them. Don’t limit yourself, keep growing so as you get more experience, there would be more chances of getting higher bounties. I’ve written another blog post on getting started into bug bounties – https://medium.com/@ehsahil/getting-started-in-bug-bounty-7052da28445a
Where do you think there is a lack of security engineers/bug bounty hunters? In mobile apps, IoT, desktop apps?
I believe, this industry is still growing not just a specific section of it, we need more security engineers/researchers/hunters in all of the sectors but I can surely say that the information security related skills will be in higher demand.
Considering that AI will improve everything we do in the future, do we still need security engineers or bug bounty programs?
We’re nowhere near to that, considering how complex apps are now getting built – it is really tough to automate the vulnerability-detection even with machine learning. There are vast varieties of vulnerabilities which need human intelligence to understand and find them, I do not think it would be possible in the near future until we get closer to True AI.
Don’t forget to check out the other interviews I posted with security researchers / white hat hackers here.