Individual Contributors in corporate world: my observations
Anantshri Blog
December 24, 2021
In this article I would like to explore the idea of individual contributors and the notes and references I have been able to collect so far, continuing my observations from Richard Hamming's "You and Your Research". There is a section where a specific personality defect, termed "ego assertion", is explained. We will explore that today.
Tags: Diversity and Inclusion, Leadership, Management
Cybersecurity: Passion or Profession
Anantshri Blog
December 21, 2021
This blog post takes notes from an excellent talk by Richard Hamming called "You and Your Research". It's interesting how some talks leave a mark and you derive your own conclusions and way forward when you spend enough time thinking about the topic. Over a period of time my thoughts have changed on this particular discussion and I have tried to outline those points below. A large number of people have talked about this talk in various manners, so I would not like to do that again but rather point you to this and this.
There was a time when I used to tell almost any of my fellow colleagues in the information security industry that this is a must read / watch and to look at what he is talking about: it made so much sense. However, I have stopped doing that now, or rather I have started to caveat it a lot before I ask people to go through it.
There are some points about that talk which I kept missing:
Tags: Cybersecurity, Leadership, National Security
Secretary Null Community
Null Community
October 30, 2018
Secretary for Null community.
null is one of the most active, open security communities. Registered as a non-profit society in 2010. One of the main objectives for null is spreading information security awareness. In a calendar year, null chapters host about 100+ events across security domains and impact about 8000-10000 security professionals, enthusiasts, and beginners with their initiatives. null is open, professional, inclusive, responsible, and most importantly completely volunteer-driven.
Responsible for
1. Helping manage the society's operations.
2. Helping drive new directions.
Tags: Cybersecurity
Podcast with Anant
WeHackPurple
February 09, 2023
In this episode of the We Hack Purple podcast host Tanya Janca met with Anant Shrivastava! We talked about securing the entire software supply chain (including your CI/CD and where you get your packages from), and how it is more than just buying a software composition analysis (SCA) tool. He explained the new and very different risks of securing a mobile app versus a regular web app or an API, that he's more of an ops than a dev person, and how the risks are all coming together now that many of us are doing DevOps. He shared his numerous open source projects, such as: code vigilant: https://codevigilant.com/, TamerPlatform : https://tamerplatform.com/ and HackingArchivesOfIndia https://hackingarchivesofindia.com/.
Tags: Cybersecurity, DevOps, Supply Chain
Podcast with Miho
Miho
January 26, 2023
Discussion around how to convert offline training to online training.
Tags: Cybersecurity, EdTech, Entrepreneurship
How to Start Your Career in Cybersecurity : Red Teaming / Pentesting
Prabh Nair
September 09, 2022
In this session we covered some great topics around:
1) How to start your career in cybersecurity
2) What is penetration testing and how is it different from red teaming?
3) What skills are required to become a pentester or red team expert?
Useful Links
Null Discord : https://discord.gg/MMDJdaWU2U
Adversary village : https://discord.gg/ds8hCb3Jvn
Red Team Village : https://discord.gg/wWJR4DtSgb
Recon village : https://discord.gg/FUq8bvE7mV
Cloud village : https://discord.gg/rZBn7w4xG2
Tags: Cybersecurity, Security, Supply Chain
Chat with Anant
IT Chat with Abhi
December 30, 2020
A light-hearted discussion around cybersecurity, how I got involved and my journey through it.
Tags: Cybersecurity, Leadership, Management
Security Then vs Now
Null Community
June 11, 2022
Discussing the security scenario a decade ago and how the security landscape has evolved since.
The panel:
Anant Shrivastava (https://twitter.com/anantshri)
Prashant Mahajan (https://www.linkedin.com/in/prashant3535)
Hosted by Kumar Ashwin (https://twitter.com/0xcardinal)
Tags: Cybersecurity, Security
Discussion- Citizen confidence on his mobile device is crucial for businesses as well as governance
IAMAI
January 17, 2022
Satyendra Verma, Head - Indian Citizens Assistance for Mobile Privacy & Security (I-CAMPS), IAMAI
Pani Prasad, Director, NCCS, Department of Telecommunications ( DOT ), Government of India
Sumit Monga, Head - Government Affairs, Lenovo
Subho Halder, Co-Founder & CISO, Appknox
Anuj Bhansali, Head - Trust & Safety, PhonePe
Anant Shrivastava, Project Leader - Androidtamer & Android Security Researcher
Tags: Cybersecurity, Mobility, National Security
Panel on Shift Level with CISO's Part - 1 with Anant Shrivastava and Patrick Pitchappa
SNYK
August 31, 2021
Focused discussion around the practicality of shifting left from a CISO's point of view.
Tags: Cybersecurity, DevOps, Leadership
Panel discussion: Adversary simulation, emulation or purple teaming - How would you define it?
Adversary Village @ Defcon
August 07, 2021
A deep-dive discussion around the emerging field of adversary emulation and purple teaming: what fits in which bucket and how things are evolving.
Tags: Cybersecurity, Emerging Technology, Supply Chain
RTV Panel: Pre-empting Attacks - Relevance Of Red Teaming In Enterprises
RedTeam Village @ Hack in the Box
February 04, 2021
Discussion around how red teaming is evolving.
Tags: Cybersecurity, Emerging Technology, Supply Chain
RTV: Attacking Storage Services: The Lynchpin Of Cloud Services
Red Team Village @ Hack in the Box
February 04, 2021
We all agree that most organizations have one service or another running in cloud environments. On top of that, there are assets that are not linked directly to the public and are not easily spotted. When it comes to red team engagements it boils down to a simple statement: "Are you able to find something that wasn't supposed to be visible in the first place?" Storage services from the cloud providers are usually not visible directly to the end user and are often overlooked by pentesters and red teamers. In this talk we look at the storage services of different cloud vendors and how, if not properly configured, they can lead to a lot of damage to the organization.
Storage services are almost always the second service a cloud vendor launches after IaaS, and that order is no accident. Cloud storage, irrespective of how simple it looks, is a complex, deeply integrated component of cloud services. The primary purpose of storage services is to hold data of all kinds, but beyond that they perform multiple other roles. Storage allows building higher-abstraction services on top of it, such as:
* Static file hosting
* FaaS or PaaS code hosting
* Log storage
Due to this versatility, storage is an area which should be looked at with a fine-tooth comb. However, the situation is far worse than one might imagine: from buckets exposed to the public, to API keys or SSH keys leaked in public. Things go from bad to worse when buckets also leak write access to source code, leading to full account takeover scenarios. This talk will cover the following aspects of cloud storage services:
1. Basics of Cloud Storage Services and why to target them
2. Attack Methodology to be followed
3. Various attack scenarios from real and bug bounty world
4. What are cloud vendors doing to protect this
5. What the developers or admins have to keep in mind
6. Question and Answer
Note: Case studies will be interspersed throughout the slides
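As an added example for the "what the developers or admins have to keep in mind" part of this abstract (this is not code from the talk), the following script reads an S3-style bucket policy document and reports what an unauthenticated caller is granted without any condition, then triages it in the order the abstract describes: public write is the source-code and takeover path, public listing turns a bucket into a searchable dump, public read alone is sometimes legitimate (static hosting) and needs a human look. The policies and bucket names below are constructed for illustration. The script looks only at the policy document; on AWS the bucket ACL and the account-level Block Public Access settings are evaluated separately, so a clean policy is necessary but not sufficient.

```python
"""Flag unconditional anonymous access in an S3-style bucket policy.

Added example for this listing, not code from the talk. It parses the usual
AWS bucket-policy JSON shape (Statement / Effect / Principal / Action /
Condition) and reports what an unauthenticated caller could do. Resource
ARNs are deliberately ignored: a bucket policy only ever scopes its own
bucket. Sample policies and bucket names are constructed for illustration.
"""

LIST_ACTIONS = {"s3:listbucket"}                        # enumerate object keys
READ_ACTIONS = {"s3:getobject"}                         # download objects
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject",     # modify objects ...
                 "s3:putbucketpolicy", "s3:putbucketacl"}  # ... or the bucket itself
ALL_ACTIONS = LIST_ACTIONS | READ_ACTIONS | WRITE_ACTIONS


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """"*" or {"AWS": "*"} (possibly inside a list) means everyone,
    including callers with no credentials at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _matches(pattern, action):
    """IAM action matching: exact, '*', 's3:*', or prefix wildcard 's3:Get*'."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def anonymous_actions(policy):
    """Actions from ALL_ACTIONS granted to an anonymous caller with no
    Condition. Conditional statements are skipped because a condition
    (source VPC, IP range, ...) may or may not restrict them; an explicit
    anonymous Deny wins over any Allow, as in IAM evaluation."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _is_anonymous(stmt.get("Principal")) or stmt.get("Condition"):
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            target.update(a for a in ALL_ACTIONS if _matches(pattern, a))
    return allowed - denied


def anonymous_access(policy):
    granted = anonymous_actions(policy)
    return {"list": bool(granted & LIST_ACTIONS),
            "read": bool(granted & READ_ACTIONS),
            "write": bool(granted & WRITE_ACTIONS)}


def severity(policy):
    """Triage in the order the scenarios suggest: write beats list beats read."""
    access = anonymous_access(policy)
    if access["write"]:
        return "critical"   # anyone can plant code, artifacts or a new policy
    if access["list"]:
        return "high"       # keys are enumerable, so secrets in names leak too
    if access["read"]:
        return "review"     # normal for a static site, fatal for a backup bucket
    return "none"


# Constructed sample policies (bucket names are made up).
STATIC_SITE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-static-site/*"}]}

LISTABLE_BACKUPS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]}

WORLD_WRITABLE_CI = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-ci-artifacts/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutBucketPolicy",
     "Resource": "arn:aws:s3:::example-ci-artifacts"}]}

VPC_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-internal/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

if __name__ == "__main__":
    for name, pol in (("static site", STATIC_SITE), ("backups", LISTABLE_BACKUPS),
                      ("ci artifacts", WORLD_WRITABLE_CI), ("vpc only", VPC_ONLY)):
        print(f"{name:13} {severity(pol):9} {anonymous_access(pol)}")
```

The conditional statement in VPC_ONLY is reported as "none" rather than silently trusted: a reviewer still has to confirm the condition is actually restrictive, which is exactly the kind of thing an automated scanner gets wrong in both directions.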
Tags: Cloud, Cybersecurity, DevOps
DevSecOps: What why and How
BlackHat USA
August 08, 2019
Security is often added towards the end of a typical DevOps cycle, through a manual or automated review. With DevSecOps, security can instead be injected at every stage of a DevOps pipeline in an automated fashion. Having a DevSecOps pipeline enables an organization to:
* Create a security culture amongst the already integrated "DevOps" team.
* Find and fix security bugs as early as possible in the SDLC.
* Promote the philosophy "security is everyone's problem" by creating security champions within the organization.
* Integrate all security software centrally and utilize the results more effectively.
* Measure and shrink the attack surface.
In this talk, we focus on how a DevOps pipeline can be transformed into a DevSecOps pipeline and the benefits this transformation brings. The talk (assisted with various demos) will focus on developing a DevSecOps pipeline using free/open-source tools on various deployment platforms, i.e. on-premise, cloud-native and hybrid scenarios. We will then dive into the cultural aspects of DevSecOps and the changes needed to get tangible benefits. The talk will also present case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.
Tags: Cybersecurity, DevOps, Startups
When the Internet Bleeded
RootConf by HasGeek
June 05, 2014
This talk covers various TLS/SSL-related bugs identified in the past year:
HeartBleed
GNUTLS Bug
Apple SSL Bug
Lucky 13
BEAST
CRIME
These bugs have shaken the core premise of secure communication. The talk will focus on giving administrators and developers a basic understanding of these issues. Besides this, the talk will also address some burning questions now being raised in the wild, such as:
How secure are secure socket libraries?
Is open-source code really secure?
Is it really true that "given enough eyeballs, all bugs are shallow"?
Should we move towards higher-level abstract languages?
and, most important,
What it really means for an administrator / DevOps person.
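As an added example for the last question above (this is not code from the talk), here is a TLS client context that closes off the configuration side of the bug classes listed, together with an audit function that reports which mitigations a given context actually enforces. It uses only Python's standard ssl module; the cipher string and the audit check names are this example's own choices. Note the split it makes visible: BEAST, CRIME and Lucky 13 are mitigated by configuration (protocol floor, no compression, AEAD-only suites), whereas Heartbleed, the GnuTLS bug and Apple's certificate-check bug were library defects that no setting repairs; only patching does.

```python
"""A TLS client context hardened against the configuration-side bug classes,
plus an audit of what a context actually enforces.

Added example for this listing, not code from the talk. Standard-library ssl
only; the cipher string and the audit check names are this example's own.
"""
import ssl

# Suite names that identify an AEAD construction (no CBC padding to attack).
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def hardened_client_context():
    """Certificate and hostname verification, TLS 1.2 floor, no compression,
    AEAD-only cipher suites."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSLv3 / TLS 1.0 (BEAST-era CBC)
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME needs TLS-level compression
    # AEAD suites only: with no CBC suites, Lucky 13 style padding-oracle timing is moot.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def bare_client_context():
    """A context with the interpreter's defaults, for comparison."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def audit_context(ctx):
    """Report which mitigations a context enforces. 'verifies_peer' only says
    verification is switched on; whether the library then verifies correctly
    (the Apple and GnuTLS bugs) is a patching question, not a setting."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "tls12_floor": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "aead_only": all(any(m in n for m in AEAD_MARKERS) for n in names),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("bare", bare_client_context())):
        print(label, audit_context(ctx))
```

The bare context is not "insecure" in every respect (PROTOCOL_TLS_CLIENT already verifies the peer), but its cipher list still admits CBC suites, which is why the audit reports it rather than a simple pass/fail: an administrator wants to know which property is missing.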
Tags: Cybersecurity, DevOps, Supply Chain
Attack and Defend Android Applications
BlackHat USA 2022
August 06, 2022
Beginner / intermediate level course covering tips and tricks around Android application attack and defense.
Details are available at https://cyfinoid.com/android-application-training/ or on the publication page.
Tags: Cybersecurity, DevOps, Mobility
Security Issues in Android Custom ROM’s
Self-publishing
October 16, 2011
This paper attempts to look behind the wheels of Android, keeping a special focus on custom ROMs, and checks for security misconfigurations which could lead to device compromise, malware infection or data theft.
Tags: Cybersecurity, Mobility
Web application finger printing
Self-publishing
July 17, 2011
This paper discusses the relatively nascent field of web application fingerprinting: how automated web application fingerprinting is performed today, the visible shortcomings in that approach, and ways and means to avoid web application fingerprinting.
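An added example (not from the paper) of the mechanism a signature-based fingerprinter relies on, and of why the usual evasion advice of stripping banners is not enough on its own. The product names, signatures and the HTTP response below are all constructed for illustration and describe no real product; the response is modelled as a plain dict so the code runs offline.

```python
"""Signature-based web application fingerprinting, and the limit of banner stripping.

Added example for this listing, not code from the paper. The product names,
signatures and the HTTP response below are constructed for illustration.
"""
import re

# A signature combines evidence from three places. Header and generator-tag
# evidence is cheap for an administrator to remove; asset paths are not,
# because the page still has to link to the files that ship with the product.
SIGNATURES = {
    "ExampleCMS": {
        "headers": {"x-powered-by": re.compile(r"ExampleCMS/(\d+(?:\.\d+)*)")},
        "body": re.compile(r'<meta name="generator" content="ExampleCMS ([\d.]+)"'),
        "assets": re.compile(r"/examplecms-static/"),
    },
    "ShopKit": {
        "headers": {"x-shopkit-cache": re.compile(r"(HIT|MISS)")},
        "assets": re.compile(r"/shopkit/assets/"),
    },
}


def fingerprint(resp):
    """Return {app: {evidence_kind: captured_value_or_True}} for every
    signature that matches. resp is {"headers": {...}, "body": "..."}."""
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    body = resp["body"]
    found = {}
    for app, sig in SIGNATURES.items():
        evidence = {}
        for name, pat in sig.get("headers", {}).items():
            m = pat.search(headers.get(name, ""))
            if m:
                evidence["header"] = m.group(1) if m.groups() else True
        if "body" in sig:
            m = sig["body"].search(body)
            if m:
                evidence["body"] = m.group(1) if m.groups() else True
        if "assets" in sig and sig["assets"].search(body):
            evidence["asset"] = True
        if evidence:
            found[app] = evidence
    return found


# What most hardening guides tell administrators to remove.
BANNER_HEADERS = {"server", "x-powered-by", "x-generator", "x-aspnet-version"}
GENERATOR_META = re.compile(r'<meta name="generator"[^>]*>\s*', re.IGNORECASE)


def strip_banners(resp):
    """Drop version headers and the generator tag; asset paths are untouched."""
    return {
        "headers": {k: v for k, v in resp["headers"].items()
                    if k.lower() not in BANNER_HEADERS},
        "body": GENERATOR_META.sub("", resp["body"]),
    }


# Constructed response from a fictitious ExampleCMS install.
SAMPLE = {
    "headers": {"Server": "nginx", "X-Powered-By": "ExampleCMS/4.2.1",
                "Content-Type": "text/html"},
    "body": ('<html><head><meta name="generator" content="ExampleCMS 4.2.1">'
             '<link rel="stylesheet" href="/examplecms-static/css/theme.css">'
             '</head><body>hello</body></html>'),
}

if __name__ == "__main__":
    print(fingerprint(SAMPLE))                 # header, body and asset evidence
    print(fingerprint(strip_banners(SAMPLE)))  # asset evidence only, still identified
```

After strip_banners the version is gone but the product is still identified from the asset path, which is the point: hiding a fingerprint means changing what the application serves, not just what it says about itself.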
Tags: Cybersecurity, DevOps