Flip Cycle of Computing
blog.anantshri.info
April 08, 2024
In the world of computing, I have observed an interesting trend in the last 2 decades. I thought it might be useful to put it out in writing, and others might get some other thoughts around it.
Technology follows cycles, and things eventually travel full circle like a fly sitting on a bicycle wheel.
Tags: Future of Work, IT Strategy, Management
How Infosec Can Learn from Healthcare and Aviation
blog.anantshri.info
March 01, 2024
Over the past several days, I’ve been deeply immersed in the world of medicines and hospitals, a realm undeniably crucial for sustaining human life. Interestingly, the field of information security (infosec) often views itself through a similar lens of indispensability.
Tags: Business Strategy, Cybersecurity
Playing with NFC Cards
blog.anantshri.info
November 15, 2023
Have you also been bombarded with ads about NFC Visiting Cards for 1000 rupees or 2000 rupees? Make one card and never make another. I have been lately (ya ya, ad blocker, yada yada: these are not simple ads (Insta ads) that can be blocked via Pi-hole; if you can, do share tips, I would love a cleaner feed for myself).
Tags: Cybersecurity, Security
Startups vs. Corporates: Unblurring the Lines for Job Seekers
blog.anantshri.info
September 28, 2023
A blog post exploring the differences between startup and corporate roles, especially cautioning about the risks startups carry.
Tags: Careers, Lean Startup
Big Fish or Bigger Pond? Rethinking the Future of Tech Companies
blog.anantshri.info
June 24, 2023
Challenging the status quo in tech: could a future with numerous smaller, cooperative organisations be more beneficial than a handful of giants dominating the scene? Unity in diversity: perhaps it's time for a change.
Tags: Lean Startup
Mastering the Essential Skills for the Digital Age
blog.anantshri.info
May 29, 2023
Uncover the power of four essential digital-age skills: variable speed reading, enhanced typing speed, sustained focus, and critical thinking. Learn practical tips for honing these abilities, driving productivity and success in the rapidly-evolving digital landscape.
Tags: Careers, Personal Branding, Social
PrivateGPT and CPUs with no AVX2
blog.anantshri.info
May 24, 2023
Venturing into AI with older CPUs: my journey to run LLM models with privateGPT and gpt4all on machines with no AVX2.
Tags: AI, Emerging Technology, Generative AI
My thoughts on the new and emerging world of GPT, AI, LLM
blog.anantshri.info
May 20, 2023
Exploring the fascinating new world of GPT, AI, and LLMs. Discussing search engines, education, privacy, prompt engineering, and our perception of intelligence.
Tags: AI, Generative AI, Education
Life as a Lefty in a Right-Handed World
blog.anantshri.info
May 04, 2023
As a lefty, or southpaw, my perspective of the world has always been different from the majority's. Right from being looked upon differently whenever I eat or do things with my left hand, to being told that it's not the right way of doing things (pun intended). To inform those uninformed we the leftie
Tags: Social
OSINT on Decentralised / Federated Software (Mastodon, Pixelfed and more)
blog.anantshri.info
November 23, 2022
Decentralized federated social media (aka the fediverse) is the talk of the town, especially with the Twitter drama that’s unfolding right now. To know more about fediverse software, https://fediverse.party/en/miscellaneous/ is the best list of software. I was curious about OSINT activities that
Tags: Cybersecurity, Digital Disruption, Emerging Technology
Individual Contributors in the corporate world: my observations
Anantshri Blog
December 24, 2021
In this article I would like to explore the idea of Individual Contributors and the various notes and references I have been able to collect so far, continuing my observations from Richard Hamming’s “You and Your Research”. There is a section where a specific personality defect, termed “ego assertion”, is explained. We will explore that today.
Tags: Diversity and Inclusion, Leadership, Management
Cybersecurity: Passion or Profession
Anantshri Blog
December 21, 2021
This blog post takes notes from an excellent talk by Richard Hamming called “You and Your Research”. It's interesting how some talks leave a mark, and you derive your own conclusions and way forward when you spend enough time thinking about the topic. Over a period of time my thoughts have changed on this particular discussion, and I have tried to outline those points below. A large number of people have talked about this talk in various manners, so I would not like to do that again but rather point you to this and this.
There was a time when I used to tell almost any of my fellow colleagues in the information security industry that this is a must read / watch, and to look at what he is talking about: it made so much sense. However, I have stopped doing that now, or rather I have started to caveat it a lot before I ask people to go through it.
There are some points about that talk which I kept missing:
Tags: Cybersecurity, Leadership
Semgrep: scanning unusual extensions
blog.anantshri.info
May 14, 2021
For the last few months I have been spending time with the semgrep tool. As many features as it has, it's still a growing tool and does need a bit of handholding. Here I will quickly explain how to hack the base code of semgrep to make it work against your specific language even though the input file extension
Tags: Cybersecurity, Supply Chain
My experiments with Game Capture Card
blog.anantshri.info
April 04, 2021
I have been playing on my Nintendo Switch for a long time now and have thought about recording my gameplay for reference. For the past few days I have been reading about how to do game streaming and / or recording. I found a lot of interesting things and a simplified way to achieve my goal. This … My
Tags: SportsTech
Anant Srivastava: Navigating AI, Open Source, and Community in Cybersec
BugBase
September 11, 2023
Tags: AI, Careers, Cybersecurity
Quantifying Defence (Ask A CISO SE03EP09)
Horangi Cybersecurity Podcast
April 06, 2023
Join us on this episode of the Ask A CISO podcast as we discuss how to quantify defence with Anant Shrivastava, an information security professional with over 15 years of corporate experience and expertise in Network, Mobile, Application, and Linux Security. Along with host Mark Fuentes, he discusses looking at the big picture, why DevSecOps as a term should not exist, and the value of investing in cybersecurity.
Tags: Cybersecurity, IT Operations, Leadership
Podcast with Anant
WeHackPurple
February 09, 2023
In this episode of the We Hack Purple podcast, host Tanya Janca met with Anant Shrivastava! We talked about securing the entire software supply chain (including your CI/CD and where you get your packages from), and how it is more than just buying a software composition analysis (SCA) tool. He explained the new and very different risks of securing a mobile app versus a regular web app or an API, that he’s more of an ops than a dev person, and how the risks are all coming together now that many of us are doing DevOps. He shared his numerous open source projects, such as Code Vigilant: https://codevigilant.com/, TamerPlatform: https://tamerplatform.com/ and HackingArchivesOfIndia: https://hackingarchivesofindia.com/.
Tags: Cybersecurity, DevOps, Supply Chain
Podcast with Miho
Miho
January 26, 2023
Discussion around how to convert offline training to online training.
Tags: Cybersecurity, EdTech, Entrepreneurship
How to Start Your Career in Cybersecurity : Red Teaming / Pentesting
Prabh Nair
September 09, 2022
In this session we have covered some great topics around:
1) How to start your career in cybersecurity
2) What is Penetration Testing and how is it different from Red Teaming?
3) What skills are required for becoming a Pentester and Red Team Expert?
Useful Links
Null Discord : https://discord.gg/MMDJdaWU2U
Adversary village : https://discord.gg/ds8hCb3Jvn
Red Team Village : https://discord.gg/wWJR4DtSgb
Recon village : https://discord.gg/FUq8bvE7mV
Cloud village : https://discord.gg/rZBn7w4xG2
Tags: Cybersecurity, Security, Supply Chain
Chat with Anant
IT Chat with Abhi
December 30, 2020
A light-hearted discussion around cybersecurity, how I got involved, and my journey through it.
Tags: Cybersecurity, Leadership, Management
Safety Talk #66 - Offensive and Defensive Cybersecurity
SafetyTalk Podcast
December 31, 1969
Tags: Cybersecurity, Security
Locknote: Conclusions and Key Takeaways from Day 2
BlackHat
August 12, 2022
Tags: Cybersecurity, IT Operations, National Security
Security Then vs Now
Null Community
June 11, 2022
Discussing the security scenario a decade ago and how things have evolved in the security landscape.
The panellists are:
Anant Shrivastava (https://twitter.com/anantshri)
Prashant Mahajan (https://www.linkedin.com/in/prashant3535)
Hosted by Kumar Ashwin (https://twitter.com/0xcardinal)
Tags: Cybersecurity, Security
Discussion: Citizen confidence on his mobile device is crucial for businesses as well as governance
IAMAI
January 17, 2022
Citizen confidence on his mobile device is crucial for businesses as well as governance
Satyendra Verma, Head - Indian Citizens Assistance for Mobile Privacy & Security (I-CAMPS), IAMAI
Pani Prasad, Director, NCCS, Department of Telecommunications (DoT), Government of India
Sumit Monga, Head - Government Affairs, Lenovo
Subho Halder, Co-Founder & CISO, Appknox
Anuj Bhansali, Head - Trust & Safety, PhonePe
Anant Shrivastava, Project Leader - Androidtamer & Android Security Researcher
Tags: Cybersecurity, Mobility, National Security
Panel on Shift Level with CISOs Part 1, with Anant Shrivastava and Patrick Pitchappa
SNYK
August 31, 2021
Focused discussion around the practicality of shifting left from a CISO's point of view.
Tags: Cybersecurity, DevOps, Leadership
Panel discussion: Adversary simulation, emulation or purple teaming - How would you define it?
Adversary Village @ Defcon
August 07, 2021
A deep-dive discussion around the emerging field of adversary emulation and purple teaming: what fits in which bucket and how things are evolving.
Tags: Cybersecurity, Emerging Technology, Supply Chain
RTV Panel: Pre-empting Attacks - Relevance Of Red Teaming In Enterprises
RedTeam Village @ Hack in the Box
February 04, 2021
Discussion around how Red Teaming is evolving.
Tags: Cybersecurity, Emerging Technology, Supply Chain
Beyond The Code / SBOM: Supply Chain Security
Bsides London
December 09, 2023
Supply chain security is the new buzzword in town and everyone is gaga about it. After the executive order and the SSDF / SLSA documents were released, every single vendor added SBOM capabilities and declared the problem solved. The problem is, it's not solved: supply chain security is not a new problem and SBOM is not the final solution. This talk aims to give an overview of supply chain security and then address the following points:
How supply chain security is an age-old concept.
What has changed in the last few years and how that affects this problem space.
At a broader level, how SLSA / SSDF are trying to address the problem.
What is still missing in the market and what needs to be done beyond buying tools.
Tags: Cybersecurity, Security, Supply Chain
Expanding capability horizons: Homelabs and beyond
C0c0n Conference
October 06, 2023
Tags: Careers, Education, IT Operations
Developer Security Based on 15 Years Experience
The Big Fix 2023 by Snyk
February 28, 2023
Tags: Business Strategy, Cybersecurity, Security
RTV: Attacking Storage Services: The Lynchpin Of Cloud Services
Red Team Village @ Hack in the Box
February 04, 2021
We all agree that most organizations have some service or other running in cloud environments. To add to it, there are assets that are not linked directly to the public and not easily spotted. When it comes to Red Team engagements it boils down to a simple statement: “Are you able to find something that wasn’t supposed to be visible in the first place?” Storage services offered by the cloud providers are usually not visible directly to the end user and are often overlooked by pentesters and Red Teamers. In this talk we will be looking at the storage services of different cloud vendors and how, if not properly configured, they could lead to a lot of damage to the organization.
Storage services are almost always the second service started by cloud vendors after IaaS, and it is done in that order for a reason. Cloud storage, irrespective of how simple it looks, is a complex, deeply integrated component of cloud services. The primary purpose of storage services is to hold data of all kinds; besides its primary function it also performs multiple other actions. Storage allows building higher-abstraction services on top of it, such as:
Static file hosting, FaaS or PaaS code hosting, and log storage
Due to its versatility, storage is an area which should be looked at with a fine-tooth comb. However, the situation is far worse than what we can imagine: from exposing buckets to the public, to leaking API keys or SSH keys in public. Things go from bad to worse when buckets are also leaking write access to source code, leading to full account takeover scenarios. This talk will cover the following aspects of Cloud Storage Services.
1. Basics of Cloud Storage Services and why to target them
2. Attack Methodology to be followed
3. Various attack scenarios from real and bug bounty world
4. What are cloud vendors doing to protect this
5. What the developers or admins have to keep in mind
6. Question and Answer
Note: Case studies will be interspersed throughout the slides
Tags: Cloud, Cybersecurity, DevOps
DevSecOps: What, Why and How
BlackHat USA
August 08, 2019
In a typical DevOps cycle, security is often added towards the end through a manual or automated review. With DevSecOps, however, security can be injected at every stage of a DevOps pipeline in an automated fashion. Having a DevSecOps pipeline enables an organization to:
* Create a security culture amongst the already integrated “DevOps” team.
* Find and fix security bugs as early as possible in the SDLC.
* Promote the philosophy “security is everyone’s problem” by creating Security champions within the organization.
* Integrate all security software centrally and utilize the results more effectively.
* Measure and shrink the attack surface.
In this talk, we shall focus on how a DevOps pipeline can easily be metamorphosed into a DevSecOps pipeline and the benefits which can be achieved with this transformation. The talk (assisted with various demos) will focus on developing a DevSecOps pipeline using free/open-source tools on various deployment platforms, i.e. on-premise, cloud-native and hybrid scenarios. We will then dive into the cultural aspects of DevSecOps and the changes needed to get tangible benefits. The talk will also present various case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.
Tags: Cybersecurity, DevOps, Startups
When the Internet Bleeded
RootConf by HasGeek
June 05, 2014
The talk will cover various TLS / SSL related bugs identified in the past year:
HeartBleed
GNUTLS Bug
Apple SSL Bug
Lucky 13
BEAST
CRIME
These bugs have shaken the core premise of secure communication. The talk will focus on bringing a basic understanding of these issues to administrators and developers. Besides this, the talk will also address some burning questions that are now being raised in the wild, such as:
How secure are secure socket libraries?
Is open source code really secure?
Is it really true that “given enough eyeballs, all bugs are shallow”?
Should we move towards higher-abstraction languages?
and, most importantly:
What it really means for an administrator / DevOps person.
Tags: Cybersecurity, DevOps, Supply Chain
Beyond the Code: Securing Your Software Supply Chain
c0c0n 16
October 05, 2023
In an era where up to 80% of your code can come from third parties, the security of your software supply chain is more critical than ever. Software isn't built in silos anymore. It's built on a complex web of dependencies, with each component sourced from different providers across the globe. This opens up a myriad of vulnerabilities, making your software supply chain a prime target for cybercriminals.
Welcome to our two-day intensive course on Software Supply Chain Security. This is not just another IT security course. It's a journey that takes you beyond the confines of your own code, diving into the interconnected world of software development and delivery.
Tags: Cybersecurity, Risk Management, Supply Chain
Attack and Defend Android Applications
BlackHat USA 2023
August 05, 2023
This course takes a focused approach to Android application security. We start by identifying the various ways in which an Android application could be attacked and then cover various scenarios in which Android application pentesters will struggle:
How to intercept the traffic (http/https/WebSocket/non-http)
How to bypass root detection
How to perform static and dynamic analysis of the application
Exploiting deep link flaws
How to perform dynamic instrumentation (Frida / Xposed / Magisk)
How to analyze HTML5 and non-Java / Kotlin applications
Throughout the day, students will be exposed to multiple applications with deliberate weaknesses that they will exploit using the techniques covered in the class. We will also have additional applications that students can play with after the class.
Then we shift gears and focus on defending the applications; the major areas covered are:
Application Threat Modeling
Application Source code Review
Identifying weaknesses
Adding Security into CI / CD Pipeline for the application
Result analysis and further actions
This section will be covered in a hand-holding fashion, with a focus on ensuring everyone is able to set up a pipeline for a deliberately insecure application, discover the flaws, and subsequently fix them.
We then cap this course off by covering secure coding strategies and defense-in-depth implementation logic:
Anti-tampering
Code obfuscation
SSL Pinning / Root Detection strategies
The aim is not to take students from zero to hero, but to provide a methodical approach with which any Android application assessment could be performed by the participants. Students are provided with access to a learning portal, a soft copy of the slides, detailed answer sheets and AMIs for the environment.
Tags: Cybersecurity, Mobility, Security
Attack and Defend Android Applications
BlackHat USA 2022
August 06, 2022
Beginner / Intermediate level course covering tips and tricks around Android application attack and defense.
Details are available at https://cyfinoid.com/android-application-training/ or publication page.
Tags: Cybersecurity, DevOps, Mobility