Anant Shrivastava

Individual Contributors in corporate world: my observations
Anantshri Blog
December 24, 2021

In this article I would like to explore the idea of Individual contributors and various notes and references I was able to collect so far. Continuing my observations from Richard Hamming’s “You and Your Research” . There is a section where a specific personality defect is explained termed “ego assertion“. We will explore that today.

Cybersecurity: Passion or Profession
Anantshri Blog
December 21, 2021

This blog post takes notes from an excellent talk by “Richard Hamming” called “You and Your research”. Its interesting how some talks leave a mark and you derive your own conclusions and way forward when you spend enough time thinking about the topic. Over a period of time my thought’s have changed on this particular discussion and I have tried to outline those points below. A large number of people have talked about this talk in various manners so i would not like to do that again but rather point you to this and this.

There was a time when I used to refer to this to almost anyone of my fellow colleagues in the information security industry that this is a must read / watch and look at what he is talking about: It made so much sense. However, I have stopped doing that now or rather i have started to caveat it a lot before i ask people to go through it.

There are some points about that talk which I kept missing:

Secretary Null Community
Null Community
October 30, 2018

Secretary for Null community.

null is one of the most active, open security communities. Registered as a non-profit society in 2010. One of the main objectives for null is spreading information security awareness. In a calendar year, null chapters host about 100+ events across security domains and impact about 8000-10000 security professionals, enthusiasts, and beginners with their initiatives. null is open, professional, inclusive, responsible, and most importantly completely volunteer-driven.

Responsible for
1. Helping with managing the society operations.
2. Helping drive newer directions

Cyfinoid Research Private Limited
Cyfinoid
December 24, 2021

We are a boutique research and training firm. We focus on innovative research and we bring all of our research in public via our training programs

My 2 Paisa’s on Infosec World
DiverSecCon
November 14, 2021

I have delved into my experience and tried to summon my internal thought leader and speak to all sections of infosec industries

Freshers
Employers
Defenders
Attackers

Hopefully everyone will have something to take away from this.

Podcast with Anant
WeHackPurple
February 09, 2023

In this episode of the We Hack Purple podcast host Tanya Janca met with Anant Shrivastava! We talked about securing the entire software supply chain (including your CI/CD and where you get your packages from), and how it is more than just buying a software composition analysis (SCA) tool. He explained the new and very different risks of securing a mobile app versus a regular web app or an API, that’s he’s more of an ops than a dev person, and how the risks are all coming together now that many of us are doing DevOps. He shared his numerous open source projects, such as: code vigilant: https://codevigilant.com/, TamerPlatform : https://tamerplatform.com/ and HackingArchivesOfIndia https://hackingarchivesofindia.com/.

Podcast with Miho
Miho
January 26, 2023

Discussion around how to convert offline trainings to online trainings.

How to Start Your Career in Cybersecurity : Red Teaming / Pentesting
Prabh Nair
September 09, 2022

In this Session we have covered some great topics around
1) How to start your career in cybersecurity
2) What is Penetration Testing and how its different from Red Teaming ?
3) What skills are required for becoming an Pentester and Red Team Expert ?

Useful Links
Null Discord : https://discord.gg/MMDJdaWU2U
Adversary village : https://discord.gg/ds8hCb3Jvn
Red Team Village : https://discord.gg/wWJR4DtSgb
Recon village : https://discord.gg/FUq8bvE7mV
Cloud village : https://discord.gg/rZBn7w4xG2

Chat with Anant
IT Chat with Abhi
December 30, 2020

a light hearted discussion around cybersecurity and how I got involved and my journey through it.

Security Then vs Now
Null Community
June 11, 2022

discussing the security scenario a decade ago and how things have evolved in the security landscape.

The panel we have are -
Anant Shrivastava (https://twitter.com/anantshri)
Prashant Mahajan (https://www.linkedin.com/in/prashant3535)
Hosted by Kumar Ashwin (https://twitter.com/0xcardinal)

Discussion- Citizen confidence on his mobile device is crucial for businesses as well as governance
IAMAI
January 17, 2022

Citizen confidence on his mobile device is crucial for businesses as well as governance
Satyendra Verma, Head - Indian Citizens Assistance for Mobile Privacy & Security (I-CAMPS), IAMAI
Pani Prasad, Director, NCCS, Department of Telecommunications ( DOT ), Government of India
Sumit Monga, Head - Government Affairs, Lenovo
Subho Halder, Co-Founder & CISO, Appknox
Anuj Bhansali, Head - Trust & Safety, PhonePe
Anant Shrivastava, Project Leader - Androidtamer & Android Security Researcher

Panel on Shift Level with CISO's Part - 1 with Anant Shrivastava and Patrick Pitchappa
SNYK
August 31, 2021

Focused discussion around practicality of Shifting left from a CISO's point of view.

Panel discussion: Adversary simulation, emulation or purple teaming - How would you define it?
Adversary Village @ Defcon
August 07, 2021

A deep dive discussion around emerging field of adversary emulation, purple teaming. what fits in which bucket and how things are evolving.

RTV Panel: Pre-empting Attacks - Relevance Of Red Teaming In Enterprises
RedTeam Village @ Hack in the Box
February 04, 2021

Discussion around how Red Teaming is evolving

RTV: Attacking Storage Services: The Lynchpin Of Cloud Services
Red Team Village @ Hack in the Box
February 04, 2021

We all agree that most organizations have some or the other service leveraged over cloud environments. To add to it, there are assets that are not linked directly to the public and not easily spotted. When it comes to Red Team Engagements it boils down to a simple statement. “Are you able to find something that wasn’t supposed to be visible in the first place ?”. Storage services by the cloud providers are usually not visible directly to the end user and are often overlooked by pentesters and Red Teamers. In this talk we will be leveraging the possibility of Storage Services of different cloud vendors and how if not properly configured could lead to a lot of Damage to the organization.
Storage services are almost always the second service started by cloud vendors after IaaS, it is done in that order for a reason. Cloud Storage irrespective of how simple it looks, is a complex deeply integrated component for cloud services. The primary purpose of storage services is to hold data of all kinds, besides its primary function it also performs multiple other actions. Storage allows building higher abstraction services on top of the it such as:
Static file hosting,FaaS or PaaS code hosting and Log storage
Due to its versatility storage is an area which should be looked at with a fine tooth comb. However the situation is far worse than what we can imagine. From exposing buckets to public, to leaking api keys or ssh keys in public. Things go from bad to worse when buckets also are leaking write access to source code leading to full account takeover scenarios. This talk will cover the following aspects around Cloud Storage Services.

1. Basics of Cloud Storage Services and why to target them
2. Attack Methodology to be followed
3. Various attack scenarios from real and bug bounty world
4. What are cloud vendors doing to protect this
5. What the developers or admins have to keep in mind
6. Question and Answer
Note: Case studies will be interspersed throughout the slides

DevSecOps: What why and How
BlackHat USA
August 08, 2019

Security is often added towards the end, in a typical DevOps cycle through a manual/automated review. However, with DevSecOps, security can be injected at every stage of a DevOps pipeline in an automated fashion. Having a DevSecOps pipeline enables an organization to:

* Create a security culture amongst the already integrated “DevOps” team.
* Find and fix security bugs as early as possible in the SDLC .
* Promote the philosophy “security is everyone’s problem” by creating Security champions within the organization.
* Integrate all security software centrally and utilize the results more effectively.
* Measure and shrink the attack surface.

In this talk, we shall focus on how a DevOps pipeline can easily be metamorphosed into a DevSecOps and the benefits which can be achieved with this transformation. The talk (assisted with various demos) will focus on developing a DevSecOps pipeline using free/open-source tools in various deployment platforms, i.e. on-premise, cloud native and hybrid scenarios. We will then dive into cultural aspects of DevSecOps and the changes needed to get tangible benefits. The talk will also present various case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.

When the Internet Bleeded
RootConf by HasGeek
June 05, 2014

The talk will talk about various TLS / SSL related bugs that are identified in past year.

HeartBleed
GNUTLS Bug
Apple SSL Bug
Lucky 13
BEAST
CRIME
These bugs have shaken the core premise of Secure communication. The talk will focus on bringing a basic understanding of these issues to the administrators or developers. Besides this the talk will also focus on some burning questions that are now raised in wild. Such as

How secure are secure Socket Libraries?
Is opensource code really secure?
Is it really true that “given enough eyeballs, all bugs are shallow”?
Should we move towards higher abstract languages?
and most important.

What it really means for a Administrator / DevOps person

Attack and Defend Android Applications
BlackHat USA 2022
August 06, 2022

Begineer / Intermediate level course covering tips and tricks around android application attack and defense.

Details are available at https://cyfinoid.com/android-application-training/ or publication page.

Security Issues in Android Custom ROM’s
Self-publishing
October 16, 2011

This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.

Web application finger printing
Self-publishing
July 17, 2011

This Paper discusses about a relatively nascent field of Web Application finger printing, how automated web application fingerprinting is performed in the current scenarios, what are the visible shortcomings in the approach and then discussing about ways and means to avoid Web Application Finger Printing.