InfoSec Journey in SecureLayer7…..
Hi all, hope you are doing well.
In this blog, I’ll be sharing my comprehensive technical journey of me working at SecureLayer7.
How My Journey Started?
After working as a Security analyst/Trainer for a year I joined SecureLayer7 in Jan 2019. From the first week itself, I got projects in Android, iOS, and Web App Pen-testing. Working full-time as a Security Consultant gave me the opportunity to work with big project organizations including some financial bank projects. This provided me with wide exposure in terms of great experience a learning deep insights of pentest while working with SecureLayer7.
Travelling Overseas during my SecureLayer7 job
My first international project was in Dubai & its scope was internal network pentest, wireless pentest, physical pentest, architecture review, and config. review of all devices. It was a big opportunity. I was initially daunted by the scale of the task as I had to this all by myself in just 10 days. The fact that I had to travel alone and work out everything on my own added to my nervousness. But my colleagues motivated me & made me believe in myself. Once in Dubai, besides doing my best for the project, I got to make the most of my trip by indulging in various activities every day after getting free.
My Second project was in London and emboldened by my previous experience, I was super excited to go there. There I did internal pentest and wifi pentest for a Bank. It was a one-week project. I discovered high to low-level vulnerabilities in the scope. My experience in making wifi course from my previous company helped me do an appreciable job on the project. Further, I had to pentest WPA2 Enterprise network which was new to me. So enumerating the web I found EAP Hammer tool and that helped me during pen-testing. Besides working on the project, I travelled across London & got the chance to interact with a lot of people. Overall this was a memorable project and journey.
Offsec journey
When I took the Offsec labs project, I was worried that managing the 2-month lab would be difficult. I used to work from 9 am-6 pm and then 3 hours that I dedicated solely to the lab. My other colleagues also did research till 9 there which further motivated me to work every day till 9 PM. I enjoyed working on the lab immensely & hence I used to come to the office even on Saturdays and Sundays. I finally gave my exam after my London onsite project and passed it in the first attempt.
When Times Got Tough!
In June-July, I got a client where I only had 10 days to pentest the project which was already pen tested 4-5 times previously by other companies. There I devoted exactly 9 hrs every day to hunt for vulnerabilities. For the first 3 days, I got very low vulnerabilities whilst thinking of many logic scenarios. On the fourth or fifth day, I was able to find stored and reflected XSS. By the end, I submitted 12-14 high to low vulnerabilities.
Besides this, even in the office, I got projects like Binary pentesting, external network pentest and other difficult web app projects with varying level of languages involved like Angularjs, .NET and JAVA projects. Sometimes it became difficult to find vulnerabilities, since the project that came, was already pen-tested by ours or some other company.
But though the times were difficult, I never lost faith in myself & kept going forward. My colleagues kept me inspired and I knew these problems were opportunities for me to learn & grow. I went through those situations with ease & emerged stronger.
Thus begins my Whitebox Journey
In August of 2019, I got a long term client. Before this, I only did black box pentest for everything like web, mobile and APIs. This client gave me the opportunity to work on many source code projects.
The organisations had projects involved in IoT, admin portals, websites, APIs and mobile apps. I performed SAST manually and through fortify including the languages like PHP, Python, Perl, Go, RUST, NodeJS. Initially, I had a little difficulty reading languages, but I got a hang of them in due time.
An advice that I can now give to other new pen-testers from my experience is to search test for language-specific vulnerabilities, search third party dependencies and lastly read at which places the user input is getting stored in variables and how it’s handled across the functions. Just a tip to make your job easier.
Overall I understood how applications worked, the complete architecture of the entire IoT system including the frontend, backend, the AWS infrastructure like EC2, S3 and lambda functions, protocols used by IoT platforms including MQTT, etc. I worked on a different mobile app based on react-native, Java, Xamarin, etc. Web apps were based on Code Ignitor, Magento, React, Nodejs. I tested Firmwares in C and APIs based on Nodejs and other provisioning tools in Python, Perl etc.
Overall Working with SecureLayer7
Working in SecureLayer7 has helped me boost my career growth and I got the opportunity to work on a variety of projects. I learnt how to handle newer problems in terms of technology and gained a lot of experience. Every project taught me a skill & helped me grow as an individual. Moreover, I never got bored as every month we got to do something new. Our colleagues shared new concepts with us regularly based on their research which helped everyone. The managers and seniors were always there & had our back whenever we got stuck. We worked as a team and made sure no one faced any challenges.
I’m thankful to SecureLayer7 that they believed in me and gave me onsite opportunities to handle clients individually. Lastly thanks to Sandeep Kamble Sir for motivating the team and leading the team in the face of any technical and other challenges.