Talking with the expert - Riyaz Walikar
By Ashish Chhatani - July 20, 2019
Riyaz Walikar, a well-known face in the InfoSec industry, is a security evangelist, offensive security expert and researcher with over 9 years of experience in Internet and web application security. He is currently Chief Offensive Security Officer at Appsecco.
He has many years of experience providing web application security assessments, has led penetration testing engagements in many countries and has performed numerous onsite reviews of infrastructure and system security.
Riyaz is an active speaker at the leading information security conferences: Black Hat, nullcon and OWASP AppSec. Apart from consulting and sharing knowledge at conferences, he researches vulnerabilities and carries out bug hunting in major organisations' applications. In this interview, Riyaz shares his journey and his take on various aspects of the InfoSec domain.
1. Please tell our readers about yourself and the journey you have gone through.
My name is Riyaz Walikar, a web application security enthusiast and lifelong purveyor of knowledge. I currently head the Offensive Security team at Appsecco, an application security specialist headquartered in London, with clients all over the world. I started my career in the field of Information Security as a Penetration Tester for Microland way back in 2007. Between then and now I have worked at multiple organisations leading teams, breaking applications and networks, mentoring and educating folks in the field of offensive security. I have been a chapter leader for null Bangalore in the past and currently lead the OWASP Bangalore chapter as one of its leaders.
In over a decade of my experience with information security, I have spoken at international conferences, trained security testers and developers of some of the largest organisations in the world, found security weaknesses in applications owned and operated by most major Internet players and written 2 books as well.
2. What was that thing that pushed you to pursue Information Security?
I started breaking things when I was in college. Back then most computers in college ran Windows XP and it was fun to bypass the protections put around them by the staff. My teachers fuelled my passion for computers by letting me use lab time when no one else was using the lab. That's where I learnt to program in multiple languages, and to install, break and reinstall stuff. I started creating programs that would help me do cool things to networked machines, for which I had to learn how data is transferred between systems and how a system can be used to do your bidding if you know what programming APIs to call and play with.
In my third year of Engineering, I was on the campus placement committee and would help out students by holding mock tests and dummy interview rounds, preparing them for actual company interviews. During one of these placement events, Microland did a presentation where I realised that Network and Application Security is a career people could choose if they were interested. That's the day I realised what career I would follow my entire life. I attended the interview and was selected shortly after that. After that I focused my attention on other operating systems, web applications, wireless networks and network security in general. I gulped down everyth
I moved to Bangalore in 2007 and was introduced to the null Bangalore community a couple of years later. No other single open security community has had such a major influence on my life as the null community. Its inclusiveness towards anyone who is security curious, its hands-on meets in the offensive and defensive space, its monthly meet-ups (which are still going strong with over 100 in attendance every month), all free of cost, bowled me over. The founder of null Bangalore and a close friend of mine, Akash Mahajan, once said, "When like-minded people come together to learn something, they create a lot of new things". That has stuck with me since then and I constantly try to give back to the community from which I have taken so much. It's been a fun ride so far!
3. What is Appsecco? What's the end goal of it?
Appsecco is a specialist application security company providing industry leading security advice that is firmly grounded in commercial reality. We work with some of the biggest companies and financial firms in the world and with exciting start-ups too.
Our services cover the entire software development lifecycle from advising on how to build and foster a culture of security within development teams and organisations to reviewing and advising on the security of applications and associated infrastructure under development to providing rapid response and advice in the event of a security breach or incident.
In addition to our client-facing work, we are actively involved in researching and training folks in the areas of Offensive Security, Automated Defence, Security for DevOps and Cloud Security at popular conferences around the world including nullcon, BlackHat, DefCon and DevSecCon.
Our goal is and will always be to continuously deliver awesome security advice that genuinely adds value to our clients, the community and all those around them.
4. Being chief offensive security officer of Appsecco, what's your prime focus?
There are multiple areas that I focus on as I head the team delivery at Appsecco. However, as we aim to provide our customers true value for the time and money they invest in us, my prime area of focus is to ensure quality of delivery, not only in terms of the reports that go out but in the actual testing and assessment as well. As we are a growing team, internally every application that we test, every bug we find and every report we create goes through multiple rounds of quality testing so that our customers receive the highest quality of work compared to what they would have had from similar organisations. This, backed with the collective technical skill and experience of the team, is a key strength that we use in our day-to-day work to ensure our customers are delighted at the end of an engagement.
5. According to you, what's that tech which can revolutionise the InfoSec industry or become a pathbreaker?
I see containerisation of code and infrastructure becoming (if it hasn't already) a game-changer for the InfoSec industry. As more and more organisations move their code to microservices, short-lived containers and fully contained environments, new security challenges will arise, and a whole new way of attacking these systems would be, and is already being, created by a lot of researchers in the industry. Couple this with the cloud and now you have environments that are accessible from anywhere and are tied into the other services that cloud providers offer.
You would then start asking, would an attacker be able to gain access to my container through my application? What about accessing the host from the container? Or is there a way to reach my cloud account and other infra from the host running the containers? All sorts of interesting things are happening and we are in a very exciting phase for the InfoSec community.
6. Which area of InfoSec domain excites you the most? Why?
I have been passionate about web applications and network security; combine the two and you (somewhat) have apps on the cloud protected by defences that are programmable and configurations that are coded via static files. There are several things that can go wrong when implementing or mimicking on-premise setups on the cloud, and that excites me as someone who has known nothing but breaking things all his life.
With the number of cloud vendors out there today, and each one of them constantly trying to make their services better than the next cloud provider's, things are only going to get more exciting.
7. As OWASP chapter lead, what are your responsibilities?
As one of the chapter leaders for Bangalore, my responsibilities include spreading knowledge about OWASP projects to the general community and security folk, helping folks get started in the field of application security, training and teaching people how to apply what the OWASP guidelines say about best development practices and attacking applications, and including as many people as possible in the journey that OWASP Bangalore is taking.
8. The biggest challenge you have faced being a security researcher/expert till date.
Not me personally, but I have seen other folk go through this within the security community: many security folk I know work for pretty large organisations that have limitations and restrictions on things that would further their knowledge. This includes access to labs where hacking exercises can be practised, installation of tools or hacker-friendly operating systems, or simply access to training programs, online or offline, that would allow the pursuit of knowledge in the InfoSec industry. This seriously limits the amount of time one can dedicate to learning when all you then look forward to are weekends. This needs to change, at least for the folks whose primary job function is to attack internal applications as part of the organisation's security lifecycle.
9. We hear data breach stories every now and then. According to you, what's that loophole the organisations are not able to rectify? Or even if they know it, why are they not able to prevent it?
There are multiple reasons why applications become vulnerable: bad programming practices, poor configuration, mismanaged access and using old and vulnerable software. A surprising number of breaches also happen due to a general lack of awareness regarding standard security hygiene. Be it passwords or personal information, users tend to be overly generous with security choices.
There is also the case of assets that are unaccounted for. In large organisations that may have Internet-facing assets running into the thousands, IT may not even be aware that these are exposed and alive on the Internet, simply because their inventory may not be updated. From personal experience, one of the services we offer allows us to create an attack surface for an organisation using over 40 checks that we have compiled over the years. All the organisations that have used this service have gone back with at least one such asset that they did not know existed.
10. What's the next thing to achieve? The endgame you're looking forward to.
There is no endgame. I wish I could snap my fingers and make everyone security conscious but I don't see that happening anytime soon. I am however actively looking forward to breaking more things on the cloud and the IoT space while constantly mentoring folks within the community as I move forward.
11. Your advice to the freshers pursuing this field. How, what and where should they start?
Practice. There is no other way. We live in a world today where access to information is insane compared to back in the day when we had to go to a library and check out a physical book!
Don't let anyone tell you that you are not good enough. Practice what you learn, even if it means you are starting with hello world programs. You will train your mind to constantly be curious (something that is a required skill for attackers). Learn, discuss, share and create, all the while practising what you are learning, discussing, sharing and creating.
Start by creating your own virtual machines, then download and practise attacks on vulnerable virtual machines created by multiple cool folks on the Internet. Learn at least one scripting language (Python or Go, if you may) and a server-side language. Build simple hello world apps, host them on your local virtual machines, and stop, configure and start web servers. Get familiar with the command line in at least one OS (Linux recommended, but PowerShell is also getting cooler day by day). Take small steps, document what you have practised, and do not feel shy to ask questions or to accept that you need help, and do not give up because you have failed. Remember, even the expert you look up to started by failing.
Join a local community (null and OWASP Bangalore come highly recommended :)) to learn and share, make like-minded friends and see where this field takes you.