Join Anant Srivastava, Founder of Cyfinoid, as he sheds light on AI's transformative role in cybersecurity, explores the vital contributions of open source, and emphasizes the importance of community involvement for strategic advancement.
Follow Anant: https://www.linkedin.com/in/anantshri/
- 00:00 Introduction to the Podcast
- 01:21 Evolution of Cybersecurity and Changes in Information Security Roles
- 07:15 Breaking into the InfoSec Industry: Tips and Strategies
- 11:23 The Power of Community: Investing in CEH and Networking Benefits
- 14:15 Anant’s most Memorable Talks and Interactions
- 18:10 The Impact of Open Source on Cybersecurity
- 30:18 Mobile Development Pitfalls: Overlooked High-Risk Vulnerabilities
- 35:23 Behind the Scenes: Crafting Topics for a Cybersecurity Blog
- 38:59 The Future of AI in Cybersecurity: Enhancing or Replacing Critical Thinking?
- 44:23 The Evolving Role of Security Engineers in an AI-Dominant Future
- 51:43 Closing Thoughts and Podcast Conclusion
AI Generated Summary
This comprehensive podcast discussion covers the evolution of cybersecurity, community involvement, open source contributions, mobile security, blogging, and the future of AI in cybersecurity.
Key Topics Discussed
Evolution of Cybersecurity Industry:
- Major shift: "We used to be chased because we were finding bugs" (with court orders) → "Now we are getting paid to find bugs"
- Hacking vs InfoSec: Hacking is fun and exploration; InfoSec is what you get paid to do
- Shift from convincing people why security is needed → people now proactively asking for security help
- Field has matured from hobby to professional career, but still not fully structured like medicine
Security Implementation Spectrum:
- Companies range from bare minimum compliance to proactive security implementation
- Security decisions should be based on audience level:
- 4 people playing a Ludo game → minimal security needed
- Governments of different nations → maximum security, including against nation-state attacks
- Company size matters: 2-person company (trust), 10-person (reference-based trust), 50+ (public hiring, need EDR/XDR)
- Different security levels for different roles: Receptionist/HR (full security) vs Pentester (trust building, minimal security initially)
Entering Cybersecurity:
- Universities now offer cybersecurity degrees (entry-level but provide foundation)
- Industry moves fast - by graduation, technology may have changed
- Recommended pathways: CTF events, Bug Bounty programs, Google Summer of Code
- Team Bios (university team) - people from this team have shown exceptional trajectory
- CTF participation helps build network and skills before entering industry
Community Involvement:
- Communities provide collaborative learning and crystallized/distilled information
- CEH certification value: Not for practical info, but ensures you’ve heard every keyword in infosec space once
- NULL meets, OWASP meets - hear 3-4 different researchers share learnings
- Small Discord channels also valuable for networking and growth
- Important to “show up and make your presence felt” - not just be part of 200-500 people crowd
Memorable Talk Learnings:
- Don’t use Wikipedia as official source (can be edited in real-time)
- Always cite references - if the source is inaccurate, you are doubly inaccurate
- Sessions are for audience, not for presenter - make assumptions clear
- Presentations should be useful after the session (PDFs, slides should make sense standalone)
- Example: IppSec always starts from scratch and documents his videos on his website
Open Source Projects:
Android Tamer (now Tamer Platform):
- Started 2011 - unified environment for Android security tools
- Problem: Tools fragmented across different languages/versions (Java 1.7, 1.8, Ruby 1.5, 1.6, etc.)
- Solution: Cohesive environment where all tools coexist and cooperate
- Allows VM setup, apt-get updates, tool installation without version conflicts
Code Vigilant:
- Started at NULL meets 2014 with Prajal Khar (now CISO at Groww)
- Target: WordPress themes and plugins
- 2014: Found ~300 bugs, reported and got fixed
- Paused until 2021, restarted with Semgrep (more structured searches)
- 2021: Found another ~100 SQL injections
- Current workflow: Semgrep → Defect Dojo → Validate → Report to vendors
- Provides internship opportunities for people from small towns
- Philosophy: “I helped you, you help two others” - pay it forward
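The Semgrep step in the Code Vigilant workflow is a structured search for one recurring bug shape: a WordPress `$wpdb` query sink whose SQL string is built by interpolating a PHP variable instead of going through `$wpdb->prepare()`. The script below is an added example, not Code Vigilant's own tooling; it stands in for Semgrep with a regex matcher so it runs offline, scans a constructed PHP plugin snippet, and emits findings in the `{"findings": [...]}` shape assumed here for DefectDojo's generic findings import (the field names are an assumption, not taken from the podcast).

```python
"""
Added example (not Code Vigilant's own tooling): a minimal, Semgrep-style
search for the classic WordPress SQL-injection shape, i.e. a $wpdb query
sink whose SQL string interpolates a PHP variable instead of being built
with $wpdb->prepare(). Code Vigilant uses Semgrep for this step; the
regex matcher here is a stand-in so the example runs offline.
The PHP input below is constructed for illustration.
"""
import json
import re

# $wpdb methods that execute a raw SQL string.
SINKS = ("query", "get_results", "get_var", "get_row", "get_col")

# A sink call whose first argument is a double-quoted string containing an
# interpolated PHP variable other than $wpdb itself ({$wpdb->prefix} is the
# normal, safe table-prefix idiom and must not trigger a finding).
SINK_RE = re.compile(
    r'\$wpdb->(?P<method>' + "|".join(SINKS) + r')\s*\(\s*"'
    r'(?P<sql>[^"]*\$(?!wpdb\b)[A-Za-z_]\w*[^"]*)"'
)

# Same sink, but the argument comes from $wpdb->prepare(...): the safe form.
PREPARED_RE = re.compile(
    r'\$wpdb->(?:' + "|".join(SINKS) + r')\s*\(\s*\$wpdb->prepare\s*\('
)

# Constructed sample plugin: two vulnerable lines (3 and 5) and one prepared query (6).
SAMPLE_PHP = '''<?php
$id = $_GET['id'];
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}items WHERE id = $id");
$name = sanitize_text_field($_POST['name']);
$wpdb->query("UPDATE {$wpdb->prefix}items SET name = '$name' WHERE id = 1");
$safe = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM {$wpdb->prefix}items WHERE id = %d", $id));
'''


def find_unprepared_queries(php_source, file_path="plugin.php"):
    """Return one finding dict per suspicious line (line numbers are 1-based)."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if PREPARED_RE.search(line):
            continue  # argument built via $wpdb->prepare(): treated as safe
        m = SINK_RE.search(line)
        if m:
            findings.append({
                "title": f"Unprepared SQL in $wpdb->{m.group('method')}()",
                "description": f"SQL string interpolates a PHP variable: {m.group('sql')}",
                "severity": "High",  # SQLi in a plugin is typically rated High pending validation
                "file_path": file_path,
                "line": lineno,
            })
    return findings


def to_defectdojo_generic(findings):
    """Wrap findings in the assumed DefectDojo generic-import shape (a dict; dump to JSON to upload)."""
    return {"findings": findings}


if __name__ == "__main__":
    report = to_defectdojo_generic(find_unprepared_queries(SAMPLE_PHP))
    print(json.dumps(report, indent=2))
```

Every hit still goes through the "Validate" step before a vendor report: a regex (or a Semgrep pattern) only says the SQL was concatenated, not that the interpolated value is attacker-controlled, so line 5 above, where `$name` passed through `sanitize_text_field()`, still needs a manual check of what that sanitizer actually guarantees for SQL context.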
Open Source Philosophy:
- Don’t do open source expecting returns - do it because you want to
- Open source is “medium of expression” - I did something, I want to share it
- Not recommended to make living solely from open source (Red Hat is exception, not rule)
- Projects are personal - “These are my projects, I’m doing them for myself. Want a feature? Fork it.”
Mobile Security:
- Mobile is “fully hostile territory” - device may be hacked, owner may be hostile
- Beyond API vulnerabilities (which are web app testing), mobile apps face unique challenges
- Defense in depth approach: SSL pinning → Request signing → Validation layers
- Each layer raises the attacker skill requirement (0-3 → 5-6 → higher)
- No 100% security, but increase complexity to make attacks harder
- Give a debugging build of the app to the VAPT vendor, but the production app should have all security layers enabled
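The "request signing" layer in the chain above, written out end to end as an added example (not code from the podcast or any Cyfinoid project). It assumes HMAC-SHA256 with a per-install secret, a canonical string of method, path, timestamp and body hash, a five-minute clock-skew window, and an in-memory set of seen tags for replay detection; the endpoint paths, secret and request body are constructed values.

```python
"""
Added example: client-side request signing and server-side verification
for a mobile API. Assumptions (not from the podcast): HMAC-SHA256 over a
canonical string, a +/-300 s timestamp window, and in-memory replay tracking.
"""
import hashlib
import hmac
import time

SKEW_SECONDS = 300  # accept timestamps within +/- 5 minutes of server time (assumed policy)


def canonical_string(method, path, timestamp, body):
    """Bind every part an attacker could tamper with into one byte string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(secret, method, path, body, timestamp=None):
    """Client side: return the headers that carry the timestamp and the HMAC tag."""
    if timestamp is None:
        timestamp = int(time.time())
    tag = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": tag}


def verify_request(secret, method, path, body, headers, now=None, seen_tags=None):
    """Server side: reject stale, tampered or replayed requests. Returns (ok, reason)."""
    if now is None:
        now = int(time.time())
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak timing information about the tag.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    # Replay protection: remember tags seen inside the window. A real server
    # would keep this in a shared store and expire entries after SKEW_SECONDS.
    if seen_tags is not None:
        if expected in seen_tags:
            return False, "replayed request"
        seen_tags.add(expected)
    return True, "ok"


def demo():
    """Sign one transfer request, then show which manipulations the server rejects."""
    secret = b"per-install-secret-provisioned-at-enrolment"  # constructed value
    body = b'{"amount": 100, "to": "alice"}'                  # constructed request body
    now = 1_700_000_000
    headers = sign_request(secret, "POST", "/api/v1/transfer", body, timestamp=now)
    seen = set()
    return {
        "valid": verify_request(secret, "POST", "/api/v1/transfer", body, headers, now=now, seen_tags=seen)[0],
        "tampered_body": verify_request(secret, "POST", "/api/v1/transfer",
                                        b'{"amount": 100000, "to": "mallory"}', headers, now=now)[0],
        "wrong_path": verify_request(secret, "POST", "/api/v1/admin/transfer", body, headers, now=now)[0],
        "stale": verify_request(secret, "POST", "/api/v1/transfer", body, headers, now=now + 3600)[0],
        "replayed": verify_request(secret, "POST", "/api/v1/transfer", body, headers, now=now, seen_tags=seen)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

This is exactly the "raise the bar, not 100% security" layer described above: on a hostile device the attacker can still pull the secret out of the app and sign their own requests, so signing stops intercept-and-edit attacks and replays, not a determined reverse engineer, and the server-side validation layers behind it remain necessary.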
Blogging:
- Blogging for 15 years - started when blogging was for fun
- Blog is personal journey documentation, not focused on one topic
- Evolution: Blog → Myspace/Orkut → Facebook → Twitter/X
- Moving back to the blog due to social media instability (Twitter → X, Facebook changes, Reddit API closures)
- Blog serves as personal reference - “5 years later I search my own blog”
- Current split: Company blog (mobile, decentralized web, supply chain) vs Personal blog (PKM, automation)
AI in Cybersecurity:
- LLM analogy: Child born in library, taught alphabets, read all books by age 18, no human interaction
- AI identifies patterns and repeats them - not actually “thinking”
- Can help go from 0-60% proficiency; 60-100% still requires human intuition
- Example: Feed all bug bounty reports to AI → get a list of the most commonly exploited parameters for XSS
- Jason Haddix created Burp plugin doing exactly this (manually, before AI)
- AI helps with repetitive patterns; humans needed for novel scenarios and gut intuition
Future of Security Engineers with AI:
- Comparison: Finance people when calculators came → they didn't lose their jobs, they "babysat computers"
- AI will automate repetitive tasks (dealing with XSS on CVSS 9.8 internally deployed machines)
- Humans will be freed for more useful tasks
- Medicine is science (documented procedures); InfoSec is still art (no one knows what they’re doing)
- AI might help structure InfoSec field, but refinement comes from human inputs
- Decision-making still requires humans - AI can’t predict social outcomes
- Research example: AI couldn’t predict children’s future (marriage, arrests) based on habits
Key Insights:
- “Show up and make your presence felt” - critical for community involvement
- Many people hired before graduation because they showed skills in communities
- Code Vigilant provides internship opportunities for people from small towns
- Mobile security requires defense in depth - no single solution
- Blogging is personal knowledge management and reference tool
- AI is pattern recognition, not critical thinking replacement
Important Projects and Tools Mentioned:
- Android Tamer/Tamer Platform - Unified Android security tool environment
- Code Vigilant - WordPress security research project
- Semgrep - Code review software
- Defect Dojo - Bug tracking and management
- Team Bios - University CTF team with exceptional trajectory
Actionable Takeaways:
- Participate in CTF events, bug bounties, Google Summer of Code
- Join communities (NULL, OWASP) and make your presence felt
- Document learnings in blog posts
- Contribute to open source projects
- For mobile security, implement defense in depth (SSL pinning, signing, validation)
- Use AI for repetitive pattern recognition, but rely on humans for novel scenarios
- Show skills in communities - many get hired before graduation
- Open source should be done for passion, not expecting returns