Meet our Security Expert: Anirudh Anand

Published in TheBugBounty · 4 min read · Feb 19, 2020
Security Engineer Anirudh Anand, who has successfully reported bugs to Google, Microsoft and GitLab, talks about his passion for cyber security and the benefits of bug bounties for organizations and researchers.

Can you please tell me a little bit about yourself and your background?

Currently, I am working with Fintech firm CRED. It was founded by Kunal Shah, who was also the Founder of Freecharge. I am a Senior Security Engineer at CRED where I am responsible for protecting its applications and infrastructure. Before joining CRED, I worked with Flipkart for two years in a similar role.

I did my Bachelor’s in Computer Science from Amrita Vishwa Vidyapeetham, Kollam, Kerala University.

How did you start ethical hacking?

My journey in ethical hacking began when I was in college. My college has an MTech programme focused on cyber security, which ignited my passion for this vocation. Additionally, we had an amazing Professor, Mr Vipin Pavithran, who encouraged me to learn more about security and made me part of the Capture The Flag (CTF) team of the college. He is the backbone of my success in this field.

CTF is an ethical hacking contest that happens online. It is conducted across the world, and teams are invited to participate and win. This is where my introduction to security happened. Every day after college, we used to work from 5 pm to 11 pm in the lab. It was a fun atmosphere, and it got me excited about cyber security and ethical hacking.

What are your achievements as a bug bounty hunter?

I do not regularly do bug bounty. What happens is that when you work for a company for a long time, it gets monotonous and you feel the need to do something different. By this I mean hacking into something other than your own company. You know your company inside and out, and over time it gets easier. I venture into bug bounty as it is challenging, helps me brush up my skills, and I get to learn new things in the process. It also helps me stay abreast of evolving threats.

So far, I have reported bugs for Google, Microsoft, LinkedIn, GitLab, Slack, Udemy and many other companies.

How do you approach a program when you do bug bounties?

I don’t have a custom approach. I have learned tactics and approaches from great hackers such as Frans Rosén (@fransrosen), Ben Sadeghipour (@NahamSec), zseano (@zseano), mongo (@mongobug), and many more.

I generally start with the primary domain, say for example google.com. I then figure out the subdomains, such as education.google.com or accounts.google.com. I look for all the applications running on the subdomains. Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input.

My core expertise is in PHP. If I find an application running on PHP, I give it priority.

Do you think bug bounties are significant? Why?

I believe bug bounties are very significant. A company has a lot of exposure to the internet. There could be hundreds of thousands of servers with different vulnerable applications running. Crowdsourced testing is vital to making your company secure. For example, Google has millions of applications running online. Even hiring a hundred security professionals is not enough to safeguard Google. They need a crowdsourced approach.

The advantage companies have now is that there are thousands of people testing for bugs and trying to hack into their programmes. In case they are successful, Google pays them as per the criticality of the bug. Companies pay only for valid bugs. I spent a month hacking into Google and I got just one bug. The bug was critical, I agree, but Google had to pay me only for that bug, not for the time spent or the effort. So it is very cost-effective for companies and ensures robust security. If companies hire people full time, they have to pay salaries irrespective of whether they find bugs or not. Crowdsourcing ensures more ground is covered. The more testing that takes place, the more secure the company is.

From a security researcher’s perspective, bug bounties are important as they give them a diverse range of work, enable learning every single day, and help them stay on top of new trends and evolving risks. It is also lucrative, and many people have made finding bugs a full-time career. However, it is not easy. There is a high failure rate when you are starting out, and it can get frustrating. It is critical to persevere and keep at it.

What advice do you have for someone who is just starting their journey in the information security or bug bounty arena?

I believe that the first thing someone starting out needs is a mentor. Yes, you can learn things on your own, and there are more than enough tutorials on the web. But it is important to follow successful hackers and learn from them. You can follow hackers such as Frans Rosén (@fransrosen), Ben Sadeghipour (@NahamSec), zseano (@zseano), mongo (@mongobug), etc. on social media and see what they are doing. There is a UK security researcher, zseano (@zseano), who does a lot of articles and video series on how to approach a problem and how to solve it. He even does video screenings. If you follow people like him, there is a lot you can learn. Learning is a big aspect of doing bug bounties.
