Insights from a cyber security expert: Debasis Mohanty

With a career that spans over 20 years in IT Security and Management, Debasis is what some would call a “natural hacker”. He got into security as early as 1998 when there were limited online resources and one had to self-learn and rely more on textbooks, MSDN resources (for Windows), or man pages (Linux/Unix) than on the internet.

He started as a freelancer writing system security tools and password recovery tools for Windows systems, later progressing to working as a full-time virus/worm researcher for an anti-virus software firm. Over the years he worked in various security roles across several industry sectors, including large technology companies, aerospace, defence, and multiple security consulting firms.

Debasis is now a well-respected figure in the cyber security realm, both in India and New Zealand. He has headed operations across multiple Information Security domains covering areas such as Security Assessments, Vulnerability Research, Secure SDLC Management and Security Training. Although not limited to these areas, Debasis specialises in application security, infrastructure security, exploit development and reverse engineering.

A large part of his background has been working closely with software engineering teams in large tech companies to evangelise security at various stages of the software development lifecycle. Although not limited to these, this often involved providing security training for the engineering team, architecture reviews (including threat modelling), code reviews, penetration testing and consulting. Debasis has also worked with numerous reputable security consulting firms offering various offensive and defensive consulting services. Having this experience in the best of both worlds, software security engineering and security consulting, has made Debasis the well-rounded security professional he is.

In 2014, Debasis, along with his wife and son, relocated from India, and in 2019 Debasis took up the role of Head of Technical Services at SEQA. Below, Debasis shares his experience of working in cyber security, his insights gained into common major challenges, and why he finds his work so rewarding.


As the Head of Technical Services, I’d love for SEQA to be known in the market for… world-class quality work and as a niche player in providing offensive and defensive cyber services not only in New Zealand but globally.

I’ve been in the cyber security field for a little over 20 years now, and the number one thing I’ve learnt in my time is… one must continuously learn and upskill if you want to stay in demand.

I’ve seen some major changes within the cyber security field. Here are my top three…

  1. An enormous number of resources (including simple to advanced content) are available for free online, which can completely replace the need for paid training, for anyone.
  2. A lot of cross-collaboration within the community across the globe has led to an exponential growth in a wide range of readily available open source tools/projects, research artefacts and papers that are benefiting the community in the most positive ways.
  3. Most software vendors and organisations have become much more open-minded towards receiving and acting upon security bugs. These days, most mature organisations reward or credit (based on the nature of the bug) those who take a responsible approach towards reporting bugs.

Organisations can perform with confidence when… they invest reasonably in their staff members’ training to make them more security aware. An organisation may spend thousands, or even millions, of dollars implementing security technologies; however, if they are not spending reasonably on staff training, they’re still likely to get compromised, even with the most advanced security controls.

The biggest cyber security challenge I’ve seen a client organisation encounter is… lack of clarity over organisational security goals and a lack of consistency across the organisation in following security best practices. In the absence of clear and progressive security goals and thus with none to act upon, the organisation will be far behind being mature in terms of security. They will spend more on their IT security budget doing random security activities year after year than those with clarity.

The most rewarding aspect of my work is… that it challenges you to keep raising the bar and exercise your highest technical abilities. Whether you are on the offensive or defensive side of security, or both, you get to deal with challenges, from the simple to more complex, related to various projects/technologies. It can either be finding those hard-to-find security bugs or providing tailored recommendations to customers to solve complex security problems. It can get daunting and exhaustive on most occasions, but it just makes you better over time.

I’ve been described by colleagues as a ‘natural hacker’ because… Being called a ‘natural hacker’ has a much simpler meaning than it seems. It is all about how you look at your target and the approach you take to find security bugs.

The definition of a ‘hacker’ differs depending upon which side of the fence you play on. A person who is part of the corporate or business world is typically called a security consultant and is tasked with finding security bugs in target systems and technologies. On the other hand, those on the opposite side of the fence that target systems and networks without authorisation are typically called adversaries or malicious actors.

Here, I’m relating ‘hacker’ to a person who works in the corporate world or an independent security researcher who is authorised to find security bugs as part of their regular job to guide their customers in mitigating security risks.

I’d call someone a natural if they were tasked to hack a target system unfamiliar to them, or were completely unaware of the technology stack, but still felt confident that they knew where to look for bugs or where to start.

It is an ability that anyone can develop with enough years of experience and the right exposure to a wide range of technologies, coupled with an inbuilt capacity to understand any complex or unfamiliar target solution or system at its core. For example, if a person has many years’ experience finding bugs at an application or network level and one day they were tasked to find bugs in a rocket, with no background, the first question to ask themselves is “Does it intimidate me?”. If their reaction is “I can do it”, and they think it would be a cool project, even if they’d never been exposed to such a technology but have some initial ideas on where to start, that’s what I’d call a natural hacker.

Therefore, my exposure over two decades in the industry, trying to break a wide range of technologies, helps fuel new ideas on “How can I break this?” which flows naturally, in my mind, when exposed to an entirely new/unfamiliar technology.

The best advice I could give someone starting out their career… IT security (or cyber security) is a vast domain, and there are multiple areas of specialisation. If you wish to pursue a career in security, start with one or two areas in the beginning and get better at them. Let’s say application and network security is a good start. Try to master both the offensive and defensive aspects of them to become more well-rounded. Over time, once you feel comfortable with these areas, keep cross-skilling in other areas as you progress your career. Over time you will realise what your specific areas of specialisation are. Learn coding, which can complement your skills in the long run, and never skip the fundamentals of what you do choose to learn. Finally, to really raise the bar, consider learning the most complicated-looking area of security to you, as the area you choose gets easier once you get to know the What, How and Why answers related to that field.

I give back to the security community by… Between 1998 and 2008 I was an active contributor to the global security professionals community, providing multiple tools, exploits, and research articles/papers. However, to do this I had to invest a significant amount of my personal time, so after I got married in 2009, I started to give more time to my family than to research. While I am still very technical and hands-on, my contribution these days is more in the form of mentoring and providing guidance to those new to the industry.

When I first came to New Zealand, my first thoughts were… beautiful country, beautiful weather, lovely, friendly people, and countless scenic destinations across the country for a keen nature photographer like me.

I’d love to meet… people new to the industry who have clarity over their goals and who are seeking guidance in this field. They remind me of a much younger version of myself.

I absolutely love… photography.


Want to continue the conversation? You can connect with Debasis on LinkedIn, or you can contact him directly by email.
