[PenTest Magazine]: Hello Dinesh! It means a lot to us that you agreed to the interview! Would you like to introduce yourself to our readers?
[Dinesh Sharma]: Hi! First of all, thank you so much for giving me this opportunity to interact with this amazing audience. It’s me, Dinesh. If you are a regular reader of the PenTest Magazine, then you may have come across an article written by me. I have written more than 13 articles for the PenTest Magazine. I am a pentester who likes to automate repetitive tasks. I am involved in red team activities, cloud pen testing tasks, apps penetration testing, secure source code review, configuration review, etc. I have done a few certifications like OSCP, SCS-C01, and CARTP. I have a total of four years of experience in the Security Domain. I like coding in Python. Nowadays, I am working as a security engineer II at 7-Eleven. Currently, I am enhancing my skills in cloud pentesting. Connect with me for more info at Dinesh’s LinkedIn Profile.
[PenTest Magazine]: Many PenTest readers will surely recognize your name as a regular contributor of excellent material in many PenTest Magazine editions. Do you have any tips for those who’d like to try writing their own articles?
[Dinesh Sharma]: Yeah, sure. So basically, when I was starting my career in cyber security, there was not much quality content available specifically for pentesting. I had to struggle a lot in my initial growth. At that time, I decided to share my knowledge with the community so that other newcomers would not have to struggle to find quality content. This is how I started my journey in article writing. Those who want to share their skills with the community and consider this thing as their responsibility to increase the number of people with the right cyber security knowledge, should start writing articles. In order to start writing, you should always follow a few things:
- Choose your topic wisely. Choose something rarely available on the internet but is much needed for the day-to-day tasks of a security engineer job.
- Always start by giving background about the topic. Make it beginner friendly and add as many references as you want. Give background as well about the references, or else the reader may be confused.
- Show a practical, step-by-step tutorial so that it will be easier to follow for a newcomer as well. Add PoCs to demonstrate the commands and their output.
- Divide the article into multiple parts, like the intro, the main course and the desserts with a conclusion. References at the end should also be mentioned.
[PenTest Magazine]: The main topic of our current edition is Python for pentesters. What’s your take on this particular language? Do you employ it on a regular basis in your professional work?
[Dinesh Sharma]: Yes, Python is like oxygen for the pentesters. If you are dealing with repetitive tasks or want some innovative test case to be tested in multiple instances, then Python can become a game changer. Some people say that you don’t require coding skills to be a pentester, but I do not agree with them. For me, coding is a must as it will make you understand the vulnerabilities with a more in-depth mechanism. You can then easily find a way to bypass the security checks because you can think like a hacker as well as a coder. I like it because it has many libraries to accomplish the task with easy and compact code.
[PenTest Magazine]: From time to time we can hear about alternatives to Python, but after all these years, it still dominates the field. Why is Python still popular? What are its biggest drawbacks?
[Dinesh Sharma]: Python is hackers’ favorite language because it is simple as well as rich with useful libraries. Python is very powerful. Almost all hacking-related tasks can be accomplished using Python. It requires less coding and comes with easy syntax but provides complex concepts like socket programming, OOPs, etc. We can write exploits, automation scripts, viruses, scanners, etc.; basically, pretty much anything. After all those pros, Python does have some cons as well. It is slow as compared to C/C++ or Java because it is a high-level language and it is an interpreter language as well. That’s why the code is executed line by line. It consumes a lot of space in the memory as it is flexible with the data types. But after all these cons, Python is hackers’ first choice.
[PenTest Magazine]: Speaking about your toolset, what are your favorite tools? Do you have anything you can’t live without? Bonus points if it’s something less well-known :)
[Dinesh Sharma]: I am more of a manual person. I do use automated scanners and exploitation frameworks but I prefer to do it manually so that I can have more control over the command output.
It depends on the project, basically; suppose I am doing an app pentest, then Burp Suite is my favorite tool. If we can combine this with the extensions it provides, then it is more killer than an AK-47. For directory brute-forcing, there are multiple tools available, like amass and dirbuster, but I have written my own Python script that can do this task for me with multithreading and with desired output format.
If it’s a cloud pentest, nothing is better than the aws cli. Create a profile using the credentials provided and start playing with the aws services. Boto3 is Python’s library to interact with the AWS services. For the Azure Cloud, az cli, and Azure PowerShell are there. Some other tools like Pacu, Prowler, Principal Mapper, ScoutSuite, etc., are also useful when dealing with big infrastructure. Let me tell you one secret, after all these manual tools you don’t require any hidden gems.
[PenTest Magazine]: Cloud Security seems to always be a big topic in the cybersecurity industry. Some even say that the cloud cannot be truly secured. What’s your take on that? We always hear about leaks from various platforms, yet everyone still uses various cloud platforms. Do we have to ditch the cloud completely, or is there some light in the tunnel?
[Dinesh Sharma]: Let me tell you one secret - nothing can be 100% secure. It is a harsh reality. That’s why even companies who are spending a huge amount on their cybersecurity face security incidents. As security engineers, we can try our best to make the assets incident resistant and this is for all the assets, not only for the cloud. People say it is hard to secure the cloud as in the case of a cloud environment, the attack surface is huge. Mostly, misconfigurations or vulnerabilities in the apps hosted in the cloud lead to compromise the cloud environment.
As I said above, it is not only the cloud leaking information, there are other assets, like apps, network components and even users themselves, are leaking the information. Ditching the cloud is not a solution. We should always practice secure policies while setting up new assets. There should be continuous pentest and vulnerability scans to find the possible loopholes. These should be fixed as soon as possible too.
[PenTest Magazine]: Everyone (including us!) seems to talk about AI and ChatGPT these days. Did you try to use it in your work? Is it another tool to be used, or a huge challenge for cybersecurity professionals in the future? Are we going to see programs full of vulnerabilities written by inexperienced users? Or maybe swarms of easily developed viruses?
[Dinesh Sharma]: ChatGPT is a sensation nowadays. We are not relying on an AI-based tool to work on our critical infrastructure and complex cyber security tasks where we can not afford to make a mistake. People say it is like Iron Man who can do anything. It has both pros and cons like any other thing in this world. But let’s see what the results say:
Now, there are two thoughts on this. First, the OpenAI team who developed this, said that it can only provide the data used during its training. Like if some code-related questions are asked, then it can act like a search engine. It provides a code snippet, that’s all. It can’t make the changes in the code like humans. But some threat intel researchers found in their research that it is more than a search engine when code-related questions are asked. It can think like a human and can make changes in the code as well. Some other researchers found out that it can be used to make very evasive malware like polymorphic. It’s kind of a gray area as of now as it is in a very early stage to comment on anything on the ChatGPT. ChatGPT can be an assistant to humans but it can not be a replacement for humans.
[PenTest Magazine]: Any other trends you expect to dominate the cybersecurity field in 2023?
[Dinesh Sharma]: Nowadays, automotive hacking has become a new area of concern for cybersecurity engineers. Big automotive brands are even facing the same issue. Hackers are targeting the big car brands, which were previously considered secure. As we discussed ChatGPT in the previous question, it is basically an AI-based tool. AI can help to detect anomaly-based attacks but it can be a threat as well, if not used properly. Cloud is one of the emerging topics of 2023. Automation in cyber security has a bright future too.
[PenTest Magazine]: Thank you very much for the interview! Any final words to our readers? Where can they find out more about you?
[Dinesh Sharma]: Thank you for having me here. I am not very active on social media except LinkedIn. You can reach out to me on my LinkedIn Profile: https://www.linkedin.com/in/dinesh2/