
Traditional Pen Testing is Never Going to Guarantee Foolproof Security

In an exclusive interview with The Cyber Express, Ankit Singh talks about the need for cybersecurity's best practices in organizations and the necessity of skill sets to succeed in hacking.

Published September 21, 2022

Ankit Singh is an independent cyber security researcher, ethical hacker, and bug hunter. He currently ranks among the Top 85 Bugcrowd researchers globally and bagged the second position in the global Live Hacking Event with Indeed at Vegas Bug Bash 2022.

Over the years, Singh has been involved in several cybersecurity audits for the Govt. of India as well as finding bugs for big organizations, such as Microsoft, Apple, Yahoo, Twitter, Amazon, Visa, Adobe, Mastercard, IBM, and Western Union among others. Awarded the second position in the Okta Bug Bash 2021, a global live hacking event conducted by Okta & Bugcrowd, Singh was also rewarded 750,000 MileagePlus miles from United Airlines for reporting security bugs within their bug bounty acquisition. In 2021, he won the “Most Interesting Bug” award for Okta Bug Bash.

In an exclusive interview with The Cyber Express, Ankit shares his journey as an ethical hacker, how he succeeded in his career, and what skill sets helped advance him in cybersecurity.

Here is an excerpt from the interview.

TCE: What myth would you like to dispel about ethical hacking or cybersecurity in general? 

Ankit Singh: From my personal experience, the carelessness of organizations for not having a definite cyber security plan or strategy is itself a big problem. Still, there are organizations living in a myth that no one is going to breach through their application or server, and they just don’t bother about it unless a breach actually takes place. 

I remember in my early days of ethical hacking, when I was not aware that something like bug hunting platforms existed, I had found some RCE sort of bugs in the production websites of some organizations. I remember I tried hard to find their contact and called them about the issue, and they just hung up the phone before I could even complete it. 

Maybe they didn’t bother, or maybe they were not too sure about what security breaches are about.

TCE: If you could teach the entire world just one security concept, what would it be?

Ankit Singh: There is no hotfix for social engineering. No matter how secure your applications and servers are, no matter the number of firewalls and IDS/IPS you have in your setup, there is no treatment for the foolish acts that we may do knowingly or unknowingly. There have been many case studies in the past where some critical hacks were accomplished solely on the basis of social engineering. There must be a proper awareness plan and strategy to tackle social engineering attacks too.

TCE: From a cybersecurity standpoint, how far does cybersecurity certification help individuals in their careers? What is your take on cybersecurity certification vs. self-learning?

Ankit Singh: As per my personal experience, today, the emphasis is more upon what one is capable of, about one’s skill set rather than the papers we’re holding. I’ve seen many successful ethical hackers and researchers coming from entirely different backgrounds and streams making an impact in the cybersecurity industry.

As far as the professional career goes, today’s organizations tend to assess more of your industrial skill set rather than relying upon what your documents say. If you’re aspiring to join a research team or a product-based organization, then most of the time, it would be your skill set that would matter.

If you’re opting for a service-based organization, then such organizations would need to outsource resources to their clients, so in such cases, your certifications may help. No doubt that certification may play as an add-on, but ultimately it’s your skill set that largely determines your career aspirations. 

TCE: What security incident or event had the most significant impact on your life? 

Ankit Singh: Prior to the epidemic, I was a regular participant of Null events. But afterward, I started following some of the presentations from the virtual conferences. The research presentations by James Kettle had the most significant impact on my security journey. His intense research in the field of web cache poisoning and HTTP desync attacks is just incredible and personally inspired me a lot.

TCE: What do you wish other people understood about ethical hacking and your work?

Ankit Singh: I wish I could help change the world’s perception towards “Hacking.” I want them to look at it from a perspective of “art” and one’s “creativity” rather than merely a subject or skill. Your understanding of technology is the “subject,” and the additional creativity you employ is “hacking.” 

Since technology will always be enhanced and applications will always be developed, there won’t be any boundaries to hacking. So this can never be referred to as a particular “subject.” 

This way, the organizations would understand that the number of firewalls, IDS/IPS, or traditional pen tests does not guarantee you foolproof hardened systems because there are no limits for creativity, and so it applies to hacking. 

TCE: From a bug bounty standpoint, India is not in the big leagues compared to countries like the USA, where all the major government bodies run bug bounty programs. Even though India has produced some of the most phenomenal ethical hackers, the Indian government does not provide equal opportunities for young talents to show their skills. Why do you think there is a trend like that in India?

Ankit Singh: “Traditional pen testing is never going to guarantee you foolproof security.” I have been on both sides of the profession, a full-time penetration tester and now a full-time bug hunter. And I’m absolutely aware that traditional pen tests are not capable enough to cover up all of your bugs. Because as I said earlier, “Hacking” is not a subject, but it’s just about the creativity you invest in.

You’re never too sure from where a cybercriminal would craft their creativity to intrude and breach into your systems. So I strongly believe that having a bug bounty program for your assets (rather be it in a staging environment if concerned about the real-time impact) would definitely help to uncover the never-seen-before security flaws. 

TCE: Do you have a prediction or hunch about how cybersecurity will change in the future? 

Ankit Singh: As I said earlier, technology will be ever enhancing and expanding, and so the scope of opportunity to intrude through the technology would also augment in parallel. With the sophistication in machine learning and AI, there would be a more complex but enhanced form of cyber security that would emerge.

Alongside, cyber threats would also grow in scale and complexity. So this war of cats and dogs will always remain a mainstream issue. As part of this cyber security community, our objective should be to “White Hat” the cyber world. 

Cybercriminals would 24*7 seek to strike our critical infrastructure and harm our economy. And as part of the crowd, I aspire to outsmart myself and the cyber world enough to evolve the true responsibility before a security breach.

Written By
Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.

2 Comments

  • Hello sir, can you write a book on hacking and in Indian version.

  • I am curious about how to start, where to start for cyber?
