We sat down with our first pentester here at Cobalt, Shashank, to learn more about him and his time with us. Since Shashank has been with us, the Core has grown to more than 300 pentesters. Along with being in the Core, Shashank has also started his own business, CredShields, which is building next-generation security services for web3 and blockchain; he is building a cloud-based smart contract vulnerability scanner called SolidityScan.com.
Where did your curiosity for ethical hacking start?
My story into security started almost 12 years back in middle school when one of my senior's Orkut accounts was hacked. I was amazed how this could happen. I spent nearly a month figuring out how it could have happened, and that's how I learned about phishing attacks.
While reading on the internet, I also learned that even websites could be hacked. This is how I learned about bugs like SQL injection and file upload bugs. It was fun to find bugs in websites, but the most troubling question was how could I use this skill? In 2013 I heard about Google and PayPal’s bug bounty programs. This is where my life changed. I spent months finding and reporting bugs in Google and PayPal, and one day, I received an email for a $200 bounty for my cross-site scripting bug and the very next week, a $1,000 bounty from PayPal. I was so happy to know that I could get paid to do something fun and challenging that needed a lot of creativity. This is how the journey of ethical hacking started.
What did ethical hacking mean to those around you? How did you explain the work you did to family and friends? Did they understand?
Explaining what I was doing to my friends and family was certainly not easy for me, and it took me a long time to explain it. My parents don't know much about computers, and I had to show them companies' hall of fame pages and official emails. I was under 18 when I started getting paid for finding bugs. I deposited all the money I had made from it into my Dad's account, and he was worried that I was doing something illegal. After matching the names in bank statements, he believed it to be true.
My parents wanted me to have good grades and get a job at an MNC. It took me almost three years to convince them that this could be a career option. They were worried as this was not like a full-time job. But during mid college years, I got a job offer as a security engineer at Deriv, and I was working for the Core, so I had a regular flow of income. After picking up jobs, I made more than anyone would get in India; I was paying my college fees and my expenses on my own. Cybersecurity was booming, and a lot of media blogs were interviewing me. After that, they never questioned it.
The fun part was when I started; my dad used to tell me to focus on grades and follow the traditional ways in India to get a job. But after seeing my success, he tells other parents that they should allow their children to follow passion rather than chase grades.
Did you have experience with other security communities at this point in your life?
I am well connected to security communities in India; they consist of pentesters, people working at corporate, Cobalt pentesters, and bug-bounty hunters. We mostly meet at security conferences, and a few are now like family and friends.
You’re Cobalt’s first official pentester. What are some of your first memories of working with the Cobalt Core?
Nine years ago, I heard about Cobalt on Twitter. At that time, Cobalt was CrowdCurity and technically a bounty platform. They launched their first program, and the scope was Cobalt; I found two bugs and got rewards for them. I can never forget that. Later Cobalt came up with this fantastic idea of pentests. I liked the idea because bug-bounty was getting exhausting with college in parallel.
Pentesting was better as I didn’t have to rush or worry about being duplicated. If I was close to finding a bug, but I had a lecture to attend, I could work on the bug after the class. Plus, now I had a friendly team to discuss my findings or seek help. I remember my first pentest, we were suspicious about a potential RCE, and then a team member managed to create a working PoC, and we all celebrated.
What has it been like watching this community grow? Could you imagine hundreds of pentesters back when you first started?
I believed in this idea from the beginning; it was solving the problem for pentesters and companies. I expected the community to grow, and it happened. Excellent hackers with a wide variety of skills make up the Cobalt Core. I get to learn a lot here.
What kind of professional are you now compared to the person who started here years ago?
I have grown a lot at Cobalt. It was an overall change. I believe there are two types of growth in a professional career.
First is the technological growth:
Every project at Cobalt is a new company using different technologies and frameworks. After working for four years and doing 100+ pentests, I never got outdated with my skills.
There were instances when a specific pentest opportunity was published, like a desktop application, and I was initially limited to web and mobile. So, I felt a force within me to learn, and I managed to diversify and add more skills to cloud infrastructure, desktop applications, etc.
Second is professional skills:
When I joined Cobalt, I realized I needed to work more on my report writing skills and communication to be a lead because clients are involved in the Slack channel. Cobalt promoted me to a lead after a few years as a pentester. Now I am always in touch with the client and answerable to them. I also need to ensure my team is not facing any blockers or constraints and help them out wherever required.
Why have you remained a Cobalt Pentester? What have we done to keep such a talented pentester in our community?
The biggest reason I have remained a Cobalt pentester is to keep my pentesting skills sharpened. Working on different pentest projects each month prevents my skills from rusting. Also, when I learn anything new, I leave a message to the TPMs (Technical Project Managers), and they have made sure I get a pentest related to that technology. The TPMs here care about new skills and give us enough chance to harden our unique skill sets.
Is there advice you’d give to people who are just joining Cobalt?
My advice is to not rush into picking up a lot of projects initially but instead focus on delivering the best performance. Then slowly scale up as your speed grows. Also, if you see any project you could not bid on due to a lack of skills or expertise in that area, make sure you are ready for it next time. Ask your TPM when you are ready, and you will get a chance.