The Cobalt Core is full of 400+ pentesters from all over the world with different experiences and expertise. Each of them has a different story, a different journey, different techniques, and a different why. This month we spotlight Rajanish Pathak, who hails from Goa, India, and works as a Security Researcher.
Rajanish began his security journey driven by a deep curiosity about how systems function and how logical processes can be defeated or bypassed.
"From a young age, I was passionate about computers and constantly strived to excel in my endeavors," he said. "During my college days, I discovered Bug Bounties and became engrossed in discovering vulnerabilities, spending countless sleepless nights pursuing this endeavor."
Those experiences made him realize that cybersecurity was the path he wanted to pursue long term.
Rajanish has been professionally engaged in the security domain for the past six years, where he has gained valuable experience across a diverse spectrum of clients and roles.
"This includes a significant focus on penetration testing, where I have enhanced my skills in assessing and identifying vulnerabilities in various systems and implementations," he said. "Alongside my pentesting experience, I have also taken on different roles within the security field, further broadening my expertise in this dynamic and ever-evolving domain."
Rajanish's day-to-day work consists of overseeing end-to-end processes as a member of his company's product security assurance team. His duties span a range of responsibilities, including conducting threat modelling, defining the security architecture of essential components, and verifying their implementation through security assessments.
"Additionally, I am actively cultivating my skills in the DevSecOps field and progressing towards becoming a subject matter expert in application security as a whole."
His favorite projects are those that evaluate enterprise applications with multiple user roles and complex functionality. Burp Suite has been his go-to tool.
Time at Cobalt
Rajanish has been a part of the Cobalt Core for two years and finds Cobalt compelling because of the diverse array of projects and clients he engages with.
"This allows us to gain exposure to a broad range of product portfolios across various industries, including banking, fintech, e-commerce, and more," he said. "Working alongside teammates with a proven skillset in security provides excellent opportunities for collaboration, networking, and learning."
"In a recent Agile engagement with Cobalt, I had the opportunity to work on a customer's problem statement related to their CSP (Content Security Policy) implementation on one of their features. Our task was to assess the CSP implementation and provide the best possible recommendation, considering both security and usability factors. Identifying the optimal configuration was an interesting and unique challenge, setting it apart from my previous engagements with Cobalt, and I was glad that it was accomplished."
Even as the field of pentesting has evolved over time, the job can still carry a negative connotation. Rajanish often encounters customers who still perceive his team as adversaries.
"I like to emphasize that as security professionals, our goal is not to create more work for our customers, but rather to work alongside them to improve the security posture of their solutions."
Rajanish says it's essential to establish a collaborative partnership and open communication so that any concerns can be addressed and the best possible outcomes achieved for customers. For customers to protect themselves, he recommends a multi-layered approach to cybersecurity: building security into the SDLC, constantly monitoring for abnormal behaviors and patterns, and immediately patching the components in use whenever a security release or update is published.
"I would also recommend prioritizing the human factor as it plays a crucial role in protecting against attackers in the realm of cybersecurity and can often be the weakest link in an organization's cybersecurity defense," he said. "It is important for all customers to prioritize employee training and awareness programs to educate their workforce about safe browsing practices, email hygiene, and social engineering attacks like phishing, thereby promoting a cybersecurity-conscious culture throughout the organization."
Looking ahead to what's to come
What does the future of the industry look like? According to Rajanish, we will likely see increased use of artificial intelligence (AI) and machine learning in cybersecurity with a heightened focus on IoT, blockchain, and cloud security. He predicts there will be a constant effort to bridge the talent and skills gap as technology replaces a skilled workforce. For him, though, that day isn't here yet.
"My philosophy is to live one day at a time," he said.
His short-term goal is to become an accomplished Subject Matter Expert (SME) in application security. Looking at the long term, he hopes to venture into entrepreneurship and establish his own security or tech startup. And he has no plans to stop learning.
"My approach to learning new things differs from the conventional method," he said. "Putting myself in challenging and demanding situations brings out the best in me, leading to significant learning opportunities. I enjoy taking on challenges like participating in CTFs, solving complex problems, and collaborating actively with my peers. This approach has allowed me to accumulate a wealth of knowledge and experience over the years."
As mentioned above, Rajanish is from Goa, India, which he enjoys because of its relaxed, laid-back atmosphere and natural beauty. In his free time, he enjoys learning about non-tech things such as aviation, cars, geopolitics, astronomy, etc. He also enjoys the outdoors, often kayaking, hiking, or karting. If you are ever in Goa and see a group of friends riding motorcycles together, give Rajanish a wave.