SecurityStories


SecurityStories - 52 Weeks, 52 Stories

Story - 7: Featuring Mrityunjoy Biswas

Mrityunjoy Biswas

Through the SecurityStories series, today we are excited to bring forward the story of Mrityunjoy Biswas, a highly skilled hacker and security professional from Bangladesh. He is one of the finest pentesters in the Cobalt Core and has extensive experience in application security.

Let’s jump straight into learning more about him and his experience.

Question: Could you briefly introduce yourself?

Mrityunjoy Biswas: My name is Mrityunjoy Biswas, and I am an experienced expert with a keen interest in cyber security. I have a background in bug bounty hunting and pentesting. I used to be an active bug bounty hunter at HackerOne and Synack. Currently, I’m pursuing my bachelor’s degree in computer science, and I am also working as a Team Lead and Core Pentester at Cobalt, where I lead pentest engagements. I am very passionate about security and have a proven track record of finding and remediating vulnerabilities.

Question: How did you get started in Cyber Security?

Mrityunjoy Biswas: Back in my school days, I became interested in cybersecurity. I was intrigued by the stories of people who could earn rewards, or “swags,” for reporting security vulnerabilities to companies. In addition, I wanted to learn more about bug bounties and Ethical Hacking. Determined to learn as much as possible about these topics, I began teaching myself all I could about the field. I spent countless hours studying and practising, immersing myself in cybersecurity, and developing my skills and knowledge. It was a challenging but rewarding journey.

During that time, I discovered my first vulnerability, a stored cross-site scripting (XSS) vulnerability in Yahoo’s mailbox. I decided to report it to their bug bounty program at HackerOne. The company responded quickly and began to triage my finding within hours. A week later, I received a notification that I had been rewarded with a $10,000 bounty for my discovery. It was the first bounty of my cyber security career, and I was shocked. I couldn’t believe I had received such a generous reward for my first bug submission. It was an exciting moment that further fueled my passion for cybersecurity and bug bounty hunting.

I became determined to master the latest tools and techniques in the field. I threw myself into learning about security automation and participated in various bug bounty programs to put my skills to the test. My dedication paid off as I earned recognition from top organizations and was listed in the “hall of fame” of over 300 companies, including major tech giants like Google, Yahoo, Mozilla, Twitter, GitLab, Snapchat, Microsoft, Intel, Valve, HackerOne, and Synack. It was gratifying to be recognized for my contributions, and I continued to push myself to excel in the field.

Question: What were the initial challenges and blockers you faced?

Mrityunjoy Biswas: As a security professional, I faced several challenges early on in my career. One of the biggest obstacles was staying up to date with the constantly evolving landscape of cybersecurity. With new threats and vulnerabilities emerging regularly, I needed to continuously learn and adapt to stay ahead of the curve.

Working with sensitive information also presented its own set of challenges. As a security professional, I had access to sensitive data and systems, and I was responsible for handling this information with the utmost care and adhering to strict confidentiality protocols.

In addition to these challenges, I had to work within time and budget constraints and maintain objectivity while conducting assessments and implementing security measures. This could be challenging, especially when the results reveal vulnerabilities or weaknesses in the organization’s systems. Finally, I had to be prepared to handle negative feedback and handle it professionally.

Question: What is the learning methodology you followed or still follow?

Mrityunjoy Biswas: As a security professional, I followed several approaches to learning and staying up to date in the field. One of my most valuable methods was attending conferences and workshops, which offered in-depth training and the opportunity to network with other professionals.

I also made it a habit to stay connected to the latest trends and news in cybersecurity by reading industry publications, writeups, and security articles. These resources provided flexible, self-paced learning opportunities and covered various topics.

In addition to formal learning opportunities, I practised my hands-on skills through exercises and simulations. This helped me stay proficient in my craft and allowed me to apply my knowledge in a practical setting.

Finally, networking with other professionals was a valuable resource for learning and collaboration. Also, by building relationships with my peers, I could share knowledge and insights and stay current on the latest developments in the field.

Question: What certifications do you hold, and which certifications would you recommend to the readers?

Mrityunjoy Biswas: I hold the eWPT (Web Application Penetration Tester) and eCPPT v2 (Certified Professional Penetration Tester) security certifications from eLearnSecurity.

I would recommend the readers look into acquiring the following certifications:

  1. Certified Information Systems Security Professional (CISSP) - This certification is one of the most sought-after security certifications in the industry. It is designed to help validate an individual’s knowledge of information security standards and practices.

  2. Offensive Security Certified Professional (OSCP) - This certification helps validate an individual’s ability to identify and exploit vulnerabilities.

  3. Offensive Security Web Expert (OSWE) - This certification helps build a practical understanding of white-box web application assessment and security.

  4. CompTIA Security+ - This certification covers networking, operational security, access control, and organizational security.

  5. CREST - CREST Certifications are recognized worldwide by the professional services industry and buyers as the best indication of knowledge, skills and competence.

Question: What is your favourite thing to hack on?

Mrityunjoy Biswas: My favourite thing to hack on is web and mobile applications. With web & mobile applications, I can explore and exploit their vulnerabilities to uncover security flaws and improve their security features. I enjoy the challenge of finding weaknesses and developing strategies to protect them from future exploitation. Some of my favourite attacks are Remote Code Execution, SSRF, XXE, SQL Injection, and Broken Access Control vulnerabilities.

Question: What does your tool arsenal look like - Could you share some?

Mrityunjoy Biswas: To kick off my recon phase, I utilize subdomain enumeration tools, Nuclei, waybackurls, gf by tomnomnom, Project Discovery tools, and Burp Suite. In addition, I also use a variety of custom scripts and other tools depending on the task at hand.

Some of the tools in my arsenal include the following:

  1. Nmap: An invaluable network mapping tool that allows me to scan for open ports, detect operating systems and services, and more.

  2. Nessus: An industry-standard vulnerability scanner that can detect potential risks and security vulnerabilities.

  3. Burp Suite: An integrated platform for performing security testing of web applications.

  4. Metasploit: A robust framework for exploiting networks and systems.

  5. SQLMap: A tool for automated exploitation of SQL injection vulnerabilities.

  6. Dirsearch / FFUF: These allow users to perform complex web content discovery, with many vectors for the wordlist, high accuracy, impressive performance, advanced connection/request settings, modern brute-force techniques, and excellent output.

  7. MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
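To make the recon flow above concrete, here is an added example of the kind of filtering that gf-style patterns do on archived URL output. This is my own illustration, not code from the interview, from Cobalt, or from tomnomnom's gf: it takes URLs of the sort `waybackurls` emits, collapses duplicates that differ only in parameter values, and buckets the rest by the sink family their parameter names hint at. The parameter-name lists and the sample URLs are constructed assumptions, not real gf patterns or real data.

```python
"""Triage archived URLs by query-parameter name, gf-style.

Added example, not Mrityunjoy Biswas's code and not tomnomnom's gf. The
pattern lists are an assumed short selection; real pattern sets are larger.
"""
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly reach each sink family (assumed selection).
PATTERNS = {
    "ssrf": {"url", "uri", "dest", "redirect", "next", "callback", "domain", "host", "feed", "to"},
    "xss": {"q", "s", "search", "query", "keyword", "name", "comment", "message", "lang"},
    "sqli": {"id", "page", "category", "select", "report", "order", "sort", "view"},
    "lfi": {"file", "document", "folder", "path", "template", "include", "doc", "style"},
}

# Constructed sample of what `waybackurls example.com` might print (not real data).
SAMPLE_URLS = """\
https://example.com/
https://example.com/search?q=shoes&page=2
https://example.com/search?q=hats&page=3
https://example.com/redirect?url=https%3A%2F%2Fexample.com%2Fhome
https://example.com/download?file=report.pdf
https://static.example.com/js/app.js
https://example.com/profile?id=42&lang=en
https://example.com/fetch?callback=jsonp123
""".splitlines()


def param_names(url: str) -> set[str]:
    """Return the set of query-parameter names in a URL (empty if none)."""
    return {name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}


def dedupe_by_shape(urls):
    """Keep one URL per (host, path, parameter-name set).

    Archive dumps repeat an endpoint with many different values; for deciding
    what to test only the parameter names matter, so identical shapes collapse.
    """
    seen = set()
    kept = []
    for url in urls:
        parts = urlsplit(url)
        shape = (parts.netloc, parts.path, frozenset(param_names(url)))
        if shape not in seen:
            seen.add(shape)
            kept.append(url)
    return kept


def triage(urls, patterns=PATTERNS):
    """Bucket URLs by the sink family their parameter names suggest.

    Returns {category: [url, ...]}. A URL may land in several buckets; URLs
    with no matching parameter are dropped. Names are compared lowercased,
    so `URL=` and `url=` match the same pattern.
    """
    buckets = {name: [] for name in patterns}
    for url in dedupe_by_shape(urls):
        names = {n.lower() for n in param_names(url)}
        for category, wanted in patterns.items():
            if names & wanted:
                buckets[category].append(url)
    return buckets


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_URLS).items():
        print(f"[{category}] {len(hits)} candidate(s)")
        for hit in hits:
            print("   ", hit)
```

In a real pipeline the sample list would be replaced by piping `waybackurls` output into the script, and each bucket would feed the matching manual test or a targeted Nuclei template run rather than blind scanning of every archived URL.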

Question: How do you cope with Burn Outs?

Mrityunjoy Biswas: Burnout can be a real challenge when it comes to hacking. I like implementing a few strategies into my work routine to prevent burnout while hacking. This can include taking regular breaks to stretch and relax, setting clear boundaries between work and leisure time, and prioritizing self-care activities like exercise and getting enough sleep.

I also like to make sure I’m taking time to do something I enjoy outside of work, whether going for a walk, playing sports, or watching movies. Additionally, it is helpful to vary my tasks and projects, seek out professional development opportunities, and learn to keep things fresh and exciting. Finally, I communicate with my team and colleagues about my workload and any challenges.

Question: What would you advise the newcomers in Cyber Security?

Mrityunjoy Biswas: As a security professional, I would advise newcomers in Cyber Security to always be curious and never stop learning. Technology is constantly changing and evolving, so to stay ahead of the curve, newcomers must stay up-to-date on the latest trends and techniques in the industry. This could include learning programming languages, networking protocols, and operating systems. It’s also essential to stay current on the latest trends and developments in the field, as the landscape is constantly evolving.

Also, I advise newcomers to get involved in the community by attending conferences and events, joining online forums, and connecting with other professionals in the field. In addition, I recommend gaining hands-on experience through internships, hackathons, continuously participating in CTFs, and other practical opportunities to apply what you’ve learned. Finally, I encourage newcomers to build a network of professionals in the industry, as having a support system and mentors can be invaluable for learning and career development. All of these tips will help newcomers excel in Cyber Security.

Question: How do you keep up with the latest trends and developments in cyber security?

Mrityunjoy Biswas: I like to keep up with the latest trends and developments in the cybersecurity field by regularly reading industry publications and blogs, attending conferences and events, and participating in online communities.

Some of my go-to resources for staying informed include:

  1. Black Hat and DEFCON - These are two of the most well-known annual conferences in the cybersecurity field. They offer a wealth of information on the latest trends and techniques in the industry.

  2. Reddit’s r/netsec - This subreddit is an excellent resource for staying up to date on the latest news and trends in the field, asking questions, and engaging in discussions with other professionals.

  3. Security blogs: Reading security blogs is a great way to stay on top of the latest trends in cyber security. Some examples include:

  4. Twitter: Twitter is a great place to follow security experts and stay up to date with the latest news in cyber security.

Question: What’s your life like outside Hacking?

Mrityunjoy Biswas: As a security professional, I have various interests and hobbies outside of work. As I said before, outside of hacking I am currently pursuing my bachelor’s degree in computer science. Some of the activities I enjoy include staying physically active: I like to go for runs, bike rides, and hikes, and I also enjoy participating in sports. On weekends, I love playing football with my friends. I love exploring new places and experiencing different cultures, and I take at least one international trip each year. I also enjoy spending time with friends and family; I value my relationships with the people close to me and try to make time for social activities and gatherings.


Did you find Mrityunjoy Biswas’s story interesting and inspiring? Please share it with your friends and colleagues to spread the word.

We will be coming up with more exciting and inspiring stories weekly.
