My Internship Journey

Ratnakar Singh
Published in Appsecco
7 min read · May 8, 2023

A seamless journey of career growth @Appsecco, remotely working as a security intern.

Free vector art from https://freepik.com

The past few months were great for me; I’ve been remotely working with Appsecco as a security intern. During this journey, I’ve been assigned a lot of enthralling tasks that helped me to develop my technical, corporate, and soft skills. All of the tasks were more like “do it yourself”, which inspired me to learn and figure out things on my own. However, Mr. Riyaz Walikar (my mentor) was always there to help me with any difficulties I faced. On the first day itself, Riyaz told me, “Let’s not focus on what you know yet, our goal is to expect what you’ll be at the end of this internship.” By that time, I had realized that this journey was going to push me out of my comfort zone for sure.

Me getting out of my comfort zone

When it all started

Since the 5th semester of my college, I actively started participating in bug bounty programs and was also working as an SME for the CSE subject. I didn’t join any company after completing college due to some personal reasons, so I decided to continue the work that I was doing, along with preparing for OSCP, which I’d aspired to give when I was in college. On earning the certificate, I started looking for opportunities where I could work fully remotely.

After a few months, I got a job posting on LinkedIn from Appsecco and I applied for the same. A few days passed, and I got a call from HR followed by a link to an online quiz. I completed the quiz and scored enough to get a technical round interview scheduled with Riyaz. The interview went pretty smoothly; I was able to answer some of the questions and I didn’t have an idea about the rest of them. We discussed a few vulnerabilities such as SSRF, LFI, and a lot more. Some days passed and I got a call from HR about the next round with the CEO, Mrs. Smita Malipatil, and this was a non-technical discussion about myself and the work culture at Appsecco. After a couple of days, I got an internship offer for 6 months, after which I’d be confirmed as a full-time employee of the company. I accepted the offer and completed all the formalities with them.

Me accepting the offer

First Interaction with Riyaz

On the first day itself, I had a meeting with Riyaz and I was very excited and a bit nervous as well. While discussing the desired flow of the internship, Riyaz told me to set up a secure working environment (Unix VM) on my PC, get familiar with OWASP ASVS and create a list of things that I want to learn by the end of this internship. I took a few days to think and created the wishlist.

Me creating a wishlist

Assignments

The first assignment was to perform a professional vulnerability assessment of an intentionally vulnerable web application using the OWASP ASVS framework. This assignment was an eye-opener for me on how actual pentests are done. Before this, I’d never tested an application like this, hence this was a great learning for me. After completing the tests, I created a security report using the given format and submitted it. But after the submission, I realized that I had made a lot of mistakes while creating the report, from which I learned numerous points to keep in mind about how an effective report should be made.

The next assignment was even more interesting, where I had to develop a deliberately vulnerable web application. I had never developed a web application entirely from scratch, so I was really very excited that this was going to be fun for me. After watching a few tutorials and reading a few blogs, I jumped right into my VSCode for developing the application. After a lot of fuzzing, troubleshooting, debugging, and tinkering, the application got ready. I then containerized the application and pushed it to GitHub as was required in the assignment. I learnt a bunch of things about Dockerfiles, code repositories and actual programming.

Now it was time to move forward toward some cloud-related stuff. Honestly, I had no idea about cloud security at all, so I was a bit anxious but more enthusiastic about this assignment. The assignment was all about solving a cloud CTF challenge and documenting each step. After a lot of trial and error and learning new concepts, I completed the challenge. All the credit for getting comfortable with AWS security goes to this assignment, but it was just the beginning as there was a lot more to learn.

While doing a Kubernetes-related assignment, I faced a number of errors one after another and got stuck on one of them, for real this time. Even after a lot of struggle, I was not able to get what was wrong there and got frustrated.

Me getting no progress

It was time to call the helpline, you got it right — “Riyaz”. We connected over a call to figure out the issue and get it resolved. The art of troubleshooting is a skill not everyone has.

Similarly, there were a lot more interesting assignments that I enjoyed completing.

Learnings:

➣ Testing web applications based on the OWASP ASVS framework.
➣ Creating professional security reports.
➣ Calculating the severity of a vulnerability using CVSS v3.1.
➣ Creating a web application entirely from scratch.
➣ Using MongoDB as a backend and NoSQL for managing databases.
➣ Using Git for managing repositories and code changes.
➣ Implementation and mitigation of a few common web application vulnerabilities.
➣ Containerizing applications on Docker.
➣ The approach to enumerate cloud assets and some common attack scenarios related to it.
➣ How to perform OSINT on an organization.
➣ The working of Kubernetes and creating a cluster in AWS.
➣ Enumerating a cluster and some common attack scenarios related to it.
➣ Creating a static site and deploying it on a CDN via CLI and code pipelines.
➣ The importance of documentation and using markdown to do so.
➣ Last but not the least, “always believe that things are already vulnerable, we just need to find it.”

Fun Fridays

As I already knew that working remotely with Appsecco is NOT all about learning and working, we have a fun catch-up call too. In this call, we get a chance to know everyone and create a bond with them. Especially the one-liner jokes by Riyaz which are often difficult to explain but worth listening to as they are very funny. I wait for the entire week for this day, especially the fun game that we play organized by our HR.

Catch-up call on a random Friday

We often play Skribbl but anyone can come up with new ideas and our HR will arrange that game beautifully for us to enjoy.

So far (since I joined), we have played Tambola, Skribbl, Gartic Phone, Codenames, and guessing Bollywood movie names. I’ve been really excited about new games, but Skribbl is the one that is my favorite as I always feel that one day I can be at #1. Defeating Riyaz and Pranav to get to the first position is what I always try to do, as they are pros at it.

On one fine Friday, someone from the team came up with an idea to play a game called Gartic Phone. Initially, I had no idea about it and I felt like this was going to be boring. But in the end, while watching everyone’s albums, none of us were able to control our laughter; it was very hilarious to see how a sentence transforms into something really unexpected.

GarticPhone game on another random Friday

We even had Secret Santa on Christmas, in which all the members are divided into secret pairs, where one will be a secret santa and the other will be the giftee. The secret santa will know who their respective giftee is, and they have to gift something to them as per their wishlist. After the exchange of gifts, all the giftees have to guess their secret santa. Some of us wished for really hilarious things; I wished for a copper water bottle as I had been looking to buy one for a long time. While guessing the secret santa, some of us already knew about their santa due to some obvious reasons like delivery OTP sharing, but fortunately, my santa failed to guess me whereas I guessed my santa using some observation skills. It was Shruthi.

Secret Santa

Closing Note

So, this was a glimpse of my journey at Appsecco as an intern, learning stuff and enjoying myself at the same time. I was a bit scared of the word corporate, but working with Appsecco has busted this myth for me: not every work culture is as perceived.

Until I write again, thank you for reading — Ratnakar Singh :)
