Cyber Consulting Room

Cyber Consulting Room - Episode 5 - Sid Siddharth

December 19, 2023 Gordon Draper Season 1 Episode 5

Welcome to the Cyber Consulting Room Podcast, where we delve into the minds of influential figures shaping the landscape of cybersecurity. In today's episode, we have the privilege of hosting Sid Siddharth, a luminary in the field of information security. Sid's journey is a testament to his entrepreneurial spirit, transitioning from a serial infosec entrepreneur to an angel investor, with a keen eye for setting up and scaling businesses. A distinguished graduate from IIT Kanpur (India), Sid brings over 15 years of invaluable experience to our conversation. His passion for collaborating with brilliant minds and breathing life into cutting-edge technologies is truly inspiring. Sid has graced the stages of renowned international security events like Black Hat, DEF CON, and HITB, sharing his insights and expertise. Notably, he has contributed significantly to the field through authored articles, exploits, whitepapers, and even authored books on crucial topics surrounding application and database security. Join us as we unravel the experiences and wisdom of Sid Siddharth in this exclusive podcast interview.

Gordon Draper (00:03):
Hi, I'm Gordon Draper. Welcome to the Cyber Consulting Room podcast, where we delve into the minds of influential figures shaping the landscape of cybersecurity. In today's episode, we have the privilege of hosting Sid Siddharth, a luminary in the field of information security. Sid's journey is a testament to his entrepreneurial spirit, transitioning from a serial InfoSec entrepreneur to an angel investor with a keen eye for setting up and scaling businesses. A distinguished graduate from IIT Kanpur in India, Sid brings over 15 years of invaluable experience to our conversation. His passion for collaborating with brilliant minds and breathing life into cutting-edge technologies is truly inspiring. Sid has graced the stages of renowned international security events like Black Hat, DEF CON and Hack in the Box, sharing his insights and expertise. Notably, he's contributed significantly to the field through authored articles, exploits, white papers, and even authored books on crucial topics surrounding application and database security. Join us as we unravel the experiences and wisdom of Sid Siddharth in this exclusive podcast interview.

Gordon Draper (01:21):
Hi, I'm Gordon Draper and I'm the host of the Cyber Consulting Room podcast. I'm at Black Hat training sessions today in Las Vegas, and I've got Sid Siddharth with me who is the CEO of the SecOps Group. 

Sid Siddharth (01:35): 
Thank you, Gordon. Thanks for having me. Thank you. Pleasure to be here.

Gordon Draper (01:38): 
Can you give us a bit of a background about yourself? 

Sid Siddharth (01:41): 
I'm the founder, director, CEO of the business, the SecOps Group. This is my second business. I started off as a pen tester 16 years ago, spoke at numerous Black Hats, DEF CONs, Hack in the Box, did the usual hacker stint, which is articles, exploits, advisories, books, white papers, those kinds of things, t-shirts, coffee mugs. I transitioned from a techie to an entrepreneur in 2013. I founded a business in 2013 called NotSoSecure, which was a consultancy and training business that did pretty well. In 2018, I sold that business to a company called Claranet Group. That was my first exit, and then two years later I had the entrepreneur itch again and I picked up from where I left and I said, I can do this again and possibly bigger and better and different. I can do it along on that previous learning, hopefully get to where I was quicker. So yeah, with that in mind, I started SecOps Group, which has now been going for two years, and we are at 22 consultants in that business. 

Gordon Draper (02:38): 
That's really good. It's 22 consultants for just a couple of years. You're not a brand new name, so people will flock to you, which is good. 

Sid Siddharth (02:48): 
Yeah, I mean, we have been blessed. I've had a good name in the industry. People have reached out. You always have the previous experience to dwell on, which really helps in general when doing something again. You will probably find that you can get to the same point much quicker than what you did last time. You have something to dwell on: what worked, what did not work, so let's not do that. Plus your risk appetite is slightly bigger. When you're a first-time entrepreneur, you spend cautiously. 

Gordon Draper (03:14): 
Yeah, you don't have as much safety net. 

Sid Siddharth (03:15): 
Right, right, right. So you're a little bit more bold, a little bit more adventurous second time round. Now I have a different challenge, wherein my challenge is: can I go one step higher than where I was? 

Gordon Draper (03:23): 
I guess that sort of leads me to one of my questions, which is: how did you get into cybersecurity slash information security? 

Sid Siddharth (03:30): 
Oh, and that has been, it's been a long time, going back 60 years, where I used to have some hair, I suppose, in the uni days. So I graduated from India's number one university, or was fortunate enough to graduate from there, which had a fantastic network. You're talking 2000 and... well, I went into the university in 2001, when hacking was not necessarily an established field. Pen testing wasn't really a term that too many people knew of. If you told them that you did hacking for a living, people would look down upon you. The university had a very good network. Network security was a thing. So I picked it up. I did not graduate from computer science. I graduated from material science and metallurgy. But in the second year of engineering I realised I made an error and I need to fix it now before it's too late. So fortunately, I picked up hacking during the university days and by the end of fourth year I was pretty sure this is where I want to go in. I've always been very clear in my head: if there's one takeaway people should take away from wasting or spending 30 minutes listening to me, it is clarity of thought.

Sid Siddharth (04:31):
To me, that has stuck as the one very key phrase in my life. The sooner you get the clarity of thought, the better it is for you. 

Gordon Draper (04:39): 
Better you can make actions on it, right? 

Sid Siddharth (04:40): 
Even if you make bad decisions, at least you are clear what you're doing. Especially in the startup world, there is a thing called fail fast. Again, for that also, you need to have clarity of thought there. You tried, you failed. Okay, let's move on. 

Gordon Draper (04:54): 
Yeah, it's the reality of that feedback loop. 

Sid Siddharth (04:56): 
You're right.

Gordon Draper (05:01): 
Yeah, definitely. So you decided in university. So for me, I did my undergrad in electrical engineering around the same time. So I finished up in 2006. My favourite subject elective was computer network security taught by Matt Barrie, who now runs Freelancer, but it was based on a Stanford computer network security course. 

Sid Siddharth (05:20): 
If you look at the majority of the folks in the InfoSec space, hardly maybe 5% or even less would've actually had a degree in computer science at the time. Even now. 

Gordon Draper (05:29): 
Well, some of them are transitioning in and they're bringing in a Master's to do the transition. That's my path. I went down a Master's of IT security and came into a space where I could transition from electrical engineering and power, and power is still a very critical industry. So it's a very interesting field. 

Sid Siddharth (05:51): 
The way I look at it is always that pen testing is when you change the application logic or make it do things it is not intended to do. That field attracts people with that sort of mindset, and that sort of mindset you can't necessarily train or teach in any university. You're either born with it or you have a natural inclination towards breaking things, et cetera. To me, it is actually very heartening when I see people without so much educational background, or relevant educational background, still doing really well.

Gordon Draper (06:21):
Did you always want to be in cybersecurity though? I suppose the metallurgical analysis engineering, you signed up to start that degree. 

Sid Siddharth (06:29): 
Thank God for that. Otherwise, I would be making iron and steel somewhere in some furnace. After I graduated from IIT, I took up a job at IBM because from campus the bus comes and everybody sits in that bus and everybody becomes a software engineer, at least in India, and I was also one of the passengers in that bus. Two months down the line I realised, no, no, no, this is not going to happen. I'm not going to end up becoming yet another minion typing on a keyboard for somebody. So yeah, that was a good decision. 

Gordon Draper (06:54): 
I suppose that as an engineer or as a consulting engineer, IBM. So they do a few different things. 

Sid Siddharth (07:00): 
Yeah, I mean for me, I've not really been suitable for corporate lifestyle. I realised it early on after that. I've always worked in startups or had my own startup at one point in time. One of the startups I used to work for got acquired by a big enterprise and I ended up again in the enterprise irrespective of my life choices, but that didn't last long. 

Gordon Draper (07:19): 
So do you have any other education qualifications other than the undergrad? 

Sid Siddharth (07:25): 
Not really. I took some training courses. Mostly it has been self-learned, and I think you will find most people in our industry are self-taught. Definitely, especially at that point in time, there weren't necessarily any defined or great training courses. Certainly not as many as you have right now. I mean, right now the internet is just full of resources, easily available resources, free resources, good resources, labs, VMs, all sorts. 

Gordon Draper (07:48): 
It's a lot different than what it was even 10 years ago.

Sid Siddharth (07:51): 
Right, right, right, right. It's constantly evolving. 

Gordon Draper (07:55): 
So you are here with the SecOps Group at Black Hat, helping them out with the Black Hat Certified Pentester exams. Can you tell me a little bit more about that? 

Sid Siddharth (08:05): 
The previous business was a training business. We did a lot of trainings. When I started this business, I was fed up with trainings. So I said, look, I want to get back to Black Hat. I want to get back to the industry, which has given me so much, but I just do not have the time and capacity to do trainings again. So we looked at the model and we said, we are going to create exams. Being an independent authority who only runs exams and not the trainings, it'll give us a lot more credibility in time to come. What we've done is we've created exams and we have exams at different levels. We have an entry-level examination category, under which we have entry-level AppSec practitioner, entry-level network security practitioner, AWS security practitioner, blockchain practitioner, and then we have professional exams, which are hands-on hacking exams. And under our professional exams we have, again, application pen tester, network pen tester, Android pen tester, and we are adding some more categories to it. Again, AWS, Azure pen tester, et cetera, et cetera. So we reached out to Black Hat and we said, of all these things that you do, why don't we include an exam-only track in which people come and validate their skills in a proctored environment? You have already validated people's ID before you have given them their badge. We know who they are, and if they sit and take an exam in a proctored environment, 

Gordon Draper (09:16): 
That's a good idea, an in-person proctored exam.

Sid Siddharth (09:18): 
Right, which will be one of its kind. So Black Hat training really liked the idea. So this is the inaugural exam that we are doing and we are fortunate enough to partner with the likes of Black Hat. And my vision with this is that I will be Black Hat's guinea pig and I'm introducing Black Hat Certified Pentester, and maybe next year, under the certification or examination track, they can have five more exams. Reverse engineering expert or malware expert or anything; the sky is the limit. 

Gordon Draper (09:44): 
Definitely. You've also run NotSoSecure and the SecOps Group; your bread and butter is consulting as well. That means that you are having to look for consultants to employ. So what challenges do you come across in the hiring of the right consultant for the right job? 

Sid Siddharth (10:00): 
I think hiring is challenging. In our sector, earlier it was lack of talent. These days, because of the state of the market and the economy, we are getting a lot of people available, and you have to make sure that people cannot just talk the talk but also walk the walk. Unfortunately or fortunately, we are living in a world where people are blessed with so many options. I don't know if you recall, in our days we used to have Paros proxy; even Burp wasn't there back then early on. So every single exploit, every single exploitation was made of blood, sweat, and tears. Now, in today's day and age, people are fortunate enough to have really modern, state-of-the-art tools, and the challenge then becomes: yes, you can run a tool and you can make the tool do what it's supposed to do, but do you actually still understand the basics? Do you still understand the art and the craft and what goes on in the background, so if you get stuck, you have the troubleshooting skills as well? I think that is the number one challenge we are getting. A lot of people who come from a bug bounty background, they know one or two classes of exploitation or vulnerabilities and they are happy to spray those across multiple targets and think that they're really good.

Sid Siddharth (11:03):
Pen testing or consultancy is different. You have to be thorough. You need to have a breadth of expertise across AppSec or whatever you are selling. I think those are the challenges. Making sure that you have an examination process or certification process or screening process to validate those kind of skills is important. Fortunately with our exams, we use them in our recruitment process. We are also helping other enterprises with our exams. 

Gordon Draper (11:28): 
That's actually pretty cool. You mentioned that you have spent some time as a consultant. Which countries have you been a consultant in for cyber? 

Sid Siddharth (11:36): 
I did one year in India, starting off with a company called NII Consulting in Mumbai. And then I was fortunate enough to take a job in the UK, at a company called Portcullis. In 2006 I had entered to work for this company and I was thrown into a mix in a room. Back then there was no work-from-home culture. Everybody was in an office, these geeks and nerds in a room, 20-odd nerds. And as things turned out, or now when I look back at those times, I was so fortunate to have worked with some of the best talents in the world. So I'll give you some names, and that may surprise you. One of the names in that room was Alberto, the guy who wrote sqlmap. The other name was a guy called Ferruh Mavituna, who would go on to write a tool called Netsparker, which is now Invicti, a unicorn. Another guy wrote a tool called Nipper, a Cisco firewall rule set auditing tool. Alberto, who wrote sqlninja. Do you know the website called Pentest Monkey? That guy was in the room as well, one of our best friends. The role of beer in somebody's success or failure I think is less documented, once you get put into the right mix and you are surrounded.

Gordon Draper (12:41):
Culture is king. With the environment, with people that are experts in their field and everyone's getting along with each other, while there's friction in all situations, as we know. But the ideal is that everyone gets along. 

Sid Siddharth (12:58): 
And when I got thrown into that culture or that mix of people, my immediate reaction was dissent or disagree that, look, I know I'm better than these people. And maybe somewhere over a period of time I had to let go of that ego and understand that these guys are actually miles better than me and I have two options either to sit on my ego or to actually learn from them. And when I crossed that bridge, suddenly life was like, wow. My advice to people is be open to change. Be open to accepting that this guy is actually better than you and learn from him.

Gordon Draper (13:29):
I'm fairly humble myself. I don't like going around measuring myself against other people. It's all about what you know and how you apply it, and it doesn't matter how you are against other people. 

Sid Siddharth (13:43): 
And I'll share some thoughts on that. I think you asked me some very good questions about recruitment. I think, and this is just my entrepreneur take on it, my philosophy on this is: some employers take the view that this guy is only ever going to work for me. Nobody's going to work for anybody forever. Okay? The sooner we accept it, the better. We all are going to get a window of opportunity to work with or for each other and we need to make the most of it. So I was fortunate enough to hire some people who would then one day come to me and say, I want to leave the business. I want to start my own business. And I knew that I had spent three years, four years with them and they are geniuses at what they do. Chances are that if they start their business, they will be successful again and maybe even more successful than me. So I was open-minded: okay, look guys, what are you doing? Maybe I can invest some money in your business, be part of your business. And that's how some of my initial investments, or my journey as an angel investor, started. My advice to people who hire people: don't put labels on people. Yes, you may have hired him for the role of pen tester. Over time, try to appreciate and understand his ability to do above and beyond things, and try to create a role for that person and see how much better he can do. Again, it's all about that window. 

Gordon Draper (14:52): 
You've only got a certain amount of time with each person that you're working with. Something that I'm noticing is that consultants are looking to do some work outside of their business as a side hustle kind of thing. So just curious, do you allow your consultants to work or do you have non-competes? 

Sid Siddharth (15:10): 
So when I started SecOps Group, we had a very open policy and we still have it, and we were very open culture about it. Testers are going to do bug bounty in their own time, whether you like it or not. Whatever you want them to sign, they will sign it, but they'll still do it. So the sooner you realise and accept it and create a culture to still accept it, and maybe not necessarily encourage it, or encourage it during working hours, but 

Gordon Draper (15:31): 
Obviously, as long as it's not going to impact... right, evenings and weekends. Right, right.

Sid Siddharth (15:36): 
As long as they're fresh in the working hours, as long as those boundaries are respected, I think everybody wins. At the end of the day, not everybody goes through a hundred percent utilisation. If people have downtime and they want to enhance their skills and get benefit out of doing bug bounties, why would I have a problem with it? 

Gordon Draper (15:53): 
That's an interesting situation because if you've got bench time in the consultancy and they're doing some vulnerability research for bug bounties, that's on your time. 

Sid Siddharth (16:03): 
I don't wait because I don't have anything else to get them occupied. I hope that when they do release a bug bounty, et cetera, they might be able to credit the company or whatever they've learned or acquired in that process. We rub off each other. Oh, definitely. And we will be collectively better. 

Gordon Draper (16:17): 
So what is one of your most memorable experiences when you have been consulting on cybersecurity? 

Sid Siddharth (16:24): 
This goes back again more than a decade, et cetera, but possibly some of my working colleagues can relate to this. Due to my consultancy days, I took a liking towards SQL injection. I actually wrote a book, co-wrote a book on SQL injection. SQL injection was my thing. My first ever training at Black Hat was called The Art of Exploiting SQL Injection, and it actually covered a lot of interesting topics, which have probably been missed over a period of time. I was doing this exploitation and I was helping to show that, look, this application is vulnerable to SQLi. The tools were not as mature back then, so it was all manual and you don't necessarily get the feedback right away. Suddenly, I was just testing a forgot-password functionality. There was a call from the client and they said, look, we think the passwords of all our 10,000 users have been reset to something random or something constant. Do you think it could be the pen testing? Part of me was so happy that my exploit worked, but nobody in the team was interested in knowing that my exploit worked. They were like, how do we calm this customer down?

Gordon Draper (17:20): 
Yeah, well yes, the customer's got to be... you don't really want anything destructive, right? 10,000 users, new password reset. 

Sid Siddharth (17:30): 
So yeah, fun stories. 

Gordon Draper (17:30): 
Definitely one of your memorable ones. Would you ever consult again? But as a virtual CISO rather than a pen tester. 

Sid Siddharth (17:37): 
Even today I'm very hands-on as a CEO. I like to get involved with what's going on, what have we found, what have you not found? Keep a very open eye on what are the new kinds of vulnerabilities, et cetera. And I think that is how the modern CEO's life goes. Yeah, I wouldn't personally consult, but I would keep a very close eye. That's where the startups have an edge over, say, bigger consultancies: attention to detail. Maybe startups are able to provide that more personal touch, be able to handpick resources for each job, understand what each job requires, why it is different from or the same as any other project. So that's where I think if it flows from the top level, then culturally it is a good fit as well for others in the company. 

Gordon Draper (18:18): 
Any kind of cultural change or cultural influence needs to come from the top. We're at Black Hat training, but I'm sure you've been to some other conferences over the last few months, over the last six months for example. What have you seen or heard at conferences that really stands out? 

Sid Siddharth (18:33): 
I think obviously there's new research which stands out to me. I think we went through a period of lull where certainly we were not seeing too many web-based attacks. We were seeing a lot of Active Directory, or involvements in Active Directory, and of attacks with people like James Kettle, et cetera. They have put the focus back on AppSec and suddenly AppSec is again evolving. I think that is good for somebody from a web app pen testing background. That is really good to see. There are always new tools around. I think the evolution of Arsenal, where people are just writing tools to make other practitioners' lives easier, et cetera, has been good. And in general, the industry is growing, which is a good sign for us. 

Gordon Draper (19:10): 
It's definitely growing. We're getting a lot of people coming in, people from diverse backgrounds, and the diversity of thought, diversity of people in the industry are very good signs. You get some positive impact from different people with different backgrounds. It's an intelligent conflict. It's actually better for the organisation because better ideas will be tested. What's one thing in your consulting history that the consultancy did that you didn't expect? I'm not talking necessarily about your own, but as a consultant.

Sid Siddharth (19:41): 
I think we talked a little bit about labelling people and not keeping an open view on it. I think that is a very common mistake which consultancies make: the approach, or necessarily the reaction, of consultancies when somebody leaves a company. Sometimes that can have a bad effect. Burning bridges, whether by consultants or by companies, is an unfortunate situation. But that's part and parcel of it. I think my view on this is that nobody's going to work forever for anybody. Again, it's a case of utilising and maximising that window. 

Gordon Draper (20:09): 
What is a common myth about the consulting industry? 

Sid Siddharth (20:11): 
Everybody thinks that they're better. Everybody thinks that they're superior. I don't think anybody's superior to anybody. At the end of the day, we are all learning off each other, only as good as each other, and that is why we are coexisting. I think now the industry is kind of more accepting of that fact. Earlier we were all living in our own little bubbles thinking, hey, we are better than this. We're better than that. 

Gordon Draper (20:34): 
So yeah, for our listeners, what is one of the most important lessons you've learned over your career? 

Sid Siddharth (20:39): 
I think no shortcuts. Clarity of thought is very important. You are not going to succeed without putting in the hard work. Learn the art, work on it, dwell on an idea for a period of time, perfect it. Make sure that you have enough sample size to make a judgement call on it. 

Gordon Draper (20:54): 
And likewise, I suppose, are there any pieces of advice that you'd give to someone starting out in cybersecurity? 

Sid Siddharth (21:01): 
So as a fellow cyber entrepreneur, anybody who's starting a business in cybersecurity, everybody has thoughts, right? Everybody has ideas. It's important to have a decent degree of validation around that idea before you start. So don't just give up your well-paid job tomorrow and say, I want to do this, I'm very passionate about it. Spend some time, run some test cases. What if this fails? What is plan B? What is plan C? How am I going to get there? Is it going to sell? Who is your typical customer? What would it look like? Validate the plan with some ideas. At the same time, you're only going to live once. So when I was starting NotSoSecure, the guy who runs Pentest Monkey, actually, I went to him and I said, mate, what do you think? Will this work? Will this not work? He gave me a one-liner and that has stuck with me forever. And he said, look, Sid, what's the worst that can happen? It'll not work, but in two years' time or whenever you decide to come back, will you not be able to do pen testing? You'll still be able to run Nessus. You'll still be able to validate findings. So what is it that you lose? Maybe some time, but at least you will have a good validation of your skills. We know what has worked, what has not worked. I said, yeah, cybersecurity skills are not going away, right? No harm in having a crack. So I thought it was a very well calculated risk that I took back then, and my advice to people is: left side of the equation, right side of the equation, balance it out, 

Gordon Draper (22:21):
You have to evaluate: is it worth it? If so, act on it. You'll still be able to have a job in cybersecurity afterwards if it doesn't work out. What underrated tools or frameworks are indispensable for your job? I mean, your job is not necessarily pen testing much right now, although I'm sure you're keeping your fingers across the latest tools and exploits. Are there any tools or frameworks that you are using or recommending? 

Sid Siddharth (22:43): 
I have never been a tools person, but I think from a pen testing perspective, there are some tools of the trade, Burp Suite, et cetera, et cetera, which are indispensable now and they're getting better with time. So to that community and PortSwigger, et cetera, just some cultural things. 

Gordon Draper (22:56): 
What's the last hacker or cybersecurity movie that you've seen or maybe a book? 

Sid Siddharth (23:02): 
This is the second time somebody's asked me. You may even laugh at this, but my favourite book on hacking is TCP/IP Illustrated. I would highly recommend it to people. I think that changed my perception about network security, just understanding how things work before you do anything, just to understand the basics. 

Gordon Draper (23:17): 
Yeah, I was mentoring someone that wanted to get into cybersecurity, and right, he should do a networking course. You've got to start somewhere and that's exactly what you need. So the ins and outs of TCP/IP, that's such a huge topic. So important. If you could live anywhere in the world, where would it be? 

Sid Siddharth (23:36): 
I still live in Cambridge, where I currently live. Very nice. I suppose I can live anywhere I want to live now, but I chose to live in Cambridge because my kids go to school there and it's their life there. So my life revolves around their lives. 

Gordon Draper (23:49): 
What are three cybersecurity books you would recommend? You already said... 

Sid Siddharth (23:53):
TCP/IP Illustrated. Very important. I'll recommend The Web Application Hacker's Handbook. I'll recommend my own, SQL Injection Attacks and Defense. Very good, if you can still buy it. Very nice. 

Gordon Draper (24:03): 
Very nice. I remember reading The Web Application Hacker's Handbook, and in there, I was reading it on paper, and there's a section in there printed out on Rickrolling as a culture. I'm like, wait, I'm reading a hacker's textbook and it's actually talking about Rickrolling. I said, all right, fair enough. This is in a book. It's a textbook. It must be legit. Finally, where can listeners find you online? 

Sid Siddharth (24:26): 
Please do. You can find me on LinkedIn; search for me, or get to me at hello at SecOps Group or sid at SecOps Group. 

Gordon Draper (24:34):
Well, thank you very much for sharing some time to have a chat. Thanks for having me. And hopefully some good things come from the people listening to your advice. 

Sid Siddharth (24:41):
Thank you. So always. 

Gordon Draper (24:42):
As we wrap up this insightful episode of the Cyber Consulting Room podcast, I want to extend our sincere gratitude to Sid Siddharth for generously sharing his wealth of knowledge and experience with us. Sid's journey from a serial InfoSec entrepreneur to an angel investor is not just inspiring, but also illuminating for our audience. His passion for innovation, coupled with a deep understanding of cybersecurity, has undoubtedly left an indelible mark on our discussion. We're truly thankful for the engaging conversation and we hope our listeners have gained valuable insights into the dynamic world of information security. A special thanks to Sid Siddharth and to our listeners. Stay tuned for more captivating conversations in the realm of cyber consulting.