How one mistake can launch a career

by Black Hat Middle East and Africa

We asked Rohit Kumar (Product Security Engineer at Groww) about how he built a career in cybersecurity – and he told us about the mistake that led him to ethical hacking. 

“In April 2016, I was 14 and freelancing to earn some money. I found a website called HackerOne and thought it was a job site, like for companies. I made my own social media website in 10th grade and thought the ‘researcher’ signup was for super smart people.” 

So, Kumar did, in his own words, the ‘wrong thing’. He started a bug bounty program on HackerOne to test his website’s security; “...but I didn’t understand what it meant,” he said. “I invited lots of talented people, some even famous now, to find weaknesses.” 

“They found them fast – over 30 in five minutes! But I couldn't pay them because I was just a kid. This made them upset, and some even talked about it online. I'm really sorry for that.”

“However, this mistake changed everything. Seeing my website broken so easily made me realise how important online security is. I learned about this cool world of ethical hacking and all the amazing people in it. Even though it wasn't planned, that day started my journey into cybersecurity.” 

From those shaky beginnings, Kumar has established himself as a leading ethical hacker and security engineer. Read on to discover why open-source projects are so important to him, and what it feels like to discover a major vulnerability. 

What was the first thing you ever hacked?

“Back in my high school days, I was already delving into the world of development, which gave me a good grasp of how websites and software are supposed to function. 

“The memorable incident took place while applying for my Bachelor's course through a University Portal. In a moment of oversight, I accidentally uploaded an MP3 file instead of my 10th Marksheet. To my surprise, the website didn't immediately reject it – but instead responded with an error after a brief delay.

“Curious about this delay and the backend process, I pondered why the system wasn't utilising quick client-side validations. This led me to experiment unintentionally; I sent a script, not realising I was creating a kind of backdoor. To my astonishment, this opened up access to more than 40 university branches worldwide, including their main server with the complete source code and database credentials. It was an eye-opening journey.”

How important are open-source projects to shape the future of tech and cybersecurity?

“I am a strong advocate for open-source projects, and my commitment to this philosophy is evident in my own startup endeavours. The principle I adhere to is simple: for every paid solution I develop for enterprises, there should always be a corresponding open-source alternative from my end. 

“My journey and current standing owe a lot to the open-source tools and the vibrant community around them. I have learned extensively and forged connections with numerous open-source developers, gaining a clear understanding of their challenges and the hard work they invest.

“At present, I actively maintain four open-source projects, spanning areas of security and developer tools. The collaborative and transparent nature of open-source initiatives plays a pivotal role in shaping the future of technology and cybersecurity. It not only fosters innovation but also ensures accessibility and inclusivity in the development process, empowering a diverse range of contributors to collectively advance the field.”

What does it feel like when you successfully identify a significant vulnerability? Does that feeling motivate you to keep going, keep learning, and do more?

“When I find a big problem in a system, it feels really cool. I think about the mistakes people make, like developers or just regular folks, and how interesting it is to take advantage of those mistakes. I spend a lot of time building tools for security and trying to hack things. The reason I do this is because I want to understand both sides – how to attack and how to defend.

“I know more than 10 programming languages now, and it's all because of this curiosity. I don't stick to just one type of technology. I've always been excited about learning new things, and that excitement has given me a lot of knowledge and experience in the world of hacking.”

What do you gain from presenting your work at cybersecurity conferences around the world?

“When I present at cybersecurity conferences worldwide, my main goal is to build connections and friendships with fellow hackers and community members. It's a fantastic opportunity to learn a ton and discover cool possibilities. I always strive to have something interesting to showcase at these conferences, and it has helped me establish valuable connections.

“These connections are like a treasure trove for the future. We share our current projects, discuss what we're exploring, and brainstorm on how to make things better. The experience of connecting with like-minded individuals from different conferences is truly awesome. It not only broadens my perspective but also opens up doors to exciting opportunities down the road.” 

Finally, what's one thing you wish everyone knew about cybersecurity?

“One crucial thing I wish everyone knew about cybersecurity is that it's not just about following a traditional, mundane path to get a job or certification. I've noticed many students entering cybersecurity with the sole aim of landing a basic job or certification, rather than a genuine passion for understanding the field. Real cybersecurity demands broad knowledge across various domains and tech stacks, and this can only be achieved through intense curiosity.

“If you question everything and approach cybersecurity with a genuine interest, that's when you truly excel. If you're getting into it just because it's trendy or offers high-paying jobs, it might not be the right fit. 

“I often get asked about mastering ‘Source-Code auditing.’ My advice is not to focus solely on that; instead, work with different tech stacks, build small projects, create your own scripts instead of relying solely on tools like Burp Suite, and engage in heavy automations. Your skills in source-code auditing will naturally improve through hands-on experiences.

“The key is to change the approach to learning, be more creative, and cultivate a deep curiosity. This curiosity becomes the driving force that fuels your journey in cybersecurity.”

Thanks to Rohit Kumar at Groww. Register now to attend Black Hat MEA 2024. 
