My experience as an intern learning about DevSecOps

Culture
May 4, 2020
9 min read
Ayush Priya

I got a chance to intern at Appsecco for my 8th Semester project on DevSecOps.

Introduction

For as long as I can remember, I’ve always been interested in computers. Soon enough I got fascinated by security in computers. This interest, however, remained on the backburner while I was in school. Cut to when I got into college, I learned more about how things worked in security. It wasn’t long before I decided that when I graduated from college, I should have a job in the security industry.

I’ve fortunately had the opportunity to intern as both a Security Engineer and a DevSecOps Engineer, at different times, both times with Appsecco. Hence, needless to say, Appsecco has had a big role in helping me achieve my ambitions.

Switching sides to the Blue Team!

Soon after the summer internship at Appsecco ended, back in college, I found myself looking into all the cool things I had learned, and slowly I got more engrossed in how one secures things against the attacks I had just seen in the summer. Since this was my 7th semester, I was looking for 6-month internships, and this search soon got me back in touch with Akash. I sent him a mail asking if I could join Appsecco as an intern again, but this time in his team, and we got on a call in the following days to discuss certain questions about the internship, such as what I expected out of this internship and whether I had anything specific in mind that I wanted to work on.

Having had other interviews, I find the way people at Appsecco deal with interviews vastly different, in the sense that it is always more of a discussion, not a barrage of do-you-know-X type questions.

Shortly after we had a few calls, I received the confirmation of the internship.

The Internship: Preparation

When I had approached Akash about interning under him and learning about DevSecOps, I had mentioned that I’m a beginner. This, however, was not an issue; Akash was fine with me taking a quick course when I started the internship to get started with the basic concepts around the domain that I would need for working on my project.

Eventually, while there was still some time left before my internship began, I wanted to make use of the spare time I had and get a headstart on the basics. So, I asked Akash if he could help me with resources/tasks to get started, and then Sunesh and Akash, after a discussion, gave me a few tasks revolving around Jenkins, performing Static Application Security Testing (or SAST for short) and creating a report for the same. I had multiple calls with Sunesh to talk about my progress and resolve the issues I faced, and these tasks saved me some time that I would have otherwise spent in the office learning the basics. I was instead able to do more learning about the actual work.

The Second First-Day in the Office

Though I had already interned at Appsecco once, walking into the office on the first day was still like having the first day all over again, but the moment I walked in I was greeted with familiar faces and the butterflies were replaced with the comfort of knowing (almost) everyone. I took a desk on the Blue-team side of the office this time. Soon we had a quick meeting with everyone for introductions, and the rest of the day was spent setting up stuff for the project, a review of what I had done till then, a few formalities, and some catching up with everyone.

Everyone at Appsecco ends up contributing to each other in some way. Being a small team, I find it really nice that I get to know everyone properly and not superficially. Another good thing that comes out of this is picking up things from others in the team, as I earlier mentioned, in the form of meta-learning, be it writing To-Do notes, learning keyboard shortcuts in VSCode, or something else. This has led me to become more productive and, if nothing else, more aware of how well I am performing relative to my capabilities.

One great thing I experienced is that everyone is so welcoming. The team lunches every Friday are where everyone discusses everything apart from work, like TV shows they plan on watching, movie recommendations, book reviews, and a lot more. This group can initially be really intimidating (unintentionally) because of the experience and knowledge they pack as a team, but I’ve come to see them being very receptive to my opinions and views too. They are all ears to understand where my thoughts come from. If they are right, well and good, but if they are wrong, they help me understand why, which is a critical step towards learning new things.

Yet another Friday Team Lunch!

The Project

The project that I worked on as part of the internship was to learn how CI/CD pipelines were built and how security was integrated into them to create application security pipelines. This project was devised by Akash and Sunesh, as in an earlier discussion I had told Akash that I didn’t have a specific project in mind. They also took into account the fact that I was a complete beginner who still wanted to learn more about DevSecOps while thinking of this project. Since I was not well-versed in all the aspects that went into solving each of the tasks in the project, I couldn’t really see the big picture behind it, but as I moved closer towards completion, I saw it all come together: I could see how the various forms of testing worked together, the significance of each form of testing, and along with that how to utilize the various offerings available on the cloud.

I was thoroughly walked through the various stages of creating a pipeline to test and deploy an application, both locally and on the cloud. I was made to set things up locally to learn the crude hands-on approach to doing things, and then replicate the task on the cloud to see how the cloud made things easier in various instances.

I learned how to use various forms of deployment on the cloud, as opposed to just using a virtual machine for everything, which is how I had set up the pipeline locally. The knowledge of using a service that the cloud provided came in the form of advice and an explanation of why a certain service would be more useful than some other approach I was working towards.

I was asked to document the steps I had been taking to solve the tasks that I was given. Initially, fresh out of college, the report I was writing felt okay until it was reviewed. After the first review, I had to restructure how I was documenting the steps. Akash explicitly mentioned that the report should reflect my individuality and my opinions and decisions. This led me to write every single thing with Sunesh’s oversight of whether or not I was writing it properly. After each chapter I wrote, I’d pass the updated report on to Sunesh, he’d verify it and suggest amendments, and after he had taken another look, I’d send it to Akash for further comments. Writing down every single action I took, noting each decision I made, adding screenshots, sample outputs, etc. might seem tedious to think of; I probably would have felt the same if I read this out of the blue, but when I was made to do it, I could see that writing the steps in the documentation helped me clear things up in many ways. For example, when Sunesh asked me why I chose to do a certain thing with a particular approach and I didn’t have a definitive answer, it helped identify that I was lacking some form of understanding around that concept/task. I doubt I have ever written such a concise report for my college projects, but for this report, I felt amazing after seeing what it turned out to be. If you want, you can have a look at the report here.

My Desk while I worked on Documentation

The report also helped me identify various assumptions I had made without realizing it. To help me identify the same, I was asked to apply the same pipeline to another application. This shed light on these assumptions and I was able to understand certain constraints that come implicitly with different kinds of applications. Since we are talking about assumptions, there’s a quote that we have framed and kept in the office for everyone to see:

One thing I was made to realize was that just building pipelines was not DevSecOps; it was a part of it. Akash and Sunesh made sure that I knew there are various other aspects that encompass the whole concept of DevSecOps, which I certainly feel was an important thing indeed.

Contributing to a CTF

Along with the internship project, I also got the opportunity to contribute to a CTF for the first time. Riddhi was working with WINJA CTF, a women-only CTF, and asked me if I’d be willing to create some challenges. At this point, I had never created any challenge, and because of that a part of me wanted to say no, but I remembered the line:

“If somebody offers you an amazing opportunity but you are not sure you can do it, say yes — then learn how to do it later!”

- Richard Branson

Needless to say, I said yes and then created a couple of challenges. I learned not just about the challenges but also about how to manage a CTF. The CTF was part of Nullcon 2020, and as a contributor I received a corporate pass to the conference, and my stay during the conference was also looked after!

Me and Riddhi during WINJA CTF at Nullcon 2020

Nullcon 2020

From early February, Akash had been asking me what my plans for Nullcon were. At that time I had not received the pass, and hence Akash helped me find alternative ways to get a pass to ensure I was able to attend the conference. Then March came and the whole team flew off to Goa!

This was my first time attending a security conference and it was an amazing experience. I met some interesting people, learned about a lot of cool things happening, learned a little bit of hardware hacking, conducted a CTF along with the team and the best part was attending the event “Hacker Horror Stories” where seasoned people from the industry shared when they messed up.

There were parties and after-parties. I saw things I never thought I would. The most memorable would be seeing Akash dance. But the coolest bit was when a few people approached me and asked if I was working at Appsecco because I was wearing an Appsecco T-shirt. Contrary to my expectation that when I told them I was just an intern they’d shrug it off, they were at times even more impressed. I distinctly remember one of them saying, “Great place to start!” and I obviously loved it!

The Appsecco Team at Nullcon 2020

The End (?)

After returning from Nullcon, the project I was working on was almost complete and I was incorporating the final changes. Amidst all this, the outbreak of the Novel Coronavirus happened. But Appsecco was very proactive and took measures well ahead of the nationwide lockdown. Akash had a talk with everyone on the team, foreseeing a lockdown, and suggested that everyone travel back to their homes and be with family. This was a very impactful moment, where the team members were put before everything else and the concern was their health. Soon after, I had flown home and my internship was completed, albeit a bit abruptly, at the end of March.

Though my internship ended in March, my journey with Appsecco continues. I was soon asked to join the team as a full-time employee, to which I said yes right away, and as of April 2020, I have joined Appsecco as a DevSecOps Engineer and am continuing to learn new things almost on a daily basis.
