WE'RE IN!

Anand Prakash on cloud security startups and next-gen hacking

Episode Summary

Anand Prakash, founder of startup PingSafe, shares his insights on building a successful cybersecurity business and his experience as a top bug bounty hunter. He emphasizes the importance of fast execution, accountability and learning from mistakes when growing the company acquired by SentinelOne, where he’s now a senior director of product management.

Episode Notes

In the latest episode of WE’RE IN!, Anand touches on India's prominence in global tech – particularly in security research and bug bounty programs – and he shares his personal journey into cybersecurity, which began with a curiosity about hacking at a young age in cyber cafes. 

Listen to hear more about: 

Episode Transcription

[00:00:00] Blake: so Anand, thanks so much for joining me on the podcast.

[00:00:03] Anand: Yep. Thank you.

[00:00:04] Blake: Now, you, you led a team building the PingSafe cloud security platform that was recently acquired by SentinelOne. What lessons can you share for other startup founders and CEOs looking to grow their companies and find success in what's become a fairly challenging and crowded cybersecurity market? 

[00:00:21] Anand: Yeah, I think a few of the pointers are like first, the first and foremost thing that matters a lot while you build a company is like fast execution. So if you look at a journey of two years, we ended up building very comprehensive offerings in cloud security, CSPM, CNAPP, Kubernetes security, IaC, secret scanning, something called offensive security engine, all in like two years of time.

[00:00:46] And similarly, uh, on the GTM side, we grew from like zero to a hundred customers within like two years. So what matters is like faster execution. Of course there are other important things like accountability, uh, holding people, folks accountable, uh, even founders. If we miss on something, it's like, okay to commit mistakes, but then learning from them and moving fast is what I feel like is one of the most important traits while you build a company.

[00:01:19] Blake: Looking back when you started versus now, have there been any significant shifts in the market that you've noticed or, you know, would that, or does that guidance kind of hold true no matter what the conditions are?

[00:01:30] Anand: Yeah, so I still feel like, so when we started there were cloud security companies who were doing CSPM, KSPM, all this standalone. So we thought of adding context by building a platform and also powering this using my bug bounty intelligence which I gained over the period of past, uh, 10, 12 years, and we ended up building something called offensive security engine.

[00:01:55] So using that, we were able to like find exploitable issues in companies' cloud environments, helping companies prioritize at a faster speed so that they really focus on things which really matter rather than like noise coming out from traditional CNAPP companies out there. So I still feel like that's still a gap because we are the only cloud security player who does that as of today. And I feel like more and more, other players would start building it.

[00:02:21] Blake: And CNAPP referring to cloud native app protection platform. The kind of the approach that, that PingSafe has taken. And, you know, say you're a security leader who's searching for that type of platform. What are some of the important questions to be asking?

[00:02:36] Anand: Some of the important areas when they are considering buying CNAPP is like, first of all, like there is so much noise. There are so many point solutions in cloud security. Yeah. Absolutely. Right. So the first and foremost thing that matters is if they are buying, buying something, is that really a platform or, uh, is it a product which is built by maybe combining six, seven different products, which are really not a single platform on the backend? That's important because if, if you don't have that, then, um, companies end up missing like context, and if they miss context, they end up missing like so many critical findings. So this is like the unified platform thing, right? Second is the proof of exploitability piece. Does the platform provide proof of exploitability for findings that appear in the platform?

[00:03:28] Does it have a mechanism to filter out noise by actually sending exploits like an attacker, like harmless exploits, and then sharing these are the top findings that the customer needs to fix, like, right away?

[00:03:41] Blake: Right, right. That makes sense. No, the differentiation there is really important. And, you know, before founding PingSafe, mentioned that you did kind of, rise through the ranks of some bug bounty programs. As I understand it, you were in the top five or, you know, top three in many cases for Facebook's global bug bounty program for several years. Can you give listeners a sense of what that entails and the kind of work that you need to go into to, to, to reach that kind of rank globally on a huge program like this?

[00:04:10] Anand: I think, like, dedication, I started doing bug bounties in 2013, I saw a tweet from a researcher that he found a security bug on Facebook and I started doing bounties because of that, but it mattered over the period of time. So since like Facebook was written in PHP at that point in time, and I used to write code in PHP, right?

[00:04:32] So I got familiar with Facebook's platform by using Facebook in my college and, I used to monitor Facebook for what all new features they are releasing. Are there any hidden features in the app which no one else has access to? So if I, if I see that, that they have released something new, I would always jump in and see like, can I access it?

[00:04:51] If I am not able to access it, how do I get access to that feature? And the moment I get, I would always find a critical issue, because most of the time, the beta features, they are not often released to everyone, right? Because they are meant to be in beta. So security researchers, they end up finding like so many critical findings in them. And that's what I used to do. But in the end, what it matters is like when I was doing bug bounties initially, it was very hard for me to find like security bugs in these beta companies, really hard. Like you can't be like number two or number three very easily on these bounty platforms where like, thousands of hackers are hacking continuously because they pay a good amount as well as there is a large exposure. So what mattered is consistency, like keep on looking for findings, even if you don't find, uh, you try to become more aware about the platform by going through the APIs again and again.

[00:05:46] And, uh, at the end, like, there will be a day where you will be more familiar with the platform than any other hackers and you will be able to find more findings because the moment you see any API or some infra change, you will be the first one to notice because you are treating it like you were like actually employed by Facebook, right? So, yeah, that's what it matters.

[00:06:08] Blake: Hacking for the, some of these major corporations, Facebook, Uber, Twitter, what were some of the coolest or most interesting or impactful bugs that you found over your career?

[00:06:20] Anand: Yeah. So, uh, one of them, uh, there are a couple of ones. So the first one is, I'm not sure if you use Tinder, but I could have, I could have hacked your Tinder account.

[00:06:30] Blake: Uh,

[00:06:30] Anand: So your messages, chats, and swipe from your account, all the time.

[00:06:35] Blake: I do not use, I do not use Tinder. I have helped friends who've used Tinder though, so I know how bad that would be if you are just forced to constantly

[00:06:43] Anand: Yeah.

[00:06:43] Blake: the wrong way.

[00:06:45] Anand: Yeah. Then the other one was like, I could have, uh, tweeted from any Twitter account. I could have posted from Mark Zuckerberg's profile to any profile with any message out there. So, compromise any Facebook account out there, deleted your, could have deleted your LinkedIn posts. Any post that you have done.

[00:07:06] Blake: Please, please do. My LinkedIn posts are terrible. No, just kidding. That's not good. That's very alarming. And in fact, the Twitter point, you know, we've seen bad actors leverage that to move markets. I remember, what was it, in 2016, 2015 era, there was the Syrian Electronic Army, explosion at the White House, and President is injured, and the stock market plummeted.

[00:07:26] That's a huge bug. You don't want to be tweeting from presidential accounts or AP accounts or anything official like that. Yikes.

[00:07:35] Fixed now, I

[00:07:35] Anand: I could, yeah, they are fixed now. They are fixed now.

[00:07:39] Blake: Oh, that's good. And what you were going to say, maybe you could also, uh,

[00:07:43] Anand: Yeah, maybe I could also order like food or maybe help you ride for free on Uber. 

[00:07:48] Blake: Okay. Well, those, those are some pretty blockbuster bugs. And it takes a lot of dedication and focus, obviously. It's interesting. You mentioned joining that field and kind of exploring security vulnerabilities, finding those on a bug bounty basis back in 2013.

[00:08:04] Now, how has the culture shifted? Cause for instance, right now, I feel like. It's a pretty accepted, point that, you know, a good security testing program is, is a very responsible thing to do. You can have ethical hackers scanning for possible vulnerabilities to fix and, and that's like, that's fine. And that's good. And large organizations kind of trust that model. But in 2013, I feel like it was a little bit, why are you on my network? So did you ever have to navigate that in your, in your bug bounty days of maybe people pushing back on findings or not appreciating the work you were doing?

[00:08:36] Anand: Yeah. So there were a lot of times where I found something on the company and I tried disclosing ethically to the company because they were not having a responsible disclosure program or a bug bounty program. And then I was like, I got an email from the CISO or from the legal team, like, why were you trying to find that, but this was like way early on, 2012, 2013, 14, right? Now there is a cultural shift when you see like so many hacks happening. Everyone is scared about data breaches right now, right? So they are much more open. That's what I feel like. Platforms like, uh, Synack, HackerOne, Bugcrowd, they have completely like revolutionized, changed the way like CISOs used to think about this. So for example, like, uh, the way you run bounty programs, I, um, uh, the way Synack runs bounty programs is like very, very private, in a private way. So if I was a CISO, I would be more comfortable doing that kind of a program to start with. So it was not there in like very initial years. So I feel like there are more things which companies could do right now, and there are ways there, there are fewer legal challenges and CISOs understand like the severity of this. So they have like kind of prioritized the way they want to think about this.

[00:09:53] Blake: Yeah, I couldn't agree more, and it's exciting to see, but yeah, there's definitely still more to be done. And to that end, on the US side here, the Cybersecurity and Infrastructure Security Agency has been trying to kind of beat the drum of better security practices, and is leading this big secure by design push. Which actually, one signatory I noticed is Synack, including a pledge for software manufacturers to, quote, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer's products, end quote.

[00:10:30] And so in other words, they're trying to get organizations to reduce entire categories of vulnerabilities. What do you make of that goal? Is that achievable?

[00:10:39] Anand: I feel like so, yeah.

[00:10:42] Blake: How can you hope to do that? I feel like that's such a daunting task of being like, never see this whole category of vulnerability again.

[00:10:49] Anand: Like it's really a complex problem. Example of like insecure direct object reference, right. They are very difficult to mitigate at a large scale because mostly these are like business logic flaws, logical flaws, which lead up to like very large amount of data.

[00:11:08] Similarly, if you look at like software supply chain, right? Uh, if you run any tool out there, you would find like thousands of issues right away. Majority of these tools are missing context. If something is getting used in production, deployed in production, is that library in use somewhere?

[00:11:26] Sometimes what happens is like, this is the most common issue, which like attackers exploit, they claim the library on the web, wherever it's all hosted, some of the platforms allow it. And then the library automatically has like attackers code injected. So wherever the company is using, like you can do everything, right? So I think it's a complex problem, but of course we'll have to start somewhere. For example, if you look at cross site scripting today, SQL injection today, you would find like they are near to mitigated state, right? You won't find them like very often. For example, Facebook had written a library which mitigates cross site scripting and SQL injection by default. HPHP, I think it was called HPHP, yeah.

[00:12:16] Blake: It's funny you mentioned SQL injection because CISA also called out SQL injection in a recent alert. And basically the alert was like, we've been talking about this since the 2000s as like, I think they referenced, I think it was MITRE that categorized it as like a quote, unforgivable vulnerability, which maybe is a little harsh, right? People are going to make mistakes. It's going to some, sometimes weave its way in there, but we've noticed this on the Synack side too, of like a huge chunk of folks are still suffering from SQL injection vulnerabilities. Why is it so difficult to stamp out these certain types of flaws, when we know, like you pointed out, we know ways to mitigate them very effectively.

[00:12:54] Anand: The main problem is like, um, these still exist in older frameworks. The bigger enterprises, they are still running on legacy systems, legacy code languages, and that's where the issue is most prevalent. So that's the problem, and it's not like hard to mitigate if they enable like maybe proper code scanners, someone looking at it, some kind of training for developers, giving feedback to developers on the IDE itself. I think that could be like very easily mitigated, but I think it has to do with legacy because I don't see that very common in the newer technologies which are out there.

[00:13:32] So

[00:13:33] Blake: That makes sense. Yeah. And a lot of organizations from a cost perspective or what have you, it just doesn't make sense yet to update those. I know I used to cover the critical infrastructure security space and sometimes there's like something that's been on for 20 years and it's like, don't turn that off.

[00:13:46] We need that. And it's just like, you know, nobody's going to update those environments very frequently because it's costly. The downtime just isn't worth it. let's talk about cloud security vulnerabilities for a bit now. Cloud misconfigurations can certainly be a big issue for many organizations, but for those unfamiliar, or we'll say less familiar with cloud environments, can you walk through, you know, what, what a misconfiguration can look like in practice?

[00:14:11] Why, why that is so common?

[00:14:13] Anand: The most common one is open S3 bucket. So companies, they end up storing data on storages like S3 bucket. And I've seen this where companies like they go to cloud provider, do next, next, next, and make bucket public. Though it's, now that option is disabled by default, some of the cloud providers show warning when you try to do that.

[00:14:37] This was one of the recent changes, but this is the most common one where the storage bucket is public. And, uh, they don't want to fix it. Companies are more like, no one is going to guess the bucket name, right? But you know, it's very easy to figure out the name. It might get leaked in some application, which is public. Similarly, there are things like open ports. We still see issues like Elasticsearch open to public without any authentication, MongoDB open to public. Database, full database, open to public without any authentication. So these are some of the issues which are like very prevalent, but what I've seen is like, these are most common with companies who are just

[00:15:19] adopting the cloud journey right now, but companies who are on a very mature curve right now, they would have like other sophisticated kind of issues like subdomain takeovers, like all the time, right? SSRF issues coming in, exploitable CVEs coming in.

[00:15:37] Blake: You mentioned the cloud journey, right? And, and I feel like there's this notion of digital transformation that's been around for a while. Uh, where are we at with that? Are, are most mature organizations already? In the cloud, essentially, I feel like we, we, we often hear about cloud transformation, but who's, who's left to go to the cloud.

[00:15:55] Anand: No, so I think it's still a work in progress. There are companies who were born in cloud who are by default, 100 percent on cloud, right, the newer companies, but then there are legacy companies, the bigger organizations where they are still running in hybrid mode. They are using both on-prem plus cloud for something, then they are slowly moving from on-prem to cloud because the way their applications were architected long back, they will have to like re-architect when they move to cloud. So it's definitely going to take some time. And that's when like most of the migration happens. So someday, some developer would think that no one is going to see if I make this public. But there are hackers who are continuously looking for it and they figure, figure it out during migration. Even if it's for like a short period of time.

[00:16:44] Blake: That makes sense that, yeah, that would be a particularly sensitive stage in the process. It's almost like going through an acquisition. There are a lot of other circumstances. Even adopting, uh, I guess more organizations are turning to multi cloud environments, right? So you have your cloud, you know, backups available, but tailoring that, that sounds, I'm glad I don't have to do that.

[00:17:04] Let's put it that way. Nobody's going to be breathing down my neck for, for that sort of work. Now, stepping back for a second. We've seen India become a really major player in global tech. And I know you're, you're based in Singapore. But particularly on the security research side, we've seen a ton of activity, expertise, and interest in bug bounty and pen testing as a service programs.

[00:17:26] Why do you think that is, and what do you see coming around the bend for India's tech ecosystem as somebody who comes from Indian heritage there?

[00:17:35] Anand: So, um, you must be aware that India has, um, second largest or largest, I don't know, number of ethical hackers. As far as I think Facebook's bounty report or something. Right. 

[00:17:46] Blake: I think it might be largest. Yeah, yeah, I think it's, yeah.

[00:17:49] Anand: Yeah, because the thing is bug bounties are a lucrative thing from an earning perspective, if you compare to some, like, the entry level jobs at majority of the places in India, right? So basically for the services company and the other thing is like, we have so many universities where people are for computer science degree and they are so much interested in computers by default and, um, the first thing that comes to mind, even this happened with me, is like hacking.

[00:18:24] Like, I need to learn hacking and then it's done. It turns to ethical hacking and then to bug bounty, right? So I feel like it's a good source of income as well as it gives you a good experience overall, right? So that's why, like, I feel like so many people are interested in doing this.

[00:18:43] Blake: Now, you mentioned a little bit how you got into Bug Bounty around that 2013, you know, that time frame. How did you get into cybersecurity in the first place? Tell me a little more about your background.

[00:18:53] Anand: Yeah. So, uh, that's a weird story. I was, uh, 16, 17 years old. I wasn't, I was studying somewhere. I went to some place in North of India for preparing for, to get into universities. I went to a cyber cafe, uh, over there. So, uh, of course you went out, I was not having a computer at home. So there are cyber cafes where like there are multiple systems and you go either play like Counter-Strike on them or maybe surf the internet.

[00:19:26] So I was doing both, right? So there was this, um, something called Orkut at that point in time, the social media site by Google. Orkut, which Google acquired. So I got to know about the word hacking over there. Like someone wanted to hack an Orkut account and I was like, how do I, how do I hack an Orkut account?

[00:19:48] And I Googled a few steps. Um, I Googled like how to hack Orkut account and 10 steps came in. Like copy this page, post this over a third party website and send it to your friend. And I posted it as a scrap and my friends, they entered the username and password and this excited me. Then I got into, yeah.

[00:20:09] Blake: The how to hack, it's funny because that how to hack phrase, it's like one of the most googled, how to hack X is like, you see all sorts of Google results for that, which obviously can have nefarious intentions, but it can also have completely, you know, responsible and ethical intentions of like wanting to learn how all this works, which is kind of interesting.

[00:20:27] I remember, you know, some seeing some cyber cafes here and there and, uh, yeah, maybe, maybe not Counter Strike, but a lot of, a lot of other games available too. If you could wave a magic wand and take away one cloud security weakness or vulnerability forever. Which one do you think it would be?

[00:20:45] Anand: You are asking that which ones I would like to mitigate right away.

[00:20:49] Blake: Yes. And just never have to think about again, like for organizations, they just, it would just be gone. 

[00:20:54] Anand: That's a tricky one because there are so, so many. So maybe I, uh, I think the most damaging ones are the ones which are related to security groups and open storage instances, which cause a lot of damage to companies' reputation as well as end up, companies end up in being like bigger data breaches.

[00:21:16] So I think these are the two ones, securing storage and securing instances. So

[00:21:24] Blake: That makes sense. Yeah. Those, those can be pretty impactful when they do occur. Now you knew that we'd have to talk about artificial intelligence at some point, in a podcast in 2024 here. How do you see AI shaking up the security landscape for the cloud?

[00:21:40] Anand: I have seen a couple of good companies coming out in AI who are trying to solve for AppSec, Red Teaming. For example, there was an AppSec company which is trying to analyze behavior across the entire life cycle and trying to surface issues very early in the pipeline, right?

[00:21:58] But I think it's still early. There has to be innovation, which has to happen on this front for now. Right now, the state, if you talk about AI, right? The AI, you know, platforms which are built right now, they themselves have like traditional vulnerabilities, right?

[00:22:16] Anand: So I feel like there is a scope for improvement. If you look at like the number of API keys being leaked by these AI platforms all across GitHub, GitLab, Bitbucket every day. The number is like large, huge. So there are issues like that which are still prevalent.

[00:22:35] Blake: Yeah, I feel like there's been a lot of buzz around AI's specific security vulnerabilities or like vulnerabilities, ways to, to steal model training data and like inject, you know, poison the well for the actual large language models. But on the flip side, like you mentioned, at the end of the day, AI, they're still apps essentially, and you're still going to have it just like, buzz recently was all about API vulnerabilities, before that web3 vulnerabilities, now it's AI apps.

[00:22:59] They're still going to fall prey to some of the same types of vulnerabilities that you see in other environments. It's just, yeah, folks, folks have got to be on guard with those for sure. 

[00:23:07] Anand: This is about API and AppSec where a lot of innovation has to happen on the AI front. But if you talk about endpoint, we were the first one, SentinelOne was the first company who did AI, like started doing AI for endpoint like 10 years back when no one, AI was like a next generation thing at that point in time.

[00:23:26] And that's been really helping us surface more issues, better outcomes for our customers, because of the AI capabilities that we have, uh, on the platform. Yeah. For example, a recent offering around like Purple AI, it's really game changing for SOC analysts, for security teams out there. I feel like there, so endpoint, endpoint, analyzing endpoint data using AI, that was like very well tackled by us, but I feel like API security, AppSec, there are companies yet to come on that front, right?

[00:24:07] Blake: You mentioned AI helping the SOC analysts and helping the defender essentially, do their work a lot better, but on balance attackers are going to be using AI technology as well. Who do you think is going to benefit more in the near term? We'll say like in the next year or two, attackers or defenders from AI.

[00:24:24] Anand: I feel like whoever is first to figure out the attack patterns, right? So I think they are going to win. 

[00:24:32] Blake: The, the attackers are going to benefit more.

[00:24:33] Anand: No, no, I, I, I'm

[00:24:35] Blake: Oh, whoever's first,

[00:24:36] Anand: are able to, whoever is first, if, if, if we know like how the attacker is going to attack first, we would of course win.

[00:24:45] Blake: Right, right. It's a classic

[00:24:46] Anand: is a game. It's a classic race. Yeah.

[00:24:49] Blake: Yep. Cat and mouse. That's how it always goes. Yep. No, it's, it's a really fascinating space and really appreciate you sharing some of your, your insights across a wide range of topics, including some that I'm sure the listeners of our podcast who, uh, hail from the, uh, Red Team, which has a sizable contingent, by the way, of Indian contributors.

[00:25:08] So we'll appreciate your insights there. Now, finally, this is something that we ask of everyone who joins on the podcast. And that's what's something that we wouldn't know about you just by looking at your LinkedIn profile.

[00:25:21] Anand: Hmm. My wife is a hacker too. So maybe, yeah,

[00:25:28] Blake: You go. Did you meet hacking? Sorry. I'm not, now I'm like curious. Did you meet hacking? Or was it, was it, uh, did you both happen to, happen to hack?

[00:25:36] Anand: I was trying to find a bug on Facebook and that's how I met her. So in, in my college.

[00:25:43] Blake: Oh, that,

[00:25:44] Anand: In my college days. So,

[00:25:45] Blake: That's great. That's a great story. And, uh, yeah, that's, that's really funny. That you wouldn't find on Facebook. So that does constitute a, a, a, a fun fact. Well, thanks so much for joining Anand. Really appreciate, appreciate your time here. And good luck out there defending the cloud.

[00:26:00] Anand: Thank you. Thank you. And thank you so much for having me here.