Candid Conversation with Riyaz Walikar

Let me introduce you to Mr. Riyaz Walikar!
He is a security researcher, a vampire killer and an astrophysics enthusiast, as he mentions in his blog. He has been lucky to find vulnerabilities in popular web applications like Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee, Adobe and the list continues.
We (students from SCIT and I) were fortunate to meet him at Nullcon 2015 and we present to you the Gupshup we had with him! 😀

  • Describe yourself in 5 words

Energetic, atheist, philosophical, rebel and humanist

  • What is it that you like about application security?

You cannot ignore the Internet. That said, the most common service on the Internet is HTTP, which puts web applications to the front. You can access myriad services and perform innumerable tasks, from buying shoes on ecommerce sites to controlling physical devices like cameras and power turbines. The attack surface and the possible consequences of unauthorized access are just too hard to ignore. An attacker can steal information related to identity, credit card numbers, flight information, medical records, military secrets, government data, trade secrets, formulae, and gain access to internal machines on networks that otherwise wouldn’t be reachable from the Internet. I like the thrill of finding a way into the network on which a web application is hosted. I mostly find and work with server-side exploits like SQLi, LFI/RFI, XSPA/SSRF, crypto issues, command execution, etc. Application security is ever evolving, and the nature and complexities of attacks are increasing every day given the importance that administrators/developers are assigning to keeping their assets secure.

  • Who was and is your current inspiration in the field of Information Security?

There are quite a few actually. I have always been in awe of the work done by Samy Kamkar and Tavis Ormandy. In the field of Web application security, I would say Robert Hansen, Dafydd Stuttard and Lavakumar Kuppan. There are others as well whose work I follow and who make me realize every day that there is so much more to learn in the field of Computer Security.

  • Why do you attend security conferences?

Mostly to interact and meet the rest of the folks in the community. All year round we communicate over email and phone calls and seldom get a chance to meet each other because of geographical separation. Also, because conferences are a great place to learn and teach as well. Akash and I conduct our Xtreme Web Hacking course at conferences every year. We learn a bunch of new things while creating content for our training. Conferences are also a lot of fun in other ways. They let us break the monotony associated with work and other things.

  • How was your overall experience in c0c0n 2014 and NullCon 2015?

It was amazing. These are the 2 largest conferences in India anyways. The sheer number of computer security professionals I interacted with, the discussions around security issues and brainstorming for ideas was quite an experience in itself.

  • What is your take on students attending/participating in security conferences?

I finished my schooling and engineering in Goa. Back then there were no security conferences or communities as large as they are now. Being a student was crushing because you had so many ideas and not someone from the industry to talk to and ask about what is really happening out there. That has changed now. I think students in this period are lucky to have access to technology, conferences, communities and the folks in the industry who interact at these gatherings providing an unimaginable opportunity to the current student community. What the industry folks deal with in the real world is very very different from what is taught in schools and colleges. You cannot blame one single person for this because of the rapid changing face of security. By the time you add content to curriculum and let it reach the students, a lot of facets of the text would have changed. In which case, interaction through other means becomes a very realistic channel to know what’s actually going on out there.

  • When you are not Pentesting, what do you do?

Oh, a lot of stuff! I travel. I like going to new places, meeting new people and experiencing new cultures. It is a very important and enriching experience for us humans to realize that the amount of time we have on this planet is finite. I’m an astronomy buff as well. I spend time with my telescope mapping the moon and planets. I also do photography, go rappelling and fishing. I try reading as well, but that doesn’t work out so well.

  • If not Web Application Security Engineer / Pentester / Network Security Architect, what would you be?

This is funny, but my idea of what I wanted to do when I grew up changed very often. I wanted to be a professor, doctor, fireman, stunt double in movies, policeman, astronaut, physicist and yoga teacher. In retrospect, I think I would have become an astrophysicist.

  • Rapid Fire:

Your favourite place in Bangalore: That would be Lalbagh. I started learning photography there. Rest of Bangalore is just too crowded.

Your favourite musician: There are many but I like listening to Yanni and Enya.

Your favourite books: Currently, the GoT series. Historically, Harry Potter and LoTR.

A must visit website for tech geeks: stackoverflow I guess. That site has taught me more stuff than a lot of tutorials on the Internet.

Would you like to visit SCIT? Sure. Why not? 😀