Editor’s Note: Bugcrowd community researcher Duarte Silva shares the story behind how he started working in information security. Duarte is one of Bugcrowd’s top researchers; you can follow him on Twitter at @serializingme.
It was quite a natural and simple evolution, I guess. I have always been fond of understanding how things worked, breaking them down and getting them together, and hopefully back in working condition. Most of the time they wouldn’t end in such a condition, so I started moving away from hardware (electronics) to software. This move happened at high school, when I decided to follow an IT-specific course for the three years that preceded college. I was also an avid online gamer, and when in college I decided to apply my basic reverse engineering skills (previously used against basic executable packers and the like) to the online FPS game Unreal Tournament. Granted that at the time, the Unreal Engine was already somewhat documented (community effort), but on the other hand the anti-cheat systems were not. This was my first one hundred percent dedicated effort into the realm of IT security. Experience was gained in Windows internals and development, x86 assembly and the tools of the trade.
Later on, I started branching into other areas of IT security. After finishing my degree, I was focusing on Web-based application security when I took up duties as a software developer at a small consulting company. The company was small and diverse in activities; I was doing software development, middleware installation and support, and after my employers noticed my interest and skill in discovering security vulnerabilities in Web applications, I performed my first professional security assessment. It was a blast, much like opening presents at Christmas time, with the next being better than the last. After that, I got to do more security assessments and had the possibility to grow professionally in an area to which I had always only been able to dedicate my free time.
Since then, I have focused more and more on that area. Today I’m working as a Security Officer, focusing on IDS and SIEM installation, development and maintenance, malware analysis and reverse engineering, networking, forensics and incident response. I’m currently in the process of changing jobs, continuing my career evolution in the IT security area.
The first time I participated in a bug bounty (The Gauntlet) was back in September 2013, when I was already working as a Security Officer. I had heard about Bugcrowd on the Risky Business podcast, but after my first submissions I didn’t take that much interest in continuing with bug bounties (I participated in other bounties, Tagged and Bugcrowd, but very lightly). My next submission only happened in January 2015, in the Aruba Networks bug bounty. I ended up being responsible for increasing the total count of rewarded bugs by twenty-two after fifty-three bugs had already been reported. With that increase, I also increased my place on the leaderboard, up to 37th. Not only did I have a blast applying my reverse engineering, code analysis, development, and security assessment skills, but I also received rewards that made the forty hours and forty-seven minutes of my free time spent worth every second. Currently, I’m actively participating in Bugcrowd-organized bug bounties and always looking forward to the next challenge 🙂.
Even though this is being posted on Bugcrowd’s blog, I should take this opportunity to give a “no strings attached” thumbs up to the Bugcrowd team; they have been doing an excellent job over the last few years by helping in the creation of a new business model in the security industry: the bug bounties!
About the Author, by Duarte Silva: Curious, imaginative, a hard worker and with the willingness to spend time to learn, to diversify knowledge, investing in myself so that there are higher chances that later in life, the reward to reap will be higher. These are the traits that come to my mind, and I can safely say that I mostly blame LEGO and my childhood “way too power hog” RC car for it. In all seriousness though, not without faults and failings, but these traits are the ones that I have been using through my whole life, and that are proving to be the most useful when creating, fixing or breaking stuff. The capabilities that are a requirement when you have a job with IT security in the description, whether its focus is on an operational level or on a research level.