Shubham Shah is co-founder and CTO of Assetnote, a cybersecurity tool used by companies like Atlassian, Qantas, and Australia Post.
Shubham’s career in cybersecurity had very humble beginnings: he first learned to hack computer games as a kid so he could beat his brother.
Shubham chats with Cole Cornford about video game exploits and what they can teach us about appsec, bug bounty hunting, the challenges of founding a company, and plenty more.
2:30 – Benefits of shared workspace.
5:30 – Shubham’s background.
9:00 – Bug bounty hunting.
10:45 – Developing a good work ethic from crappy jobs.
15:00 – Video game hacking.
21:00 – Tying video game hacking to cybersecurity.
22:40 – Shubham: got in trouble for hacking in high school.
24:20 – Shubham: had to convince his parents to let him study computer science.
26:00 – Shubham was working an unpaid internship.
26:50 – Cole: pros and cons of uni education.
29:20 – Shubham: I don’t discourage people from going to uni.
32:00 – Assetnote – discussing the company.
34:00 – Shubham started commercialising but “had no idea what I was doing”.
36:45 – Cole reflects on his early naivety when starting Galah Cyber.
38:30 – Pros and challenges of bootstrapping a business.
39:00 – Shubham: came close to running out of money.
40:45 – Cole: I see a vacuum for app sec talent in smaller orgs.
41:30 – Cole: software has eaten the world. Now AI is eating software.
43:10 – Shubham: division of work between Shubham and co-founder.
44:30 – Doing any job to move the business forward.
47:00 – Rapid-fire questions.
Shubham Shah:
At the time, I had just managed to convince my parents that there is a legitimate industry for computer security and they should let me study computer science, which I was grateful they came around to. But it took a lot of convincing. Nowadays, it’s a different world. Everyone knows that cybersecurity is a hot field.
Cole Cornford:
Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. On this episode, I’m joined by Shubham Shah, more commonly known in the industry as Shubs. Shubs is the co-founder and chief technology officer of Assetnote, an attack surface management product used by companies like Atlassian, Qantas, and Australia Post. Shubs’ career in cybersecurity had humble beginnings. He told me he first learned to hack computer games, just his way to beat his brother as a kid. We chat a bit more about video game exploits and what we can learn about application security from them, about being effective with bug bounties, the challenges of founding companies and plenty more. So let’s jump right in. Hey, how you going, Shubs?
Shubham Shah:
Yeah, good. Just in sunny Brisbane enjoying the weather and excited to chat to you.
Cole Cornford:
Brisbane’s beautiful. Why a change from Sydney to Brisbane in particular?
Shubham Shah:
Well, actually it was mostly because most of my team work here in Brisbane, and even though we’re a fully remote company, I decided to move over to be closer to them, especially my co-founder as well.
Cole Cornford:
Yeah, because I know that I’m in Newcastle, so I’m not terribly far away from Brisbane. It’s a 30-minute flight. So I really understand the wanting to be close to your family and your friends and your team members especially. I’ve always with a remote first company, struggled a little bit with building their camaraderie. So it makes sense to just be co-located where you can.
Shubham Shah:
Yeah, absolutely. We’ve been seeing a bunch of companies move back to working in the office and things like that. But they all claim that creativity is something that only gets spawned in an office. I don’t know if I fully agree with that, but I do love making relationships with my team and I do love spending time with them when possible.
Cole Cornford:
Yeah, I think I really miss … When I was working at the ATO and at Westpac, there was just going out for pub lunches and playing pool or at Westpac, we used to go to a place called The Office, which is a pub across the road from Westpac. So you could tell your missus that you’re at the office all day.
Shubham Shah:
That’s a good one.
Cole Cornford:
I know. They’re really smart branding there. But the thing is you build those connections and people from all sorts of different parts of cybersecurity that you otherwise wouldn’t have been able to remotely. And I do feel that working with a remote company that I don’t get those relationships anymore. But Brisbane, anyway, sounds like it’s the right place to be. So first question I usually ask people come onto the podcast is, what kind of bird are you and why?
Shubham Shah:
I’m a kookaburra, and the reason why is because there are just so many things that can bring you down in life and it’s important to remember to laugh. And kookaburras love laughing, so that’s all.
Cole Cornford:
I love that answer. I get kookaburras outside my house quite frequently.
Shubham Shah:
I think that they’re a gem of a native bird in Australia, for sure.
Cole Cornford:
It sounds like you’ve got a smile and look at … Have you had some harder times since, so you’ve had to adopt that persona yourself, like to get through those? Is that how it is with the kookaburra or?
Shubham Shah:
Yeah, I think generally, I’ve been a pretty happy person and I think even though there have been a lot of setbacks throughout my journey and career, I’ve always found ways to make those things a positive influence in my life and usually find that if I move forward, not backwards, and have a positive attitude, smiling as much as I can, as long as I still feel that way, then things end up working out quite well. One of my friends used to always say to me, he says that, “Adversity builds character, but I don’t need any more character.”
Cole Cornford:
You got to make sure. I think that it’s a good attitude to be positive and to look at things, but not to the point where you’re just positive when things are collapsing around you.
Shubham Shah:
Yeah.
Cole Cornford:
And I think that betrayed a lot of people, are taught … It’s called toxic positivity, I think. I’m not really an armchair psychologist guy, so I don’t really know.
Shubham Shah:
No, but I do think there’s a level of pragmatism required with all of this. I try to be positive about the things that I can control, and if there are things that I can’t control, I try and figure out what I can do about them as best as I can. But at the end of the day, we still always have our sad periods.
Cole Cornford:
That’s it. God, give me the serenity. Right?
Shubham Shah:
Yeah.
Cole Cornford:
I need to learn that one and stick it up on my wall so I don’t just have heaps of glass everywhere, is my only thing. Next question’s going to be about your career. So could you tell us about where you came from and just a bit about yourself, your background and how you came to be a founder of a company?
Shubham Shah:
Yeah, sure. So I come from an immigrant family that moved to Australia in the year 2000. I was around three years old. And when my parents came here, they basically only had one bag of luggage and us two kids, my older brother and myself. And we moved to the suburb of Campsie in New South Wales. And basically back then, we were staying at one of our cousin’s places and we didn’t have much money. My dad went through multiple different jobs to provide for the family. All sorts of odd jobs, things, all the way ranging from cutting out plastic keychains to working in factories and all sorts of things like that. Through their hard work, eventually we were able to get our own apartment and we weren’t all sleeping in one room, and that was tremendous for us. My parents always tried very hard to provide for us. But at the age of maybe 11 or 12, my dad had bought a computer for us and that computer was very, very expensive at the time.
I’m pretty sure he used quite a lot of his savings for us. And as usual, my older brother was the one who usually was using that computer with very little opportunity for me to use it as well. But I still got to watch him play games. And that was a really important part of my early life playing online games with my brother. And eventually, I realized that I am absolutely terrible at games. I cannot beat my brother for the world of me. He is a few years older than me, but that was no excuse for me. I really wanted to beat him at all costs. So I got into game hacking and I was probably 12, 13 back then. And all sorts of game hacking, FPS games, online games, things like that. And started joining these forums on the internet, which would discuss different techniques, different tools that you could use.
At the time, I was engineering custom cheat engines for games so that they would be undetected by the anti-cheat engines that these games were using online. Doing this work, I started to really fall in love with all sorts of different areas of computers and programming and how everything works and everything fits together. I still had a very spotty picture. I came from no fundamentals, just dived straight into it and tried to figure things out along the way. After finally beating my brother by cheating at games successfully, I realized that there were more areas of computer security adjacent to game security that I was very interested in, specifically web application security. And while I was learning all of this stuff at the time, there were a number of forums that had tutorials on different things regarding web application security. While I was learning all of this stuff, I had also started working at Hungry Jack’s, which for the Americans, that’s the equivalent of Burger King in Australia.
And yeah, I was there for around eight months. I worked there basically on the backend and just I guess prepping burgers and things like that, making $6.50 an hour. And at the time, I was really grateful that I even got that job. I was stoked that they gave me a chance, which is in retrospect, I’m sure they would’ve hired any 14-year-old kid for $6.50 an hour. But at the time I felt very, very grateful. And I tried doing my best at Hungry Jack’s, but I worked there for around eight months, made around $800. And at the time, I was also reporting vulnerabilities to bug bounties. Now, bug bounties was just a relatively new concept at the time. We had Microsoft, which had their bug bounty and PayPal that followed shortly after. With the PayPal Bug Bounty, I had reported several bugs that didn’t get accepted by them. But it wasn’t something that stopped me from reporting more issues or looking for more issues.
Also, I’ll have to say that at the time, I really didn’t know what I was doing. Some of the bugs that I was reporting to them had little to no security impact. And if today I got bug reports like that, I would immediately mark them as informative or not applicable. But even then, I still pursued this line of bug bounty hunting at the time. And eventually, I did find a relatively serious bug, a server-side request forgery bug inside Bill Me Later, which is an acquisition of PayPal. And that server-side request forgery bug let me access any internal host inside the Bill Me Later and PayPal network. Overnight, they paid 1.5K USD. And basically, I never showed up at Hungry Jack’s after that.
Cole Cornford:
It’s funny that you mentioned Hungry Jack’s to me because my last podcast guest also told me that he had a lot of character development specifically for working for Hungry Jack’s for three years.
Shubham Shah:
Three years is a lot longer than I was able to stick it out. So I have to give him props for that.
Cole Cornford:
A lot to unpack there, man. So I also grew up in a family where, honestly, my parents weren’t terribly computer-literate. So my mom was a laundry worker. So she was packing laundry for hospitals basically. And she met my dad, who’s a truck driver, who was driving this linen and laundry between hospitals. And it’s like for them, I think a big lesson I learned is that people need to do shit jobs sometimes. It doesn’t matter what, if you’re doing, you’re running your own company or if you are … You just have to accept that there’s going to be parts of work that suck and you just need to do it right. And I know that my dad would. He was super disciplined getting up at two to three every six to seven days a week, working overtime, 60 hours a week, just delivering laundry between hospitals.
So I didn’t see him as much as I would’ve liked to. And I’m hoping to change that dynamic, now to have the ability to work remotely so I can spend time with my kids. But it’s still instilled in me about wanting to work really hard for my family.
Shubham Shah:
Yeah, I really resonate with that. It’s a very similar experience to me because my dad had to work so hard, similar to your dad putting in these overtime hours. I really rarely got to see him growing up, and it was actually very difficult for me to actually come to terms with all of that and understand that the reality of the situation was without his hard work, we wouldn’t have had all the good things in life. But I know that you said that this reminds you of doing shit work. But really for me, I think that for both of us, I think what we’ve learned from this is having a solid work ethic, which is something that is quite hard to build up. And we’ve been fortunate enough to see our family, our parents, go through such hardship and have this work ethic at all costs, to provide for the family that we’ve been moved, inspired, instilled, with the same sort of work ethic in our day-to-day lives.
Cole Cornford:
I feel like I’m incredibly privileged that I get to do a lot of different things. I get to run a podcast. That’s pretty good where I just talk to cool people about their backgrounds and interesting cybersecurity tidbits. But just if you think about the broad range of things we do in app sec, I speak with engineers and help them design systems. I do code reviews. So I sit there and I look at source code and put my headphones on and just run through where are these bugs at? I work to help people architect and make right design choices. I teach developers. I get a variety of things that are all really fun and interesting to do in their own unique way. And sometimes, that work can become monotonous or bad in some way. But you look back and you say, “Hang on a second. Actually, I’m incredibly privileged because right now I’m not driving trucks of linen between hospitals and doing this at 3:00 AM in the morning, six days a week.”
Shubham Shah:
Yeah, totally agree with you there. Sometimes I even feel bad when speaking, especially during the COVID times, when I would get into an Uber or something and I would say, “What did you do for work?” And they’d be like, “I just lost my job due to COVID. I was at a factory or something.” And then they ask me what I do for work. I’m like, “I work remotely and I don’t have these issues.” I’d almost feel bad talking about it because so many people have to struggle with the harsh realities of this economic climate as well as not being privileged enough to be able to work from any location like you and I can. So it is very good to remember that, and I do understand that we have it quite well when it comes to the sort of work we’re doing and the flexibility that we have with our work. It’s good to remember that.
Cole Cornford:
So if anybody’s listening and they just need someone to talk to about cybersecurity being hard, hit me or Shubs up. I’ll be happy to have a listen to you guys. I heard game hacking and I got really interested. I don’t know. I’m not as interesting as you, but I do a lot of speed running of computer games and across a wide variety of platforms, so generally older ones. I did play competitive Team Fortress 2 for about five, seven years, and so I do understand how the anti-cheat system works for VAC and all of that kind of stuff, and also knew what a lot of people were doing in that game specifically to effectively give them an advantage. So that is an area that’s really interesting to me too. Obviously, speed runs, it’s about finding ways that programmers didn’t intend for people to play the game, and sometimes it’s just very, very silly little things.
In Chrono Trigger, if you use an Elixir on the final boss, an Elixir just heals max integer. But the boss’s hit points are actually higher than max integer, so it overflows and then they just die in one hit because it heals over the max integer.
Shubham Shah:
Yeah, that’s awesome.
Cole Cornford:
There’s a lot of little bugs like that for speed and finishing all these games really quickly. What kind of bugs did you identify or vulnerabilities did you find for game hacking that were interesting to you?
Shubham Shah:
I was mostly looking at values that were controlled on the client side, that had a real impact on the server side as well. So most of the online games that I was looking at, I think at the time, mainly I was focusing on two online games and they were made by the same game developer, which was Softnyx at the time, and the games were Gunbound and GunZ. I don’t know if they’re super popular these days, but it was extremely popular back then. And I was looking at things like, basically I was creating undetected cheat engines. So Cheat Engine is the software that you can use to modify values in memory to maybe modify your health or maybe modify other values within the game. It attaches to a process and then it lets you modify these memory values and addresses. Essentially what Softnyx had built was, or what they had was something called nProtect, which was an anti-cheat engine, which was basically any hacking it would try to prevent, detect and ban you. And the regular Cheat Engine that you can download would get automatically detected immediately.
So there was a huge process involved in creating undetected cheat engines, which would involve you compiling the cheat engine project in a way that would prevent and protect from being able to detect it. And once you had Cheat Engine going, you could start doing things like unlimited life hacks and things like that. I also briefly got into aimbotting as well and learning how to make aimbots for this game. For some context, Gunbound is a game just like Worms, if you ever played Worms before. Yeah, it’s very similar to that. So an aimbot goes a long way.
Cole Cornford:
Oh, Worms. For those who don’t really know, basically it’s a game where it’s a 2D map and you just have a bunch of different worms who need to shoot each other with weapons. And a big part of it is actually the ability to understand physics, because it’s about how do I move rockets from here to here without hitting random obstacles? And if you are able to get the trajectory and the power … I think there was another one called Pocket Tanks. It’s very similar. I used to play back when I was in high school. If you could do that accurately every single time, you absolutely mercilessly crush the opponents. So I do like that idea of … I knew a lot about game hacking that was more passive. There was a few ways that people still to this day do it.
So ones I can talk to is in PUBG, which is a battleground game. I think this has been patched now, but one of the big parts of the game was actually having the ability to listen to audio and then be able to use that audio to understand the direction that a gunshot came from.
Shubham Shah:
Oh, wow.
Cole Cornford:
But what they would send to you as a packet on the network effectively is the exact position. So you could, on a second monitor, split the network traffic to go to the other monitor and just pretty much have a compass direction pointing where the person is going.
Shubham Shah:
That’s very cool.
Cole Cornford:
And it’s completely undetectable, man, because all that’s happening is you’re passively listening for traffic that’s coming in. There’s no interaction with the game client. All that they’re seeing is it’s going to your router and then the traffic’s being sent to wherever it needs to go. It’s pretty foolproof. And I know there was a lot of people who got caught out at some of the worlds because they didn’t have access to this. And suddenly they’re like, “Hang on a second. How come you’ve completely lost your ability to have spatial reasoning?” And it’s like, “Yeah, I don’t have a monitor telling me at all points in time where anyone who shoots a bullet is actually at.” Because the other thing I had is the level of audio, so then you can use the … Level of audio is the distance.
So you literally had the ability to triangulate someone’s position. And in PUBG, when the maps … The game’s all about positioning and being on high ground and knowing where people’s at. Yeah, it’s bloody ridiculous. Team Fortress 2, Heroes of Newerth. The other ones I had as well with Heroes of Newerth … I think the one that was pretty common was [inaudible] sending. There’s this item in the game that was called a mana battery or something. And basically whenever someone was in range of the mana battery, if they cast an ability, you got a charge on your battery and you can always use your battery to get yourself some health back. But there’s that area of effect around the mana battery. So basically to have a flag that’s sending to you, that if someone’s in the area of effect, then you know that someone’s near you.
So then you’re able to actually determine if there are people in the fog hiding away from you using abilities because … And you can just have an indicator appear on the screen pretty much saying that someone’s near you. So I remember that being super dodge.
Shubham Shah:
That’s really cool.
Cole Cornford:
And it’s like it’s funny to think about these kind of things, which to me are subversions of how the games are supposed to be played. But at the end of the day, it’s a [inaudible] model problem, because this information, you can obfuscate it, you can make it harder to be able to work with it, or you can build it directly into the games so that everyone has this player advantage. There’s one in Team Fortress 2 that was really common for a long time, and they actually built this functionality into Team Fortress 2 because they got sick of people doing particle hacking. Particles in the game weren’t actually part of sv_pure, which is the ability to effectively run a server with just base bog-standard stuff without modifications.
So people had it so that if you had overheal, then you would have a giant square above your head. And if you were not overhealed, you would not have a square. And then it just meant that competitive players would choose who to fight and who not to fight in the game, because they’d be like, “Oh, you have a square above your head. I’m not going to fight you because you have far more health than I anticipate. So I already know this is a bad idea.” So Valve actually took that and made it just create particle effects around people if they’re overhealed now by default as part of the game.
Shubham Shah:
Oh, that’s sweet.
Cole Cornford:
But that didn’t exist for the first four years of Team Fortress 2. So you just had a bunch of notes who had these particle hacks fucking installed and just like … Oh, this. I love game hacking. It’s just so many ways that it just goes a bit crazy.
Shubham Shah:
That’s very cool, man. What you’re describing to me, first I want to say that some of the game hackers that I met and some of these techniques that you’re describing to me are extremely clever and things that surprisingly don’t constitute vulnerabilities in the purest sense. But they’re in many ways what I would think of as oversights or misconfigurations or something that leads to an advantage. And if we look at our industry and some of the vulnerabilities that we see in our industry as well, we’ll also notice that some of the most successful ways of compromising something may not even involve having a vulnerability there to compromise something. And I know that a lot of the three letter agencies, they really rely on things like misconfigurations and intended functionality many times, that lets them do things that they probably shouldn’t be able to do, which is what you’re describing to me with these game hacks that you’ve just gone through, which is very, very interesting because I see them in a very similar vein.
Cole Cornford:
So maybe we should just … For all our three letter agencies, just be like, “Did you play computer games? Were you hacking in high school?” Okay, well off you go to go work for our TLAs over there. Yeah, REDSPICE, right? Go find all the nerds who play Overwatch 2 or the new Breath of the Wild game that’s coming out and just bring them across so they’ll figure it out. Oh, dear. So you moved into bug bounty after that, and that’s where you stayed for quite a while?
Shubham Shah:
Yeah, so I got into bug bounties at around 14 and after the PayPal bug that motivated me to continue working on this, I did have some issues briefly with just computer hacking at school and things like that, which is not an uncommon story for a lot of people in this industry. But unfortunately, that was something that really turned off my parents from letting me enter the field. In fact, my parents were insistent that I become a pharmacist, and they did not let me take any computer subjects in the last two years of high school.
So I was basically doing all the sciences. And one of the other things that also happened during that time was my older brother had already graduated and he had received a really good mark in his final exam in year 12. And one of the things that was quite common for me to hear within my family, due to how disruptive I was and how many issues I had with computer hacking and stuff and everything else, was that I probably won’t be able to make it to university, but at least my brother’s made it in, sort of thing. So that was something that I heard a lot back then.
But when year 11 and year 12 hit, I decided that I would definitely beat my brother at any and all costs. So I started studying very, very hard. And I realized at that point that I can’t learn things the same way that other people can in class. I can’t just listen to someone talking to me for 30 minutes and learn a bunch of things. I have to be the one doing it in some way or form, and that’s the only way I learn. And yeah, I started making videos. So I made I think a hundred and something videos for all of the subjects that I was doing, which was biology, chemistry, and all sorts of things. But I made a lot of these videos and I shared them with people in my class, to help teach them about the concepts that we were learning.
And I did fairly well. In my final exam, I beat my brother, which is all I was aiming for. And after that, I was able to get accepted to University of New South Wales for computer science, which was my number one goal. At the time, I had just managed to convince my parents that there is a legitimate industry out there for computer security and they should let me study computer science, which I was grateful they came around to, but it took a lot of convincing. Nowadays, it’s a different world. Everyone knows that cybersecurity is a hot field and everyone knows that there’s a lot of need for talent in this area. But back then, they wouldn’t even really know about what we’re talking about these days. And I don’t think they fully understood that there was a real industry available for something like this.
And that’s not to their fault. They’re obviously not people that have gone through the education system here in Australia, nor did they understand these things back then. It wasn’t that popular. It’s not in the media or anything like that. So I’m not saying that this was necessarily their fault, but back then it was a different world. And after convincing them, I was at University of New South Wales for around a year. And at the same time, as soon as I finished high school and I got my marks, I immediately emailed every infosec consultancy I could find in Sydney. And I listed a bunch of things that I’d done. I gave them a resume, explained to them that I had done a lot of bug bounty work, had a bunch of vulnerabilities submitted to companies like Adobe, Microsoft, PayPal that had been accepted. And out of all the consultancies that I emailed, only one consultancy got back to me, which was Hack Labs at the time. And they agreed to put me on as an intern.
But the journey there and back was dreadful. Three hours usually all up traveling from my place in Western Sydney to all the way in Manly, which is a long way away. And it was an unpaid internship, so I didn’t get paid for it at all. And I was there for around … I think it was around three to six months I’d say. But I was grateful for that nonetheless. I was able to learn a lot about security consulting, getting to do pen tests myself, getting to write reports, getting to work with a team of other security enthusiasts as well. So I was very grateful for that opportunity and grateful that I was able to step into the industry at such a young age. I was just 17 at the time. But yeah, essentially I went to university and I ended up dropping out because as I said earlier, I really struggle with learning things if I’m not really doing everything myself. And that was something that I really struggled with at university.
Cole Cornford:
I know a lot of people have a similar story in a lot of ways. When I was at high school, I wasn’t the best student. I liked getting out on Fridays and going and sprinting to the fish and chip shop and playing cards. Usually, I think we played a game called President or Nintendo DS, Metroid Prime Hunters and Mario Kart DS. That’s all we did. And I think I came out with an ATAR of 70 because I got lucky, but I got into university and I just went for a normal IT degree. And my parents just were happy because I was the first in my family to ever go to university, honestly. So I was just an achievement as far as they were concerned, and they were just happy to see me at uni. They didn’t really know, understand computers. And honestly, when I went to uni, I didn’t really understand anything about … Well, anything real, to be honest.
I learned all my education through that. I just had a gear switch in my head where I said, “Wait a second. I don’t want to be this nerd who just plays games all the time, doesn’t care. I just want to actually just go and do really good. This is a good way to reset and move forward in life.” So I just worked really hard at university and it came out well, and I got a good job in the public sector after that.
But yeah, I know that university’s not for everybody, but I do encourage people to go speak with a uni and see if it is for you, because some of the education, you don’t have to get a full qualification or accreditation at a university to be successful. Sometimes, it’s just those base skills around what is an array, how do you do a UML model, how do we talk about architecture and what is a DNS record? Those things, that baseline skillset, is often missing from a lot of entry-level professionals. And I see that a lot with cybersecurity graduates. I’m always worried when I see someone turn up with a master’s of cybersecurity to an interview at my company and I’m just like, “Oh, no. Have you guys done any IT programming, software engineering, whatever, hands-on stuff?” And the answer’s pretty abysmal usually. So it scares me. But yeah, I like the video content as well. So why did you choose to make videos at high school, by the way?
Shubham Shah:
It was because that was the only way that I could learn. So the videos that I was creating, I had bought a Wacom tablet, which would let me write onto my screen and record it, and I would basically write out all of the things you needed to learn for whatever subjects. And the process of making these videos, I had to become an expert at any cost at any of these different areas. So for me, it was something that just through sheer discipline and hard work, I would release maybe one or two videos every day or two. And I did it as frequently as possible. But throughout the year, I only released around a hundred or something videos. Even then, it was something that for me it had a significant positive impact in learning. Now, just to circle back a little bit on your university experience. I certainly don’t discourage people from getting a university degree in any way or form.
And there are benefits that go beyond just this baseline skillset, which is the ability to work in almost any country you want. Being in Australia, if you have a university degree, if you want to move to somewhere, having that university degree is sometimes the difference between being able to get a long-term visa and not being able to move there at all. So for the people that have been fortunate enough to make their way through university and not just fortunate, worked hard to make their way through university, I think they should be quite happy because it opens up a world of possibilities for them and opportunities in other countries as well.
Cole Cornford:
And that’s actually super accurate. I went through an interview process at Facebook. And one of the pieces was you needed a university qualification to actually get, apply for the E-3 Visa to even get across to there. So that was one of the screening questions after I did the on-sites basically. So yeah, they’ve got a pretty cool campus, by the way. Just very smelly salt flats, not the greatest at Menlo Park. And even with going to change.org at Canada, my visa sponsor, which didn’t happen because of the COVID pandemic messing all that up, I still had to have a university qualification to even be considered by the Canadian government as someone to be able to move there. So if you want to go travel, go get a uni degree.
Shubham Shah:
Yeah, no, for sure.
Cole Cornford:
I’m sure that there’s other reasons as well, but I do think that baseline level across a wide variety of things and some theory that in practice you wouldn’t really pick up a lot of the theory stuff in my view. I was talking to one of my friends who’s an entry-level programmer who’s just self-taught. And he can build React apps, he can build Python applications. But then I ask him what’s the difference between using an array and a linked list and why would you consider using either of these? And it’s a bit of a [inaudible] question. In fact, they don’t even know what the concept of an array is because they’re a Python developer. It’s like, “Wait a second, this is different. Is this a slice? This is a splice for Golang?” So these basic computer science concepts do come up in security a lot. It’s the little nuances between how things actually work and how people think that they work, that actually lead to bugs being introduced into apps.
Shubham Shah:
Yeah, fully agree with you. And on my side, I’ve been doing a lot of engineering as a part of Assetnote, and I’ve just started to learn over time how much of a knowledge gap I do have because I didn’t go to university. And it’s been very humbling bridging this gap. But as you said, you’d probably cover a lot of it if you went to a university and did a computer science degree.
Cole Cornford:
That’s probably a good transition. So you’re the CTO of Assetnote. Do you want to tell us a bit about Assetnote itself and why you decided to start a company in the ASM space?
Shubham Shah:
Yeah, sure. So Assetnote, we produce one product, our attack surface management product. We automatically map out and discover every asset on the internet that belongs to your organization, and we scan it for security exposures on an hourly basis. So very, very continuous. We’re doing all of this discovery and security analysis 24/7, 365 days a year. It’s completely automated and it’s a platform that we’ve built from the ground up over the last four and a half years. It’s something that’s capable of finding all the different subdomains, IPs, APIs, across your attack surface at any given point in time. And yeah, it’s something that we started originally. Well, the background is I was doing a lot of bug bounties and doing a lot of automation for bug bounties. And when I was doing this, I came up with the concept of Assetnote initially as an open source project that I released at BSides Canberra, I think 2016 if I remember correctly.
And yeah, I was going to stop working on it. I was going to completely stop working on it. I was done with it, I’d released it. I was still using it, but I was not really planning to go further with it. One of my friends from Sweden, Mathias, he reached out to me and he said, “This idea that you have around collecting recon data from a bunch of different sources and continuously monitoring it, it’s a really good idea. You should continue working on it.” And because he had faith in me and he had faith in the idea, it really motivated me to keep going. And at the time, his girlfriend was a project manager. So she basically set up a bunch of Trello boards. And Mathias and I just started programming more and more things into Assetnote. Although after a while, I think Mathias had other things going on as well.
But I kept continuing working on Assetnote and it then started becoming really, really good at discovering vulnerabilities in an automated fashion. So we were talking about vulnerabilities in Uber, Slack, all sorts of really large companies. And one day, it even found a vulnerability in Slack that disclosed all of their source code and all of their hard-coded secret keys within the source code. And I think at that point, I realized, “Wow, this has real legs.” The concepts that we’ve built here and the whole idea of automatic reconnaissance on a continuous basis and finding vulnerabilities on a continuous automated basis, has some real legs as the two components fit in nicely together, where the reconnaissance feeds into the ability to find things rapidly as they’re being deployed. At that point, I’d tried getting the company off the ground and started trying to commercialize it. But to be frank, I had no idea what I was doing.
I didn’t have any of the business skills that I needed when it comes to sales, when it comes to legal, when it comes to accounting, and even just a general idea of how I would go to market with a product like this. And my whole worldview at the time was completely based off my technical roles and experience technically. And it’s great for me to be able to program something that has real commercial value. But bringing it to market is a completely different skillset and requires a completely different mindset to what I had at the time. Unfortunately, I failed the first few times taking it off the ground. And it was really interesting because I would tell my family, “I’m going to quit my job and I’m going to focus on this.” And they would say, “What are you doing? You could work for a nice company like Microsoft to have a sweet life, wake up a decent time, sleep at a decent time, have a good family.” Whatever, all this stuff.
And it was really battling uphill from all different perspectives. In fact, most of the people that I told this idea to at the time didn’t really believe or understand what I was talking about. And often, they would claim that there were risks for this idea that would trump this idea in a matter of years. For example, one of the things that I would often get told is this is not a viable business. In a few years’ time, AWS and Azure will build something like this and they’ll take over this entire segment. And they’ll tell me about all these different things. So at the time, I had a lot of uphill battles even convincing the people around me that this had value. There were a few people that did see some value in it. I’m grateful for that. And one of those people was my current co-founder, Michael.
And when I started working on the business with Michael, we were able to actually commercialize this. We rewrote it from the ground up. We built in everything that an enterprise customer would expect from something like this, because one of the things we recognized early was what I had built for the bug bounty automation is not the same as what an enterprise customer wants, and it’s not going to necessarily fit their needs. But that’s how Assetnote came to be. And Michael and I have been working on it for just over four and a half years. And it’s been going excellently so far.
Cole Cornford:
That’s a fantastic story, man. There’s a few things I really want to talk through there as well. But as a founder myself, I also had a similar situation to you, in that, “Oh yeah, I’m great at app sec. People will just buy app sec services. Done. That’s it. I don’t need to go to market, I don’t need to do sales, I don’t need to do marketing.” Turns out that that’s bloody stupid and that I have now learned that I’m my best salesman effectively, and I need to be actively soliciting and finding pipeline to work with. So you learn these things as you start a business and fail and then pick it up and then fail. And the setbacks and also people telling you that it’s risky, I really see that a lot as well. I would argue that if you’re working for a big company, that is also risky because we’ve seen in the last year that tons of large institutions are laying off really good people.
So are you really in control of your own destiny if you are working for a big corporate like a Microsoft or Google, when they can just let you go at any point? Or would you prefer to take it into your own hands, build your own client base, and then have shorty and success in yourself? I think it’s actually more of a risk to just cruise, than it is … Because your skills will degrade over time. You’ll have a smaller network, you’re not doing the things you need to do to set yourself up in the future. So it’s really good that you’re able to push past a lot of negativity and criticism and say, “Actually, I really do have confidence in my idea. I don’t know why other people aren’t seeing that.” And the other thing, people just don’t want to put money on the table for stuff. They’re going to be very afraid to invest in things. But you found some early investors who really did see that there was a lot of potential in your business and that’s really helped you move.
Shubham Shah:
No. So we’re a completely bootstrapped business.
Cole Cornford:
That’s the best place to be, man, if you’re bootstrapped. You are set.
Shubham Shah:
And it’s the same for you, Cole. Coming from the bootstrapped world, I think Michael and I did have to put quite a bit of money in initially to get some of the initial funding for the company off the ground. But that wasn’t anything significant. Nothing like what a seed round would be or a Series A would be or anything like that. And surprisingly, we have had instances where the company was on the brink of extinction, because we just didn’t have any more money left in the tank, Michael and I. We had this one situation where our bills for our cloud providers were going up because we were starting to onboard people. We didn’t necessarily have that much money coming in. And we were speaking to an investor here in Sydney. And we flew to Sydney, we pitched them, we talked to everyone there. And they were like, “Yeah, we just don’t see it.” And we were like, “Oh, okay, no worries.”
And at the time, if they had given us seed funding, due to the dire situation we were in, we probably would’ve taken it. But because they didn’t give it to us, we ended up actually contacting a friend of a friend who worked at AWS. And they were able to give us a hundred thousand dollars in credits in AWS Cloud Compute. And that was all we needed to ensure that the company didn’t need any external funding really, because after that, and I’m really grateful for this because normally, this is only given to AWS customers that have been funded by VCs. But the team at AWS had made an exception after seeing some of the customers that were onboarding with us.
And I’m really grateful for that decision because it meant that Michael and I could focus on actually building the product and business, without having to worry about our huge infrastructure spends that we had early on. But yeah, I’m really grateful for the fact that it’s a bootstrapped business. It means that both Michael and I can drive this business however we want. And I’m sure it’s the same for you, Cole. If you have any thoughts on this and your bootstrap journey, I’d love to hear them.
Cole Cornford:
So there’s a lot of things that I’ve messed up. One thing I really struggled with early on was I really wanted to get good talent and I had really strong values. I still do. I really want to look after people and help to nurture them and grow and build talent. And especially in app sec, I see a vacuum at the moment where people get taken to big technology companies on ludicrous wages and then that’s it. They’re there. And I think that that’s really bad for the industry because it means that we have so many other areas that just have no mind share about where product security, application security is, and it’s just not even a concern. And they’re getting constantly breached in the space. So I could have quite easily taken a role at some big tech company and sat there as a product security engineer at half a million a year or something stupid.
But I think that as soon as you do that kind of stuff, you’re not really committing to what I really wanted to do, which is to get this on as a national conversation for people and say like, “Hey, I need to get this moving.” So I still really believe that that is the trend. Software has eaten the world and now AI’s eating software. We’re moving in that direction. So I’m really trying to promote that vision and get that mind share going. But what I did really badly was I took my values and vision too far without commercializing it successfully. A few things I don’t recommend doing: having a baby when you’re just getting a business off the ground. Turns out that if you can’t be a hundred percent committed, you’re screwed.
Paying attention to finances is actually really important. I tried to delegate that responsibility away and it’s bitten me. So I now am actively chasing invoices, sending out statements at work, and making sure people pay things upfront and managing cash flow, building future pipeline. That’s one of the things that kills small business owners, is that they don’t think it through. They’re just like, “Oh, I’m a security consultant. My wage is this. This is great.” And then there’s downturns, there’s tax, there’s staff contributions and payroll. There’s a lot of things you need to be aware of.
And I wouldn’t … Not discouraging people from starting a business and learning all of these things. What I am saying is that you need to be hands on and wear many different hats. And if you’re not prepared to put on the sales hat and go up to someone and say, “Actually, I’m great at application security. I can solve problems for you. I notice the sales. Just let me help you.” And if you are just going to say, “Actually, they’re going to come to me”, that’s not going to happen. And you found out as well when you were trying to commercialize Assetnote too. You’re like the number one bug bounty hacker person in the world, yet still unable to sell your product, because the people who respect you are not the ones who are the purchasing authority in these large enterprises.
Shubham Shah:
So surprisingly, it’s been different for us for that specific aspect. Firstly, I just want to touch on your point around all the other things you need to do to have a successful business, which is, as you mentioned earlier, managing cash flow, payroll, all that sort of stuff. I’m really fortunate that Michael helps a ton with that, in fact, does most of that. But we get a lot of external help for that as well. He hired BDO for all of our accounting purposes. We have a virtual CFO that we consult with on a regular basis to learn about how we are doing as a business and things like that. But as a solo founder, I really, really know that you would have to have done so much of this work, alongside all of the other work you need to do. And Michael, my co-founder, he manages basically everything to do with the business and sales, and I manage pretty much everything to do with technology.
Michael often also really gets involved with product decisions as well and designing user experience and things like that as well. And one of the things that I love about this stuff is we’re not afraid of doing anything that’s necessary. Really for me, what that looks like is I’m often dealing with support tickets all the time. And some people might think, “Oh, I’m the CTO of a business. Why do I have to do all the support tickets?” And sure, you can feel that sometimes, but I know that with me doing that work, it’s going to have the most positive impact possible for our customers. And I know that it’s going to be something that leads to a lot of positive reviews of our software and our work. And there’s also a bunch of things that I like doing that means that our developers get to do what they’re supposed to do, which is actually engineering, as opposed to investigations and customer support and other things like that, that I don’t want them to be spending as much time on.
And I know that you’re very similar in this vein where you try and take on a lot of responsibilities, that it’s anything and everything that you need to do for the business. It’s not about what the job is. It’s just about getting it done and moving forward. And we’re not so precious to think, “Oh, my role is this, so I’m only going to do this, or it’s not worth my time or anything like that.” We don’t think that way. And I think that it loops back to what you were talking about earlier around thinking about our background and our parents who had to do these really mundane things and jobs that they had to work very hard, wake up at 2:00 AM every day, whatever it may be.
And we compare that situation to us and we still have it really good at the end of the day. Anyways, that’s a bit of a tangent, but I just wanted to touch on that point because I think that you, like what you’re saying to me is again, really resonating with me as something that I’ve had to do as a founder, a co-founder as well.
Cole Cornford:
Yeah. Thank you so much. I really appreciate the kind words. And I encourage people to go and actually start businesses. Start small. There’s nothing wrong with having it as a side hustle. Go build a product and just try to sell it to people and see how it goes. I guarantee that the majority of people that you speak with will give you feedback in one way or another. But the thing is, it’s still feedback.
So if it’s a bunch of LinkedIn connections sending nasty messages to you, then you’re probably not solving a problem that is actually relevant to them. It could be your pitch, it could be your tech. It could be the fact that you are sending, using sales navigator badly and targeting the wrong personas. But these are all things that you need to be able to work out for part of your sales strategy, as well as what product or service am I actually trying to sell? It’s a journey and I think that it’d be very difficult for me to go back to a corporate position, now that I’ve been running a business for a few years now. So I imagine that you’re in a similar boat.
Shubham Shah:
Yeah, for sure. It’ll be a huge transition, but I don’t think I’ll enjoy it as much for sure.
Cole Cornford:
All right. So I’m going to move into the rapid fire questions that we have.
Shubham Shah:
Okay.
Cole Cornford:
Question number one, if you were to give a book to someone at Christmas, what book is it and why?
Shubham Shah:
Tangled Web and because it covers a lot of really unique concepts with web application security.
Cole Cornford:
That’s Michal Zalewski, is it?
Shubham Shah:
Yes, I think so. Yep.
Cole Cornford:
He wrote another book recently called Doom, didn’t he? Doomsday or something?
Shubham Shah:
Yes, I think yes he did. He wrote a doomsday prepping guidebook. So he has a wide range of skills ranging from web application security to doomsday prep.
Cole Cornford:
Oh, dear. Maybe I should pick up both of those books. So what’s so good about the Tangled Web though? Is it still relevant? Because I remember it came out 2013 or ’12, didn’t it? So the web’s changed a lot since then.
Shubham Shah:
Yeah, so it’s not as relevant. The web’s changed way too much for it to be super relevant today. But what I found when I was working at Bishop Fox as a security consultant was I would come up with these really gnarly client side exploitation techniques and I’d mention it in the group company chat. And they’d say, “Hey man, that’s on page 96 of the Tangled Web.” And I’d be like, “Really. Damn it.” I thought I came up with something really unique and really new. So I would always get referred back to this book, and I read through the whole book. And it’s just the mindset that he teaches about how to approach client side security that I really love.
Cole Cornford:
I think I need to pick it up as well. The books I’ve been reading lately are How to Design Secure Software and also books about how to enroll kids in private schools, which is not terribly interesting. But maybe one day you’ll be at that point in your life where you have to think about that. Cool. Next question, what’s the best purchase you’ve made for under a hundred bucks and why?
Shubham Shah:
Under a hundred bucks? I think the best purchase I’ve made for under a hundred bucks is a cheap digital watch really. It’s been quite useful for me. There’s not that many things I can think of under a hundred bucks, but if I can say over a hundred bucks, then it would probably have to be my Mac Studio probably.
Cole Cornford:
What’s a Mac Studio?
Shubham Shah:
So it’s a desktop Mac basically that was released a year or two ago. It’s been incredibly good when it comes to source code auditing and really heavy workloads. I would always find that any machine that I would use wouldn’t be able to handle the amount of ADHD energy that I had. So this Mac Studio does that quite well.
Cole Cornford:
It’s going to go on everyone’s procurement list. We need these Mac Studios in every single professional pen tester’s lab. Done. I just have a bunch of bad monitors, so I’ve got two Dell ones. They cost me like $12 each. So I picked them up at a secondhand store and I’ve just shoved the monitors in and they do what they need to do. And yeah, a lot of the source code auditing I do is about just spending the time working with engineers initially, to just really understand the history of the application before I actually ever dig into it. But I think from a bug bounty perspective, you don’t get to have one-on-one time with engineers to actually talk through why is it like this?
Shubham Shah:
And also you’re spinning up heaps of VMs. You are decompiling source code, and you’ve got 50 things going on at once. But I would love to be … I was actually, when I was working at Bishop Fox, I was doing what you were doing with source code analysis and I was speaking to customers and auditing their code. And that was excellent. I think I learned the most when I was doing that, by actually having that interaction with the customers. Nowadays, I’m just sitting here guessing, trying to figure out what the developer was trying to do at that point in time when he wrote that code. So it’s a lot more guesswork these days.
Cole Cornford:
When you have access to the developers who are still writing the source code, they’ll probably question, “Why didn’t the previous developers do this in the first place?” So I swear there’s a market for a product that does code archeology. So you just dump a Git repository there and you say, “Give me the history of this. Why did people do all of these things? Tell me more.”
Shubham Shah:
Yeah, for sure.
Cole Cornford:
Maybe that’s our next startup idea together. I don’t know how I’d sell it. I’ll just steal Michael. So Shubs, one more final question. Our audience leans towards younger viewers, but I also think it’s important to cater for some of the more senior members of the crew. So maybe there’s two questions then. Question one, what tip would you give to people who are relatively new to cybersecurity, who are looking to get better at bug bounty? And number two would be if you’re a senior leader in cybersecurity, what can you do to help others?
Shubham Shah:
Okay. For the people coming into the industry and wanting to get into bug bounties, I recommend just diving into it, not being discouraged, being persistent, and trying to learn as many fundamentals as possible before you dive into it, obviously. Things like PentesterLab, Web Security Academy, TryHackMe, Hack The Box, all of these are great resources for beginners. Just really diving into it. Even if you don’t find anything at all for a week, you’ve still learned a lot in that week. So that’s my opinion on it. And I think that’s the best way to do it. And when it comes to the older crew or the people that are in more senior positions in this industry, I would just say don’t be hesitant to give people a shot, even if they’re very young.
And I think that as time goes on, we’re seeing the barrier of entry decrease. I was incredibly fortunate that someone gave me a shot when I was 17, and I don’t think I’d be here necessarily in the position I am today if I hadn’t had that opportunity. So yeah, don’t be afraid to give younger people a shot if they show promise. I’m not saying just give a random 17-year-old a job. But if they come to the table with some good experience that they’ve got from recreational activities or things they’ve done in their free time, I would really consider giving them a shot.
Cole Cornford:
It’s good to be open-minded. I think that it’s pretty easy as a security professional to have this negative closed-minded attitude because that’s effectively what the industry is reinforcing. We say, “No, we try to stop things from happening. We’re here to make things slow and implement guardrails so people can’t shoot themselves in the foot.” And that mindset does permeate into hiring decisions. These people need to have an OSCP. They need to be able to explain what’s the difference between a CMNA and [inaudible]. And I’m sitting there thinking to myself, “I’m pretty certain that my early job interviews were just pretty silly now.” It’s just what is a computer? How do I compute? And then I seem, “All right, here you go.” So I’m fortunate as well. So yeah, really great answers, Shubs. Thank you so much for coming on to the Secured podcast, and we’ll stay in touch. I’ll have you on in the future.
Shubham Shah:
All right. Thanks for having me, Cole.
Cole Cornford:
Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favorite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter and get high quality apps and content straight to your mailbox. Stay safe, stay secure. I’ll see you next episode.