About
Rajat Swarup is an information security researcher with 20+ years of experience in offensive security. For his entire life he has mostly been asking questions: How? Why?
Rajat finished his Bachelor's in Computer Engineering at Fr. C.R. College of Engineering, Bandra, Mumbai and then moved across the world to pursue Computer Security coursework at USC. After completing a Master of Science at the University of Southern California, Los Angeles, he soon left beautiful, sunny Southern California to pursue his love for computer security research, working with the Advanced Security Centers in New York at Ernst & Young LLP. This was a team of incredible individuals who are still friends and doing amazing things in the world of Information Security. After working with E&Y for a couple of years, Rajat joined VeriSign Global Security Consulting, which was acquired by AT&T Consulting Solutions in October 2009. After 11 years in security consulting and with a newborn at home, Rajat could not travel as much (life got in the way!). Therefore, in January 2016, Rajat joined BlackRock Financial Management as the Global Head of Application Security and Adversarial Testing (pen testing and purple teaming). After working for the world’s largest asset manager, Rajat changed gears to work for Amazon Web Services for 3 years (that’s 24 cloud years!). Rajat helped secure the infrastructure of the AWS cloud at its lowest levels (Infrastructure, Core) in New York City by creating a tiger team of researchers who found the most Internet-impacting vulnerabilities in components critical to the functioning of the Internet, such as protocols built into backbone routers. Additionally, Rajat spent time managing the security of a whole host of customer-facing AWS services that hundreds of millions of AWS customers use daily, including the introduction of the aws:SourceAccount and aws:SourceArn global context keys. Nowadays, Rajat is pursuing his Master's in Artificial Intelligence from the University of Texas at Austin to fulfill his learning appetite. Rajat is now responsible for protecting one of the world’s largest asset managers – helping protect people’s retirement futures – and loves it!
During his consulting days, apart from traveling the world, Rajat spent most of his time helping Fortune Top 100 customers with their information security needs: penetration testing (network, wireless, war dialing, reverse engineering), web application security assessments, social engineering assessments, Payment Card Industry assessments (PA-DSS and PCI DSS), Federal Trade Commission (FTC) assessments, database and network security architecture reviews, security configuration reviews for routers and switches, web application security code reviews, teaching OWASP Top 10 awareness classes to developers, performing forensic investigations, breaking the security of anything, etc. This has evolved over time, but the love for security (operating systems, cryptography, kernel programming and exploit development) continues, though a little slower than 17 years ago when he started blogging.
Rajat enjoys solving problems with code in languages such as C/C++, C#, Rust, Java, x86 ASM, Perl, Python, and even Unix bash scripts. Like most security people, Rajat believes that automating the testing for security vulnerabilities leaves people with more time to come up with newer, better and more efficient ideas. These days I mostly look at ways to improve cloud security. So while my day job is to ensure “security of the cloud”, I still like to read and research “security in the cloud”. I consult with various security startups and talk about enterprise challenges such as migration to the cloud, appropriately balancing security and usability needs, and other general topics such as go-to-market strategy and essential features in products.
At work, my team and I work on discovering and, most importantly, patching exploitable flaws in core networking software and other vendor products via fuzzing. My team also does source code security audits, purple team engagements, threat modeling and consultations. This is mind-bending work in the cloud space and is incredibly interesting. Prior to this role, I helped secure some of the most critical financial systems, such as BlackRock’s Aladdin (nowadays marketed as the “operating system of the financial world”). It is the software stack that processes the majority of the world's asset management portfolios! When I was at BlackRock, I helped raise the firm's application security posture – it was fun and challenging most of the time to balance usability and security. Working in the cloud just raised the stakes even higher and made things even more fun!
Other than technology, I love eating out at new restaurants, visiting new places to learn new cultures, playing cricket with my daughters in NJ, and philately. This consumes most of the time I have available on a day-to-day basis.
This blog is an attempt to share information that might be helpful to anyone, but the information might be dated since I do not have much time these days to keep the blog updated. Feel free to reach out to me via Twitter / LinkedIn if you have any questions.
You can find him on Twitter: @rajats