About
As the Director of Security Engineering at Security Innovation, I provide managerial…
Experience
Security Innovation
Education
Ramrao Adik Institute of Technology, University of Mumbai
Licenses & Certifications
Hands-On Hardware Hacking
DakotaCon - Joe Grand
IPSolutions certified CCNA
IPSolutions
Advance Diploma in Software Engineering
CMIT
Certified in RedHat Linux
Aptech Computers
Publications
Demystifying IoT Attack Vectors
Security Innovation Blog
Blog post explaining the various attack vectors that can be used to compromise an IoT device. Also includes an IoT tipsheet that can be used to secure your own IoT devices.
OWASP Mobile Risks 2014 vs. OWASP Mobile 2016 RC
Security Innovation Blog
In March 2016, OWASP released the 2016 edition of the Mobile Top Ten. Now that organizations have had some time to get acclimated to it, I wanted to provide some of my thoughts on it.
QuadRooter: The 4-Headed Monster That Threatens 900 Million Android Users
Security Innovation Blog
A detailed account of QuadRooter, a set of four vulnerabilities in the software drivers for Qualcomm's widely used graphics and media chipsets, which ship in more than 900 million mobile devices globally.
Jailbreaking your iPhone: Worth the Security Risk?
Security Innovation Blog
A look at the benefits gained, and the risks taken on, by jailbreaking an iOS device.
The Blessing and Curse of Apple Security
Security Innovation Blog
A lot has been written about whether Apple should comply with the recently publicized FBI demands surrounding the San Bernardino attack last year. In this article I avoid the political side of the debate and focus on the technology instead.
Android vs. iOS: Security Comparison
Palisade : Application Security Intelligence
Smartphones have become as basic a need for users as the desktop computer, driven by day-to-day advances in the technology. This article discusses some of the differences between the security models of Google's Android and Apple's iOS platforms.
Demystifying The Android Malware
Multiple International Security journals and magazines
Earlier, cybercriminals around the world created programs that could wreak havoc on your network and steal important data. With the immense growth of mobile technology, every individual now needs to worry not only about the device being stolen but also about malware that affects their mobile device.
In this paper, we take you through the various phases needed to understand how this malware is built and what it is made of. We start with the background of Android, then move on to the basics of how an Android package is structured.
We then analyze an Android malware sample in complete detail. In the end we discuss the steps to counter these kinds of malware attacks.
Penetration Testing With Metasploit Framework
Multiple International security journals and magazines
However safe you think you are, you might be wrong. Penetration testing of your web application lets you know the vulnerabilities in your application so that you can find solutions for them. Metasploit is the leading tool used by penetration testers today to test application security and defend against possible intruders and attacks.
This paper explains how the Metasploit Framework can be used by penetration testers to exploit flaws in a web application that could be very difficult to find manually.
Route Optimized Ad-Hoc On-Demand Distance Vector Routing Protocol
Multiple International security journals and magazines
We propose an approach to constrain route request broadcast by means of route optimization using a cache mechanism.
The performance of AODV is improved using this route optimization technique; the result is called Route Optimised AODV (RO-AODV). This protocol optimizes AODV to perform effectively in terms of routing overhead, power consumption and delay during high load.
Social Engineering - The Human Factor
Multiple International Journals and Magazines
Earlier, cybercriminals around the world created programs that could wreak havoc on your network and steal important data, and security consultants would try to block every mode of access for these attackers.
Merely trying to prevent infiltration on a technical level while ignoring the physical and social level can never achieve complete security. To secure an organization against all kinds of internal and external threats, the security consultant must have complete knowledge of the social engineering cycle, the techniques that an attacker can use, and the countermeasures that reduce the likelihood of a successful attack.
In this paper we take you through the various phases needed to understand what social engineering is, the social engineering lifecycle, and the various techniques used in social engineering attacks with detailed examples, and finally conclude with the countermeasures to protect against each of the social engineering attack techniques.
Projects
Detailed Guide to Hacking iOS Applications
A comprehensive guide created to give hackers, developers and managers alike an in-depth knowledge of the different kinds of iOS hacking tools and techniques. Explains manual as well as automated techniques of mobile application exploitation.
Android-InsecureBankv2
This is a major update to one of my previous projects, "InsecureBank". This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn about Android insecurities by testing this vulnerable application. Its back-end server component is written in Python. The client component, i.e. the Android InsecureBank.apk, can be downloaded along with the source. The list of vulnerabilities currently included in this release is:
Flawed Broadcast Receivers
Intent Sniffing and Injection
Weak Authorization mechanism
Local Encryption issues
Vulnerable Activity Components
Root Detection and Bypass
Insecure Content Provider access
Insecure Webview implementation
Weak Cryptography implementation
Application Patching
Sensitive Information in Memory
Insecure Logging mechanism
Android Pasteboard vulnerability
Application Debuggable
Android keyboard cache issues
Android Backup vulnerability
Runtime Manipulation
Insecure SDCard storage
Insecure HTTP connections
Parameter Manipulation
Hardcoded secrets
Username Enumeration issue
Developer Backdoors
Weak change password implementation
Below are some of the other vulnerabilities that I am working on currently - and will be added as soon as I make sure that it does not break any of the other existing features:
Weak Pseudo Random Implementation
Path Traversal
Local SQL Injection
Intent based Denial-Of-Service - SMS
LockScreen Bypass
Location Spoofing
Dead Code
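As an added example that is not InsecureBankv2's own code: the project's server is in Python, but the handlers, store, messages and status codes below are hypothetical, written here to show what three entries on the list above (Username Enumeration issue, Weak Authorization mechanism, Weak change password implementation) look like in a toy account backend, with each weak handler beside a hardened one.

```python
# Added example: a toy account backend illustrating three InsecureBankv2-style
# server bugs (username enumeration, weak authorization, weak change-password)
# beside hardened versions. Hypothetical code, not the project's own server.
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """In-memory user table with salted PBKDF2 password hashes."""

    def __init__(self):
        self._users = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def set_password(self, username: str, password: str) -> None:
        self.add(username, password)

    def exists(self, username: str) -> bool:
        return username in self._users

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Burn the same work for unknown users so response time does not
            # reveal whether the account exists.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, digest = rec
        return hmac.compare_digest(_hash_password(password, salt), digest)


# ---- Weak handlers (the bug classes listed above) ----------------------------

def weak_login(store, username, password):
    # Username enumeration: different messages for unknown user vs wrong password.
    if not store.exists(username):
        return 404, "user does not exist"
    if not store.verify(username, password):
        return 401, "wrong password"
    return 200, "ok"


def weak_change_password(store, username, new_password):
    # Weak authorization + weak change-password: no session check, no old
    # password, and the target account comes straight from the request.
    store.set_password(username, new_password)
    return 200, "password changed"


# ---- Hardened handlers -------------------------------------------------------

SESSIONS = {}  # token -> username


def hardened_login(store, username, password):
    # One generic message whether the user is unknown or the password is wrong.
    if not store.verify(username, password):
        return 401, "invalid username or password", None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return 200, "ok", token


def hardened_change_password(store, token, old_password, new_password):
    # The account is taken from the authenticated session, never from a request
    # parameter, and the caller must prove the current password.
    username = SESSIONS.get(token)
    if username is None:
        return 401, "not authenticated"
    if not store.verify(username, old_password):
        return 403, "current password incorrect"
    if len(new_password) < 12:
        return 400, "new password too short"
    store.set_password(username, new_password)
    # Rotate the session so a stolen token does not outlive the password change.
    del SESSIONS[token]
    return 200, "password changed"
```

The hardened login also hashes a dummy password for unknown usernames so that timing, not just the message text, stays the same for existing and non-existing accounts; a real server would additionally rate-limit both endpoints.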
Honors & Awards
Invited as Trainer at Black Hat USA 2025, 2024, 2023, 2022, 2021, 2020 on Offensive Mobile Exploitation & Reversing
Black Hat USA
The class starts with a basic introduction to the ARM instruction set and calling conventions followed by some reverse engineering exercises. We then learn how to write simple exploits for the ARM64 environment. Next, we move to mobile browser security, understand some of the browser mitigations, and write some simple exploits for the mobile browser. We then cover iOS and Android internals in further detail and discuss some of the exploitation techniques using real-world vulnerabilities (e.g., voucher_swap, checkm8, etc.) followed by a walkthrough of how jailbreaks are written. We also discuss some of the common vulnerability types (heap overflows, use-after-free, uninitialized stack variables, race conditions).
The training then moves on to application security based on exploiting the Damn Vulnerable iOS app, Android-InsecureBankv2, and InsecurePass application written by the authors of this course in addition to a broad range of other real-world applications. We then cover a variety of mitigations deployed in real-world apps and discuss how to bypass them.
After the training, attendees will:
- Get an understanding of the ARM64 instruction set (including ARMv8.3)
- Understand the browser security mitigations on mobile devices
- Understand some common vulnerabilities in mobile browsers and learn how to exploit them
- Learn the internals of the iOS and Android kernels along with several kernel security mitigations
- Understand some of the latest bugs and mitigations (PAC, CoreTrust, PPL, etc.)
- Get an intro to some common bug categories (UaF, heap overflow, etc.)
- Understand how jailbreaks and exploits are written (including iOS 13)
- Reverse engineer iOS and Android binaries (apps and system binaries)
- Do basic fuzz testing of iOS and Android apps
- Learn how to audit iOS and Android apps for security vulnerabilities
- Understand and bypass anti-debugging and obfuscation techniques
- Get a quick walkthrough on using IDA Pro, Hopper, Frida, etc.
Invited as Trainer at POC2019, on Offensive Mobile Exploitation & Reversing
POC - Seoul, Korea
This course is designed to introduce beginners as well as advanced security enthusiasts to the world of mobile security using a fast-paced learning approach through intensive hands-on labs. The class starts with a basic introduction to the ARM instruction set and an intro to reverse engineering before moving on to the internals of iOS and Android. We then discuss some of the latest exploitation techniques using real-world bugs (e.g., voucher_swap for iOS 12) followed by a walkthrough of how jailbreaks are written. We also discuss some of the common vulnerability types (heap overflows, use-after-free, uninitialized stack variables, race conditions).
The training then moves on to application security and is based on exploiting Damn Vulnerable iOS app, Android-InsecureBankv2 and InsecurePass, written by the authors of this course, and a broad range of other real-world applications. Slides and detailed documentation on the labs will be provided to the students for practice after the class.
After the training, the attendees will:
- Get an understanding of the ARM64 instruction set (including ARMv8.3)
- Learn the fundamentals of iOS IPC (XPC, Mach)
- Get an intro to some common bug categories (UaF, heap overflow, etc.)
- Understand how jailbreaks and exploits are written (including iOS 12)
- Reverse engineer iOS and Android binaries (apps and system binaries)
- Be able to audit iOS and Android apps for security vulnerabilities
- Understand some of the latest bugs and mitigations (PAC, CoreTrust, code signing)
- Understand and bypass anti-debugging and obfuscation techniques
- Get a quick walkthrough on using IDA Pro, Hopper, Frida, etc.
Invited as Trainer at Black Hat USA 2019, on Offensive Mobile Exploitation & Reversing
Black Hat USA 2019
Sold-out class designed to introduce beginners as well as advanced security enthusiasts to the world of mobile security using a fast-paced learning approach through intensive hands-on labs. The class started with a basic introduction to the ARM instruction set and an intro to reverse engineering before moving on to the internals of iOS and Android. We then discussed some of the latest exploitation techniques using real-world bugs (e.g., voucher_swap for iOS 12) followed by a walkthrough of how jailbreaks are written. We also discussed some of the common vulnerability types (heap overflows, use-after-free, uninitialized stack variables, race conditions).
The training then moved on to application security, based on exploiting Damn Vulnerable iOS app, Android-InsecureBankv2 and Android-InsecurePass, written by the authors of this course, and a broad range of other real-world applications.
Invited as Trainer at Black Hat USA 2018, on Offensive Mobile Exploitation & Reversing
Black Hat USA 2018
Sold-out class on the latest Android and iOS exploitation techniques. Updated course with hands-on for all of the iOS and Android vulnerabilities and attacks.
Invited as Trainer at FS-ISAC 2018 Annual Summit - Florida, on Introduction to Cyber Ranges
FS-ISAC 2018 Annual Summit
Ran an application security cyber range training to enable developers and security professionals in the financial services industry to stop attackers by building more secure code.
Training was conducted using Security Innovation's CMD+CTRL Cyber Range. CMD+CTRL comprises real websites, traffic, technologies and vulnerabilities that represent actual application behavior. This realism brings the immediate gratification and long-term memory benefits of "learning by doing" that teams need to protect the enterprise.
Invited as Trainer at Hackfest Canada 2017, on Mobile Application Exploitation
HackFest
A 3-day hands-on class teaching manual as well as automated techniques for exploiting mobile applications. Covers testing on jailbroken/rooted as well as non-jailbroken devices.
Invited as Trainer at Black Hat USA 2017, on Offensive Mobile Application Exploitation
Black Hat USA 2017
Invited as Trainer at Def Con USA 2017, on Practical BLE Exploitation for Internet of Things
Def Con 25
Practical BLE Exploitation for Internet of Things is a new training class focusing on exploiting the numerous IoT devices that use BLE as their communication medium.
Bluetooth Low Energy (BLE) is found in most popular IoT and smart devices, be it smart home automation, retail, medical devices and more. This class goes through the internals of BLE from a security perspective, then jumps right into how you can interact with BLE devices, all the way to taking control of a complete IoT device using BLE exploitation techniques.
At the end, we also look at some of the automation tools and scripts you can use or write to make the process much faster, as is required in a pentest.
Invited as Trainer at OWASP AppsecEU2017 - Belfast, on Hands-on Mobile Application Exploitation
OWASP AppsecEU2017
After a sold-out class in OWASP Appsec USA 2016, we are bringing an updated version of the course with the latest tools & techniques. Hands-on for all of the iOS and Android vulnerabilities and attacks - on the latest Mobile operating systems.
Invited as Trainer at BloomCON USA 2017, on Offensive Android Application Exploitation
BloomCON
An introductory course on how to start attacking Android applications. Includes Threat Modeling, Static Analysis, Dynamic Analysis and Reverse Engineering of real world Android applications.
Invited as Trainer at OWASP AppSecUSA 2016, on Mobile Application Exploitation - iOS and Android
OWASP
This is an introductory course on exploiting iOS and Android applications. The training is based on exploiting Damn Vulnerable iOS app, Android-InsecureBankv2 and other vulnerable applications written by the trainers, in order to give in-depth knowledge of the different kinds of vulnerabilities in mobile applications. The course also discusses how an attacker can compromise a mobile application. After the workshop, students will be able to successfully pentest and secure applications running on the various mobile operating systems.
The training also includes a CTF challenge at the end where attendees use the skills learnt in the training to solve the CTF challenges.
Invited as Speaker at Demo Labs - Defcon USA 2016, on Android Exploitation using InsecureBankv2
Demo Labs - Defcon USA 2016
Learn Exploiting Android applications using InsecureBankv2.
Invited as Trainer at Defcon USA 2016, on Practical Android Application Exploitation
Defcon USA 2016
This is a detailed course with extensive hands-on exploitation of Android applications. The training is based on exploiting Android-InsecureBankv2 and other vulnerable applications written by the trainer, in order to give in-depth knowledge of the different kinds of vulnerabilities in Android applications. The course also discusses how an attacker can compromise a mobile application. After the workshop, students will be able to successfully pentest and secure applications running on the various mobile operating systems.
The training also includes a CTF challenge at the end where attendees use the skills learnt in the training to solve the CTF challenges.
Invited as Speaker at Arsenal - Black Hat USA 2016, on Android Exploitation using InsecureBankv2
Black Hat USA 2016 - Arsenal
Learn Exploiting Android applications using InsecureBankv2.
Invited as Trainer at Black Hat USA 2016, on Offensive Hands-on Internet of Things (IoT) Exploitation
Black Hat USA 2016
The training will cover different varieties of IoT devices, assessing their attack surfaces and writing exploits for them. The 2-day class will be hands-on giving attendees the ability to try things themselves rather than just watching the slides. We will start from the very beginning discussing about the architecture of IoT devices, and then slowly moving to firmware analysis, identifying attack surface, finding vulnerabilities and then finally exploiting the vulnerabilities
Invited as Speaker at BruCON - Belgium on PenTest for Mobile Applications!
Mobile Application Exploitation (iOS and Android)
This is a comprehensive course on exploiting iOS and Android applications. The training is based on exploiting Damn Vulnerable iOS app, Android-InsecureBankv2 and other vulnerable applications written by the trainers, in order to give in-depth knowledge of the different kinds of vulnerabilities in mobile applications. The course also discusses how an attacker can compromise a mobile application. After the workshop, students will be able to successfully pentest and secure applications running on the various mobile operating systems.
The training also includes a CTF challenge at the end where attendees use the skills learnt in the training to solve the CTF challenges.
Acknowledged by United Airlines Security Bug Bounty Program
United Airlines
Received 1 Million Miles for submitting critical security bug in one of the United Airlines services.
Invited as Speaker at Black Hat EU 2015 - Amsterdam, on Android - InsecureBankv2
Black Hat
Watch as Dinesh walks you through his new and shiny updated custom application, "Android-InsecureBank", and some other source code review tools, to help you understand some known and some not-so-known Android security bugs and ways to exploit them.
This presentation covers mobile application security attacks that will get n00bs as well as 31337 attendees started on the path of mobile application penetration testing.
Invited as Speaker at SECoT 2015 - Boston, on Hacking IoT devices
The Security of Things Forum
This was a full-day hands-on workshop on Hacking Internet Connected Devices (IoT) and CMD+CTRL, a capture-the-flag contest that teaches offensive security. In addition to presenting a variety of vulnerable web applications, a specialized hardware hacking module was debuted. It is a series of embedded hardware devices where players score points by dumping firmware from common microcontrollers and routers, using a logic analyzer to decode unknown protocols, and a variety of other hardware-level attacks.
Invited as Speaker at ISSA - Northeastern University, on Practical Android Application Security
ISSA - Northeastern University
Ever wondered how different pentesting a mobile application is from pentesting a traditional web application? Gone are the days when knowledge of just SQL injection or XSS could help you land a lucrative infosec job. Watch as Dinesh walks you through custom-created demo applications and source code review tools, to help you understand some known and some not-so-known Android security bugs. This presentation covers mobile application security ninja tricks that will get n00bs as well as 31337 attendees started on the path of mobile application penetration testing. Expect to see a lot of demos, tools and, of course, fun.
Invited as Speaker at BSMCon - Boston on PenTest for Mobile Applications!
BSMCon #3
Expect to see a lot of demos, tools, hacking and a lot of fun.
The presentation focuses on the problems that follow from bad mobile development practice. During this session, you will learn how to perform a code-assisted pentest on mobile applications and uncover some well-known and some not-so-well-known security issues. It is far easier to gain practical knowledge of security vulnerabilities than it is to read about them.
We will use a custom-created demo application in addition to some other open source mobile applications to catch security flaws noted on the various hand-held devices.
Invited as Speaker at OWASP - Boston AppSec Conference on Code Assisted PenTest for Mobile Applications
OWASP BASC 2014 - Boston
The presentation focuses on the problems that follow from bad mobile development practice. During this session, you will learn how to perform a code-assisted pentest on mobile applications and uncover some well-known and some not-so-well-known security issues. It is far easier to gain practical knowledge of security vulnerabilities than it is to read about them.
Watch as Dinesh walks you through custom-created demo applications and source code review tools to catch security flaws noted on the various hand-held devices. Expect to see a lot of demos, tools, hacking and a lot of fun.
Part of Adobe Hall of Fame
Adobe Software and Products
Added to Adobe Hall of Fame for finding multiple critical security vulnerabilities in their product.
Invited as Trainer at ClubHack 2012 - India, on Securing Mobile applications – Exploits Demystified and Solutions Simplified
ClubHack
Title: Securing Mobile applications – Exploits Demystified and Solutions Simplified
A detailed workshop covering, but not restricted to, the following concepts:
Threat Modeling
Understanding Security Vulnerabilities in Mobile Applications
Detecting Security Vulnerabilities - Introduction to Mobile Security Code Reviews
Scope for Automation in Mobile Security Code Reviews
Designing Secure Mobile Applications
Attendee Takeaways and Key Learning Objectives
An overview of Android and iOS Technology
Threat Profile of Android and iOS
Vulnerability Checklist for Android and iOS
Code review approach
Custom Script to Automate Android and iOS source code reviews
Custom Vulnerable Bank Application
Solutions repository
Reference Materials
Part of Barracuda Networks Hall of Fame
Barracuda Networks
Added to Barracuda Networks Hall of Fame for finding multiple critical security vulnerabilities in their websites and web services as a part of Barracuda Networks Security Bug Bounty Program.
Part of Apple Hall of Fame
Apple Inc.
Acknowledged by Apple for finding critical security vulnerabilities in their products.
Invited as Speaker at OWASP AppSecAsiaPac2012 - Sydney on Advanced Mobile Application Code Review Techniques
OWASP AppSecAsiaPac2012 - Sydney
Learn how mobile experts blend their techniques in order to accelerate code reviews. While reviewing Android or iOS applications, you will appreciate these handy tricks that help in detecting well-known and a few not-so-well-known flaws.
Using demonstrations and code snippets, we highlight the benefits of blended techniques in comparison with simple scanning or manual testing alone. You will also learn how to reduce the time taken for review and obtain a ready-to-use checklist.
Invited as Trainer at OWASP AppSecAsiaPac2012 - Sydney, on Mobile Applications & Security
OWASP AppSecAsiaPac2012 - Sydney
This course covers security tests that are conducted on mobile applications with a focus on the iOS and Android platforms.
Students first learn the basics of mobile applications, followed by a brief background of the iOS and Android platforms, their security models and an overview of their development basics.
They then learn how to model a threat profile for mobile applications and how to test and debug mobile applications for security vulnerabilities.
Reading locally stored data on mobile devices, setting up a proxy to intercept and test network traffic, and reversing Android applications are a few of the topics discussed. We also discuss the challenges involved in reversing an iOS application. The course includes examples for both platforms, and sample code snippets are provided.
We also discuss the best practices that have to be followed for secure development of mobile applications. The course ends with a discussion of the OWASP Mobile Top 10 risks.
Invited as Speaker at National Institute of Bank Management on Operating System Security
National Institute of Bank Management
The purpose of this presentation was to give an overview of:
a) the need for a secure operating system,
b) the high-level design of a secure operating system that can be built and evaluated to the highest assurance levels, and
c) the test cases and audit tests that should be performed to validate the security of the deployed architecture.