Look at the websites - most look like they've not been upgraded since the 90s, with endless popups
Heck, firms that provide offensive security capabilities to Indian PDs can pay $40k-50k after poaching a junior pentester or exploit developer from a PD.
Culturally, doing something "well" (quality oriented, mindful of end-users) vs. "got it done" (transactional, pragmatic way of looking at things) is the heart of why outsourcing to many different geographical areas (India included) often results in something different than expected.
Also, condemning everyone in one part of the world as thinking one way is certainly not fair or true, but there are definitely unmistakable trends.
Really? I think your numbers for the local market are overestimated.
Giving a Rs 60-80 lakh TC offer in BLR or HYD makes it easier to identify and hire good talent, and I know peer security firms (private and public) that are product first are offering similar TC offers in BLR, HYD, and NCR.
On top of that, there has been a reverse brain drain going on since the COVID layoffs in early 2020, so if we want to poach good talent that returned to India from the US, we need to be able to offer Western salaries, otherwise they'd either decide to help their former employer open a GCC or they'd start their own startup.
Realistically, I'd say a $35k-60k TC offer gets you the 50th to 75th percentile in talent in much of India for security, but most product-first companies tend to hire for quality not quantity, and depending on the size of FDI and the state, a company can get a $10k-20k per head subsidy which makes it easier to offer higher salaries without impacting our bottom line.
That said, if you are being hired to be a SOC, a generic pentester, or a "detection engineer" you'd be lucky to break the $20k TC mark tbh, but the SOC-to-SWE or Pentester-to-SWE conversions have been our most successful ones because it's easier to build a product for security teams when your engineers were former security practitioners.
That said, the salary pressures for getting good talent in India are high simply because we're competing with Google, Microsoft, Citadel, Nvidia, etc. for a similar kind of talent within India.
Earning $70k-90k TC in Hyderabad or Bangalore is doable with 10 YoE if you have the right profile (the right jobs, work experience, track record, and luck). Heck, this is why companies like Zscaler have been hiring in Tier 1.5/2 cities like Pune or Chandigarh instead because you can get away with paying $35k-50k TCs for the kind of talent that would demand a $70k-90k TC in BLR or HYD.
You get popups? What are you using to browse? IE5?
I sometimes get 'this site is trying to open another window - allow / block?': the answer is always 'No'.
Another example, financial services publicly traded company with a recent 99% profit decline:
The 'tech' for both of these is by guess who? TCS!
Edit: For those who don't know the relation. Tata[1] is a conglomerate, which owns both Tata Motors (Jaguar, Land Rover) and also TCS (Tata Consultancy Services)
Then again, my experience may have left me a little jaded.
And people hire them and pay them for it!
The real issue is the last part. It’s why they can also get away with what they do.
Maybe they’ll replace their line devs with AI, but Indian devs are pretty cheap and are much more satisfying to yell at by Indian managers, so….
I stay and work in India. Yesterday, as part of a VAPT audit by a third party auditor, the auditors "recommended" that we do exactly this. I wonder if this directive comes as part of some outdated cyber security guidelines that are passed around here? Not entirely sure.
When I asked them how I'd pass the secret to the client to do the client-side encryption/decryption without that key being accessible to someone who is able to MITM-intercept our HTTPS-only API calls anyway, the guy basically couldn't understand my question and fumbled around in his Burp Suite, pointing exasperatedly to how he is able to see the JSON body in POST requests.
Most of the security people we've met here, from what I can tell, are really clueless. Internally, we call these guys "burp babies" (worse than "script kiddies") who just seem to know how to follow some cookie-cutter instructions on using Burp Suite.
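The exchange the commenter describes, modelled as an added example (not code from the thread or from any product mentioned in it): a server hands the browser an encryption key over the same HTTPS connection, the browser encrypts the JSON body with it, and anyone who can view the TLS-terminated transcript at the client (the auditor's Burp Suite proxy on their own machine) sees both the key and the ciphertext. The cipher below is a toy HMAC counter keystream constructed for the simulation only, the `/api/config` and `/api/submit` paths and the sample PAN value are assumptions, and the out-of-band case stands in for a key the client already holds without it ever crossing the channel.

```python
"""Model of 'encrypt the JSON body client-side' layered on top of HTTPS.

Added example, not from the thread. Shows why a key delivered over the same
channel gives no confidentiality against an observer of that channel.
"""
import hashlib
import hmac
import json
from typing import Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.

    Constructed for this simulation only; a browser would use WebCrypto
    AES-GCM, but the key-distribution problem is identical."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class Channel:
    """The HTTPS connection as seen after TLS termination at the client,
    i.e. exactly what a local debugging proxy such as Burp displays."""

    def __init__(self) -> None:
        self.transcript: list = []

    def send(self, direction: str, path: str, body: dict) -> None:
        self.transcript.append({"dir": direction, "path": path, "body": body})


def run_exchange(key_over_channel: bool):
    """Simulate one client/server round trip. Returns (channel, key, plaintext)."""
    ch = Channel()
    key = hashlib.sha256(b"constructed-server-key").digest()  # constructed key
    nonce = b"\x00" * 8                                         # fixed for the demo
    if key_over_channel:
        # The usual implementation of the auditor's advice: the page or a
        # config endpoint (assumed path) ships the key to the browser.
        ch.send("server->client", "/api/config", {"encKey": key.hex()})
    # Otherwise the key is assumed to be provisioned out of band and never
    # appears on the channel (the only case where this layer adds anything).
    plaintext = json.dumps({"pan": "ABCDE1234F"}).encode()      # constructed PAN
    ct = keystream_xor(key, nonce, plaintext)
    ch.send("client->server", "/api/submit", {"nonce": nonce.hex(), "payload": ct.hex()})
    return ch, key, plaintext


def observer_recovers_body(ch: Channel) -> Optional[bytes]:
    """What a viewer of the transcript can read: if any message carried key
    material, the 'encrypted' body decrypts with it; otherwise nothing."""
    keys = [bytes.fromhex(m["body"]["encKey"]) for m in ch.transcript if "encKey" in m["body"]]
    payloads = [m["body"] for m in ch.transcript if "payload" in m["body"]]
    if not keys or not payloads:
        return None
    p = payloads[-1]
    return keystream_xor(keys[-1], bytes.fromhex(p["nonce"]), bytes.fromhex(p["payload"]))


if __name__ == "__main__":
    for over_channel in (True, False):
        ch, _, pt = run_exchange(key_over_channel=over_channel)
        got = observer_recovers_body(ch)
        print(f"key over channel={over_channel}: observer reads body={got == pt}")
```

The useful question for an audit finding is therefore not "can I see JSON in the proxy" but "who is the observer, and do they also see the key": against a party who sees the TLS-terminated traffic, the layer adds nothing, and the real controls are the TLS configuration and server-side validation; the remaining benefit is the small amount of friction against a casual viewer, which is a fair thing to say to executives but not a substitute for transport security.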
It’s semantics in terms of actual difference to an attacker, but it’s a world of difference when explaining to executives.
The counter-argument is, even if it’s not perfectly secure, that extra bit of friction before you can see the passwords is useful, and may just save your bacon if a casual thief has access to your computer for a few seconds.
The Chrome team eventually saw sense and added some client-side password protection.
As long as you don’t only have client-side protections, of course (and maybe your clueless auditors were making that mistake).
burp suite babies is crazy work
You install their GitHub app and give them access to your GitHub repo (private repos are ok too) and they run a GitHub workflow when each PR is submitted, scanning for secrets that should not be in the code. Really happy with how their product works.
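What such a PR-time check does, as an added example written for this thread (not the vendor's code and not the workflow the commenter uses): scan only the lines a pull request adds for the published AWS access-key-ID format, for a secret-access-key-shaped string next to an `aws`/`secret` keyword, and for high-entropy values assigned to key-like names. The same scanner run over raw page text covers the other case in the thread, keys sitting in a website's inline script. The diff, the HTML snippet and the credential values are constructed inputs (the AKIA/secret pair is the placeholder pair from AWS's own documentation); the file path and the entropy threshold are assumptions.

```python
"""Secret scanner for PR diffs and for raw page text.

Added example, not GitGuardian's or any other vendor's implementation.
"""
import math
import re
from dataclasses import dataclass

# AWS access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) + 16 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-ish chars; too generic alone, so require an aws/secret keyword nearby.
AWS_SECRET_KEY = re.compile(r"(?i)(?:aws|secret)[^\n]{0,40}?['\"]?([A-Za-z0-9/+=]{40})['\"]?")
# Long literal assigned to a key-like name; filtered by entropy so "changeme" is not reported.
GENERIC_TOKEN = re.compile(r"(?i)(?:api[_-]?key|token|password|secret)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per codebase


@dataclass(frozen=True)
class Finding:
    source: str    # file path or page name
    line_no: int   # 1-based line in the new file / page
    kind: str      # rule that fired
    value: str     # masked secret, never the full value


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str, source: str) -> list:
    """Scan any text line by line (a file, or a fetched HTML page)."""
    findings = []
    for i, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(source, i, "aws-access-key-id", mask(m.group(0))))
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append(Finding(source, i, "aws-secret-access-key", mask(m.group(1))))
        for m in GENERIC_TOKEN.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(source, i, "high-entropy-token", mask(m.group(1))))
    return findings


def scan_diff(diff: str) -> list:
    """Scan only added lines of a unified diff, reporting new-file line numbers."""
    findings = []
    current_file = "<unknown>"
    new_line_no = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)          # start line of the new-file side
            new_line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            new_line_no += 1
            for f in scan_text(raw[1:], current_file):
                findings.append(Finding(current_file, new_line_no, f.kind, f.value))
        elif raw.startswith(" "):
            new_line_no += 1                         # context line exists in the new file
        # removed lines ("-") and other headers do not advance the new-file counter
    return findings


# Constructed PR diff; the credentials are AWS documentation placeholders.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,6 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.invalid"]
-UPLOAD_BUCKET = None
+UPLOAD_BUCKET = "example-uploads"
+# placeholder credentials, constructed input for the scanner
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme"
"""

# Constructed page body of the "key hidden in plain sight" kind.
SAMPLE_PAGE = """<html><body>
<script>
  // constructed inline config
  window.appConfig = {region: "ap-south-1", accessKeyId: "ASIAQ3EXAMPLE7XYZABC"};
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF) + scan_text(SAMPLE_PAGE, "www.example.invalid/index.html"):
        print(f)
```

In a PR workflow the job fails when `scan_diff` returns anything; the masked value lets the reviewer confirm the hit without the full secret landing in CI logs, and any real key that is found gets rotated rather than just removed from the next commit, since it is already in the repository history.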
I worked for them a little bit and their product is really impressive and works great.
India is a karma society. Karma doesn't mean upvotes. It means, you get what you destined for, or what you deserve. People take things in their stride and keep moving, while keeping their eyes wide open. When you are moving through a jungle, there is no point in blaming thorns or getting angry on wild animals.
In practice most of Brahmins have been peasant agriculturists, teachers and clerics for centuries, and temple priests have been deservedly pretty poor unless they also had inherited land.
The current PM of India is from what is considered as "other backward caste".
Just noting it, so that your overly reductive American journalism won't convince you that India is a feudalist society where 5% "temple staff" rule over the 95% peasants or whatever. The caste system is mostly limited to ritual avtism and some nepotism (which happens among boomers across all castes, but younger ones don't care).
India is not a "karma" society, India is a 'jugaad' society where everyone does just enough to get by. The lack of civilizational will power to fix things which slightly harm the entrenched elite is very well known. (case in point - the recent stray dogs issue where the life of common man was put in danger because some rich animal welfare aunties protested against it).
Thankfully Indian Gen Z at least accepts these problems. Look at the memes on the Gen Z spaces. The Internet has let them know that living standards can be much better and that other countries have risen from similar poverty levels. So there's some hope.
You can't keep doing this 'india is not for beginners' forever.
Some go on to sue such researchers.
Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.
In most cases, security and QA are essentially two sides of the same coin - and this is why I get pissed when devs treat testing and QA as bulls**t, because even a relatively simple XSS attack or cred misconfig can have a massive impact.
I would say they need to 'think like an attacker' at least some of the time. But this is still too high of a bar.
I think this is really a problem of rewarding people when they finish things. One way or the other. It works, so on to the next project...
I'm a cofounder of a data and identity security startup operating specifically in APAC. Data security in India is a joke.
I would argue that even with DPDPA, RBI C-Site and the cyber resilience framework from SEBI, it is just not going to happen here.
The list of PAN cards the blog is talking about was probably already leaked by some other services.
The recent Flipkart cash-on-delivery scams [1] are an example of how your personal information is just out there in the wild in India, open for exploitation.
There are a lot who do security in good faith (often driven by compliance), and a lot of them are our customers too, but I hope to see the rest of the Indian tech ecosystem take security seriously.
[1] https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...
It also appears to be a side effect of compensation - why would a mid-career security professional want to earn ₹15 LPA TC working for a legacy corporation if they have the skills to land at a security MNC that can afford to pay ₹35-50 LPA in TC?
Ofc, it's us foreign investors who are able to afford those higher TCs ;) - especially if we can convert someone who was mid-career in the US but had to return to India due to family or visa issues.
It reminds me of how the Israeli security scene was 10-15 years ago, with similar problems around compensation and brain drain to MNC offices.
Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.
> September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated.
> September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active.
> October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done.
> October 23, 2023: They confirm receipt and are working on taking action.
> After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Stay classy TCS.