Senior Security Researcher at Sonatype.
Author at CSO Online, BleepingComputer, Ars Technica, CIO, Security Report, Hacker Noon, …
M.S. in Computer Science, Georgia Tech.
B.S. in Software Engineering, Drexel University
Endorsed an Exceptional Talent, a recognised leader in Tech by the British Government and frequently featured by leading media outlets like Fortune, The Register, and CIO, Ax Sharma is a Security Researcher, Threat Intel Analyst, and Tech Reporter who holds a passion for perpetual learning. In his spare time, he loves exploiting vulnerabilities, ethically, and educating a wide range of audiences via blogging and vlogging. He’s an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
Ax’s expertise lies in malware analysis, vulnerability research, threat intelligence analysis, and web app security. Through responsible disclosure, he has previously exposed serious bugs and security vulnerabilities affecting national & global organisations like HM Government, Yodel, U.S. DHS, P.F. Chang’s, Planet Fitness, Comcast/Arris, Ellucian, and the popular restaurant chain, Buca di Beppo.
In early 2018, Ax helped prevent a massive data breach at Georgia Tech by going public with a serious flaw that was left unpatched for over a year. He hence earned himself a place on Tech’s Vulnerability Reporters “hall of fame” page.
To consult Ax for your next big security project or for media source requests, drop him a note here.
Ax’s hobbies include working out, reading, playing piano and developing innovative, upcoming web projects.
- Securing CI/CD pipelines: 6 best practices
Recent cyberattacks leveraging weaknesses in continuous integration/continuous delivery (CI/CD) pipelines and developer tooling warrant a need for increased security of the developer infrastructure. Prominently, the Codecov supply-chain attack has alerted everyone against storing secrets in CI/CD environment variables, no matter how safe the environment might be.To read this article in… Read more » - 15 top open-source intelligence tools
OSINT definition Open source intelligence (OSINT) is the practice of collecting information from published or otherwise publicly available sources. OSINT operations, whether practiced by IT security pros, malicious hackers, or state-sanctioned intelligence operatives, use advanced techniques to search through the vast haystack of visible data to find the needles they're looking… Read more » - 6 most common types of software supply chain attacks explained
Software supply chain incidents have been making headlines recently. Despite similarities among these security incidents, not all supply chain attacks are created equal.To read this article in full, please click here(Insider Story) Read more » - 5 ways hackers hide their tracks
CISOs have an array of ever-improving tools to help spot and stop malicious activity: network monitoring tools, virus scanners, software composition analysis (SCA) tools, digital forensics and incident response (DFIR) solutions, and more.But of course, cybersecurity is an ongoing battle between attack and defense, and the attackers continue to pose… Read more » - 15 open source GitHub projects for security pros
Whether you are a sysadmin, a threat intel analyst, a malware researcher, forensics expert, or even a software developer looking to build secure software, these 15 free tools from GitHub or GitLab can easily fit into your day-to-day work activities and provide added advantages.Editor's note: This article, originally published in… Read more » - DNS over HTTPS, DNS over TLS explained: Encrypting DNS traffic
Being the backbone of the internet, the Domain Name System (DNS) protocol has undergone a series of improvements and enhancements over the past few years. The lack of stringent protections in the original DNS specification and discovery of security weaknesses over time, such as the decade-old Kaminsky bug, gave birth… Read more » - 5 tips for a successful penetration testing program
With the rise in enterprise data breaches and ransomware cyberattacks making headlines, conducting thorough security assessments has become an inevitable part of running a business operation that handles customer data. The data protection requirements brought forth by compliance bills, both in the US and around the world have further put… Read more » - The state of the dark web: Insights from the underground
Lately, dark web actors have one more worry: getting caught by law enforcement. Tracking dark web illegal activities has been a cat-and-mouse game for authorities, but in the end, they often catch their adversaries and seize the dodgy money. On the night of the 2020 presidential election, for example, US… Read more » - The Windows Bad Neighbor vulnerability explained — and how to protect your network
In October 2020, Microsoft patched a set of vulnerabilities that included critical networking bugs CVE-2020-16898 and CVE-2020-16899. Known as “Bad Neighbor” or “Ping of Death Redux,” these flaws lurk in the TCP/IP networking implementation in Windows in how incoming ICMPv6 packets are handled under certain conditions.[ Keep up with 8… Read more » - Windows code-signing attacks explained (and how to defend against them)
Code signing is a mechanism by which software manufacturers assure their consumers that they are running legitimate software, signed by its manufacturer via cryptography. This ensures that the software release wasn’t tampered with while making its way from the manufacturer to the end-user and is especially relevant when downloading software… Read more »
- 5 ways cybersecurity awareness trainings can strengthen your organization
According to an InfoScales report, 95% of successful cyberattacks have human error as the leading cause – most notably company employees falling for phishing scams. This is an important observation as cybersecurity efforts often intuitively focus largely on strengthening the technical controls in an organization to prevent data leakage, willful… Read more » - 5 practical ways your organization can benefit from DevSecOps
It’s right there in the moniker: DevSecOps , a portmanteau of Development, Security and Operations, implies introducing security early on – as a part of a comprehensive, agile Software Development Life Cycle (SDLC) used by your organization, rather than doing so iteratively or waiting until after a release.Given how security… Read more » - Is our obsession with regulation killing the web?
Anybody who’s been paying attention has noticed just how much the internet has changed within the last 10 years.From the humble looks of Google’s homepage to the vast existence old-school message boards and a virtually irrelevant “social” media, the internet largely felt like an accessory, a toy you could play… Read more » - 7 steps to landing your first IT job, fast
IT is a constantly expanding sector with its ever-increasing demand for skilled talent and the projected scope for growth within the next few years. This is especially true for the Information Security subfield for which the vacancies are drastically going up while the workers are struggling to catch up in… Read more » - 7 ‘don’ts’ of diversity for fostering a healthy office culture
Change at a workplace is hard and often comes with improvements and challenges which cannot be ignored. Change can be a struggle for employees who often need time to gradually adapt themselves to it, rather than feeling forced into it. Even minor changes, for example, changing your company’s choice of… Read more » - 5 ways a global presence can benefit your tech company
If you run a successful tech startup or an established business, primarily offering digital products and services, chances are you have a significant customer presence worldwide. There also lies a high probability that you leverage a remote workforce ‘round-the-globe enabling increased collaboration over time zones. While staying local never hurt… Read more »
Medium: Go to Medium blog >