Ranking Bugs, Saving Pigs

The man behind the SANS Top 20, Rohit Dhamankar, calls out bugs - and animal rights

His first hack may have been his most fortuitous: Rohit Dhamankar and his classmates in India had to hack into and use their engineering professors' email so they could apply to graduate schools in the U.S. "We didn't have email back then," he says of he and the other students at the Indian Institute of Technology in Kanpur who switched their names onto the accounts. "So we got into our professors' email accounts so we could send email. Some of them had never used email before, so they weren't checking it regularly."

Figure 1:

This is the same guy who today is responsible for choosing and ranking the world's top security vulnerabilities each week (as well as yearly) for the SANS Institute, and whose day job is senior manager of security research at TippingPoint. His desperate email crack back home in India landed him at the University of Texas at Austin, where he eventually switched from physics to electrical engineering. He got his first job in 1999 with Cisco Systems, where he worked as a software developer on intrusion detection and scanner products.

Dhamankar, 32, admits the SANS vulnerability list he compiles doesn't change drastically from week to week. About every six months, however, he witnesses a shift in the types of attacks underway. He's watched bug trends go from pervasive worms to phishing and spyware, and to client-side vulnerabilities in applications like Microsoft Office, he says.

Being the final word on vulnerability rankings isn't always a popular job, like the time in 2005 when he decided to put the MacOS on the SANS Top 20 list, a gutsy move that ticked off some rabid Mac users who cursed him and SANS publicly for calling out their beloved OS. But Dhamankar still stands by his then-controversial choice because he says he felt it was time MacOS users became aware of the bugs in the OS.

He thinks SANS' ranking system works, although it ultimately comes down to him to make the final call. Dhamankar sends out his strawman list to a panel of experts from enterprises, universities, security consultants, and vendors, who all put their heads together. "We seek out other users and ask if the list is useful to them," he says. "Nobody says 'you guys suck.'"

There is some overlap with his work at TippingPoint. Dhamankar basically manages the security research team responsible for TippingPoint's intrusion prevention systems. They analyze new vulnerabilities and attacks, and write signatures for the company's IPS products.

When he's not analyzing and ranking bugs, Dhamankar sings. He takes classical South Indian music vocal lessons and, from time to time, performs around Austin, where he's stayed since leaving India for UT. "I help promote the Indian classical music scene," he says. He also works with a battered women's organization. "These are women from ethnic backgrounds that come to the U.S. and are not treated well by their husbands."

Vulnerability is a theme with Dhamankar, for sure: He's also an animal lover, who wears a PETA t-shirt to work with a picture of a pig and "I Don't Have ANY Spare Ribs" emblazoned on it. Why People for the Ethical Treatment of Animals (PETA)? "There's the same problem with pigs and cows" and other animals being mistreated as there are with dogs and cats, he says. "Growing up in India, there were places where cows were in the cowshed, and they were very loving and intelligent, too." He witnessed cows who would only allow people they were familiar with to milk them, for instance.

Animal rights and security work sometimes mix, sometimes not, he says. "There are some people in the security industry that are like me, PETA supporters," he says. "And there are lot [who are not], with dark t-shirts, colored hair, and eating a lot of meat," he adds with a laugh.

Personality Bytes

  • What freaks him out: "We see a lot attacks come out of China, which freaks me out... They are going for all different kinds of attacks. It's kind of scary when you don't know what they are up to."

    • IDS dead?: "I do believe that technology is past its time. You should move to IPS now."

    • Phobia: "Hydrophobia. I've always had a fear of water, but I'm trying to get over it, taking swimming lessons. You see those kids at the pool out there, and you're petrified to go out into the deep and tread water. It's one of my challenges."

    • What his co-workers don't know about him: "They haven't heard my singing."

    • Favorite hangout: "Mozart's. It's right by the lake in Austin... a coffee place with live bands."

    • In his music player right now: "Indian classical music, but I'm trying to broaden my music range."

    • Comfort food: "Thai, Chinese, Indian, Italian."

    • Ride: "Honda Civic. It's a stick shift, nothing fancy."

    • Best Friend: "l love my dog -- Lance, an eight-year-old German Shepherd."

    • Next career: "I do hope someday to make enough money to retire and full-time work on learning music, and propagating that, and working more with nonprofits."

      — Kelly Jackson Higgins, Senior Editor, Dark Reading

    • Cisco Systems Inc. (Nasdaq: CSCO)

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights