Sandeep Jayashankar

Summary

A seasoned security architect with sixteen (16) years of practical experience in application and product security, with a primary objective of helping organizations operationalize the reduction of security tech debt. A technologist with a strong background as a software developer and a penetration tester, with exposure to both offensive and defensive cybersecurity programs and a penchant for taking a proactive approach to the threat landscape.

Skills

Product Security Strategy
Cloud & Container Security
API & Mobile Security
Application & Product Security
Threat Modeling & Security Architecture
Penetration Testing & Red Teaming

Education

Masters of Science, Information Security,

The Johns Hopkins University, Baltimore, MD


Bachelors of Engineering, Electronics and Communications,

Sir M.Visvesvaraya Institute of Technology, Bengaluru, India

Certifications

Offensive Security Certified Professional
Offensive Security Certified Expert
Offensive Security Web Expert
Offensive Security Exploitation Expert
GIAC Mobile Device Security Analyst

Professional Experience

Cybersecurity Architect

2022 - Present

SoFi, Remote, PA

  • Created AWS Technical Security Standards and enabled enforcement of the evaluated cloud security policies as both proactive and reactive security controls.
  • Led Security Design, Architecture and Threat Modeling activities for SoFi’s Banking, Credit Card, and other critical products/functions, and identified critical design defects and security loopholes.
  • Drove Product Security Strategy roadmaps and improvements on programs including Bug Bounty and SAST.
  • Led security improvements on the Developer Environment, formulated a security risk matrix to help prioritize incoming review requests, and performed threat modeling on mission-critical applications.
  • Assisted in evaluating security posture during a critical merger, and formulated roadmap improvements post-merger.

Lead Application Security Engineer (Architect)

2017 - 2022

PayPal, Remote, PA

  • Established PayPal's Mergers and Acquisitions Product Security program and evaluated the application and cloud/container security posture of 7 (seven) incoming organizations, while formulating roadmaps to embed PayPal's security standards and requirements in all phases of their product life cycle.
  • Directed PayPal's Product Security program for enterprise and BU environments with primary objective to enable security automation, support zero trust architecture, and implement cloud migration guardrails.
  • Advanced "Paved Road" or "Secure Default" initiative to scale application security efforts and remediation strategy by providing secure development frameworks, environments, and security tools as part of CI/CD.
  • Incorporated PayPal's API security strategy to implement authorization and access control, identify business logic abuse cases, and engineered PayPal's microservices security with a Service Mesh architecture.
  • Operationalized container and application scanning as part of PayPal's CI/CD framework and created streamlined remediation/waiver process to reduce bottlenecks in product deployment process.

Security Manager - Application and Mobile Security

Jan 2014 - Apr 2017

Protiviti, Philadelphia, PA

  • Spearheaded Application and Mobile Security practice and its transformation initiative by bringing in significant enhancements to proposed testing frameworks, methodologies, and remediation strategies.
  • Established Protiviti's new end-to-end service capability for evaluating API, mobile, and IoT devices, and provided reusable process and technology frameworks for Secure SDLC, surpassing $1.5 million in net revenues.
  • Developed penetration testing and red teaming exercises with defined end goals to demonstrate attack vectors that penetrate perimeter defenses and gain full control of CDE/PHI zones to exfiltrate data.
  • Proposed and implemented secure-SDLC methodologies for banking organizations; provided solutions to integrate application security processes and assessment tools into continuous integration efforts supporting Agile/DevOps SDLC models.
  • Supervised, mentored, and developed a team of penetration testers and application security engineers, building from 4 engineers to a 22 strong team over a span of 3 years.

Principal Application Security Engineer

Mar 2011 - Dec 2013

Financial Industry Regulatory Authority, Rockville, MD

  • Led Application Security Assessments program handling 150 applications, performing security requirements review, application architecture and design review, threat modeling, secure code reviews, automated and manual penetration testing, and WAF policy reviews.
  • Reviewed and illustrated critical-risk vulnerabilities to information security steering committee, discussed vulnerability remediation efforts with application and business stakeholders.
  • Collaborated to develop an application risk rating matrix for work prioritization and for determining the scope of penetration testing and source code assessments.
  • Configured and fine-tuned FINRA's WAF by monitoring for attack patterns, helping the development team with interim remediation for detected vulnerabilities, and creating regex rule sets to block attacks in real time.

Senior Software Developer, Security

Apr 2010 - Mar 2011

Social Security Administration, Woodlawn, MD

  • Developed a new version of the HSPD-12 PIV Card Management platform that provided administrators with a full-fledged Identity and Access Management platform.

Software Engineer, Security

Dec 2005 - Jul 2008

Infosys, Bangalore, India

  • Performed manual penetration testing for authorization, authentication, session management, and general-purpose modules, conducted extensive manual code reviews based on data flow, taint, and control flow graph analysis.

Public Speaking


Runtime Analysis on Mobile Applications

OWASP Philadelphia Chapter

Feb 2017


Android Application Penetration Testing

OWASP Philadelphia Chapter

June 2016

Publications

Implementing Granular Access Definitions in Log Records

Journal Publication for SAPUB

Oct 2020


Demystifying Tokens for Securing Enterprise APIs

Feature article for ISSA Journal

July 2020


Adopting MITRE ATT&CK Framework

Article for PenTest Magazine

June 2020


6 Ways HTTP/3 benefits security

Feature article for CSO Online Magazine

June 2020


Volunteering

Advisory Board Member, EC-Council

July 2020


Editorial Advisory Board Member, ISSA's Monthly Journals

July 2020


Editorial Reviewer, ISACA's Journals

June 2020


Advisory Group Member, ISACA

Jan 2021