Summary
A seasoned security architect with sixteen (16) years of practical experience in application and product security, with a primary objective to operationalize organizations to reduce security tech debt.
A technologist with a strong background as a Software Developer and a Penetration Tester, with exposure to both offensive and defensive cybersecurity programs, and with a penchant for adopting a proactive approach to the threat landscape.
Skills
Product Security Strategy
Cloud & Container Security
API & Mobile Security
Application & Product Security
Threat Modeling & Security Architecture
Penetration Testing & Red Teaming
Education
Master of Science, Information Security,
The Johns Hopkins University, Baltimore, MD
Bachelor of Engineering, Electronics and Communications,
Sir M. Visvesvaraya Institute of Technology, Bengaluru, India
Certifications
Offensive Security Certified Professional
Offensive Security Certified Expert
Offensive Security Web Expert
Offensive Security Exploitation Expert
GIAC Mobile Device Security Analyst
Professional Experience
Cybersecurity Architect
2022 - Present
SoFi, Remote, PA
- Worked on creating AWS Technical Security Standards, and enabled enforcement of evaluated cloud security policies, both as proactive and reactive security control.
- Led Security Design, Architecture and Threat Modeling activities for SoFi’s Banking, Credit Card, and other critical products/functions, and identified critical design defects and security loopholes.
- Drove Product Security Strategy roadmaps and improvements on programs including Bug Bounty and SAST.
- Led security improvements on Developer Environment, formulated a security risk matrix to help prioritize incoming review requests, and performed threat modeling on mission critical applications.
- Assisted in evaluating security posture during a critical merger, and formulated roadmap improvements post-merger.
Lead Application Security Engineer (Architect)
2017 - 2022
PayPal, Remote, PA
- Established PayPal's Mergers and Acquisition Product Security program and evaluated 7 (seven) incoming organizations' app and cloud/container security posture, while formulating roadmaps to inculcate PayPal's security standards and requirements in all phases of their product life cycle.
- Directed PayPal's Product Security program for enterprise and BU environments with primary objective to enable security automation, support zero trust architecture, and implement cloud migration guardrails.
- Advanced "Paved Road" or "Secure Default" initiative to scale application security efforts and remediation strategy by providing secure development frameworks, environments, and security tools as part of CI/CD.
- Incorporated PayPal's API security strategy to implement authorization and access control, identify business logic abuse cases, and engineered PayPal's microservices security with Service Mesh Architecture.
- Operationalized container and application scanning as part of PayPal's CI/CD framework and created streamlined remediation/waiver process to reduce bottlenecks in product deployment process.
Security Manager - Application and Mobile Security
Jan 2014 - Apr 2017
Protiviti, Philadelphia, PA
- Spearheaded Application and Mobile Security practice and its transformation initiative by bringing in significant enhancements to proposed testing frameworks, methodologies, and remediation strategies.
- Accomplished Protiviti's novel end-to-end service capability for evaluating API, mobile, and IoT devices, provided reusable process and tech frameworks on Secure SDLC, surpassing $1.5 million in net revenues.
- Developed penetration testing and red teaming exercises with defined end goals to demonstrate attack vectors that penetrate perimeter defenses, gain total control of CDE/PHI zones to exfiltrate data.
- Proposed and implemented secure-SDLC methodologies for banking organizations; provided solutions to integrate application security processes and assessment tools as part of the continuous integration efforts supporting Agile/DevOps SDLC models.
- Supervised, mentored, and developed a team of penetration testers and application security engineers, building from 4 engineers to a 22 strong team over a span of 3 years.
Principal Application Security Engineer
Mar 2011 - Dec 2013
Financial Industry Regulatory Authority, Rockville, MD
- Led Application Security Assessments program handling 150 applications, performing security requirements review, application architecture and design review, threat modeling, secure code reviews, automated and manual penetration testing, and WAF policy reviews.
- Reviewed and illustrated critical-risk vulnerabilities to information security steering committee, discussed vulnerability remediation efforts with application and business stakeholders.
- Collaborated to develop an application risk rating matrix for work prioritization and for determining the scope of penetration testing and source code assessments.
- Configured and fine-tuned FINRA's WAF by monitoring for attack patterns, helping the development team with interim remediation for detected vulnerabilities, and creating regex rule sets to block real-time attacks.
Senior Software Developer, Security
Apr 2010 - Mar 2011
Social Security Administration, Woodlawn, MD
- Developed a new version of the HSPD 12 PIV Card Management platform that provided administrators with a full-fledged Identity and Access Management platform.
Software Engineer, Security
Dec 2005 - Jul 2008
Infosys, Bangalore, India
- Performed manual penetration testing for authorization, authentication, session management, and general-purpose modules, conducted extensive manual code reviews based on data flow, taint, and control flow graph analysis.
Public Speaking
Publications
Volunteering
Advisory Board Member, EC-Council,
July 2020
Editorial Advisory Board member, ISSA's Monthly Journals,
July 2020
Editorial Reviewer, ISACA's Journals,
June 2020
Advisory Group Member, ISACA,
Jan 2021