Jul 2023 – Dec 2023 · 5 mos · Delhi, India · On-site

Apr 2021 – Jul 2023 · 2 yrs 3 mos · Gurugram, Haryana, India · Remote

• Head of product security. Leading everything from IPO readiness, and internal product/cloud /app security to the HackerOne program.

Nov 2020 – Apr 2021 · 5 mos · Remote

• Collaborating with Product Management in defining the product vision and guiding teams on planning, designing, and building software
• Driving the hiring process by owning the recruiting process as well as developing the employee on-boarding process
• Managing team members including setting objectives, reviewing performance, and establishing a positive working environment

Jan 2020 – Oct 2020 · 9 mos · Remote

• Leading the team for attribute based access control and synchronised security.
• Led the team for Optix integration with Central platform and delivered ahead of time.
• Thread modelling, technical security assessment of web application and fixing the security issues.
• Technical demonstration of vulnerabilities and secure design patterns to developers.
• Developing libraries and services to enhance strong security posture of the product.
• Services Hardening as per POLP, encryption of customer data with key rotation, hardening of APIs.
• Ensuring protection from OWASP Top 10 (2017) risks and other commons risks including CSRF, SSRF etc.
• Designed Role based access control for the product with fail safe approach.
• Implemented MFA (Totp based), SAML login (Okta as idp), Google Sign in using Oauth (2.0) and brute force protection.
• Member of Sophos Bug Bounty Program.

Jan 2019 – Dec 2019 · 11 mos · Remote

• Founding Engineer at Cloud security start-up Avid Secure which was acquired by Sophos in Jan 2019.

Jul 2018 – Apr 2021 · 2 yrs 9 mos · Remote

• Founding engineer for the multi-cloud security start-up and built the first version (MVP) of the security platform using SpringBoot over AWS.
• Acquired by Sophos in Jan 2019.

May 2016 – Jul 2018 · 2 yrs 2 mos · New Delhi Area, India · On-site

• Conducting internal security trainings to make fellow employees aware about internet threats like phishing, social engineering and how to stay safe from them.
• Conducting external trainings on writing secure code, catching and fixing security vulnerabilities in web applications.
• Ensuring the digital security of critical information infrastructure by reviewing the source code, threat modelling, and conducting penetration tests against the websites.
• Research on automated security audit of web applications to ensure government websites are secure.

May 2015 – Jul 2015 · 2 mos · Bengaluru Area, India

• Designed a vulnerability scanner for windows.
• Got the Pre Placement offer (full time).

May 2014 – Jul 2014 · 2 mos · Bengaluru Area, India

• Supervisor - Mrityunjay Gautam
• Mentor - Achin Kulshrestha
• The typical time developers and IT admins spend doing productive and non-productive work on their computers is 12 to 14 hours a day. But, the computers in any organization, where the servers and desktops are always switched on, have a HUGE percentage of idle time, other than the human sleeping hours. Why not use the idle computation power for Fuzzing ?
• We created a centrally controlled GRID of all machines in any globally distributed organization. We would be identifying the idle state of these machines in real time and using that to achieve fuzzing and consequently, finding security vulnerabilities in any target product. This system combines the idle time of all the grid machines and gets bursts of huge computational power along with the capability of parallel processing which can allow us to find software vulnerabilities in a faster and more effective without any additional financial expense. The system can be combined with any fuzzing framework and it would greatly amplify the capabilities of the fuzzers by proper scheduling and parallel processing.
• The project was presented by Mrityunjay Gautam in c0c0n - (International Cyber Security and Policing Conference) on 22nd August,2014.