Shwetank Arora

DevOps Engineer

Gurgaon, Haryana, India · 8 yrs 8 mos experience
Most Likely To Switch · Highly Stable

Key Highlights

  • Over 5 years of experience in application security.
  • Led security engineering team for compliance with regulations.
  • Contributed to open source security projects.
Stackforce AI infers this person is a Security Engineer with expertise in application security and web development.

Skills

Core Skills

Web Application Security, Penetration Testing, Web Development, Java, Django, Javascript

Other Skills

Amazon Web Services (AWS), AngularJS, Bash, Burp Suite, CSS, Cloud Development, Drools, Elastic Stack (ELK), Git, GitHub, Grails, Groovy, HTML, HTML5, Jekyll

About

Security engineer with more than 5 years of experience in software development and application security. A security enthusiast, learning and contributing in the security domain through open source projects, security challenges (CTF) and informative blogs simplifying the learning and experience.

GitHub: https://github.com/shwetankarora
Medium: https://medium.com/@arorashwetankkdm

Experience

Flipkart

2 roles

Lead Security Engineer - Appsec

Promoted

Mar 2024 - Present · 2 yrs · Bengaluru, Karnataka, India

Senior Security Engineer

Oct 2022 - Mar 2024 · 1 yr 5 mos · Bengaluru, Karnataka, India

Pentabug (built by appsecure security)

Security Engineer

Aug 2021 - May 2022 · 9 mos · Bangalore

  • Responsible for building and securing a crowd-sourced security testing and responsible disclosure platform (https://www.pentabug.com/). The tasks include:
  • 1. Designing, building, testing and deploying (AWS) the complete back-end of our crowdsourced security testing and responsible disclosure platform (https://www.pentabug.com/) from the ground up. Responsible for securing the platform as well.
  • 2. Organised an internal 5 days long hacking event before go-live primarily aimed at hardening the security of the platform and learning hacking for fun.
  • 3. Configured a three-member replica set in MongoDB on AWS EC2 as per their official security checklist. Worked on Beanstalk, S3, Lambda, Route53, Load Balancer and EC2 (Linux) during the process of application deployment and monitoring.
  • Other Tasks Include:
  • 1. Web application penetration testing, source-code review, VAPT report preparation and reviewing/proof-reading VAPT reports.
  • 2. Interacting and coordinating with clients to understand their application's security architecture.
sqlmap, Penetration Testing, Postman API, Bash, Web Application Security, Amazon Web Services (AWS), +22

Mphrx

2 roles

Senior Software Engineer - Security

Promoted

Jan 2019 - Aug 2021 · 2 yrs 7 mos

  • 1. Had responsibility for understanding requirements, implementing technical solutions and interacting with clientele primarily spread across US and Asia region in an agile development environment.
  • 2. Headed the security engineering team responsible for securing PHI and PII data as per the regulatory requirements set forth by HIPAA, GDPR, PCPA etc.
  • 3. Built a framework for implementing attribute-based access control (ABAC) using Drools rule engine. This was the core for our product's compliance with the many laws, acts and decrees that regulate patient data protection and privacy across geographical boundaries.
  • 4. Investigated detections of Microsoft Azure web application firewall (WAF) configured with OWASP CRS 3.1 and refined ruleset as per our application to minimise false positives.
  • 5. Designed a unified security audit logging of the web application which records all the events - audit of access (user interactions) and audit of change (modification of entities). This fulfilled the primary requirement of making us ONC compliant and was crucial during active investigations of security incidents and post mortem analysis.
  • 6. Initiated security-aware codebase refactoring. This includes adding strict validations after taint analysis, building XSS/SQL/NoSQL injection filters and SSRF defences, malicious PDF upload prevention etc.
  • 7. Strengthened Content Security Policy (CSP) majorly by disallowing all inline JavaScript and refactoring such code pieces.
  • 8. Performed web application security hardening and testing, vulnerability scanning and coordinating with external VAPT vendors at the end of every release cycle. Used tools like BurpSuite, Nmap, Metasploit, Snyk, Dirbuster, Postman, SQLMap and SonarQube.
  • 9. Conducted dozens of inter-team training sessions on penetration testing of web/mobile applications, APIs and secure coding.
sqlmap, Groovy, SQL, Drools, AngularJS, Penetration Testing, +28

Software Engineer II

Jul 2017 - Dec 2018 · 1 yr 5 mos

  • As an entry level software engineer, my primary job function was to implement product features and client requirements on their existing Healthcare Data Platform-as-a-Service written in Java, Groovy/Grails and AngularJS with MongoDB and MySQL database.
Groovy, SQL, Drools, AngularJS, Postman API, Bash, +16

Eneo technologies pvt ltd

Back End Developer

Jun 2016 - Aug 2016 · 2 mos · Gurgaon, India

  • Eneo Technologies was my first foray into software development. I built a RESTful API and an Asynchronous Task Management System on Django. This was a garage startup aimed at providing motorised vehicles on rent.
Postman API, Bash, Git, Django, Python (Programming Language), jQuery, +9

Amethyst labs

Full Stack Developer

Dec 2015 - Jun 2016 · 6 mos · Delhi Area, India

  • Worked as a web developer and built a website of this college startup where folks had a novel and ahead of its time idea of building a new internet named "Grid" backed by a powerful AI which can help people optimise their daily life. Grid is a peer-to-peer network which harnesses the data collected from all the nodes on the network and provides useful insights while maintaining complete privacy.
  • Website: https://shwetankarora.github.io/
  • Detailed info: Watch Silicon Valley!!!
Postman API, Git, Python (Programming Language), Jekyll, JavaScript, jQuery, +6

Education

Delhi Technological University (Formerly DCE)

Bachelor of Technology (BTech) — Software Engineering

Jan 2013 - Jan 2017

Army Public School

Jan 2000 - Jan 2012