Suhas Hariharan

DevOps Engineer

Bengaluru, Karnataka, India · 16 yrs 8 mos experience
Highly Stable

Key Highlights

  • Proven track record in securing complex software.
  • Expert in building high-performance security engineering teams.
  • Extensive experience in cloud security and incident response.
Stackforce AI infers this person is a seasoned security engineering manager specializing in cloud security and incident response in the SaaS industry.

Skills

Core Skills

Cloud Security · Security Engineering · Penetration Testing

Other Skills

Amazon Web Services (AWS) · Blue Team · Cloud Computing · Cloud Services · Cybersecurity · Data Security · Engineering Management · Identity & Access Management (IAM) · Information Security · Management · Network Security · Red Teaming · Secure Code Review · Secure Design Review · Secure Network Architecture

About

Seasoned Security Engineering Manager with a proven track record of securing complex software.

Specialty - Building and leading high-performance + agile security engineering teams that deliver results time and again.

Technical Specialties - Leading / Working on the following programs:

  • Secure Development Lifecycle
  • Secure Architecture
  • Incident Response
  • Secure Release Pipeline
  • Security Automation
  • Security Training
  • Red teaming

Passionate about leading long-term security programs, such as:

  • Securing On-Premise, Cloud and Multi-Cloud offerings
  • Work with new attack vectors + Threat intelligence + Defense-in-depth
  • Building and Managing high-performance and agile security engineering teams
  • Experience in attracting and grooming niche security engineering talent.
  • Security Metrics / Posture - Measure and Improve it Q/Q and YoY.
  • Security leadership - Running programs which make an organization secure intrinsically - Paved-road-architectures, security trainings, security best practices.

Currently managing a team of extremely talented security engineers whose skill set spans across Web security, Network security, System security, Container security, Mobile security and Cloud security.

As part of the central security engineering team, we are responsible for the complete security state of the products and offerings. We do, but are not limited to, the following:

  • Secure design reviews and Threat Modelling
  • Scope and execute penetration testing at product / SaaS offering / Solution level
  • Perform manual source code reviews
  • Identify security vulnerabilities and control gaps
  • Offer actionable and practical mitigations to address security vulnerabilities
  • Analyze externally reported vulnerabilities
  • Automate repeatable security validations

Experience

Skyflow

Senior Manager Product Security

Jul 2023 - Present · 2 yrs 8 mos · India · Remote

  • Head of Product Security at Skyflow. Responsible for entire SDLC of Skyflow offering, primarily:
  • Threat Modeling
  • Penetration Testing
  • Bug Bounty
  • SAST and DAST (DevSecOps)
  • Incident response
  • AWS and Azure security
  • Container security
  • SCA and SBOM
  • Supply Chain Security
  • Compliance Certifications
  • PCI 4.0
  • ISO 27001
  • SOC 2
  • FedRAMP
Network Security · Penetration Testing · Vulnerability Assessment · Cloud Security · Threat Modeling · Information Security · +6

Atlassian

Product Security Manager

Nov 2022 - Jun 2023 · 7 mos

  • Built and led a central security engineering team, whose activity consists primarily of
  • setting up SAST and DAST for the organisation
  • SAST
  • drafting manual source code review plays
  • triaging findings from SAST tool
  • integrating SAST to DevSecOps at every pull-request (CI)
  • variant analysis using Semgrep and CodeQL
  • DAST
  • configuring tools for running scans on cloud deployments
  • building API inventory
  • triaging findings from DAST tools
  • integrating DAST to DevSecOps at every pull-request (CD)
  • FEDRAMP Compliance
  • Managed a team
  • which is data-driven, metricized the security engineering workload in a dashboard.
  • which is highly agile, and can span across different product suites/technology stacks.
  • which offers consistent security engineering services across the board.
  • Vocalizing the team's value addition using -
  • number of SAST and DAST Reviews completed.
  • number of components on-boarded (CI/CD), and PR level checks enabled for SAST.
  • number of source code review plays drafted.
  • reduction of false positives
  • number of bugs reported, split based on criticality.
  • $ per security bug expense. Compare with expenses via Bug bounty, external events and reports.
  • Resourcing per product / offering / solution.
  • Audit aging security issues per product / offering / solution. Fix rate product / offering / solution. Drive them to closure.
  • Building a Root Cause and Corrective Action (RCCA) feedback loop to imbibe learning from external reports, findings and threat intelligence.
Penetration Testing · Cloud Security · Vulnerability Assessment · Information Security · Management · Cybersecurity · +2

VMware

4 roles

Security Engineering Manager

Promoted

Jun 2021 - Nov 2022 · 1 yr 5 mos

  • Built and Leading a central security engineering team,
  • whose activity comprises primarily of design review and penetration testing. (full-system and feature levels)
  • which is data-driven, metricized the security engineering workload in a dashboard.
  • which is highly agile, and can span across different product suites/technology stacks.
  • which offers consistent security engineering services across the board.
  • Vocalizing the team's value addition using -
  • The number of Secure Design Reviews conducted.
  • The number of Penetration tests scoped and conducted.
  • Number of feature level reviews completed.
  • Number of Security bugs reported by the team.
  • $ per security bug expense. Compare with expenses via Bug bounty, external events and reports.
  • Resourcing per product / offering / solution.
  • Audit aging security issues per product / offering / solution. Fix rate product / offering / solution. Drive them to closure.
  • Building a Root Cause and Corrective Action (RCCA) feedback loop to imbibe learning from external reports, findings and threat intelligence.
  • Hiring and On-boarding -
  • Experience in running highly efficient interview process (including automated Capture-The-Flag(CTF) type validation), which helps identify amazing talent.
  • Running effective university connect programs, across India, to identify and cherry-pick budding security engineers. Currently 6 of them are interning with us, this year alone.
  • Evangelized preparation content for New College Graduates and potential hires, to help them fill any knowledge gaps.
  • Framed and ran a 4 to 8 week on-boarding plan for new hires, to address any technical gaps which they might have, to introduce them to new technologies / products / services, and to bring in parity to offer consistent security engineering services across all Business Units in VMware.
Penetration Testing · Cloud Security · Vulnerability Assessment · Information Security · Cybersecurity · Network Security · +1

Senior Member Of Technical Staff

Promoted

Jul 2016 - Jun 2021 · 4 yrs 11 mos

  • Roles and responsibilities performed as Senior Security Engineer: (along with the ones mentioned in junior roles)
  • Lead security engineering effort for End User Computing (EUC) Business unit at VMware.
  • Played significant role in securing the EUC BU's journey to cloud, on Azure, AWS and Softlayer.
  • Scoped and Executed full-system penetration tests.
  • Automation of repeatable security engineering tests.
  • Plugged-in SAST, DAST and SCA scanner tools into DevOps pipeline - Shift Left.
  • Provided subject matter expertise on Scoping for penetration tests by identifying attack surfaces, entry points, critical assets and functionality.
  • Contributed towards Product Security Policy creation.
  • Contributed towards Security workshop and trainings to evangelise best practices.
  • Mentoring and on-boarding junior engineers
Penetration Testing · Cloud Security · Vulnerability Assessment · Information Security · Cybersecurity · Network Security · +1

Member Of Technical Staff

Jul 2009 - Jul 2016 · 7 yrs

  • Career Progression in junior engineering roles:
  • Associate Member of Technical Staff
  • Member of Technical Staff - 1
  • Member of Technical Staff - 2
  • Member of Technical Staff - 3
  • Roles and responsibilities as a Security Engineer.
  • Secure Design Reviews - Threat Modeling
  • Source Code Reviews - Manual and using automated tools, such as Fortify, Coverity
  • Dynamic Application Security Testing (DAST) - Using scanners such as Nessus
  • Vulnerability Analysis and Penetration Testing (VAPT)
  • Software Composition Analysis (SCA) - Using BlackDuck(Appcheck)
  • Analysis of externally reported issues
  • Provide remediation for security vulnerabilities.
  • During the initial phases of my career, I was involved in performing the above mentioned activities on securing VMware Horizon suite. This suite included varied building blocks/products such as VMware Unified Access Gateway (UAG), VMware Horizon Connection Server, VMware Horizon Enrollment Server, VMware Horizon Agent and Clients, VMware AppVolumes, Horizon DaaS and Horizon Cloud Services (HCS).
  • This enabled varied technical exposure towards - Web Security, Network Security and Cloud Security. I was also exposed to securing various web services, web applications, databases, APIs, micro-services, docker-containers, protocols and networks.
Penetration Testing · Cloud Security · Vulnerability Assessment · Information Security · Cybersecurity · Network Security · +1

Engineering Intern

Jul 2008 - Jul 2009 · 1 yr

  • Contributed towards building automated validation of VMware ESXi hypervisor.
  • Bare metal support
  • Sanity security validation - SSL, keys, encryption algorithm etc.
  • Boundary and smoke tests.

Indian Institute of Science (IISc)

Research Intern

Jun 2006 - May 2007 · 11 mos · Bangalore Urban, Karnataka, India

  • Built an Optical Character Recognition (OCR) software to edit scanned Kannada and Tamil language texts.

Education

Manipal Institute of Technology

Master of Technology — Computer Science and Engineering

Anna University Chennai

Bachelor of Engineering — Computer Science and Engineering
