Rohit Salecha

Security Engineer

Mumbai, Maharashtra, India · 15 yrs 3 mos experience
AI Enabled · AI ML Practitioner

Key Highlights

  • Over a decade of experience in secure software development.
  • Expert in integrating security into CI/CD pipelines.
  • Strong advocate for 'everything as code' in security practices.
Stackforce AI infers this person is a Security Engineering expert in the SaaS industry.

Skills

Core Skills

Security Engineering, DevSecOps, Secure Code Review, Cloud Security, Team Management, Incident Response, Security Architecture, Security Automation

Other Skills

AI Security, AWS Security, Amazon Web Services (AWS), Ansible, Application Security, Application Security Architecture, Artificial Intelligence (AI), Automation, Burpsuite, Continuous Delivery (CD), Continuous Integration (CI), Continuous monitoring, Continuous security, Cybersecurity, DAST

About

Rohit Salecha is a technology geek who loves to explore anything that runs and understands binary. As a security engineer, he is passionate about learning the length, breadth and depth of technology. Being more on the defensive side, he has evangelised secure software development at various organizations for more than a decade. He is ridiculously driven by the “everything as code” mantra and strongly believes that the security team must strive towards making themselves irrelevant.

Experience

GoDaddy

Principal Security Engineer

Jul 2025 - Present · 8 mos · Mumbai, Maharashtra, India · Remote

  • Champion AI-focused security initiatives: Build using AI and Secure AI Systems
  • Lead comprehensive security assessments across applications and infrastructure, identifying vulnerabilities, mentoring system owners on remediation strategies, and embedding a proactive security culture across development teams.
  • Collaborate cross-functionally with Site Reliability Engineering (SRE), software developers, and product teams to shift security left — integrating automated tools (SAST, DAST, SCA) into the CI/CD pipeline and scaling security controls across cloud-native environments.
  • Conduct in-depth threat modeling and architecture reviews to reduce risk exposure, align security practices with privacy and compliance requirements, and enhance resiliency across services and platforms.
  • Serve as a mentor and thought leader, training development teams and security champions, elevating security awareness and enabling a Secure Development Lifecycle (SDLC) by design.
AI Security, SAST, Java Security, Kubernetes Security, Continuous Delivery (CD), semgrep, +15

Amazon

Senior Security Engineer

Apr 2024 - Jul 2025 · 1 yr 3 mos · Mumbai, Maharashtra, India · On-site

  • Creating, updating, and maintaining threat models for a wide variety of software projects
  • Manual and Automated Secure Code Review, primarily in Java, Python and JavaScript
  • Development of security automation tools
  • Adversarial security analysis using cutting-edge tools to augment manual effort
  • Security training and outreach for internal development teams
  • Security architecture and design guidance
  • Independently solve security problems that require novel methods or approaches
  • Influence my team’s and partners’ process, priorities, and choices to improve outcomes
SAST, Secure Code Review, Continuous Delivery (CD), Infrastructure as code (IaC), Secure Design, Continuous Integration (CI), +8

Zynga

Senior Engineering Manager

May 2023 - Mar 2024 · 10 mos · Mumbai, Maharashtra, India · Remote

  • Manage a Team of 5+ super heroes; providing expert-level technical peer review for application security and cloud security issues, coaching and guidance on methodologies, tactics, processes and findings
  • Create and Coordinate quarterly planning process (OKRs – Objectives and Key Results), manage security debt/backlog, assignment and reprioritisation of resources.
  • Driving security engineering engagements with a high degree of Engineering satisfaction and through org-wide communication strategy.
  • Partnering closely with other functions including Product and Engineering, Communications, PR, Marketing, Revenue, HR, Talent for anything related to security.
Team Management, Team Leadership, Kubernetes, semgrep, Red Teaming, Amazon Web Services (AWS), +4

Springer

Technical Author

Oct 2022 - Dec 2023 · 1 yr 2 mos

  • Infrastructure as Code (IaC) is gaining popularity and developers today are deploying their application environments through IaC tools to the cloud. However, it can become extremely difficult and time-consuming to manage the state of the infrastructure that has been deployed. This book will provide a complete walkthrough of deploying a SpringBoot application on AWS with multiple environments like production, staging and development. Everything is orchestrated through GitHub Actions and executed through Terraform Cloud to monitor changes in your infrastructure and manage its state.
  • You'll start by reviewing how your infrastructure can be stored in code by spinning up an EC2 server first through the console, then AWS CLI and then using Terraform. You'll then be presented with a practical scenario of setting up a simple EC2 server in a multi-environment (production, staging and development) using GitHub Actions and Terraform Cloud. In the advanced section that follows, this simple EC2 server is expanded into an application that is deployed on an AWS EKS (Elastic Kubernetes Service) using AWS RDS (Relational Database Service) exposed through an AWS ALB (Application Load Balancer) protected using AWS ACM (AWS Certificate Manager), and accessible by setting the AWS Route53.
  • The book then builds on this infrastructure and demonstrates how it can be deployed in a multi-environment scenario by implementing accounts through AWS Organizations. You'll see how to put in restrictions through Service Control Policies, how to protect secrets using AWS Secrets Manager, and how to work with least privileges using IRSA (IAM Roles for Service Accounts). Finally, you'll make the infrastructure more observable using Grafana, Prometheus, and AWS OpenSearch, run security tools, host Route53 zones dynamically based on environments, and implement CloudWatch Alarms for various use cases.

Disney+ Hotstar

Engineering Manager

Mar 2022 - May 2023 · 1 yr 2 mos · Mumbai, Maharashtra, India

  • Manage a Team of 5+ super heroes; providing expert-level technical peer review for application security and cloud security issues, coaching and guidance on methodologies, tactics, processes and findings
  • Create and Coordinate quarterly planning process (OKRs – Objectives and Key Results), manage security debt/backlog, assignment and reprioritisation of resources.
  • Driving security engineering engagements with a high degree of Engineering satisfaction and through org-wide communication strategy.
  • Driving initiatives and providing insightful data-driven strategic recommendations to leadership team.
  • Partnering closely with other functions including Product and Engineering, Communications, PR, Marketing, Revenue, HR, Talent for anything related to security.
  • Provide innovative solutions by working in an ambiguous environment thereby contributing to overall product design.
  • Work as the incident manager co-ordinating various stakeholders and provide timely mitigation.
  • Revolving my entire job/planning/execution around two simple mantras "Security by Default" and "All things security as code"
Security Information and Event Management (SIEM), Team Leadership, Influence Others, Kubernetes, Vulnerability, semgrep, +9

Claranet

Security Architect

Jul 2021 - Mar 2022 · 8 mos · Mumbai, Maharashtra, India

  • Working as a Security Architect for one of Claranet's premier clients, helping them to set up a Product Security team riding on the "Shift Left" paradigm
  • Partner with multiple application development teams within the client organization to ensure secure development of applications.
  • Develop a broad and deep technical understanding of applications, services and architectures pertaining to the client application organization.
  • Interpret results from exercises such as code review and penetration testing for stakeholders and advise on remediation and mitigation as well as incorporate learnings into future designs.
  • Conduct architecture reviews, threat modeling, design reviews and code review on web and mobile applications and web services as and when required.
  • Develop documentation and a knowledge base to be used by developers for implementing secure coding practices
  • Research and maintain knowledge of the changing landscape of application security, latest threats, and attacker tools, techniques, and procedures.
  • Provide recommendations for missing application security controls and secure design patterns.
  • Support and provide consultation to development teams in the areas of application security, cloud security, DevSecOps and mobile security.
  • Act as subject matter expert and provide mentorship to team members.
  • Develop and maintain strong working relationships with development teams, leadership, and product owners.
  • Lead the efforts towards creation and successful functioning of an application security program for the client organisation.
  • Lead long-term initiatives of the program such as automation, processes, and documentation for the client organisation.
Influence Others, Vulnerability, Continuous Delivery (CD), Infrastructure as code (IaC), DevSecOps, Automation, +1

NotSoSecure

4 roles

Associate Director

Promoted

Jan 2020 - Jul 2021 · 1 yr 6 mos

  • Security Automation
      ◦ He loves automating his tasks and has also blogged about a few of them in the Technology section.
      ◦ He is a big fan of DevOps methodology and he loves to play around with tools like Jenkins, Docker, Kubernetes, Vagrant and Ansible.
      ◦ Hence, he is responsible for identifying tasks which can be automated at NotSoSecure.
  • Security Architecture/Threat Modelling
      ◦ Being a developer at heart, Rohit has experience in understanding how a typical software development environment operates.
      ◦ He has performed architecture reviews of various such environments, whether they are running in traditional IT or the modern DevOps stack.
      ◦ His architecture reviews involve understanding the current high-level architecture, then drilling deep down into the technology stack and suggesting the security best practices.
      ◦ He has also worked with the STRIDE threat modelling approach by Microsoft in various projects.
      ◦ He has experience in performing architecture and configuration review from a security standpoint for on-premises as well as cloud infrastructure, including technology like Kubernetes.
  • Strategy
      ◦ Aligning research with pentesting and training content development to maximize revenue.
      ◦ He is also tasked with leading the ‘Protect and Detect’ segment to deliver strategic advice and consultancy to organizations for injecting security in their SDLC processes.
      ◦ Actively involved in the recruitment process for hiring exceptional candidates who can grow along with the company
  • Pentesting
      ◦ Web, Mobile and API pentesting of applications from various industries
      ◦ Researching new tools and techniques for pentesting and feeding them back to the team.
  • Training
      ◦ Lead trainer for three of the most selling classes of NotSoSecure viz. Application Security for Developers, DevSecOps and AppSecOps and delivered this class across the globe i.e. UK, EU and USA.
      ◦ Developed the entire DevSecOps course from the ground up and presented at OWASP Global APPSEC DC and many more places.
Influence Others, Vulnerability, Continuous Delivery (CD), Intrusion Detection, Infrastructure as code (IaC), DevSecOps, +2

Principal Consultant

Jan 2019 - Dec 2019 · 11 mos

Vulnerability, Continuous Delivery (CD), DevSecOps, Automation

Senior Security Consultant

Promoted

Jan 2018 - Dec 2018 · 11 mos

Vulnerability, Continuous Delivery (CD), DevSecOps, Automation

Security Consultant

Nov 2016 - Dec 2017 · 1 yr 1 mo

Vulnerability

Emirates NBD

Information Technology Security Specialist

Apr 2015 - Nov 2016 · 1 yr 7 mos · United Arab Emirates

  • Serves as an internal Information Security consultant to the organization, ensuring proper information security clearance amidst a constantly changing environment at the Bank and ensuring its compliance with established organizational information security policies and regulatory requirements. Perform regular Security Assessments on the IT infrastructure, processes and procedures to ensure compliance with the Group's Security policy. Proactively follow up for closure of the issues identified.
  • Risk Assessment of New Business Initiatives (Products, Channels, Solutions) across the bank from an Information Security and Architecture perspective, ensuring involvement at every stage of the project/initiative lifecycle.
  • Third Party (Vendor) Assessments through RFP sessions helping select the best vendor from a Security and Architecture perspective.

EY

IT Risk Advisory Consultant

Mar 2014 - Apr 2015 · 1 yr 1 mo · Mumbai Area, India

  • Performing Vulnerability Assessment and Penetration testing for EY's clients in the Telecom, Media & Entertainment and Technology domains.
  • Performed IT Audits for ensuring compliance with various regulatory standards and policies including SOX and TRAI
  • Developing and Reviewing Minimum Baseline Security Standards for various technologies
Vulnerability

NII Consulting

Security Analyst

Aug 2012 - Mar 2014 · 1 yr 7 mos · Mumbai Metropolitan Region

  • Performing VAPT on web/mobile applications and servers for various clients in the Banking industry and advising them on various security issues.
  • Conducted CSJD (Certified Secure Java Development) trainings for NII’s and IIS’s premier clients and CSI (Computer Society of India) Mumbai Chapter.
  • Delivered Security Awareness training to the senior management of a major Oil and Gas Corporation in India.
  • Single-handedly managed a 3-month engagement for a leading insurance company to perform Secure Code review and developing security guidelines for developers in J2EE technology.

Mastek Ltd

Software Engineer

Jul 2010 - Jul 2012 · 2 yrs · Mumbai Metropolitan Region

  • Full stack developer in J2EE-Oracle technology with expertise in Spring, Struts, JPA, Hibernate, MySQL and Oracle
  • Developed a suite of applications for MHADA Lottery 2012 following Secure Coding best practices as advised by the Security team over a period of 15 months.
  • Developed PoC solutions on Liferay Platform
  • Developed J2ME Mobile applications for bus-tracking as part of a hackathon

Education

Vidyalankar Institute of Technology

Bachelor of Engineering (BE) — Electrical and Electronics Engineering

Jan 2005 - Jan 2009

Wilson College, Girgaon

HSC — Science

Jan 2003 - Jan 2005

G D Somani

SSC

Jan 1992 - Jan 2003
