Sri Sai

Having 5 years of experience in the Application Security domain and a staunch believer in the shift-left approach to implement Secure-SDLC across the organization. Having strong experience in manual and automated source code reviews, SAST, DAST, SCA, internal & external Penetration Testing to name a few of my day-to-day responsibilities. Seeking suitable positions in a technology-driven organization that encourages innovative thinking, recognition, and career development

• Working as an Application Security Engineer to implement a Secure-SDLC and DevSecOps pipeline. Analyzing the scan results from the SAST, DAST & SCA tools to perform false-positive analysis and work with the engineering teams to remediate the true positives. 
• Performed Threat Modeling using STRIDE mode for proactive risk identification & mitigation.
• Found security vulnerabilities using manual source code review and reported vulnerabilities like Cross-Site Scripting, Business Logic vulnerabilities, CSRF, vulnerabilities related to HTTP headers, Clickjacking etc.
• Conducted internal penetration testing for all applications, identifying and reporting any security vulnerabilities discovered. Additionally, I collaborated with external vendors to conduct annual third-party penetration testing. This comprehensive approach helps ensure that all potential security issues are identified and addressed.
• Used Burp Suite to scan for the OWASP Top 10 web application vulnerabilities before releasing the features into production to perform the security regression testing.
• Reviewed the findings from SAST, DAST, SCA, Manual Pen Tests to perform False-Positive analysis and Vulnerability Management to ensure that any identified vulnerabilities are accurately assessed and effectively addressed
• Performed Risk Assessment for all the identified security risks to define the severity of the findings.
• Sharing security metrics and key insights to the senior leadership to align with our organization’s security goals and gauge our efforts to ensure that we are trending in the right direction
• Researched and implemented the security tools like Burp Suite, Veracode, Dependency Track, enabled them for the agile teams, and defined policies in the Security DoD for its effective usage by the agile teams.
• Worked with DevOps teams to get all the security tools integrated within the CI/CD pipeline for automated security testing and getting real-time feedback. Also, configured quality gates to fail the builds which do not conform to our security policies.
• Worked with the InfoSec teams to assist on the ISO-27001 and SOC2 audits.
• Experienced in identifying security vulnerabilities on the cloud assets like the servers, VMs etc. using a Cloud Security Posture Management tool like WIZ.
• Experienced in analyzing the threats reported by Sumologic (SIEM tool) from our SOC team to perform the false positive analysis for application related threats.
• Conducted multiple trainings sessions on the effective usage of the security tools, OWASP Top 10 vulns, security best practices, latest happenings in the security sphere, changes in the security policies etc.
• Speaker at multiple Security Brownbag sessions and actively creating programs to enhance the security culture.

b-tech 2014-2018 SRM institute of SCIENCE AND technology