
Application Security Software Engineer

Location:
Santa Clara, CA, 95056
Posted:
May 03, 2024


Resume:

Raji Vailoppully

Mohanan

Senior Application Security Lead

Email: *********@*****.***

Mobile: 307-***-****

• Worked with SPH Media Ltd, Singapore as a Senior Application Security Lead from June 2019 to May 2023.

• Worked with DBS Bank, Singapore as an Application Security Consultant from May 2017 to May 2019.

• Worked with Wipro Technologies, Bangalore, as a Senior Software Engineer / Domain Lead, Infosec from May 2011 to April 2017.

• B.E with specialisation in Computer Science and Engineering from Acharya Institute of Technology

• Diploma in Computer Science from the Board of Technical Education, Bangalore.

• Intermediate Education (+1 & +2) from CBSE.

• Currently working on secure SDLC implementation

• 12 years of working experience in the domain of Web Application Penetration Testing and Vulnerability Assessment and Source Code Review

• Expertise in manual and tool based web/API security testing

• 3+ years of working experience in the Bug Bounty Program Management.

• Good knowledge of OWASP Top 10 Web Application and API security vulnerabilities.

• Good Knowledge and Experience in configuring and running security tools related to SCA, SAST, DAST

• Experienced in working on different types of automation tasks such as JIRA automation, GitHub Actions, etc.

• Experienced in finding Business logic and Misuse of Functionality related security issues.

• Good Knowledge of Threat Modelling and Writing Security Test Cases based on the Application behaviour

• Good knowledge of DevSecOps CI/CD pipelines and Shift Left Security.

• Worked with Incident Response Team and understand detecting the traces and Root Cause of the issues.

• Knowledge of WAF, DLP, IPS/IDS, SIEM.

• Analysis of findings and recommendations to mitigate the identified vulnerabilities.

• Preparing a detailed report of the vulnerability findings.

• Willing to carry out additional duties and responsibilities and extending working hours when the job demands.

• Ability to learn on the job in a fast paced environment and to work with minimal supervision.

• A team player with excellent communication, analytical & coordination skills.

• Good track record of excellent service delivery.

Project Summary:

• Enable application security early in SDLC.

• Evaluate tools to perform SAST, SCA (open source scanner), DAST, container security and mobile security solutions which can be integrated in the DevOps pipeline.

• Preparing scope, request for quotation for new security tools.

• Shifting security to the left program by training developers on security, integrating security tools in DevOps pipeline, creating policy specific to SPH.

PROFILE SUMMARY

CORE COMPETENCY: Application and API Security, DevSecOps, Security Tools, Secure code training

• Expertise in Application, API and Web VAPT and Source Code Review (Java, PHP, Go, Python).

• Good knowledge of OWASP TOP 10 Web and API security vulnerabilities and remediations.

• Understanding of Application Architecture Review and Threat Modelling.

• Expertise in Managing Public Bug Bounty Programs.

• Experienced in Shift Left Security and Secure CI/CD Pipelines.

• Understanding of configuring Pre-commit checks, SCA, SAST, DAST tools in CI/CD pipeline.

• DAST: Burp Suite Professional and Enterprise, HP WebInspect, Core Impact Professional Version

• SAST: HP Fortify, Checkmarx

• SCA: Sonatype Nexus IQ

• Network Testing: Wireshark, Nmap, Nessus

• API Testing: Postman, ZAP API Scanner

• Secure Code Warrior program management

DETAILED PROJECTS

SPH Media Ltd, Singapore, Jun 2019 – May 2023

Client SPH Media Ltd, Singapore

Role Senior Application Security Lead

Role Description: Enable application security early in the SDLC. Evaluate tools to perform SAST, SCA (open source scanner), DAST, container security and mobile security solutions which can be integrated in the DevOps pipeline. Preparing scope and request for quotation for new security tools. Shifting security to the left program by training developers on security, integrating security tools in the DevOps pipeline, managing the bug bounty program, leading the team and creating policy specific to SPH.

Operational

Responsibilities

Application Security:

• Evaluating and requesting quote for SAST/SCA/DAST tools

• Integrating security scans into the pipeline (Shift Left program).

• Secure code training program initiative and program management.

• Using Automated security scanning tool and Manual testing techniques for finding security vulnerabilities.

• Eliminating the false positives and reporting all the true-positive vulnerabilities present in the application to the respective development team by creating JIRA tickets.

• Communicate with the development team to fix the vulnerabilities and provide them solutions according to security best practices.

• Follow up on the reported vulnerabilities and take action on the vulnerabilities according to the development team.

• Working closely with the Chief Information Security Officer on security policies and improvements to application security.

Bug Bounty Management:

• Handling and Managing SPH Media Bug Bounty Program and Follow up on the Bugs reported under Bug Bounty Program.

• Validating the findings and communicating all the updates to the researchers regarding True Positives, False Positives, Duplicate Submissions and Out-of-Scope issues.

• Creating JIRA tickets for True Positive submissions and working with the respective teams to close the vulnerabilities.

• Providing Bounties/Swag to the researchers based on the severity of the vulnerability they report.

Sciente Consulting, Singapore, May 2017 – May 2019

Client DBS Bank, Singapore

Role Application Security Consultant

Role Description: Performing source code review using Fortify (SAST). Analyzing for false positives. Arranging review meetings with the development team and guiding them to fix the vulnerabilities. After the completion of the first phase we had to check whether each vulnerability had been fixed or not by performing a re-scan. Also analyzing and performing manual penetration testing for the WebInspect reported vulnerabilities (DAST). Involved in training the developers on security as part of a software security initiative.

Responsibilities

• Performed static code analysis using Fortify SSC.

• Automated testing using HP WebInspect and manual testing using Burp Suite and other open tools.

• Removing false positives for both static and dynamic scans (SAST/DAST).

• Explaining the vulnerability to the developers and recommending to them how to fix the vulnerabilities.

• Also conducting sessions for the application team to trigger the scan and analyzing false positives.

• Nexus IQ OSS(Open Source Software) new security tool integration.

• Conducting training for security to developers as part of SSI(Software Security Initiative).

• Worked on machine learning for false positive prediction based on previously analyzed data – Audit Assistant feature in Fortify Software Security Center (SSC).

Wipro Technologies, Bangalore, May 2011 – April 2017

Client Banking and Finance, Media and Entertainment, Healthcare Services, Manufacturing

Role Senior Software Engineer / Domain Lead, Infosec

Role Description: Worked in the domain of Web Application Security, Web Services Security, Network Security and Source Code Review.

Responsibilities

• Using automated security tools to review the application and source code vulnerabilities.

• Eliminating the false positives from the tool findings and reported the vulnerabilities present in the application and source code.

• Manually finding the vulnerabilities in the application and source code by performing VAPT

• Creating and submitting a well-formed report for the client.

• Involved in the transition phase for the VAPT project.

• Requirement and approach document creation for the new VAPT projects.

• Also installation of the VA scan engine at the customer end and troubleshooting when results are not reflected at the manager server.

• Involved in the cloud VA setup for Microsoft Azure.

• Helping the team in the WAF alert analysis.

• Helping the team create custom signatures in IPS/IDS for new attacks.

• Also fixing some vulnerabilities of the IPS/IDS devices (McAfee NSM, IBM SiteProtector).

• Anti-phishing

• CISSP course completed in NUS-ISS, Singapore

EDUCATION

Degree | Institution/School | University/Board
B.E. (Computer Science and Engineering) | Acharya Institute of Technology, Bangalore | VTU
Diploma in Computer Science | Acharya Polytechnic, Bangalore | Board of Technical Education
Higher Secondary | SN Vidya Bhavan, Thrissur | CBSE
High School | Oriental, Thrissur | CBSE

DECLARATION

I, Raji Vailoppully Mohanan, declare that the information and facts stated above are true to the best of my knowledge and belief.

Date: 04/01/2024

Place: Laramie, WY, USA

Raji


