Madan Kanuganti
*****.***@*****.***
Professional Summary
Security Specialist with 10 years of experience in risk management, vulnerability assessment, secure coding practices, DevSecOps integration, and regulatory compliance (HIPAA, PCI DSS). Adept at leveraging frameworks like OWASP Top 10, CIS Benchmarks, and NIST Cybersecurity Framework to enhance security posture across cloud and on-prem environments.
Penetration Testing & Vulnerability Management
8+ years of experience in penetration testing of web applications, APIs, and application infrastructure, identifying vulnerabilities like SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
Conducted threat modeling using STRIDE and DREAD methodologies for web applications and cloud services; collaborated with teams to identify and mitigate architectural risks early in the SDLC.
Performed manual dynamic testing using Burp Suite and OWASP ZAP to uncover business logic flaws, session handling issues, and runtime vulnerabilities not detected by automated scans.
Additionally performed vulnerability assessments using Qualys (including WAS module) and Tenable Nessus.
Application, API & Cloud Security
Enforced secure coding standards based on OWASP, SANS CWE Top 25, and CERT guidelines.
Secured APIs using OAuth, SAML, JWT, Postman, and OWASP ZAP.
Applied security best practices across AWS, Azure, and GCP, including IAM, KMS, and cloud service hardening.
DevSecOps, CI/CD & Automation
Integrated security into CI/CD pipelines using Jenkins, GitLab CI, Azure DevOps, and Kubernetes.
Automated security testing with SAST, DAST, and IAST tools within infrastructure-as-code pipelines using Terraform.
Developed custom security scripts in Python, PowerShell, and Bash to automate scanning and compliance checks.
Security Operations & Threat Modeling
Hands-on experience with SIEM tools (Google Chronicle, MS Defender), IDS/IPS, and DLP solutions.
Applied secure coding practices aligned with OWASP and SANS guidelines.
Strong understanding of encryption principles and basic exposure to malware detection techniques.
Conducted threat modeling using STRIDE and PASTA methodologies, with a focus on AI threat vectors and mitigations.
IAM & Infrastructure Security
Deployed SSO/MFA solutions using CyberArk, Okta, and PingOne across hybrid environments.
Collaborated with infrastructure teams to review firewall rules, WAF configurations, and VPN setups to support secure deployments.
Worked with Docker and Kubernetes environments, supporting security best practices and collaborating with teams to assess container security risks.
Compliance, Training & Governance
Ensured compliance with HIPAA, PCI DSS, NIST, and ISO 27001 through audits, policies, and assessments.
Conducted internal security audits across cloud, DevOps, and application environments to ensure continuous compliance with internal policies and external regulations.
Delivered training on secure coding, DevSecOps, and threat modeling practices.
Collaborated cross-functionally to embed security across the Software Development Lifecycle (SDLC).
Education & Certification
Master of Science in Computer Science
Northwestern Polytechnic University, Fremont, CA
April 2014 – August 2015
Certification:
Certified Ethical Hacker (CEH)
AWS Certified Security – Specialty
Technical Skills
Front-End Technologies
JavaScript, HTML, CSS, Angular, React, Polymer, NodeJS, jQuery
Back-End & Programming
C, C++, C#, .NET, Java, Python, Django, SQL, Docker
Tools & Platforms
DevSecOps & CI/CD: Snyk, GitHub Enterprise, Azure DevOps, GitLab CI/CD, Jenkins, Terraform, Kubernetes
Application Security: Snyk, SonarQube, OWASP ZAP, Burp Suite, Fortify, WebInspect, Acunetix
Vulnerability Scanning: Qualys, Tenable, SQLmap, Nmap
Penetration Testing & Network Analysis: Wireshark, Metasploit, DirBuster
Cloud & IAM Security: Azure Security Center, Microsoft Defender, Azure Sentinel, Entra ID (Azure AD), AWS Security Hub
Container & IaC Security: Docker, Kubernetes, Snyk, Trivy, Falco, Terraform Sentinel, Open Policy Agent (OPA)
Threat Modeling Tools: Microsoft Threat Modeling Tool, OWASP Threat Dragon, IriusRisk, ThreatModeler
Compliance & Audits: NIST, CIS, ISO 27001, SOC 2, PCI DSS, HIPAA
Security Monitoring & Access: Google Chronicle, Microsoft Sentinel, ProofPoint, Palo Alto GlobalProtect
Automation & Scripting: Python, PowerShell, Bash, Jenkins, Terraform, AWS CloudFormation, Azure Resource Manager (ARM)
Motrex LLC — DevSecOps Engineer
September 2024 – Present · Remote (FL)
Led the integration of Snyk with GitHub Enterprise, Azure DevOps, and Jenkins to automate vulnerability scanning in open-source dependencies.
Configured Snyk integrations to enforce security policies across source code, containers, and infrastructure-as-code in CI/CD workflows.
Integrated Snyk with Jira and ServiceNow for automated vulnerability ticketing and streamlined remediation workflows.
Conducted risk assessments on third-party dependencies and implemented Software Composition Analysis (SCA) using Snyk and other tools.
Integrated SAST, DAST, IAST, and SCA tools into CI/CD pipelines using GitLab CI/CD, Azure DevOps, Terraform, and Kubernetes.
Configured security best practices across AWS services including EC2 (instance hardening), S3 (encryption and access policies), RDS (secure connectivity and auditing), and EKS (IAM roles for service accounts and runtime protection).
Performed manual dynamic testing using Burp Suite and OWASP ZAP to detect business logic flaws, session handling issues, and authentication weaknesses missed by automated scans.
Automated web and API vulnerability scanning using Burp Suite and OWASP ZAP.
Implemented IaC security controls using Terraform Sentinel and Open Policy Agent (OPA) to enforce cloud deployment compliance.
Performed Azure and AWS cloud security assessments and conducted audit reviews using Azure Security Center, Microsoft Defender, and Sentinel, ensuring compliance with NIST, CIS, and ISO 27001.
Configured AWS CloudWatch and AWS CloudTrail to enable centralized monitoring and logging, ensuring critical events are captured, aggregated, and analyzed to support timely detection and response to potential security incidents.
Managed IAM policies using Azure Entra ID (formerly Azure AD) and Privileged Identity Management (PIM) to enforce least privilege and conditional access.
Worked with compliance teams to remediate vulnerabilities from VA scans and ensure alignment with regulatory standards.
Provided audit evidence and security documentation for SOC 2, HIPAA, and PCI DSS compliance requirements.
Designed and implemented Zero Trust security models for cloud infrastructure and identity access.
Automated security log analysis and incident response using Google Chronicle, Microsoft Sentinel, and SIEM tools.
Participated in Red Team exercises and conducted threat modeling to identify and mitigate architectural weaknesses early in the SDLC.
Created and delivered security awareness training to development teams on secure coding and threat management practices.
CSAA (AAA Insurance) — DevSecOps / Security Engineer
April 2023 – August 2024
Led manual and automated penetration testing using white-box, grey-box, and black-box techniques with tools like Burp Suite and OWASP ZAP, identifying critical issues across web applications and APIs.
Conducted vulnerability assessments using Qualys WAS, identifying misconfigurations and vulnerabilities in both on-premises and cloud-hosted applications.
Authored a comprehensive DAST testing guide for web applications and APIs to standardize internal security testing practices.
Performed web application penetration testing on AWS-hosted applications using Burp Suite, validating security controls and identifying issues aligned with the OWASP Top 10.
Performed secure code reviews using Snyk, detecting and reporting logic flaws and vulnerabilities in Java, .NET, SQL, HTML, and CSS codebases.
Created Jira tickets for security issues and linked them to relevant application teams’ Jira boards, streamlining remediation tracking and follow-ups.
Evaluated and recommended suitable security vendors for CSAA through in-depth research and proof-of-concept testing.
Developed and enforced secure coding guidelines to reduce recurring security flaws and uplift development team practices.
Collaborated with development and compliance teams to drive remediation of high-risk findings, improving the organization’s overall security posture.
Performed API security testing using Postman and Burp Suite, including validation of SSO, OAuth, SAML, and JWT implementations for secure authentication and authorization.
Created and executed test strategies and test cases for application security aligned with OWASP Top 10 and CWE/SANS Top 25 best practices.
Provided secure coding and threat awareness training to development teams, helping them better understand and resolve identified vulnerabilities.
Actively collaborated with engineering and compliance teams to drive remediation of high-risk findings across infrastructure and applications.
Utilized ServiceNow to manage vulnerability and incident workflows, enabling accurate tracking of remediation and SLA adherence.
Manulife — Security Engineer
November 2021 – April 2023 · Remote (FL)
Conducted web application walkthroughs and performed penetration testing using Burp Suite, IBM AppScan, and HP WebInspect; collaborated with development teams for timely remediation.
Improved application-level logging and threat detection by integrating Google Chronicle into the SIEM pipeline for real-time monitoring.
Developed threat models for high-risk applications using Microsoft Threat Modeling Tool to identify architectural weaknesses and prioritize mitigations early in the SDLC.
Performed cloud security posture assessments across AWS, Azure, and GCP, identifying misconfigurations and enforcing policy-based controls.
Reviewed cloud IAM policies and applied least privilege principles to eliminate excessive access across multi-cloud environments.
Hardened Docker, Kubernetes, and OpenShift environments by applying container security best practices and identifying vulnerabilities with Trivy and Kube-hunter.
Designed and tuned Web Application Firewall (WAF) configurations to mitigate OWASP Top 10 risks and zero-day threats.
Developed and implemented secure coding guidelines for engineering teams based on OWASP ASVS and CIS benchmarks.
Conducted security validation of third-party APIs and integrations to mitigate supply chain and data exposure risks.
Integrated security tools like Snyk, Checkmarx, and SonarQube into CI/CD workflows via Azure DevOps, GitLab CI, and Jenkins.
Automated repetitive security tasks and reporting with Python, PowerShell, and Bash, improving efficiency in vulnerability management.
Led phishing simulation campaigns and delivered security awareness training to raise employee understanding of social engineering risks.
Responded to security incidents and supported remediation efforts for findings flagged by Fortify and other SAST/DAST tools, addressing issues like input validation and insecure configurations.
Implemented Privileged Access Management (PAM) using CyberArk to protect sensitive systems and credentials.
Developed and maintained incident response playbooks to standardize threat response procedures across the SOC team.
Dollar General Corporation — Lead Consultant / Application Security Engineer
October 2018 – October 2021 · Goodlettsville, TN
Project Description:
Led application security efforts for corporate applications, conducting vulnerability assessments, secure code reviews, and integrating security into the SDLC. Deployed and supported Fortify tooling, conducted both SAST and DAST testing, and worked closely with developers to triage and remediate findings. Oversaw threat modeling, mobile app security, and API hardening in a cloud-native environment with regulatory compliance (PCI, SOX).
Responsibilities:
Performed source code reviews and static analysis using HP Fortify to detect security vulnerabilities and logic flaws in applications developed in .NET, Java, and PHP.
Conducted DAST assessments with WebInspect and Burp Suite, along with manual penetration testing to identify OWASP Top 10 risks.
Deployed and maintained Fortify Software Security Center, supporting integration into CI/CD pipelines and assisting development teams with SAST tool usage and remediation.
Triaged and prioritized vulnerabilities, categorizing findings into critical, high, medium, and low severity, and collaborated with teams for timely resolution.
Guided secure coding practices and provided actionable remediation guidance for issues like SQL injection, XSS, and authentication flaws.
Served as a subject matter expert in threat modeling, collaborating with architects and developers during the design phase to identify and mitigate risks using ThreatModeler and IriusRisk.
Developed procedural documentation for Fortify SAST processes and maintained security trackers and aging reports to monitor unresolved vulnerabilities.
Enhanced API security with secure authentication and mitigated microservices risks in Azure.
Conducted security assessments for mobile applications built in Java, Objective-C, and Swift across iOS and Android platforms.
Managed Kubernetes-based deployments and supported container security practices using Docker for secure application delivery.
Worked with DevSecOps teams to secure cloud-hosted applications and ensure security gates were embedded within CI/CD workflows.
Collaborated with enterprise architecture, IT, and compliance teams to align security requirements with business and regulatory needs (PCI DSS, SOX).
Implemented Privileged Access Management (PAM) using CyberArk to restrict unauthorized access to sensitive systems.
First Data Corporation — Application Security Engineer
September 2017 – September 2018 · Omaha, NE
Conducted review meetings on Fortify On Demand reports with application teams and status calls with offshore teams to coordinate vulnerability remediation.
Performed static code analysis and collaborated with development teams to remediate vulnerabilities across large-scale Java applications.
Worked closely with Java Application Architects to analyze false positives and address over 8,000 security findings reported by Fortify.
Executed SAST and DAST testing using Fortify, WebInspect, and manual techniques to uncover vulnerabilities such as XSS, CSRF, SQL Injection, Open Redirects, and Header Manipulation.
Conducted peer reviews of Security Assessment Reports and contributed to requirements gathering for secure design implementation.
Provided security signoff and formal risk reporting prior to application deployment, ensuring alignment with organizational risk posture.
Participated in secure code reviews and design assessments of Java and .NET applications to detect logic flaws and security gaps.
Assisted in a significant merger activity by managing client data separation and ensuring secure handling of personally identifiable information during system integration.
Implemented data encryption and decryption using Voltage, and collaborated with teams using Cognos, Ab Initio, and Talend for secure data movement and reporting workflows.
Built a cloud risk assessment framework leveraging guidance from the Cloud Security Alliance, Microsoft, and other industry best practices.
Worked with development tools like IBM RAD and Eclipse during source code analysis and testing phases.
Facilitated collaboration between software development, hardware engineering, and cybersecurity engineering teams to drive timely project milestones.
Wells Fargo — Security Analyst
August 2016 – August 2017 · Charlotte, NC
Conducted static application security scans using HP Fortify on Java and .NET applications to identify coding vulnerabilities aligned with OWASP standards.
Collaborated with development teams to triage Fortify scan results, address false positives, and remediate high-priority findings throughout the SDLC.
Reviewed application designs, source code, and deployments to perform end-to-end vulnerability assessments on web applications and web services.
Participated in functional, integration, regression, and user acceptance testing (UAT), combining security testing with manual black box testing approaches.
Drafted security assessment reports detailing findings, risk levels (SEV1 to SEV5), and provided actionable remediation guidance to application teams.
Performed research on emerging application-layer threats and attack techniques, supporting mitigation planning and timely threat response.
Evaluated newly released patches, documented potential risks of delay, and recommended alternate mitigations when immediate application wasn't feasible.
Assisted developers in implementing Fortify's remediation guidance, promoting secure coding practices and risk-based vulnerability prioritization.
Collaborated with a dedicated security research and detection team to build defense mechanisms and raise awareness of application-layer attack vectors.
Provided regular vulnerability metrics categorized by severity (High, Medium, Low) to project stakeholders and development leads.
Citizens Bank — Penetration Tester
December 2015 – July 2016 · Providence, RI
Performed application and infrastructure penetration tests, including internal threat simulations, physical security reviews, and social engineering assessments for enterprise environments.
Conducted penetration testing on web applications based on OWASP Top 10 standards, targeting vulnerabilities such as XSS, SQL Injection, and insecure authentication mechanisms.
Utilized tools such as Burp Suite, Nmap, Metasploit, WebInspect, Fortify, and IBM AppScan to perform comprehensive security testing and vulnerability analysis.
Conducted static code analysis of application source code to identify insecure coding practices and logic flaws.
Assessed online applications for risks across categories including input validation, authentication, authorization, auditing, and logging.
Delivered security assessment results and remediation guidance to development teams and stakeholders.
Conducted onsite penetration tests from an insider threat perspective to simulate real-world attack vectors and assess internal security controls.
Actively supported the release management process, ensuring that all application changes underwent proper security assessment before deployment.
Proximo Tech Soft Private Limited — System Administrator
August 2012 – October 2013 · India
Configured, supported, and troubleshot network infrastructure including Cisco routers, switches, firewalls, wireless controllers, ACS, and ISE.
Built and maintained site-to-site VPNs for remote office and partner connectivity using Cisco Next-Generation Firewalls.
Installed and configured Cisco UCS, and provisioned ESXi hosts and virtual machines to support retail store operations.
Monitored QRadar SIEM for potential security violations, escalating issues to the Information Security team as necessary.
Collaborated with the cybersecurity team to build foundational knowledge in threat detection, vulnerability analysis, and risk remediation planning.
Responded to regional data center and store-level network outages, coordinating with service desks, ISPs, and on-site technicians to restore connectivity.
Automated routine administrative tasks using Bash shell scripting, improving system monitoring and deployment efficiency.
Evaluated system vulnerabilities, documented risks, and contributed to mitigation action plans for production environments.
Provided network and systems support for application rollouts and device onboarding; captured new connectivity requirements for expanding retail operations.
Participated in Wi-Fi upgrade projects, deploying and certifying over 1,000 Cisco wireless access points using AirMagnet tools.
Supported new store openings, renovations, and lifecycle refresh initiatives from an IT infrastructure standpoint.