SEETAIAH M
Senior Application Security Engineer | DevSecOps | Cloud Security (AWS/Azure) | Penetration Testing
Contact: 214-***-****
Email: ********.**@*****.***
PROFESSIONAL SUMMARY
Over 10 years of professional IT experience in Application Security Testing, particularly focused on performing technical activities such as code review, vulnerability analysis, penetration testing, secure application testing, SOC, DevSecOps, and IAM in multi-cloud environments, i.e. Azure and AWS.
•Proven expertise in performing SAST, DAST, SCA, API Security Testing, Threat Modeling, Red Teaming, and Secure Code Reviews for enterprise-scale web, mobile, and cloud-native applications.
•Expertise in Black Box and White Box penetration tests. Threat Modeling (TMT). Vulnerability Detection and Remediation.
•Hands-on experience exploring AI-driven security use cases, including securing LLM-based applications, AI-assisted vulnerability management, and integrating intelligent automation into DevSecOps workflows.
•Extensive experience working with Checkmarx, Fortify, Veracode, Nexus IQ, JFrog Xray, Qualys, IBM AppScan, Burp Suite Pro, Metasploit, Splunk, and SIEM platforms.
•Skilled in designing enterprise security strategies aligned with ISO 27001/27002, NIST, PCI-DSS, SOX, and CIS benchmarks.
•Adept at vulnerability risk analysis using CVSS, CWE, OWASP Top 10, and OWASP API Top 10 frameworks.
•Good understanding of Amazon Web Services (AWS) including VPC, ELB, IAM, KMS, EC2, Config, CloudTrail, CloudFormation, Lambda.
•Experience in REST/SOAP API Security Testing.
•Utilized dynamic and static analysis techniques to assess internal and third-party applications for security vulnerabilities.
•Performed Industry standard vulnerability severity and risk ranking using CWE, CVSS.
•Periodically review and update overall security strategy for the modernization program.
•Created security guidelines and security best practices for Java, .NET, C, C++ and AngularJS frameworks.
•Understand security requirements: areas of the application which deal with PII information, in consultation with the business user/client, and baseline the requirements.
•Reverse engineered third party applications and developed proof of concept exploits. Assist developers in remediation efforts.
•Static, Dynamic & Forensics analysis for Mobile based applications.
•Security incident handling, SIEM (ESEM) using RSA enVision/ArcSight products.
•Excellent exposure to database, VPN technologies, and firewalls.
•Understand network protocols TCP/IP, SSH, SSL, HTTP and HTTPS.
•Analyze a variety of network and host-based Security appliance logs (Firewalls, NIDS, HIDS, Sys Logs, etc.) to determine the correct remediation actions and escalation paths for each incident.
•Threat modeling the new features and design controls to ensure web & mobile applications are secured.
•Expertise in mobile application security assessment for Android and iOS platforms.
•Provide security proficiency in authentication, authorization, audit, secure storage, encryption, input validation, and secure databases communication.
•Review application architecture and make recommendations to improve the enterprise security posture. Integrate assessments with the SDLC and project management cycles.
•Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during penetration tests.
•Planning, implementing, maintaining, and updating security measures for maintaining the integrity of data.
•Vulnerability assessment includes analysis of bugs in various applications spread across various domains, using both manual and automation tools.
•Conducting regular security audits and recommending upgrades in hardware and software.
•Conducted secure code training for developers.
•Worked on exploiting the recognized vulnerabilities and performed software licensing audits.
•Perform periodic and on-demand system audits and vulnerability assessments, including user accounts, application access, file system and external web integrity scans, to determine compliance.
•Experience in the areas of security to provide clients with a balanced understanding of their technical security as well as the processes required to ensure a successful implementation.
•Good understanding of best-practice control frameworks such as COBIT, ISO, ITIL and PCI-DSS compliance.
•Insightful knowledge in Provisioning Operations and comfortable in interacting with multiple levels of organization, management and staff from different locations.
•Experienced in IAM governance across Active Directory, Azure AD, and AWS IAM, supporting least-privilege enforcement and access review processes.
•Possess experience on Data Loss Prevention systems, Endpoint Detection and Response, anti-virus endpoint security, disk encryption, ITIM, Windows Active Directory.
EDUCATION:
•Bachelor's in Mechanical Engineering, Vignan Institute of Technology, India
•Master's in Information Systems Security & Assurance
CERTIFICATIONS:
•Certified Information Security Consultant (In progress)
•Certified Ethical Hacker
•AWS Certified Security
•Certified API Security
TECHNICAL SKILLS:
Security Testing & Methodologies
Application Security, Secure SDLC, DevSecOps, Threat Modeling (STRIDE/DREAD), OWASP Top 10, OWASP API Top 10, SAST, DAST, SCA, API Security Testing, Mobile Security Testing, Cloud Security, Network Security, Red Teaming, Vulnerability Management, Risk Assessment, Malware Analysis
Security Tools
Checkmarx, Fortify, Veracode, Black Duck, Snyk, Burp Suite Pro, Qualys WAS, Nessus, IBM AppScan, HP WebInspect, Nexus IQ, JFrog Xray, Metasploit, Cobalt Strike, Nmap, Splunk, Wireshark, Rapid7 Nexpose, Kali Linux, Whitehat, ArcSight
Cloud & DevSecOps
AWS (EC2, VPC, IAM, KMS, Lambda, CloudTrail, Config, ELB, CloudFormation), Azure Security, CI/CD Security, SonarQube
Programming / Scripting
Python, Java, C++, HTML, Django, CSS, SQL, Shell Scripting
Compliance & Frameworks
ISO 27001/27002, NIST SP 800-53, CIS Benchmarks, PCI-DSS, MITRE ATT&CK, CVSS, CWE
Operating Systems
Windows Server, Linux (RedHat, Ubuntu, Kali), macOS
PROFESSIONAL EXPERIENCE:
Client: Vanguard, Plano, TX March 2024 - present
Role: Application Security/Penetration Tester
Responsibilities:
•Led application security architecture design for cloud-native microservices across AWS & Azure, improving overall security posture and compliance alignment.
•Worked closely with engineering teams to embed security into the development lifecycle, ensuring issues are identified and fixed early rather than post-deployment.
•Integrated SAST (Checkmarx), SCA (Nexus IQ, JFrog Xray), and DAST tools into CI/CD pipelines (GitHub Actions, Bitbucket), enabling shift-left security and automated vulnerability detection.
•Conducted secure code reviews and triaged SAST and OSS vulnerabilities.
•Performed security code reviews and created risk reports based on the criticality of the vulnerability.
•Evaluated security risks in AI/LLM-integrated applications, including prompt injection, data leakage, and insecure output handling.
•Conducting SAST, DAST, and SCA assessments and triaging vulnerabilities with development teams.
•Conducted API security testing using 42Crunch, aligning with OWASP API Top 10, identifying critical authentication and authorization flaws.
•Collaborated with application, network, and cyber security teams as a security champion to guide security strategy and remediation efforts.
•Developed Python-based automation tools to aggregate vulnerability data from SAST, SCA, and DAST platforms to improve vulnerability tracking and reporting.
•Used Wiz to scan Docker images and Kubernetes workloads for misconfigurations, exposed secrets, and overprivileged service accounts across Vanguard's cloud-hosted microservices, prioritizing findings by CVSS severity for remediation.
•Conducted threat modeling (STRIDE) for new features, ensuring proactive risk mitigation during the design phase.
•Performed Network and Web Application Penetration tests within the parameters defined by rules of engagement coordinated with the client.
•Provided detailed reports on the findings of network and application penetration tests including mitigation and remediation activities.
•Developed training materials for Strategic Security Online courses on the following subjects
•Responsible for internal Qualys WAS services and WhiteHat Security scans.
•Tools used: Qualys WAS, WhiteHat Security services.
•Worked on MITRE ATT&CK to strengthen the cyber defense and developed analytical techniques.
•Maintained the Strategic Security Online target lab network comprised of the following Operating Systems
•Explored AI-assisted approaches for vulnerability triage and security analysis to improve efficiency and reduce noise from tools.
•Analyze business requirements, convert them into technical needs, prepare budget, present solution and POC, and coordinate with concerned stakeholders.
•Assessed Kubernetes workloads for risks such as privileged containers, hostPath mounts, insecure capabilities, and namespace escape scenarios.
•Supported DevOps teams in integrating container security checks into CI/CD pipelines to prevent vulnerable images from reaching production.
•Compare different Security products & share report of POC to the management with suggested recommendation as per business needs.
Environment: AWS, Azure, GitHub Actions, Bitbucket, Checkmarx, Nexus IQ, JFrog Xray, Qualys WAS, WhiteHat, Wiz, Python, Linux, Windows Server, MITRE ATT&CK, OWASP, REST APIs
Client: Bank of America, Chicago, IL Feb 2022 - Feb 2024
Role: Sr. Cybersecurity Engineer
Responsibilities:
•Performed comprehensive penetration testing on critical financial applications, uncovering vulnerabilities that could impact sensitive customer data. Conducted white-box, gray-box, and black-box penetration testing.
•Identified potential abuse scenarios in AI-powered features and recommended safeguards to prevent misuse.
•Worked directly with development and infrastructure teams to explain risks in simple terms and drive timely remediation.
•Conducted secure code reviews and validated fixes to ensure vulnerabilities were properly addressed before release.
•Worked within the Vulnerability Management team under the Information Security department, supporting enterprise-wide vulnerability assessment and remediation governance across on-premises and AWS-hosted environments.
•Implemented infrastructure security controls across AWS and on-prem systems including IAM policies, RBAC, and logging enforcement.
•Encryption-at-rest and in-transit controls using AES-256 and TLS 1.2/1.3, aligned with NIST SP 800-57.
•Performed SAST using Fortify, Checkmarx, Veracode and validated remediation efforts.
•Provided occasional assistance with the development and maintenance of internal Red Team methodology, including a training program.
•Secure integration requirements documentation + project milestone tracking with senior stakeholders
•Scanned financial databases for Byte Security's clients for vulnerabilities based on RESTful architectures.
•Conducted white/gray box penetration testing on the financial systems using Kali Linux, Cobalt Strike.
•Combination of analysis, implementation and support.
•Distributed system troubleshooting — IAM policy misconfigurations and inter-service auth failures across multi-tier infrastructure
•Managed the cycle of project continuity, reviewed the technical work of the team, and ensured service deliverable.
•Performed SAST, DAST, and SCA analysis, validating and prioritizing vulnerabilities.
•Conducted end-to-end security reviews of containerized microservices environments using Docker and Kubernetes.
•Reviewed policies and acted as a subject matter expert on best practices. Verified SSL authentication for secure application development on web servers.
•Performed dynamic and static analysis of web applications using IBM AppScan. Analyzed systems for potential vulnerabilities that may result from improper system configuration, hardware or software flaws, or operational.
•Skilled in customer relations, business requirement gathering and threat modeling. Organized meetings and reviews.
•Reviewed security documentation and made recommendations. Assisted in conference call meetings with developers to mitigate vulnerability findings.
•Port scanned servers using Nmap and closed all unnecessary ports to reduce the attack surface.
•Worked with development teams to mitigate/remediate the issues identified through SAST. Risk assessment based on the assets/data classification.
•Performed security code reviews and created risk reports based on the criticality of the vulnerability.
•Provided project planning, guidance and technical expertise in program, policy, process, and planning; risk management, auditing, and assessments; A&A; and quality planning and control.
•Researched and analyzed known hacker methodology, system exploits and vulnerabilities to support Red Team Assessment activities
•Performed advanced security testing of F5 load balancers, Websense V10K & BlueCoat Proxies using virtual machines, security tools, and URL generator.
•Assisted with the update and administration of all SOX audit requirements from an IT internal controls perspective.
•Developed Python automation scripts to aggregate monthly security metrics from Checkmarx, Nexus IQ, Qualys and Wiz for executive reporting.
•Performed security compliance assessments for all IT infrastructures (firewalls, routers, IDS/IPS, DLP, Linux/Windows security hardening).
•Provided threat profiling of the application to the client and prepared combined reports of the level of risks, their trend, and frequency for the client.
•Conducted white/gray box penetration testing on the financial systems using Kali Linux and Cobalt Strike for OWASP Top 10 vulnerabilities like XSS, SQL Injection, CSRF, Privilege Escalation and all the test cases of web application security testing.
•Reviewed container networking, ingress controllers, and service mesh configurations to identify attack paths between microservices.
•Coordinated remediation tracking and vulnerability lifecycle management.
•Performed Splunk licensing updates by adding a new license under Admin and System and License Management.
Environment: Kali Linux, Cobalt Strike, Python, IBM AppScan, Fortify, Checkmarx, Veracode, Nmap, Splunk, F5, BlueCoat Proxy, Websense, Windows Server, Linux, SOX, OWASP, Financial Systems
Client: City National Bank, Los Angeles (Remote) Oct 2019 - July 2021
Role: Information Security Engineer
Responsibilities:
•Conducted end-to-end security assessments for web, mobile, and cloud applications, identifying and mitigating key risks before production.
•Performed security assessments and threat modeling of assets, including various blockchain protocols, smart contracts, and other distributed ledger technologies.
•Led manual penetration testing efforts, uncovering complex vulnerabilities that automated tools often miss.
•Key management best practices across AWS KMS and Azure Key Vault — rotation schedules, access policies, cryptographic standards
•Integrated application security controls into CI/CD pipelines using GitHub and Jenkins, enabling automated SAST, DAST, and SCA scanning.
•Partnered with software engineering teams to advise on code and infrastructure architecture to meet standards and regulations.
•Scanned web applications, networks, and systems using Nessus and provided the reports.
•Analyzed email attributes such as Headers and applied appropriate countermeasures to enhance email defense.
•End-to-end security integration project management — deliverables, documentation, and InfoSec leadership reporting
•Conducted advanced manual pen testing on components such as web, mobile (iOS & Android), and thick/fat client applications, identifying major and exploitable vulnerabilities.
•Distributed system troubleshooting — OAuth 2.0, SAML, and certificate-based auth failures across microservices
•Wrote professional and comprehensive reports to showcase found vulnerabilities, providing the client with clear insight and recommendations on how to improve their security posture.
•Performed technical scoping with the client to facilitate proper documentation for application scope and preparation for testing, improving the overall scope coverage and quality of testing.
•Led and mentored colleagues to ensure proper coverage of all test cases in manual and automated pen testing, maintaining the consistency of high-quality testing and deliverables.
•Provide cloud security master-level advice and mentorship related to all our activities, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) initiatives, projects, plans, and reviews, with a focus on Amazon Web Services (AWS) and Microsoft Azure.
•Participate in working groups of domain specialists for definition and review of security standards, guidelines, principles, governance, and controls.
•Performed malware analysis using IDA Pro, OllyDbg, WinDbg.
•Conducted security assessments of firewalls, routers, VPNs, BlueCoat Proxy, IDS/IPS and verified their compliance with internal and external security standards.
•Experience with ISO 27001/27002 certification for ISMS, Sarbanes-Oxley (SOX) compliance.
•Performed multiple levels of testing before production to ensure a smooth deployment cycle.
•Created generic scripts for testing and reusability.
•Performed security hardening for Linux, Windows, web servers, app servers and database servers in accordance with both internal and external standards (CIS Benchmarks, PCI-DSS, NIST, FFIEC, etc.).
•Facilitated technical scoping and client-facing security reporting.
Client: AUJAS Cyber Security, India May 2016 - Aug 2019
Role: Cybersecurity Analyst
Responsibilities:
•Responsible for conducting vulnerability assessment scans, assisting with penetration testing, exposing security vulnerabilities and risks, and recommending solutions to mitigate such vulnerabilities.
•Contributed to building and delivering services, solutions, and processes that enable security defects to be found, fixed, or avoided before applications are released to production.
•Identified security weaknesses and provided practical recommendations to reduce risk exposure.
•Conducted vulnerability assessment scans, exposing security vulnerabilities and risks and recommending solutions to mitigate such vulnerabilities.
•Guide security strategy through interaction with, and direction to when necessary, other teams in Information Security (e.g., network operations, Cyber).
•Aid team members with enhancement and enrichment of security monitoring tools with contextual information.
•Adhere to all policies and standards, as well as regulatory requirements regarding reporting and escalations.
•Demonstrated advanced operations with mastery of two or more of the following: attack surface management, Security Operations Center (SOC) operations, Intrusion Detection/Intrusion Prevention Systems (IDS/IPS), Security Information and Event Management (SIEM) use, threats (including Advanced Persistent Threat (APT), insider), vulnerabilities, and exploits; incident response, investigations and remediation.
•Conducted ethical hacking and exploitation activities and penetration testing.
•Introductory knowledge regarding security vulnerabilities, application analysis, and protocol analysis.
•Familiarity with classes of vulnerabilities, appropriate remediation, and industry-standard classification schemes (CVE, CVSS, CPE).
•Ensured compliance with regulatory reporting and escalation policies.
•Worked closely with risk officers and IT teams to mitigate vulnerabilities.