Aseem Shrey, Developer in Bengaluru, Karnataka, India

Aseem Shrey

Verified Expert in Engineering

Vulnerability Assessment Developer

Location
Bengaluru, Karnataka, India
Toptal Member Since
October 17, 2022

Aseem likes building DevSecOps pipelines and setting up automation using Go, Python, Terraform, CI/CD pipelines, AWS Lambda, and Google Cloud Platform (GCP), among others. To manage large-scale infrastructure security effectively, he often builds fault-tolerant systems with automated failure detection into these systems. Aseem reviews code changes bound for production for security issues and frequently performs web application penetration testing.

Portfolio

Self-employed (working with clients in the US and Europe)
Android, Linux, Web, Web App Security, Red Teaming, Burp Suite, IT Automation...
Association for the Advancement of Sustainability in Higher Education
Penetration Testing, IT Security, Security, Google Cloud Platform (GCP)...
Yahoo! - Paranoids (Cybersecurity) - India
Python, JavaScript, Amazon Web Services (AWS), DevOps...

Experience

Availability

Full-time

Preferred Environment

Python, Go, Kali Linux, Burp Suite, OWASP Top 10, OWASP Zed Attack Proxy (ZAP), Android, Web Security, Red Teaming

The most amazing...

...thing I developed was a compliance-as-code framework that scans the entire Google Cloud Platform (GCP) against the CIS benchmarks.

Work Experience

Security Engineer

2022 - PRESENT
Self-employed (working with clients in the US and Europe)
  • Created a CVE bot issue tracker that handles similar issues based on the library involved and creates tickets on Jira for them. Populated a CVE dashboard on Jira.
  • Created a Python program to monitor changes to production Amazon S3 (AWS S3) buckets and automatically revert any dangerous configuration, using Amazon EventBridge and AWS Lambda.
  • Automated container security in the CI/CD pipeline using Trivy, giving the client real-time information about the security of their containers.
Technologies: Android, Linux, Web, Web App Security, Red Teaming, Burp Suite, IT Automation, Python, Go, Google Cloud Platform (GCP), Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, iOS, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, Risk Management, SaaS, DevOps, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, SIEM, Amazon Web Services (AWS), OpenID, Chef, Puppet, OAuth, Data Privacy, Privacy, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, DevSecOps, Secure Containers, Vanta, Information Security, Managed Security Service Providers (MSSP), Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Security, Endpoint Detection and Response (EDR), Cloud Infrastructure, YAML, Automation, Azure Cloud Security, GitHub Actions, Azure Cloud Services, Azure DevOps, SOC 2

Black-box Penetration Tester for Security Assessment

2024 - 2024
Association for the Advancement of Sustainability in Higher Education
  • Helped the client complete black-box testing of multiple roles in their web application. It was a web application with nearly 20 different pages and four different roles, holding critical data of participating users.
  • Found one critical bug and several high- and medium-severity bugs, helping the client protect the sensitive information of participating users.
  • Advised the client on the best measures and next steps to prevent these bugs.
Technologies: Penetration Testing, IT Security, Security, Google Cloud Platform (GCP), Web Security, Automation

Vulnerability Assessment Engineer

2023 - 2023
Yahoo! - Paranoids (Cybersecurity) - India
  • Rewrote and optimized a Python tool for a vulnerability log management system. This was a cross-team project in which I worked with other teams within the Paranoids (Yahoo's security organization).
  • Migrated legacy security systems responsible for processing billions of input data points. Only three other people and I had access to these systems. This helped the security monitoring team stay on top of any incidents that occurred.
  • Helped develop automation for StackStorm integrations so they could be adopted more widely across the organization.
Technologies: Python, JavaScript, Amazon Web Services (AWS), DevOps, Infrastructure as Code (IaC), Vulnerability Management, Vulnerability Assessment, Kubernetes, CI/CD Pipelines, Docker Swarm, Amazon EKS, Amazon Virtual Private Cloud (VPC), Terraform, AWS CloudFormation, Information Security, Cybersecurity, Google Webmaster Tools, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Security, Cloud Infrastructure, YAML, Automation, GitHub Actions, Azure Cloud Services, Azure DevOps

Security Engineer

2022 - 2023
Rippling
  • Worked on the SecInfra team, building security automation through code. Built a vulnerability management system (VMS) backed by JIRA to centralize all of our security findings and act on them.
  • Built product security automation as part of the Assurance team. This was used to perform automated dynamic application security testing (DAST). It is a self-service portal where developers upload their Postman collections for scanning.
  • Worked with the ProdSec team on threat modeling, code reviews, and more.
Technologies: Amazon Web Services (AWS), Terraform, Cloud Security, Threat Modeling, Automation, Web Security, Dynamic Application Security Testing (DAST), Web Application Firewall (WAF), Information Security, Cybersecurity, Google Webmaster Tools, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Detection and Response (EDR), Cloud Infrastructure, YAML, Azure Cloud Security, Azure Cloud Services, SOC 2

Senior Information Security Engineer

2021 - 2022
Gojek
  • Built a Go framework to enforce benchmarks and auto-remediate findings in Google Cloud. A cost-optimized, real-time solution.
  • Performed penetration testing on every feature release in the Gojek web API back end and the Gojek Android app.
  • Found critical vulnerabilities and escalated privileges, obtaining administrative access to almost all of Gojek's infrastructure from a low-privileged third-party account.
  • Initiated regular code reviews for every feature release in the Gojek API or mobile apps.
  • Organized Gojek's first security conference, including a two-day capture-the-flag (CTF) competition and external and internal talks.
  • Managed the Bugcrowd program with hundreds of researchers.
Technologies: Python, Go, JavaScript, Figma, Dart, Google Cloud Platform (GCP), GitLab, GitLab CI/CD, Cybersecurity, Burp Suite, Web Security, Web App Security, Kali Linux, Red Teaming, Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Risk Management, SaaS, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, SIEM, Amazon Web Services (AWS), OpenID, Puppet, OAuth, Privacy, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Bugcrowd, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, DevSecOps, Information Security, Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Cloud Infrastructure, YAML, Automation, Azure Cloud Security, Azure Cloud Services

Security Engineer

2019 - 2021
Blinkit
  • Created an automation pipeline from scratch, using Terraform to create DNS entries in Cloudflare and Amazon Route 53 with a failover option to switch easily to either DNS provider.
  • Created a shift-left GitHub bot to bring security closer to the developer workflow. It scans for security issues such as hard-coded secrets. Set up the code modularly so that team members could add to it easily.
  • Integrated Vault with databases and GitHub so that users could generate temporary database credentials based on their GitHub teams.
  • Worked with multiple teams to integrate Amazon Cognito with legacy APIs, providing better authentication workflows using OAuth- and OTP-based flows.
  • Integrated an OAuth proxy for Google Workspace authentication in front of some of our internal applications.
  • Managed a self-hosted public bug bounty program, working with the team to triage the findings and maintain SLAs.
Technologies: Python, Go, GitHub API, HTML, JavaScript, React, Flutter, Dart, Terraform, Vault, Ansible, Cloudflare, Burp Suite, Web Security, Web App Security, Red Teaming, Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, Risk Management, SaaS, DevOps, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, Amazon Web Services (AWS), OpenID, Chef, Puppet, OAuth, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Cloud Architecture, Security Architecture, DevSecOps, Information Security, Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Cloud Infrastructure, YAML, Automation, SOC 2

DevOps Intern

2018 - 2018
Innovaccer
  • Integrated health checks into applications; their metrics were then populated on Kibana dashboards for easier service management.
  • Tracked metrics on Kibana dashboards and built an automated alerting system. Integrated Slack webhooks for channel-specific alerts.
  • Created a generic Slackbot with webhooks for any team in the organization to use.
Technologies: Ansible, Automation, Jenkins, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, DevOps, Scraping, Architecture, Data-level Security, Azure, Cloud Security, Amazon Web Services (AWS), Chef, OAuth, AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, Cloud Architecture, Security Architecture, DevSecOps, Information Security, Cloud Infrastructure, YAML

Unified Payments Interface (UPI) Reconnaissance Command-line Interface (CLI)

http://github.com/LuD1161/upi-recon-cli
Developed a command-line tool for reconnaissance using virtual payment addresses. The tool leverages the openness of the UPI platform to discover:

1. UPI IDs and names associated with mobile numbers
2. UPI IDs and names associated with Gmail accounts
3. UPI IDs and names associated with vehicle registration numbers.

I also made sure to cover the UPI IDs associated with FASTag.

Automated Compliance-as-Code Framework

http://www.gojek.io/blog/compliance-as-code
Developed a Go framework (previously Python) to enforce benchmarks and auto-remediate findings in Google Cloud. A cost-optimized, real-time solution.

The framework actively checked more than 350 active projects, excluding sys- projects.

Firewall rules > 4000.
Storage buckets > 1000.

All metrics from the scans were sent to an ELK stack and displayed on Kibana dashboards to make metrics-driven decisions easier.

I also created automated ticketing based on these checks; if there was a new finding, the framework created a ticket in the respective team's Jira queue.

The framework is modular, so engineers can write their own checks and schedule them to run whenever the whole check set runs, or mark them to run only on specific GCP projects.

OmniSec App

Originally built as a React Native app and later converted to a Flutter app that I developed, providing daily security updates to all app subscribers.

The database is built on Firebase and Cloud Functions, which populate the database every 15 minutes. The front end is built on the Flutter framework.

It collects news articles from 30 sources (RSS feeds and web scraping) and curates a unique list of articles every 15 minutes.

Top CTF Player and Bug Bounty Researcher

http://aseemshrey.in/blog
I have been a CTF world finalist at the NYU CSAW CTF (India region) three times in a row. I also reached the world top-five finals at NullCon CTF 2017, sponsored by VMware and Walmart Labs.

Apart from CTFs, I have reported security vulnerabilities and received recognition from top companies such as Google, Myntra, IBM, Sony, GM, MakeMyTrip, Zoho, etc.

Found a critical bug in the Government of India's DigiLocker program (Hall of Fame: http://developers.digitallocker.gov.in/credits-community-contribution.html)

Ranked in the top ten in the DRDO CTF organized by the Government of India (http://blog.mygov.in/result-announcement-of-drdo-cyber-challenge/#:~:text=Pushpender%20yadav-,Aseem%20Shrey,-Abhishek%20Acharya).

DNS as Code

Created an automation pipeline from scratch using Terraform and Jenkins to create DNS entries in Cloudflare and Route 53, with a failover option to switch easily to either DNS provider.
This supported our shift-left approach, reducing manual errors and improving the developer experience.

G-Shield Security Bot

Created a GitHub bot from scratch with the goal of shifting left, bringing security closer to the developer workflow. It scans every PR for common security issues such as hard-coded secrets, code smells, vulnerable Docker images, sensitive mount points, etc. The code is modular; new modules have been easily added to it by other team members, e.g., a TFLint module.

GoSecCon - Security Conference Organizer [Evangelism]

http://www.gojek.io/blog/hacks-and-tips-to-deploy-ctfd-in-k8s
Organized GoJek's first security conference, consisting of a CTF competition plus two days of external and internal talks.
The CTF platform was hosted on Kubernetes and used CTFd, the open-source CTF platform.

The challenges were created by my teammates and me. They included web application challenges, digital forensics challenges, steganography challenges, vulnerable Android app challenges, etc.

Languages

Python, YAML, Go, HTML, JavaScript, Dart

Tools

Google Webmaster Tools, OWASP Zed Attack Proxy (ZAP), Terraform, Jira, Confluence, Chef, AWS CloudFormation, Amazon Athena, GitHub, Vault, Ansible, Figma, GitLab, GitLab CI/CD, ELK (Elastic Stack), Jenkins, Celery, SonarQube, Google Kubernetes Engine (GKE), Puppet, Docker Swarm, Amazon EKS, Amazon Virtual Private Cloud (VPC)

Paradigms

Automation, Penetration Testing, DevSecOps, Azure DevOps, DevOps, Continuous Integration (CI), Continuous Deployment

Platforms

Kali Linux, Burp Suite, Azure, Amazon Web Services (AWS), AWS Lambda, Android, Google Cloud Platform (GCP), Vanta, Linux, Web, Firebase, Docker, Kubernetes, iOS

Industry Expertise

Cybersecurity

Storage

Amazon S3 (AWS S3), Azure Cloud Services, Data Lakes, Database Security

Other

OWASP Top 10, Web Security, Ethical Hacking, Security, Training, IT Security, Security Testing, Static Application Security Testing (SAST), OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Risk Management, SaaS, Scraping, Data-level Security, Cloud Security, OAuth, Intrusion Prevention Systems (IPS), Amazon API Gateway, API Gateways, Amazon RDS, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, Information Security, Infrastructure Security, Endpoint Security, Cloud Infrastructure, Azure Cloud Security, GitHub Actions, SOC 2, Red Teaming, Dynamic Application Security Testing (DAST), Data Protection, Architecture, Data Privacy, Privacy, Managed Security Service Providers (MSSP), eCommerce, Network Architecture, Endpoint Detection and Response (EDR), Networking, Web Development, Cloudflare, Design, Web App Security, English, Physics, IT Automation, Job Schedulers, Burp Proxy, Version Control Systems, Organization, Teamwork, Product Evangelism, Tech Conferences, SIEM, Bugcrowd, Infrastructure as Code (IaC), Vulnerability Management, CI/CD Pipelines, Web Application Firewall (WAF), Secure Containers, Secure Access Service Edge (SASE)

Libraries/APIs

OpenID, GitHub API, React, Jira REST API

Frameworks

Flutter, React Native

2015 - 2019

Bachelor's Degree in Computer Science

Indian Institute of Information Technology - Allahabad, India

2012 - 2014

High School Diploma in Physics, Chemistry, and Mathematics

Delhi Public School - Delhi, India
