Viraj Premaratne

I led a company-wide application security uplift by establishing a structured vulnerability management program across engineering repositories. I implemented SAST, SCA, and Infrastructure-as-Code scanning using Snyk, enabling consistent detection of code and dependency risks and improving visibility into security debt.

I also introduced governance for triage and remediation by categorizing findings and prioritizing client-facing/public endpoints first to reduce exposure and blast radius. I set up a clear workflow to assign issues to the proper engineering channels, track remediation progress, and improve closure predictability. I also coordinated periodic internal penetration testing to validate controls and uncover gaps not detected by automated tooling, and revamped the bug bounty process with defined SLAs, improved reporter communication, and clearer internal ownership to ensure timely, professional handling of inbound reports. Additionally, I complemented the program with developer security enablement, including secure coding training and practical guidelines for secure coding.

This project involved leading Testlio's ISO 27001:2022 certification program end-to-end, owning planning, execution, and audit readiness. I selected and implemented a compliance automation platform to reduce evidence-collection overhead and improve control traceability. I also designed and rolled out key controls across device management, asset inventory/registry, 3rd-party/vendor security management, operational security, and HR security (onboarding/offboarding).

I built and delivered security and privacy training for 200+ staff, increasing awareness and adoption of standardized processes, and partnered closely with the external audit team to ensure accurate scoping and evidence quality. I also drove remediation, so the final audit report reflected no unresolved high-severity issues. I also launched a trust center to strengthen customer confidence and support sales/prospect engagement, while institutionalizing policies, procedures, and governance to measurably elevate overall security maturity.

Conducted vulnerability research and responsible disclosure across multiple programs, contributing to real-world security improvements in production systems. Achieved quarterly Top 10 leaderboard ranking on Intigriti and maintained verified vulnerability submissions on HackerOne under my profile. Reported and validated impactful issues through coordinated disclosure, including identifying a critical vulnerability in a public-sector endpoint that was acknowledged by the Netherlands government. Demonstrated strong triage discipline, clear technical write-ups, and professional communication with security teams to drive timely remediation and measurable risk reduction.

I led the delivery of Sri Lanka's first commercial digital certificate-issuing platform, serving as both project manager and hands-on engineer. I owned the full lifecycle from RFP and stakeholder alignment through architecture, build, deployment, testing, and ongoing operations.

The project included implementing secure PKI certificate issuance and lifecycle processes on Microsoft Active Directory Certificate Services (AD CS), aligned to WebTrust principles for CA operations (governance, access control, auditing, and operational rigor). I also designed high availability with site-to-site replication and established a DR site, defining runbooks and conducting regular DR drills to validate recovery readiness. Additionally, I managed key lifecycle activities, including secure key ceremony coordination and controls to ensure integrity, continuity, and service availability.