Arun is available for hire

Arun Pillai

Verified Expert in Engineering

DevSecOps Architect and Developer

Location

Dubai, United Arab Emirates

Toptal Member Since

December 1, 2022

Arun is a senior DevSecOps architect with 12 years of experience and a master's degree in IT. He has worked with government departments, banks, telecoms, healthcare companies, and small to medium-scale enterprises worldwide. Arun also has solid expertise in IT security consulting, focusing on DevSecOps, risk assessment, threat and vulnerability management, vulnerability assessment penetration testing, secure code review, security architecture review, and cloud security and migrations.

Portfolio

Standard Chartered Ventures - Furaha

Compliance, CISO, Amazon Web Services (AWS), Information Security...

Wipro

Security Architecture Review, Threat Modeling, Risk Assessment...

Accenture

Application Security, Technical Program Management, Security Orchestration...

Experience

Consulting - 11 years Risk Assessment - 10 years Security Architecture Review - 10 years Application Security - 10 years Security Architecture - 10 years DevSecOps - 8 years

Availability

Part-time

Preferred Environment

Azure DevOps Services, Threat Modeling, IT Security Architect, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), AZ-900, Microsoft

The most amazing...

...thing I've developed is an application security framework for a software service provider as part of an incident investigation security consulting engagement.

Work Experience

DevSecOps Expert

2023 - PRESENT

Standard Chartered Ventures - Furaha

Implemented CIS controls for greenfield fintech startups. Wrote policies, standards, and procedures. Defined, established, and operationalized SLA and KPIs.
Implemented security tooling into SDLC and AWS cloud. Performed DevSecOps integration with Lambda, AWS Security Hub, SNS topics, AWS Inspector, Jira, Jira ITSM, and Github advanced security and action scripts.
Defined, established, and operationalized security governance, risk, and compliance. Faced CIS control readiness audit with internal and external stakeholders.

Technologies: Compliance, CISO, Amazon Web Services (AWS), Information Security, Configuration Management, Cloud Security, Stakeholder Management, Risk Assessment, Cybersecurity, Application Security, IT Deployments, Security, DevSecOps, Threat Modeling, Risk & Compliance, IT Security Architect, IT Audits, Vulnerability Assessment, Python, Critical Security Controls (CIS Controls), Business Risk Assessment, Governance, Consulting, Security Design, CI/CD Pipelines, System Development Life Cycle (SDLC), Endpoint Detection and Response (EDR), Vulnerability Management, OWASP, Managed Security Service Providers (MSSP), Cloud, Security Advisory

Senior DevSecOps Architect

2019 - 2024

Wipro

Built DevSecOps service offerings and a go-to-market strategy, achieving the revenue target of $2 million for DevSecOps offerings in the first year of role out.
Defined, standardized, and operationalized DevSecOps solutions for customer demos, presale collaterals, and sales enablement to position DevSecOps offerings.
Developed Wipro's application security framework to conduct threat modeling, architecture reviews, and control definition.
Established and operationalized the penetration testing center of excellence (COE) for an energy and manufacturing customer account, moving toward freelance-based resourcing capabilities.
Created and published skill-specific training programs for DevSecOps and architecture COE to increase the organization's enterprise security architecture skills.

Technologies: Security Architecture Review, Threat Modeling, Risk Assessment, Static Application Security Testing (SAST), Software Composition Analysis (SCA), DevSecOps, Security Breach Consulting, SAMM, Consulting, Vulnerability Assessment, Architecture, NIST, Azure, IT Security, Vulnerability Identification, APIs, Cloud, Information Security, Software Development Lifecycle (SDLC), DevOps, Security, Authentication, SAML, Azure DevOps, CISSP, Cybersecurity, Single Sign-on (SSO), Microsoft Azure, Security Assessment, Security Software Development, Security Testing, Security Policies & Procedures, Security Audits, HIPAA Compliance, Veracode, Aqua Security, Vulkan, Avocado, WhiteSource, HP Fortify, Nexus, Checkmarx, IT Security Architect, Cloud Security, Stakeholder Management, Critical Security Controls (CIS Controls), Business Risk Assessment, Governance, Security Design, E-learning, CI/CD Pipelines, Endpoint Detection and Response (EDR), Endpoint Security, Vulnerability Management, OWASP, Managed Security Service Providers (MSSP), Security Advisory, Bash, Java

Security Manager

2018 - 2019

Accenture

Led end-to-end security architecture analysis, design, and implementation and ensured that the product fulfilled requirements, working with the solution integration architect, other project team members, and client stakeholders as needed.
Identified and proactively managed security-related project risks.
Worked with the customer and end users to define security technical and functional requirements.
Liaised with the client security team to understand and follow security procedures and fulfill required control measures.
Defined the security architecture, ensuring it met the business requirements and performance goals defined by the client's long-term direction.
Collaborated with other architects and leads to ensure that the security components, including security technology, operations, and management, were integrated as defined in the requirements.
Analyzed the capabilities and limitations of the security components.
Obtained stakeholder buy-in and relevant sign-offs for the security requirements design.
Functioned as an information security architect to implement various security solutions and controls for banks to meet legal and regulatory compliance in various areas, including its internal employee or user authentication strategy.
Implemented security solutions and controls for banks to meet regulatory compliance in security orchestration, automation, and response; internal security awareness and training programs; and the security risk remediation project: Duo Uplift.

Technologies: Application Security, Technical Program Management, Security Orchestration, Automation, and Response (SOAR), Security Architecture, Risk Assessment, Vulnerability Assessment, IT Security, Vulnerability Identification, Information Security, Threat Modeling, Software Development Lifecycle (SDLC), DevOps, Security, Authentication, Architecture, Single Sign-on (SSO), SAML, Duo, Azure DevOps, CISSP, Cybersecurity, Security Architecture Review, Enterprise Architecture, Security Assessment, Security Software Development, Security Testing, Consulting, Security Policies & Procedures, Security Audits, HIPAA Compliance, Veracode, HP Fortify, Nexus, Checkmarx, IT Security Architect, Risk & Compliance, Stakeholder Management, Critical Security Controls (CIS Controls), Business Risk Assessment, Governance, Security Design, Endpoint Security, Vulnerability Management, OWASP, Managed Security Service Providers (MSSP), Cloud, Security Advisory, Python, Java

IT Security Architect

2016 - 2018

Cognizant

Worked with project teams to define security requirements for new systems in line with the enterprise information security architecture.
Provided security design recommendations based on enterprise information security architecture and solution patterns.
Guided and assisted in the development of security standards for IT platforms in line with the information security architecture.
Maintained an up-to-date understanding of emerging information security architecture trends and applied new techniques to the principle's information security architecture.
Performed control reviews and system assessments to develop risk profiles for IT systems and evaluate the efficiency and effectiveness of the IT control environment.
Identified efficiency to improve the performance and responsiveness of the ITSSR information security architecture function.
Prepared and presented security design and architectural review reports to system owners, business units, and others.
Evaluated the principle's current software security posture and proposed mitigation and remediation plans to meet software security assurance requirements.
Translated technical security deficiencies into business risks understandable by business stakeholders to get buy-in for security investments.
Collaborated with the certification and accreditation team in building and designing the DevOps pipeline and designed and delivered an Azure Identity solution across the World Bank Group's IT estate.

Technologies: Application Security, Mobile Security, Web App Security, Azure Cloud Services, Security Architecture, Vulnerability Assessment, Architecture, IT Security, Vulnerability Identification, Information Security, Threat Modeling, Software Development Lifecycle (SDLC), Security, Authentication, SAML, Azure DevOps, CISSP, Azure, Microsoft Azure, Security Architecture Review, Enterprise Architecture, Security Assessment, Security Software Development, Security Testing, Consulting, Veracode, HP Fortify, Nexus, Checkmarx, IT Security Architect, RAPID, Stakeholder Management, Business Risk Assessment, Risk & Compliance, Security Design, CI/CD Pipelines, Ethical Hacking, Vulnerability Management, OWASP, JavaScript, Cloud, Security Advisory, Python, Bash, Java, ISO 27001

IT Security Project Manager

2012 - 2016

QAssure Technologies

Reported to the CEO and, depending on the project, managed up to eight resources to set up consulting and advisory services on the IT security practice.
Led the team in security activities like security and vulnerability assessments, penetration testing, and security audit for applications and infrastructure.
Managed the development of in-house security toolkits and products to offer IT security consulting services for end-users and partners.
Coordinated with partners on the client security leadership team in the development of their security strategies and solutions that align business priorities with technology options.
Created a proposal and statement-of-work write-up and conducted a technical demonstration for professional service opportunities to support presales and sales activities during the tender bidding process.
Conducted information security awareness training and workshops to build and grow the offshore team of security professionals, addressing change on the accounts.
Developed the roadmap for offering consulting and advisory services within the IT security business unit.
Devised strategies for building a reputation as an IT security service provider by teaming up with sales and top management.
Delivered the vulnerability management program for a government cloud.
Built a hardware-based hacking toolkit for point-of-sale penetration testing.

Technologies: Penetration Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Threat Modeling, Web Security, Python, Java, Vulnerability Assessment, Information Security, IT Audits, Software Development Lifecycle (SDLC), Security, Architecture, CISSP, Security Architecture Review, Enterprise Architecture, Security Assessment, Security Software Development, Security Testing, Consulting, HIPAA Compliance, Veracode, HP Fortify, Checkmarx, IT Security Architect, Nexus, RAPID, IT Deployments, Stakeholder Management, Business Risk Assessment, Risk & Compliance, Ethical Hacking, NIST, Vulnerability Management, OWASP, Security Advisory, Bash, ISO 27001

Experience

Security Architecture Review for Medical Devices

I conducted a security architecture review (SAR) for medical devices such as blood glucose meters. I also implemented a compliance-based reference architecture framework and consolidated the threat modeling, risk assessment, and SAR template and process. Additionally, I supported the FDA auditing and certification documentation.

Annual Risk Assessment and Remediation for GRC

I interviewed customer stakeholders from SaaS development, change management, IT engineering, IT operations, security, and HR. I then captured potential risks and discussed prevailing threats to lower the risk score. I published an initial draft with the risk score and associated mitigations and issued the final risk assessment report. I also supported the remediation and advise team on efforts and coordination.

Incident Investigation for Field Apps

I conducted an incident investigation for field applications by interviewing relevant stakeholders and vendor staff. I then performed incident data analysis and assessment data reviews and presented my assessment findings of the software assurance maturity model and recommended roadmaps. Additionally, I developed an education and guidance program and the SAR for field applications, operationalized the penetration testing and threat modeling services annually, and conducted the SAR for 30 applications. I also set up the SAR and penetration testing process, standard operating procedures, and metrics.

Schneider Electric SDLC Policy Creation

I performed the initial stakeholder interview and understood the lay of the land, analyzing prevailing policy standards and procedures. Also worked on the following:
• Preparing policy table of content.
• Writing the SDLC framework that aligns with security, quality, marketing, legal, DevSecOps, and development practices followed within the client organization.
• Publishing SDLC framework for R&D and digital transformation group.
• Presenting SDLC policy to Schneider stakeholders.

DevSecOps Assessment and Roadmap Implementation

I conducted an initial DevSecOps assessment, engaging C-level executives and leaders as well as:
• Presented initial Hypothesis from the initial discussion.
• Conducted data analysis based on artifacts shared in the interview notes.
• Presented AS-IS report and reconciled findings based on stakeholder feedback.
• Wrote final recommendations and roadmaps and presented them to respective stakeholders.
• Built DevSecOps Blueprint and Sample Reference Architecture.
• Created SOW for Phase-1 and Phase-2 implementations.
• Implemented the Roadmap.

CloudEra Risk Assessment

I interviewed Customer Stakeholders from SAAS Development, Change Management, IT Engineering, IT Operations, Security, and HR. Additionally, my work involved:
• Calculating capture potential risk and discussing the prevailing risk to lower risk score.
• Publishing the initial draft with the risk score and associated mitigations.
• Publishing the final risk assessment report.
• Supporting remediation and advising the team on remediation efforts and coordination.

Skillset

Tools

HP Fortify, Checkmarx, Azure DevOps Services

Paradigms

DevSecOps, Penetration Testing, DevOps, HIPAA Compliance, Security Software Development, Security Orchestration, Automation, and Response (SOAR), Azure DevOps

Platforms

Nexus, Azure, Duo, Microsoft, Amazon Web Services (AWS)

Industry Expertise

Security Advisory, Cybersecurity, E-learning, System Development Life Cycle (SDLC)

Other

Application Security, Static Application Security Testing (SAST), Web Security, Security Architecture, Dynamic Application Security Testing (DAST), Risk Assessment, Risk Management, Security Assessment, Security Management, Security Architecture Review, SAMM, Web App Security, Threat Modeling, Consulting, Veracode, Vulnerability Assessment, IT Security, Information Security, Certified Information Systems Security Professional, Software Development Lifecycle (SDLC), Security, CISSP, Security Policies & Procedures, Axioma Risk Monitor, Monitoring, IT Systems Engineering, CI/CD Pipelines, Ethical Hacking, Endpoint Detection and Response (EDR), Endpoint Security, Vulnerability Management, OWASP, Managed Security Service Providers (MSSP), Mobile Security, Information Technology Enabled Services (ITES), Security Testing, Support & Maintenance, Enterprise Architecture, TOGAF ADM, Software Composition Analysis (SCA), Security Breach Consulting, Cloud Security, ISO 27001, Governance, WhiteSource, Aqua Security, Architecture, NIST, Vulnerability Identification, APIs, Cloud, IT Audits, Authentication, Single Sign-on (SSO), Microsoft Azure, Security Audits, Risk, Information Technology, Risk & Compliance, IT, Controls, Critical Security Controls (CIS Controls), Identity & Access Management (IAM), Technical Program Management, Avocado, Business Risk Assessment, Compliance, Communication, AZ-900, Assets, Operations, IT Security Architect, CISO, Configuration Management, Stakeholder Management, IT Deployments, Security Design

Languages

Python, Java, SAML, RAPID, Bash, JavaScript

Frameworks

TOGAF

Libraries/APIs

Vulkan

Storage

Azure Cloud Services

Education

2022 - 2022

Progress Toward a Doctorate in IT Security

Swiss School of Business and Management Geneva - Geneva, Switzerland

2006 - 2009

Master's Degree in Information Technology

Sikkim Manipal University - Manipal, India

2001 - 2004

Bachelor's Degree in Software System

Bharathiar University - Coimbatore, Tamil Nadu, India

Certifications

MARCH 2023 - PRESENT

Microsoft Certified: Security Operations Analyst Associate

Microsoft

MARCH 2023 - PRESENT

Microsoft Certified: Information Protection Administrator Associate

Microsoft

JANUARY 2023 - PRESENT

Microsoft Certified: Security, Compliance, and Identity Fundamentals

Microsoft

DECEMBER 2022 - PRESENT

Microsoft Azure Fundamentals

Microsoft

APRIL 2019 - PRESENT

Certified in Risk and Information Systems Control

ISACA

DECEMBER 2017 - PRESENT

The Open Group Certified: TOGAF 9 Certified

The Open Group

JULY 2017 - PRESENT

Certified Information Systems Security Professional

(ISC)²

Collaboration That Works

How to Work with Toptal

Toptal matches you directly with global industry experts from our network in hours—not weeks or months.

Share your needs

Discuss your requirements and refine your scope in a call with a Toptal domain expert.

Choose your talent

Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.

Start your risk-free talent trial

Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.

Top talent is in high demand.

Start hiring