Aseem is available for hire
Hire AseemAseem Shrey
Verified Expert in Engineering
Vulnerability Assessment Developer
Location
Bengaluru, Karnataka, India
Toptal Member Since
October 17, 2022
Aseem enjoys building DevSecOps pipelines and setting up automation using Go, Python, Terraform, CI/CD pipelines, AWS Lambda, and Google Cloud Platform (GCP), among others. To effectively manage infrastructure security at scale, he often builds fault-tolerant systems and automatic failure detection in these systems. Aseem reviews code changes going to production for security issues and often engages in web app penetration testing.
Application SecurityWeb SecuritySecuritySecurity ArchitectureSecurity TestingMobile SecurityAmazon API GatewayAmazon RDSCloud ArchitectureInformation SecurityCloud InfrastructureAuthenticationCloud SecurityNISTIdentity & Access Management (IAM)Vanta APIData PrivacySaaSInfrastructure SecurityVulnerability AssessmentCloudflarePenetration Testing
Portfolio
Self-employed (Working with Clients in the US and Europe)
Android, Linux, Web, Web App Security, Red Teaming, Burp Suite, IT Automation...
Association for the Advancement of Sustainability in Higher Education, Inc
Penetration Testing, IT Security, Security, Google Cloud Platform (GCP)...
Yahoo! - Paranoids (Cybersecurity) - India
Python, JavaScript, Amazon Web Services (AWS), DevOps...
Experience
Availability
Full-time
Preferred Environment
Python, Go, Kali Linux, Burp Suite, OWASP Top 10, OWASP Zed Attack Proxy (ZAP), Android, Web Security, Red Teaming
The most amazing...
...thing I’ve developed is a compliance-as-code framework that scanned the entire Google Cloud Platform (GCP) against CIS benchmarks.
Work Experience
Security Engineer
2022 - PRESENT
Self-employed (Working with Clients in the US and Europe)
- Created a CVE bot issue tracker, clubbing similar issues based on the library and creating tickets on Jira for the same. Populated a CVE dashboard on Jira.
- Created a Python program to monitor changes to production Amazon S3 (AWS S3) buckets. Auto-reverted any dangerous configurations. Used Amazon EventBridge and AWS Lambda.
- Leveraged Trivy to automate container security in CI/CD pipelines. Gave the client real-time information on their security containers.
Technologies: Android, Linux, Web, Web App Security, Red Teaming, Burp Suite, IT Automation, Python, Go, Google Cloud Platform (GCP), Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, iOS, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, Risk Management, SaaS, DevOps, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, SIEM, Amazon Web Services (AWS), OpenID, Chef, Puppet, OAuth, Data Privacy, Privacy, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, DevSecOps, Secure Containers, Vanta, Information Security, Managed Security Service Providers (MSSP), Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Security, Endpoint Detection and Response (EDR), Cloud Infrastructure, YAML, Automation, Azure Cloud Security, GitHub Actions, Azure Cloud Services, Azure DevOps, SOC 2
Black-box Pen Tester for Security Assessment
2024 - 2024
Association for the Advancement of Sustainability in Higher Education, Inc
- Helped the client complete the black-box pentest with multiple roles for their web application. It was a web application with almost 20 different pages, four different roles, and access to critical data of their participating users.
- Found one critical and a few high and medium bugs that helped the client save sensitive info of their participating users.
- Advised the client on best measures and next steps to prevent these bugs in the future.
Technologies: Penetration Testing, IT Security, Security, Google Cloud Platform (GCP), Web Security, Automation
Vulnerability Assessment Engineer
2023 - 2023
Yahoo! - Paranoids (Cybersecurity) - India
- Rewrote and optimized Python tooling for a vulnerability log management system. This was a cross team project, where I worked with other teams in Paranoids (security org in Yahoo).
- Migrated old security systems which was responsible for handling billions of input data points. I, along with three other people, only had access to these systems. These helped the security monitoring team to stay on top of any incidents that happened.
- Helped develop automation for StackStorm integration for wider adoption in the organization.
Technologies: Python, JavaScript, Amazon Web Services (AWS), DevOps, Infrastructure as Code (IaC), Vulnerability Management, Vulnerability Assessment, Kubernetes, CI/CD Pipelines, Docker Swarm, Amazon EKS, Amazon Virtual Private Cloud (VPC), Terraform, AWS CloudFormation, Information Security, Cybersecurity, Google Webmaster Tools, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Security, Cloud Infrastructure, YAML, Automation, GitHub Actions, Azure Cloud Services, Azure DevOps
Security Engineer
2022 - 2023
Rippling
- Worked in the SecInfra team and built security automations through code. Built the Vulnerability Management System (VMS) backed by JIRA for centralizing all our security findings and enacting on them.
- Built a product security automation as part of the assurance team. This was used for doing automated dynamic application security testing (DAST). It was a self-serve portal for developers to upload their Postman collection for scanning.
- Worked with the ProdSec team and did threat modeling, code reviews, etc.
Technologies: Amazon Web Services (AWS), Terraform, Cloud Security, Threat Modeling, Automation, Web Security, Dynamic Application Security Testing (DAST), Web Application Firewall (WAF), Information Security, Cybersecurity, Google Webmaster Tools, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Detection and Response (EDR), Cloud Infrastructure, YAML, Azure Cloud Security, Azure Cloud Services, SOC 2
Senior Information Security Engineer
2021 - 2022
Gojek
- Built a Go framework to follow benchmarks and auto-remediation in Google Cloud. Optimized costs and real-time solutions.
- Executed pen tests for any feature release in the Gojek web API back end and Gojek Android application.
- Found critical vulnerabilities and escalated privileges to gain admin access to almost all Gojek infrastructure using a low-privileged 3rd-party account.
- Initiated regular code reviews for any feature release in the Gojek API or mobile application.
- Organized the first-ever security conference for Gojek. Included a Capture the Flag (CTF) competition and external and internal speakers over a span of two days.
- Managed Bugcrowd program with hundreds of researchers.
Technologies: Python, Go, JavaScript, Figma, Dart, Google Cloud Platform (GCP), GitLab, GitLab CI/CD, Cybersecurity, Burp Suite, Web Security, Web App Security, Kali Linux, Red Teaming, Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Risk Management, SaaS, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, SIEM, Amazon Web Services (AWS), OpenID, Puppet, OAuth, Privacy, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Bugcrowd, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, DevSecOps, Information Security, Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Cloud Infrastructure, YAML, Automation, Azure Cloud Security, Azure Cloud Services
Security Engineer
2019 - 2021
Blinkit
- Created an automated pipeline from scratch. Used Terraform to create DNS entries in Cloudflare and Amazon Route 53 with a failover option for easy switching to either of the DNS providers.
- Created a GitHub bot with a shift-left intention, bringing security closer to the developer workflow. Scanned for security issues like hardcoded secrets. Set up modular code for easy addition by team members.
- Integrated Vault with DB and GitHub so that users can generate temporary credentials for the database based on their GitHub team.
- Worked with multiple teams to integrate Amazon Cognito with legacy APIs. Provided better authentication workflows with OAuth and OTP-based workflows.
- Integrated an OAuth proxy for Google Workspace authentication and compliance with some of our internal applications.
- Managed a self-hosted public bug bounty program, working with teams to close those findings and maintaining the SLA.
Technologies: Python, Go, GitHub API, HTML, JavaScript, React, Flutter, Dart, Terraform, Vault, Ansible, Cloudflare, Burp Suite, Web Security, Web App Security, Red Teaming, Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, Risk Management, SaaS, DevOps, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, Amazon Web Services (AWS), OpenID, Chef, Puppet, OAuth, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Cloud Architecture, Security Architecture, DevSecOps, Information Security, Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Cloud Infrastructure, YAML, Automation, SOC 2
DevOps Intern
2018 - 2018
Innovaccer
- Integrated health checks into applications whose metrics were further populated on Kibana dashboards for easy management of the services.
- Tracked metrics and automated alarm systems from Kibana dashboards. Integrated Slack webhook for alerts in specific channels.
- Created a generic Slackbot with a webhook for use by any team in the organization.
Technologies: Ansible, Automation, Jenkins, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, DevOps, Scraping, Architecture, Data-level Security, Azure, Cloud Security, Amazon Web Services (AWS), Chef, OAuth, AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, Cloud Architecture, Security Architecture, DevSecOps, Information Security, Cloud Infrastructure, YAML
Experience
Unified Payments Interface (UPI) Recon Command Line Interface (CLI)
https://github.com/LuD1161/upi-recon-cliDeveloped a command line tool for reconnaissance using a virtual payment address. This tool leverages the openness available with the UPI platform to find:
1. The UPI ID and name associated with a mobile number
2. The UPI ID and name associated with a Gmail account
3. The UPI ID and name associated with a vehicle registration number.
I made sure that leverage a UPI ID associated with a FASTag.
1. The UPI ID and name associated with a mobile number
2. The UPI ID and name associated with a Gmail account
3. The UPI ID and name associated with a vehicle registration number.
I made sure that leverage a UPI ID associated with a FASTag.
Automated Compliance as Code Framework
https://www.gojek.io/blog/compliance-as-codeDeveloped a Go framework (previously Python) to follow benchmarks and auto-remediation in Google Cloud. Optimized costs and real-time solutions.
This framework actively checked more than 350 active projects, excluding the sys- projects.
Firewall rules > 4000.
Storage buckets > 1000.
All the metrics of the scan were sent to the ELK stack and displayed with Kibana dashboards for easier metric-driven decisions.
I also created automated ticketing based on these checks; if there was a new finding, the framework created tickets on the respective team's Jira queue.
The framework is modular enough so that engineers can write their own checks and schedule them to run when the whole set of checks is run. Or they can mark it to run on only specific GCP projects too.
This framework actively checked more than 350 active projects, excluding the sys- projects.
Firewall rules > 4000.
Storage buckets > 1000.
All the metrics of the scan were sent to the ELK stack and displayed with Kibana dashboards for easier metric-driven decisions.
I also created automated ticketing based on these checks; if there was a new finding, the framework created tickets on the respective team's Jira queue.
The framework is modular enough so that engineers can write their own checks and schedule them to run when the whole set of checks is run. Or they can mark it to run on only specific GCP projects too.
OmniSec App
Initially built as a React Native app and then translated to a Flutter app that I developed to supply daily security updates to all the app subscribers.
The database was built on Firebase and Cloud Functions to populate the database every 15 minutes. The front end was built on the Flutter framework.
It collected news articles from 30 sources (RSS feeds and web scraping) and collated a unique list of articles every 15 minutes.
The database was built on Firebase and Cloud Functions to populate the database every 15 minutes. The front end was built on the Flutter framework.
It collected news articles from 30 sources (RSS feeds and web scraping) and collated a unique list of articles every 15 minutes.
Top CTF Player and Bug Bounty Researcher
https://aseemshrey.in/blogI've been a CTF player with world finalists three times in a row at NYU's CSAW CTF (India region). I've also been in the top five world finalists for NullCon CTF 2017, sponsored by VMWare and Walmart Labs.
Apart from CTFs, I have reported security bugs and have received similar awards from top companies like Google, Myntra, IBM, Sony, GM, MakeMyTrip, Zoho, etc.
Found a critical bug in the DigiLocker initiative by the Government of India (Hall of Fame - https://developers.digitallocker.gov.in/credits-community-contribution.html)
Ranked amongst the top ten in DRDO CTF organized by the Government of India ( https://blog.mygov.in/result-announcement-of-drdo-cyber-challenge/#:~:text=Pushpender%20Yadav-,Aseem%20Shrey,-Abhishek%20Acharya).
Apart from CTFs, I have reported security bugs and have received similar awards from top companies like Google, Myntra, IBM, Sony, GM, MakeMyTrip, Zoho, etc.
Found a critical bug in the DigiLocker initiative by the Government of India (Hall of Fame - https://developers.digitallocker.gov.in/credits-community-contribution.html)
Ranked amongst the top ten in DRDO CTF organized by the Government of India ( https://blog.mygov.in/result-announcement-of-drdo-cyber-challenge/#:~:text=Pushpender%20Yadav-,Aseem%20Shrey,-Abhishek%20Acharya).
DNS as Code
Created an automated pipeline from scratch using Terraform and Jenkins to create DNS entries in Cloudflare and Route53 with a failover option for easy switching to either of the DNS providers.
This helped our shift-left approach, reducing manual errors and improving the developer experience.
This helped our shift-left approach, reducing manual errors and improving the developer experience.
G-Shield Security Bot
Created from scratch a GitHub bot with the intention of shift-left, bringing security closer to the developer workflow. It scans each PR for common security issues like hardcoded secrets, code smells, vulnerable Docker images, sensitive mount points, etc. The code is modular; new modules have been easily added to it by other team members, e.g., a TFLint module.
GoSecCon - Security Conference Organizer [Evangelization]
https://www.gojek.io/blog/hacks-and-tips-to-deploy-ctfd-in-k8sOrganized the first-ever security conference of GoJek, which included a CTF competition + external and internal speaker talks over a span of two days.
The CTF platform was hosted on Kubernetes and used CTFd as an open source CTF platform.
Challenges were created by myself and my teammates. This included web application challenges, digital forensic challenges, steganography challenges, vulnerable Android application challenges, etc.
The CTF platform was hosted on Kubernetes and used CTFd as an open source CTF platform.
Challenges were created by myself and my teammates. This included web application challenges, digital forensic challenges, steganography challenges, vulnerable Android application challenges, etc.
Skills
Languages
Python, YAML, Go, HTML, JavaScript, Dart
Tools
Google Webmaster Tools, OWASP Zed Attack Proxy (ZAP), Terraform, Jira, Confluence, Chef, AWS CloudFormation, Amazon Athena, GitHub, Vault, Ansible, Figma, GitLab, GitLab CI/CD, ELK (Elastic Stack), Jenkins, Celery, SonarQube, Google Kubernetes Engine (GKE), Puppet, Docker Swarm, Amazon EKS, Amazon Virtual Private Cloud (VPC)
Paradigms
Automation, Penetration Testing, DevSecOps, Azure DevOps, DevOps, Continuous Integration (CI), Continuous Deployment
Platforms
Kali Linux, Burp Suite, Azure, Amazon Web Services (AWS), AWS Lambda, Android, Google Cloud Platform (GCP), Vanta, Linux, Web, Firebase, Docker, Kubernetes, iOS
Industry Expertise
Cybersecurity
Storage
Amazon S3 (AWS S3), Azure Cloud Services, Data Lakes, Database Security
Other
OWASP Top 10, Web Security, Ethical Hacking, Security, Training, IT Security, Security Testing, Static Application Security Testing (SAST), OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Risk Management, SaaS, Scraping, Data-level Security, Cloud Security, OAuth, Intrusion Prevention Systems (IPS), Amazon API Gateway, API Gateways, Amazon RDS, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, Information Security, Infrastructure Security, Endpoint Security, Cloud Infrastructure, Azure Cloud Security, GitHub Actions, SOC 2, Red Teaming, Dynamic Application Security Testing (DAST), Data Protection, Architecture, Data Privacy, Privacy, Managed Security Service Providers (MSSP), eCommerce, Network Architecture, Endpoint Detection and Response (EDR), Networking, Web Development, Cloudflare, Design, Web App Security, English, Physics, IT Automation, Job Schedulers, Burp Proxy, Version Control Systems, Organization, Teamwork, Product Evangelism, Tech Conferences, SIEM, Bugcrowd, Infrastructure as Code (IaC), Vulnerability Management, CI/CD Pipelines, Web Application Firewall (WAF), Secure Containers, Secure Access Service Edge (SASE)
Libraries/APIs
OpenID, GitHub API, React, Jira REST API
Frameworks
Flutter, React Native
Education
2015 - 2019
Bachelor's Degree in Computer Science
Indian Institute of Information Technology - Allahabad, India
2012 - 2014
Higher Secondary Diploma in Physics, Chemistry, Math
Delhi Public School - Delhi, India
Collaboration That Works
How to Work with Toptal
Toptal matches you directly with global industry experts from our network in hours—not weeks or months.
1
Share your needs
Discuss your requirements and refine your scope in a call with a Toptal domain expert.
2
Choose your talent
Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.
3
Start your risk-free talent trial
Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.
Top talent is in high demand.
Start hiring