Aseem Shrey
Verified Expert in Engineering
Vulnerability Assessment Developer
Pittsburgh, PA, United States
Toptal member since October 17, 2022
Aseem enjoys building DevSecOps pipelines and setting up automation using Go, Python, Terraform, CI/CD pipelines, AWS Lambda, and Google Cloud Platform (GCP), among others. To effectively manage infrastructure security at scale, he often builds fault-tolerant systems and automatic failure detection in these systems. Aseem reviews code changes going to production for security issues and frequently engages in web app penetration testing.
Portfolio
Experience
Availability
Preferred Environment
Python, Go, Kali Linux, Burp Suite, OWASP Top 10, OWASP Zed Attack Proxy (ZAP), Android, Web Security, Red Teaming
The most amazing...
...thing I’ve developed is a compliance as code (CaC) framework that scanned the entire Google Cloud Platform (GCP) against CIS benchmarks.
Work Experience
Security Engineer
Self-employed (Working with Clients in the US and Europe)
- Created a CVE bot issue tracker, clubbing similar issues based on the library and creating tickets on Jira for the same. Populated a CVE dashboard on Jira.
- Created a Python program to monitor changes to production Amazon S3 (AWS S3) buckets. Auto-reverted any dangerous configurations. Used Amazon EventBridge and AWS Lambda.
- Leveraged Trivy to automate container security in CI/CD pipelines. Gave the client real-time information on their security containers.
Security Engineer
Relay Hawk, Inc.
- Found three critical bugs on the client's internal portal that was up for penetration testing.
- Helped improve the cloud security posture of the application.
- Developed good relations with the client and hence suggested some internal tooling improvements.
Black-box Pen Tester for Security Assessment
Association for the Advancement of Sustainability in Higher Education, Inc
- Helped the client complete the black-box pentest with multiple roles for their web application. It was a web application with almost 20 different pages, four different roles, and access to critical data of their participating users.
- Found one critical and a few high and medium bugs that helped the client save sensitive info of their participating users.
- Advised the client on best measures and next steps to prevent these bugs in the future.
Vulnerability Assessment Engineer
Yahoo! - Paranoids (Cybersecurity) - India
- Rewrote and optimized Python tooling for a vulnerability log management system. This was a cross team project, where I worked with other teams in Paranoids (security org in Yahoo).
- Migrated old security systems which was responsible for handling billions of input data points. I, along with three other people, only had access to these systems. These helped the security monitoring team to stay on top of any incidents that happened.
- Helped develop automation for StackStorm integration for wider adoption in the organization.
Security Engineer
Rippling
- Worked in the SecInfra team and built security automations through code. Built the Vulnerability Management System (VMS) backed by JIRA for centralizing all our security findings and enacting on them.
- Built a product security automation as part of the assurance team. This was used for doing automated dynamic application security testing (DAST). It was a self-serve portal for developers to upload their Postman collection for scanning.
- Worked with the ProdSec team and did threat modeling, code reviews, etc.
Senior Information Security Engineer
Gojek
- Built a Go framework to follow benchmarks and auto-remediation in Google Cloud. Optimized costs and real-time solutions.
- Executed pen tests for any feature release in the Gojek web API back end and Gojek Android application.
- Found critical vulnerabilities and escalated privileges to gain admin access to almost all Gojek infrastructure using a low-privileged 3rd-party account.
- Initiated regular code reviews for any feature release in the Gojek API or mobile application.
- Organized the first-ever security conference for Gojek. Included a Capture the Flag (CTF) competition and external and internal speakers over a span of two days.
- Managed Bugcrowd program with hundreds of researchers.
Security Engineer
Blinkit
- Created an automated pipeline from scratch. Used Terraform to create DNS entries in Cloudflare and Amazon Route 53 with a failover option for easy switching to either of the DNS providers.
- Created a GitHub bot with a shift-left intention, bringing security closer to the developer workflow. Scanned for security issues like hardcoded secrets. Set up modular code for easy addition by team members.
- Integrated Vault with DB and GitHub so that users can generate temporary credentials for the database based on their GitHub team.
- Worked with multiple teams to integrate Amazon Cognito with legacy APIs. Provided better authentication workflows with OAuth and OTP-based workflows.
- Integrated an OAuth proxy for Google Workspace authentication and compliance with some of our internal applications.
- Managed a self-hosted public bug bounty program, working with teams to close those findings and maintaining the SLA.
DevOps Intern
Innovaccer
- Integrated health checks into applications whose metrics were further populated on Kibana dashboards for easy management of the services.
- Tracked metrics and automated alarm systems from Kibana dashboards. Integrated Slack webhook for alerts in specific channels.
- Created a generic Slackbot with a webhook for use by any team in the organization.
Experience
Unified Payments Interface (UPI) Recon Command Line Interface (CLI)
https://github.com/LuD1161/upi-recon-cli1. The UPI ID and name associated with a mobile number
2. The UPI ID and name associated with a Gmail account
3. The UPI ID and name associated with a vehicle registration number.
I made sure that leverage a UPI ID associated with a FASTag.
Automated Compliance as Code Framework
https://www.gojek.io/blog/compliance-as-codeThis framework actively checked more than 350 active projects, excluding the sys- projects.
Firewall rules > 4000.
Storage buckets > 1000.
All the metrics of the scan were sent to the ELK stack and displayed with Kibana dashboards for easier metric-driven decisions.
I also created automated ticketing based on these checks; if there was a new finding, the framework created tickets on the respective team's Jira queue.
The framework is modular enough so that engineers can write their own checks and schedule them to run when the whole set of checks is run. Or they can mark it to run on only specific GCP projects too.
OmniSec App
The database was built on Firebase and Cloud Functions to populate the database every 15 minutes. The front end was built on the Flutter framework.
It collected news articles from 30 sources (RSS feeds and web scraping) and collated a unique list of articles every 15 minutes.
Top CTF Player and Bug Bounty Researcher
https://aseemshrey.in/blogApart from CTFs, I have reported security bugs and have received similar awards from top companies like Google, Myntra, IBM, Sony, GM, MakeMyTrip, Zoho, etc.
Found a critical bug in the DigiLocker initiative by the Government of India (Hall of Fame - https://developers.digitallocker.gov.in/credits-community-contribution.html)
Ranked amongst the top ten in DRDO CTF organized by the Government of India ( https://blog.mygov.in/result-announcement-of-drdo-cyber-challenge/#:~:text=Pushpender%20Yadav-,Aseem%20Shrey,-Abhishek%20Acharya).
DNS as Code
This helped our shift-left approach, reducing manual errors and improving the developer experience.
G-Shield Security Bot
GoSecCon - Security Conference Organizer [Evangelization]
https://www.gojek.io/blog/hacks-and-tips-to-deploy-ctfd-in-k8sThe CTF platform was hosted on Kubernetes and used CTFd as an open source CTF platform.
Challenges were created by myself and my teammates. This included web application challenges, digital forensic challenges, steganography challenges, vulnerable Android application challenges, etc.
Education
Bachelor's Degree in Computer Science
Indian Institute of Information Technology - Allahabad, India
Higher Secondary Diploma in Physics, Chemistry, Math
Delhi Public School - Delhi, India
Skills
Libraries/APIs
OpenID, GitHub API, React, Jira REST API
Tools
GitHub, Google Webmaster Tools, OWASP Zed Attack Proxy (ZAP), Terraform, Jira, Confluence, Chef, AWS CloudFormation, Amazon Athena, Vault, Ansible, Figma, GitLab, GitLab CI/CD, ELK (Elastic Stack), Jenkins, Celery, SonarQube, Google Kubernetes Engine (GKE), Puppet, Docker Swarm, Amazon EKS, Amazon Virtual Private Cloud (VPC)
Languages
Python, YAML, Go, HTML, JavaScript, Dart, SAML
Paradigms
Automation, Penetration Testing, DevSecOps, Azure DevOps, DevOps, Continuous Integration (CI), Continuous Deployment
Platforms
Kali Linux, Burp Suite, Azure, Amazon Web Services (AWS), AWS Lambda, Android, Google Cloud Platform (GCP), Vanta, Linux, Web, Firebase, Docker, Kubernetes, iOS, Bugcrowd
Industry Expertise
Cybersecurity
Storage
Amazon S3 (AWS S3), Azure Cloud Services, Data Lakes, Database Security
Frameworks
Flutter, React Native
Other
OWASP Top 10, Web Security, Ethical Hacking, Security, Training, IT Security, Security Testing, Static Application Security Testing (SAST), OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Risk Management, SaaS, Scraping, Data-level Security, Cloud Security, SIEM, OAuth, Intrusion Prevention Systems (IPS), Amazon API Gateway, API Gateways, Amazon RDS, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, CI/CD Pipelines, Information Security, Infrastructure Security, Endpoint Security, Cloud Infrastructure, Azure Cloud Security, GitHub Actions, SOC 2, Security Information and Event Management (SIEM), Shell Scripting, Code Review, Source Code Review, Red Teaming, Dynamic Application Security Testing (DAST), Data Protection, Architecture, Data Privacy, Privacy, Managed Security Service Providers (MSSP), eCommerce, Network Architecture, Endpoint Detection and Response (EDR), Networking, Web Development, Cloudflare, Design, Web App Security, English, Physics, IT Automation, Job Schedulers, Burp Proxy, Version Control Systems, Organization, Teamwork, Product Evangelism, Tech Conferences, Infrastructure as Code (IaC), Vulnerability Management, Web Application Firewall (WAF), Secure Containers, Secure Access Service Edge (SASE), Product Security, Integrated Development Environments (IDE), Host Based Security System (HBSS), OpenID Connect (OIDC), Cloud Platforms
How to Work with Toptal
Toptal matches you directly with global industry experts from our network in hours—not weeks or months.
Share your needs
Choose your talent
Start your risk-free talent trial
Top talent is in high demand.
Start hiring