Aseem Shrey, Developer in Bengaluru, Karnataka, India

Aseem Shrey

Verified Expert in Engineering

Vulnerability Assessment Developer

Location
Bengaluru, Karnataka, India
Toptal Member Since
October 17, 2022

Aseem enjoys building DevSecOps pipelines and setting up automation using Go, Python, Terraform, CI/CD pipelines, AWS Lambda, and Google Cloud Platform (GCP), among others. To effectively manage infrastructure security at scale, he often builds fault-tolerant systems and automatic failure detection in these systems. Aseem reviews code changes going to production for security issues and often engages in web app penetration testing.

Availability

Full-time

Preferred Environment

Python, Go, Kali Linux, Burp Suite, OWASP Top 10, OWASP Zed Attack Proxy (ZAP), Android, Web Security, Red Teaming

The most amazing...

...thing I’ve developed is a compliance-as-code framework that scanned the entire Google Cloud Platform (GCP) against CIS benchmarks.

Work Experience

Security Engineer

2022 - PRESENT
Self-employed (Working with Clients in the US and Europe)
  • Created a CVE bot issue tracker, clubbing similar issues based on the library and creating tickets on Jira for the same. Populated a CVE dashboard on Jira.
  • Created a Python program to monitor changes to production Amazon S3 (AWS S3) buckets. Auto-reverted any dangerous configurations. Used Amazon EventBridge and AWS Lambda.
  • Leveraged Trivy to automate container security in CI/CD pipelines. Gave the client real-time information on their security containers.
Technologies: Android, Linux, Web, Web App Security, Red Teaming, Burp Suite, IT Automation, Python, Go, Google Cloud Platform (GCP), Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, iOS, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, Risk Management, SaaS, DevOps, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, SIEM, Amazon Web Services (AWS), OpenID, Chef, Puppet, OAuth, Data Privacy, Privacy, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, DevSecOps, Secure Containers, Vanta, Information Security, Managed Security Service Providers (MSSP), Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Security, Endpoint Detection and Response (EDR), Cloud Infrastructure, YAML, Automation, Azure Cloud Security, GitHub Actions, Azure Cloud Services, Azure DevOps, SOC 2, CI/CD Pipelines, GitHub, Security Information and Event Management (SIEM), Shell Scripting, Code Review, Source Code Review

Black-box Pen Tester for Security Assessment

2024 - 2024
Association for the Advancement of Sustainability in Higher Education, Inc
  • Helped the client complete the black-box pentest with multiple roles for their web application. It was a web application with almost 20 different pages, four different roles, and access to critical data of their participating users.
  • Found one critical and a few high and medium bugs that helped the client save sensitive info of their participating users.
  • Advised the client on best measures and next steps to prevent these bugs in the future.
Technologies: Penetration Testing, IT Security, Security, Google Cloud Platform (GCP), Web Security, Automation

Vulnerability Assessment Engineer

2023 - 2023
Yahoo! - Paranoids (Cybersecurity) - India
  • Rewrote and optimized Python tooling for a vulnerability log management system. This was a cross-team project, where I worked with other teams in Paranoids (the security org in Yahoo).
  • Migrated old security systems which were responsible for handling billions of input data points. I, along with three other people, only had access to these systems. These helped the security monitoring team to stay on top of any incidents that happened.
  • Helped develop automation for StackStorm integration for wider adoption in the organization.
Technologies: Python, JavaScript, Amazon Web Services (AWS), DevOps, Infrastructure as Code (IaC), Vulnerability Management, Vulnerability Assessment, Kubernetes, CI/CD Pipelines, Docker Swarm, Amazon EKS, Amazon Virtual Private Cloud (VPC), Terraform, AWS CloudFormation, Information Security, Cybersecurity, Google Webmaster Tools, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Security, Cloud Infrastructure, YAML, Automation, GitHub Actions, Azure Cloud Services, Azure DevOps, GitHub, Shell Scripting, Code Review, Source Code Review

Security Engineer

2022 - 2023
Rippling
  • Worked in the SecInfra team and built security automations through code. Built the Vulnerability Management System (VMS) backed by JIRA for centralizing all our security findings and acting on them.
  • Built a product security automation as part of the assurance team. This was used for doing automated dynamic application security testing (DAST). It was a self-serve portal for developers to upload their Postman collection for scanning.
  • Worked with the ProdSec team and did threat modeling, code reviews, etc.
Technologies: Amazon Web Services (AWS), Terraform, Cloud Security, Threat Modeling, Automation, Web Security, Dynamic Application Security Testing (DAST), Web Application Firewall (WAF), Information Security, Cybersecurity, Google Webmaster Tools, Infrastructure Security, Network Architecture, Secure Access Service Edge (SASE), Endpoint Detection and Response (EDR), Cloud Infrastructure, YAML, Azure Cloud Security, Azure Cloud Services, SOC 2, CI/CD Pipelines, GitHub, SIEM, Shell Scripting, Product Security, Code Review, Source Code Review

Senior Information Security Engineer

2021 - 2022
Gojek
  • Built a Go framework to follow benchmarks and auto-remediation in Google Cloud. Optimized costs and real-time solutions.
  • Executed pen tests for any feature release in the Gojek web API back end and Gojek Android application.
  • Found critical vulnerabilities and escalated privileges to gain admin access to almost all Gojek infrastructure using a low-privileged 3rd-party account.
  • Initiated regular code reviews for any feature release in the Gojek API or mobile application.
  • Organized the first-ever security conference for Gojek. Included a Capture the Flag (CTF) competition and external and internal speakers over a span of two days.
  • Managed Bugcrowd program with hundreds of researchers.
Technologies: Python, Go, JavaScript, Figma, Dart, Google Cloud Platform (GCP), GitLab, GitLab CI/CD, Cybersecurity, Burp Suite, Web Security, Web App Security, Kali Linux, Red Teaming, Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Risk Management, SaaS, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, SIEM, Amazon Web Services (AWS), OpenID, Puppet, OAuth, Privacy, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Bugcrowd, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, DevSecOps, Information Security, Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Cloud Infrastructure, YAML, Automation, Azure Cloud Security, Azure Cloud Services, CI/CD Pipelines, GitHub, Shell Scripting, Code Review, Source Code Review

Security Engineer

2019 - 2021
Blinkit
  • Created an automated pipeline from scratch. Used Terraform to create DNS entries in Cloudflare and Amazon Route 53 with a failover option for easy switching to either of the DNS providers.
  • Created a GitHub bot with a shift-left intention, bringing security closer to the developer workflow. Scanned for security issues like hardcoded secrets. Set up modular code for easy addition by team members.
  • Integrated Vault with DB and GitHub so that users can generate temporary credentials for the database based on their GitHub team.
  • Worked with multiple teams to integrate Amazon Cognito with legacy APIs. Provided better authentication workflows with OAuth and OTP-based workflows.
  • Integrated an OAuth proxy for Google Workspace authentication and compliance with some of our internal applications.
  • Managed a self-hosted public bug bounty program, working with teams to close those findings and maintaining the SLA.
Technologies: Python, Go, GitHub API, HTML, JavaScript, React, Flutter, Dart, Terraform, Vault, Ansible, Cloudflare, Burp Suite, Web Security, Web App Security, Red Teaming, Security, Training, Jira, Confluence, IT Security, Security Testing, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Penetration Testing, OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, Risk Management, SaaS, DevOps, Scraping, Data Protection, Architecture, Data-level Security, Azure, Cloud Security, Amazon Web Services (AWS), OpenID, Chef, Puppet, OAuth, Intrusion Prevention Systems (IPS), AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Cloud Architecture, Security Architecture, DevSecOps, Information Security, Google Webmaster Tools, eCommerce, Infrastructure Security, Network Architecture, Cloud Infrastructure, YAML, Automation, SOC 2, CI/CD Pipelines, GitHub, Shell Scripting, Source Code Review

DevOps Intern

2018 - 2018
Innovaccer
  • Integrated health checks into applications whose metrics were further populated on Kibana dashboards for easy management of the services.
  • Tracked metrics and automated alarm systems from Kibana dashboards. Integrated Slack webhook for alerts in specific channels.
  • Created a generic Slackbot with a webhook for use by any team in the organization.
Technologies: Ansible, Automation, Jenkins, Authentication, Vulnerability Identification, Cloud, APIs, Cybersecurity, DevOps, Scraping, Architecture, Data-level Security, Azure, Cloud Security, Amazon Web Services (AWS), Chef, OAuth, AWS CloudFormation, AWS Lambda, Amazon API Gateway, API Gateways, Amazon S3 (AWS S3), Amazon RDS, Amazon Athena, Data Lakes, Database Security, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, Cloud Architecture, Security Architecture, DevSecOps, Information Security, Cloud Infrastructure, YAML, GitHub, Shell Scripting

Unified Payments Interface (UPI) Recon Command Line Interface (CLI)

https://github.com/LuD1161/upi-recon-cli
Developed a command line tool for reconnaissance using a virtual payment address. This tool leverages the openness available with the UPI platform to find:

1. The UPI ID and name associated with a mobile number
2. The UPI ID and name associated with a Gmail account
3. The UPI ID and name associated with a vehicle registration number.

I also made sure to leverage a UPI ID associated with a FASTag.

Automated Compliance as Code Framework

https://www.gojek.io/blog/compliance-as-code
Developed a Go framework (previously Python) to follow benchmarks and auto-remediation in Google Cloud. Optimized costs and real-time solutions.

This framework actively checked more than 350 active projects (excluding the sys- projects), covering more than 4,000 firewall rules and more than 1,000 storage buckets.

All the metrics of the scan were sent to the ELK stack and displayed with Kibana dashboards for easier metric-driven decisions.

I also created automated ticketing based on these checks; if there was a new finding, the framework created tickets on the respective team's Jira queue.

The framework is modular enough so that engineers can write their own checks and schedule them to run when the whole set of checks is run. Or they can mark it to run on only specific GCP projects too.

OmniSec App

Initially built as a React Native app and then translated to a Flutter app that I developed to supply daily security updates to all the app subscribers.

The database was built on Firebase and Cloud Functions to populate the database every 15 minutes. The front end was built on the Flutter framework.

It collected news articles from 30 sources (RSS feeds and web scraping) and collated a unique list of articles every 15 minutes.

Top CTF Player and Bug Bounty Researcher

https://aseemshrey.in/blog
I've been a CTF player and a world finalist three times in a row at NYU's CSAW CTF (India region). I've also been in the top five world finalists for NullCon CTF 2017, sponsored by VMWare and Walmart Labs.

Apart from CTFs, I have reported security bugs and have received similar awards from top companies like Google, Myntra, IBM, Sony, GM, MakeMyTrip, Zoho, etc.

Found a critical bug in the DigiLocker initiative by the Government of India (Hall of Fame - https://developers.digitallocker.gov.in/credits-community-contribution.html)

Ranked amongst the top ten in DRDO CTF organized by the Government of India (https://blog.mygov.in/result-announcement-of-drdo-cyber-challenge/#:~:text=Pushpender%20Yadav-,Aseem%20Shrey,-Abhishek%20Acharya).

DNS as Code

Created an automated pipeline from scratch using Terraform and Jenkins to create DNS entries in Cloudflare and Route53 with a failover option for easy switching to either of the DNS providers.
This helped our shift-left approach, reducing manual errors and improving the developer experience.

G-Shield Security Bot

Created from scratch a GitHub bot with the intention of shift-left, bringing security closer to the developer workflow. It scans each PR for common security issues like hardcoded secrets, code smells, vulnerable Docker images, sensitive mount points, etc. The code is modular; new modules have been easily added to it by other team members, e.g., a TFLint module.

GoSecCon - Security Conference Organizer [Evangelization]

https://www.gojek.io/blog/hacks-and-tips-to-deploy-ctfd-in-k8s
Organized the first-ever security conference of Gojek, which included a CTF competition plus external and internal speaker talks over a span of two days.
The CTF platform was hosted on Kubernetes and used CTFd as an open source CTF platform.

Challenges were created by myself and my teammates. This included web application challenges, digital forensic challenges, steganography challenges, vulnerable Android application challenges, etc.

Education

2015 - 2019

Bachelor's Degree in Computer Science

Indian Institute of Information Technology - Allahabad, India

2012 - 2014

Higher Secondary Diploma in Physics, Chemistry, Math

Delhi Public School - Delhi, India

Libraries/APIs

OpenID, GitHub API, React, Jira REST API

Tools

GitHub, Google Webmaster Tools, OWASP Zed Attack Proxy (ZAP), Terraform, Jira, Confluence, Chef, AWS CloudFormation, Amazon Athena, Vault, Ansible, Figma, GitLab, GitLab CI/CD, ELK (Elastic Stack), Jenkins, Celery, SonarQube, Google Kubernetes Engine (GKE), Puppet, Docker Swarm, Amazon EKS, Amazon Virtual Private Cloud (VPC)

Languages

Python, YAML, Go, HTML, JavaScript, Dart

Platforms

Kali Linux, Burp Suite, Azure, Amazon Web Services (AWS), AWS Lambda, Android, Google Cloud Platform (GCP), Vanta, Linux, Web, Firebase, Docker, Kubernetes, iOS

Paradigms

Automation, Penetration Testing, DevSecOps, Azure DevOps, DevOps, Continuous Integration (CI), Continuous Deployment

Industry Expertise

Cybersecurity

Storage

Amazon S3 (AWS S3), Azure Cloud Services, Data Lakes, Database Security

Frameworks

Flutter, React Native

Other

OWASP Top 10, Web Security, Ethical Hacking, Security, Training, IT Security, Security Testing, Static Application Security Testing (SAST), OWASP, Mobile Security, Authentication, Vulnerability Identification, Cloud, APIs, Risk Management, SaaS, Scraping, Data-level Security, Cloud Security, SIEM, OAuth, Intrusion Prevention Systems (IPS), Amazon API Gateway, API Gateways, Amazon RDS, Vulnerability Assessment, Security Analysis, Threat Modeling, Application Security, NIST, Identity & Access Management (IAM), Single Sign-on (SSO), Cloud Architecture, Security Architecture, CI/CD Pipelines, Information Security, Infrastructure Security, Endpoint Security, Cloud Infrastructure, Azure Cloud Security, GitHub Actions, SOC 2, Security Information and Event Management (SIEM), Shell Scripting, Code Review, Source Code Review, Red Teaming, Dynamic Application Security Testing (DAST), Data Protection, Architecture, Data Privacy, Privacy, Managed Security Service Providers (MSSP), eCommerce, Network Architecture, Endpoint Detection and Response (EDR), Networking, Web Development, Cloudflare, Design, Web App Security, English, Physics, IT Automation, Job Schedulers, Burp Proxy, Version Control Systems, Organization, Teamwork, Product Evangelism, Tech Conferences, Bugcrowd, Infrastructure as Code (IaC), Vulnerability Management, Web Application Firewall (WAF), Secure Containers, Secure Access Service Edge (SASE), Product Security
