Rohit Salecha, Developer in Mumbai, Maharashtra, India

Rohit Salecha

Verified Expert in Engineering

Security Specialist and DevOps Developer

Mumbai, Maharashtra, India

Toptal member since May 14, 2021

Bio

Rohit is a technology geek who loves to explore anything that runs and understands binary. As a security engineer, he is passionate about learning technology's length, breadth, and depth. Being more on the defensive side, he has evangelized secure software development at various organizations for over a decade. He is driven by the "everything as code" mantra and firmly believes that the security team must strive towards making themselves irrelevant.

Portfolio

Hotstar
Team Management, Objectives & Key Results (OKRs), Jira, Planning...
Zynga
Amazon EKS, Amazon, Web Security, Cloud Security, GCP Security, Mobile Security
Claranet Cyber Security
Amazon EKS, Threat Modeling, Amazon Web Services (AWS), Azure

Experience

Availability

Full-time

Preferred Environment

Ubuntu, Slack, Burp Suite, Security, MacOS, Amazon Web Services (AWS), Amazon EKS, Kubernetes

The most amazing...

...project I've delivered entailed moving 100+ Linux-based VMs to AWS EKS and allowing access to the bash terminal on the browser through Apache Guacamole.

Work Experience

Engineering Manager

2022 - PRESENT
Hotstar
  • Handled a company-wide project to clean up and secure the secrets management solution (HashiCorp Vault).
  • Developed OKRs for the complete platform, infrastructure, and product security. Aligned sprints with the OKRs for the entire team.
  • Contributed to multiple engagements that impacted the entire organization's security, like solving secret management.
  • Worked with a team to solve real-world security problems like perimeter security.
Technologies: Team Management, Objectives & Key Results (OKRs), Jira, Planning, Amazon Web Services (AWS), Amazon EKS

Senior Engineering Manager

2023 - 2024
Zynga
  • Handled threat modeling for critical applications and identified cheat scenarios for games.
  • Managed a team of 5+ pen testers and groomed them to conduct penetration testing on games with high efficiency and coverage.
  • Performed red teaming on critical assets within Zynga to test the security controls.
Technologies: Amazon EKS, Amazon, Web Security, Cloud Security, GCP Security, Mobile Security

Security Architect

2021 - 2022
Claranet Cyber Security
  • Worked as a security architect for one of Claranet's premier clients, helping them to set up a product security team riding on the "Shift Left" paradigm.
  • Developed a broad and deep technical understanding of the client organization's applications, services, and architectures.
  • Supported and provided consultancy to development teams in DevSecOps, application security, and mobile security.
Technologies: Amazon EKS, Threat Modeling, Amazon Web Services (AWS), Azure

Associate Director

2016 - 2021
NotSoSecure
  • Moved 100+ VMs running on an ESX server to AWS EKS by dockerizing the underlying OS and its dependencies. The Bash shell was also exposed over the browser using Apache Guacamole, saving time and money while increasing flexibility.
  • Led the team in the development of a training called DevSecOps and taught people how to inject security into their DevOps pipelines. Created hands-on labs accessible right from the browser.
  • Led a team of specialists in performing threat modeling and secure architecture reviews for our clients.
Technologies: Kubernetes, Amazon EKS, Burp Suite, Bash, Python, Java, Team Management, Inspec, Ansible, DevSecOps, AWS Lambda, ELK (Elastic Stack), Jenkins, Penetration Testing, Secure Containers, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Continuous Integration (CI), Cloud Security, Continuous Delivery (CD), Jenkins Pipeline, Security, Web Security, Vagrant, Cloud, OWASP, OWASP Zed Attack Proxy (ZAP), OWASP Top 10, Kali Linux, Docker, CI/CD Pipelines, Threat Modeling, Cybersecurity, Amazon Web Services (AWS), DevOps Engineer, DevOps, GitHub

IT Security Specialist

2015 - 2016
Emirates NBD
  • Served as an internal information security consultant to the organization, ensuring proper information security clearance and compliance amid a constantly changing environment at the bank.
  • Oversaw risk assessment of new business initiatives (products, channels, solutions) across the bank from an information security and architecture perspective, ensuring involvement at every stage of the project/initiative lifecycle.
  • Performed third-party (vendor) assessments through RFP sessions helping to select the best vendor from a security and architecture perspective.
Technologies: Penetration Testing, Security, Web Security, Burp Suite, OWASP, OWASP Top 10, Kali Linux, Threat Modeling, Cybersecurity

IT Risk Advisory Consultant

2014 - 2015
EY
  • Performed vulnerability assessments and penetration testing for EY's clients in the telecommunications, media and entertainment, and technology domains.
  • Performed IT audits to ensure compliance with various regulatory standards and policies including SOX and TRAI.
  • Developed and reviewed the minimum baseline security standards for various technologies.
Technologies: SOX Compliance, Audits, Penetration Testing, Security, Web Security, OWASP, OWASP Top 10, Kali Linux, Burp Suite, Cybersecurity

Security Analyst

2012 - 2014
NII Consulting
  • Performed VAPT on web/mobile applications and servers for clients in the banking industry and advised them on security issues.
  • Conducted CSJD (Certified Secure Java Development) training for NII's and IIS's premier clients and the CSI (Computer Society of India) Mumbai Chapter.
  • Delivered security awareness training to the senior management of a major oil and gas corporation in India.
  • Single-handedly managed a 3-month engagement for a leading insurance company, performing secure code reviews and developing security guidelines for developers working with J2EE technology.
Technologies: VAPT, Penetration Testing, Mobile Security, Web Security, Security, OWASP, OWASP Top 10, Kali Linux, Burp Suite, Cybersecurity

Software Engineer

2010 - 2012
Mastek
  • Served as a full-stack developer in J2EE-Oracle technology with expertise in Spring, Apache Struts, JPA, Hibernate, MySQL, and Oracle.
  • Developed a suite of applications for the MHADA Lottery 2012 following secure coding best practices as advised by the security team over a period of 15 months.
  • Developed J2ME mobile applications for bus-tracking as part of a hackathon.
Technologies: Java, Android, Apache Struts, JPA, Security

Practical DevOps - The Lab

https://github.com/salecharohit/devops
This lab is for practicing your DevOps skills by tying together DevOps tools such as Jenkins, Docker, Ansible, Vagrant, and the ELK stack. The entire environment was built using Vagrant and VirtualBox and provisioned with Ansible as a completely automated setup. Local Git was used as the SCM and Jenkins as the CI/CD server to pull changes from the SCM, build and package the code, and then deploy it onto the staging and production servers. Staging and production servers run Docker, and Jenkins runs the Docker images for our application. Filebeat was deployed on the staging and production API servers to feed logs to Logstash; Logstash ships them to Elasticsearch, and Kibana is used to view them in real time. A simple Ubuntu machine stores the API and front-end build files to archive our builds.

Author of "Practical GitOps: Infrastructure Management Using Terraform, AWS, and GitHub Actions"

https://www.amazon.in/Practical-GitOps-Infrastructure-Management-Terraform/dp/1484286723
Infrastructure as Code (IaC) is gaining popularity and developers today are deploying their application environments through IaC tools to the cloud. However, it can become extremely difficult and time-consuming to manage the state of the infrastructure that has been deployed. This book will provide a complete walkthrough of deploying a Spring Boot application on AWS in multiple environments, such as production, staging, and development. Everything is orchestrated through GitHub Actions and executed through Terraform Cloud to monitor changes in the infrastructure and manage its state.

Training at Black Hat USA 2024

https://www.blackhat.com/us-24/training/schedule/#securing-the-four-cs-of-a-software-product-aws-edition-36609
Following a successful MVP demonstration, a startup recently obtained significant funding. As the next step involves a soft launch and swift market readiness, security poses a crucial challenge. The initial PoC lacks basic security standards needed for customer trust and compliance: secrets are strewn all across the code, everyone has admin privileges to AWS and Kubernetes, compute infrastructure is non-compliant, supply chain security is not considered, and only a basic web application pentest was conducted with very few findings.

This scenario inspired the creation of 'Securing 4C's of Software Product,' a specialized training program tailored to secure the core pillars of product security: Code, Container, Cluster, and Cloud.

Education

2005 - 2009

Bachelor of Engineering Degree in Electronics

University of Mumbai - Mumbai, India

Certifications

JUNE 2021 - JUNE 2024

AWS Certified DevOps Engineer – Professional

Amazon Web Services

MAY 2021 - MAY 2024

AWS Certified Developer Associate

AWS

DECEMBER 2020 - DECEMBER 2022

Certified Kubernetes Administrator

CNCF

JULY 2016 - PRESENT

CISSP

ISC2

OCTOBER 2014 - PRESENT

OSCP

Offensive Security

Libraries/APIs

Jenkins Pipeline

Tools

Vagrant, GitHub, Amazon EKS, Terraform, Ansible, Jenkins, ELK (Elastic Stack), OWASP Zed Attack Proxy (ZAP), AWS IAM, NMap, NGINX, AWS ELB, Jira, GCP Security

Paradigms

DevSecOps, DevOps, Penetration Testing, Continuous Delivery (CD), Continuous Integration (CI), Objectives & Key Results (OKRs)

Platforms

Windows, Kali Linux, Burp Suite, Ubuntu, Kubernetes, Docker, Amazon Web Services (AWS), AWS Lambda, Android, DigitalOcean, Azure, MacOS, Amazon

Industry Expertise

Cybersecurity

Languages

Java, Bash, Python

Storage

Inspec

Frameworks

Apache Struts, JPA

Other

VAPT, Web Security, IT Security, Security, Dynamic Application Security Testing (DAST), OWASP, OWASP Top 10, Threat Modeling, Windows Subsystem for Linux (WSL), Team Management, Static Application Security Testing (SAST), Secure Containers, Audits, Mobile Security, CI/CD Pipelines, Cloud, DevOps Engineer, GitHub Actions, AWS Certified DevOps Engineer, AWS DevOps, SOX Compliance, Cloud Security, GitOps, Planning, Semgrep, Kyverno, opa
