Varun Om Khosla, Developer in New Delhi, Delhi, India

Varun Om Khosla

Verified Expert in Engineering

Software Architect and Full-stack Developer

New Delhi, Delhi, India
Toptal Member Since
June 17, 2022

Varun is a software architect and full-stack developer with over 14 years of experience developing products primarily on the .NET platform. He's a self-starter who built and sold his first software at 20. His previous employers include Microsoft, and he's worked for clients like the government of Singapore, LexisNexis, E&Y, Nokia, and Forge Trust. Varun creates value for the business by conceptualizing and building innovative, accessible, secure, efficient, and user-friendly solutions.






Preferred Environment

Windows, Visual Studio, Git, AutoHotkey, SQL Server 2016, Azure, ASP.NET, JavaScript, C#

The most amazing...

...thing I've developed is ASPSecurityKit, the only zero-trust security framework for .NET, securing over $13 billion in assets and 1.3 million investor accounts.

Work Experience

Chief Architect, Lead Developer, Product Manager

2013 - PRESENT
Khosla Tech Private Limited
  • Conceptualized, architected, and led the development of ASPSecurityKit from version 1 to version 3. It became the company's main product, generating over $2 million in revenue from associated product sales and consultancy services.
  • Implemented projects in cryptocurrencies, including a multi-currency escrow for a classified marketplace, document proofing, blockchain monitoring, and more, thereby opening up a new service category for the organization and increasing its revenue.
  • Hired technical talent from my personal network and maintained healthy relationships with clients.
  • Led the development of multiple products from scratch and oversaw their successful launch, with good coverage on forums such as Hacker News and LinkedIn.
Technologies: C#, .NET, Authorization, ASP.NET, SQL Server 2016, NuGet, New Products, JavaScript, Git, Bitbucket, Entity Framework, Zero Trust, REST APIs, Technical Writing, Windows Forms (WinForms), Hugo, Azure, OAuth 2, Dogecoin, Amazon EC2, Amazon RDS, Azure App Service, Azure Storage, Azure SQL, Azure Active Directory, Azure Functions, OWASP, HMAC, MySQL, ASP.NET MVC, AngularJS, Xamarin, SQLite, Redis, Unit Testing, Algorithms, API Testing, Jira, Visual Studio, Regular Expressions, Payment APIs, Email APIs, APIs, Blockchain, BitClout, Bitcoin, Code Review, Team Mentoring, Product Design, SQL, .NET Core, ADO.NET, HTML

API Investment Platform Chief Security Architect

2015 - 2020
Forge Trust
  • Architected and implemented a zero-trust security subsystem based on ASPSecurityKit with various options for authentication, authorization (multitenancy/multi-user), 2FA, and suspension. It secures over 1.3 million investor accounts with $13+ billion assets.
  • Designed and developed activity tracking, new device access detection and notification, and similar security monitoring features.
  • Led the incident detection and response team and prepared reports of intrusion attempts successfully blocked by the security subsystem.
  • Used tools like Jira for sprints and bug management, GitLab for code reviews or source management, and Confluence for technical and business documents.
  • Wrote technical articles on various security topics, such as an HMAC design guide, guidelines for sharing sensitive information, authentication schemes, incident investigation and report preparation, user and team management, 2FA, impersonation, and XSS.
  • Designed subscription plan-based dynamic access to documents, including API references and articles, on the developer portal, and wrote a tool to package articles based on dynamic access.
  • Supervised an independent penetration test by BHIS and participated in preparing security audit documents required by partners.
Technologies: C#, Azure, AngularJS, ServiceStack, OAuth 2, HMAC, APIs, Microsoft SQL Server, ASPSecurityKit, Zero Trust, SpecFlow, Unit Testing, Integration Testing, API Testing, JavaScript, GitLab, TeamCity, ASP.NET, Jira, Confluence, Web Security, Incident Response, Redis, Authorization, Two-factor Authentication (2FA), Shaolinq, Kibana, Technical Writing, Team Mentoring, Code Review, SQL, ADO.NET, .NET

Associate Consultant

2011 - 2016
  • Implemented the core framework components (DAL, caching, logging, and exceptions) of the new provident fund web platform built for the Singapore Central Provident Fund (CPF), a government agency, and used by millions of Singapore's citizens.
  • Provided expert technical guidance and solutions to hard technical problems and promoted best practices within the teams.
  • Was selected as an Azure architect for the prestigious partner enterprise architect team (PEAT), a global team under EPG that helps ISVs and service partners win deals by providing fast, expert architectural and solution guidance for Azure, O365, etc.
  • Worked with clients like Nokia, Singapore's CPF, Ernst & Young, LexisNexis, and others to deliver projects worth hundreds of millions of dollars.
  • Received the Best Consultant award for excellent performance at Ernst & Young and the Ability award at Redmond for creating an accessibility plugin for Outlook.
Technologies: C#, .NET, Microsoft SQL Server, Unit Testing, Framework Design, Automation, Windows Forms (WinForms), Exchange SDK, Cloud Architecture, Azure, Stored Procedure, TFS, Outlook Add-ons, Agile, Kendo UI, T-SQL (Transact-SQL), JavaScript, ADO.NET, ASP.NET MVC, ASP.NET Web Forms, Single Sign-on (SSO), Office API

ASPSecurityKit | The Only Zero-trust Security Framework for .NET Web Apps
ASPSecurityKit (ASK) enables developers without prior security experience to rapidly build secure web apps or APIs based on the zero-trust principle by automating several key checks. This proven framework secures a financial platform, ISCP, with more than 1.3 million accounts and over $13 billion in assets. On this project, I did the following:

• Conceptualized, architected, and led the entire development from version 1 to version 3 from scratch, including the core library, source packages, API docs, licensing infrastructure, and more.
• Wrote several articles, including all product docs, the zero-trust whitepaper, security guides, and the zero-trust thinking series.
• Implemented a unique UI-based NuGet tool to install source packages and generate trial or license keys.
• Cleverly used preprocessor directives in all types of files to reuse the same source code to build source packages targeting different frameworks and plans. Also, I wrote a guided source package builder.
• Wrote a guided NuGet package builder to build and deploy new test or production releases of the ASK library packages on NuGet, saving considerable time in testing and pushing new releases.

Investor Services Cloud Platform (ISCP)
A team spread across the US, Europe, and India built it to provide modern APIs and portals for retirement planning/investment. It manages over 1.3 million investors' accounts and over $13 billion in financial assets. As the chief architect, I designed and implemented the security subsystem based on ASPSecurityKit. The features implemented include:

• Authentication, including schemes such as OAuth, Azure AD, and HMAC, and tokens such as API keys, user sessions, feature tokens, and dynamic client tokens.
• Two-factor authentication (2FA) enforcement depending on user role and network-based exclusions.
• Granular record-level activity resource authorization and automatic output data filtering with reverse authorization.
• User verification and IP firewall for API keys and user sessions.
• Entity-hierarchy and rule-based suspension.

Additionally, I designed security monitoring features like activity tracking and suspicious access, dynamic developer docs for API reference, and articles based on the subscribed plan, user/team management, onboarding workflows, generic data caching, etc. Finally, I led the incident detection and response team, prepared reports of intrusion attempts, mentored the team, and wrote articles on security.
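The HMAC scheme listed among the ISCP authentication options above is the kind of API-key authentication the profile refers to elsewhere (HMAC design guide, HMAC in the skills list). As an added illustration, and not ASPSecurityKit's or ISCP's code, the following C# (.NET 6 or later) shows the checks a practitioner expects from such a scheme: a canonical string that binds method, path, timestamp, nonce, and a body hash; a freshness window; a constant-time signature comparison; and a nonce replay cache. The key id, secret, path, and request body are constructed for the example, and the in-memory key store and nonce cache are hypothetical stand-ins for whatever a real service uses.

```csharp
// Added example, not ASPSecurityKit or ISCP code: HMAC-SHA256 API-key request
// authentication with a freshness window, constant-time comparison and a nonce
// replay cache. Requires .NET 6 or later. Key id, secret, path and body are
// constructed for illustration.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public static class HmacRequestAuth
{
    // Hypothetical key store: API key id -> shared secret. Secrets stay server-side;
    // only the key id travels in the request.
    static readonly ConcurrentDictionary<string, byte[]> Secrets = new();
    // Nonces accepted inside the freshness window; entries older than MaxSkew can be evicted.
    static readonly ConcurrentDictionary<string, DateTimeOffset> SeenNonces = new();
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);

    public static void RegisterKey(string keyId, string secret) =>
        Secrets[keyId] = Encoding.UTF8.GetBytes(secret);

    // The canonical string binds method, path, timestamp, nonce and a body hash,
    // so changing any of them invalidates the signature.
    static string Canonical(string method, string path, long ts, string nonce, string body)
    {
        var bodyHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(body ?? "")));
        return $"{method.ToUpperInvariant()}\n{path}\n{ts}\n{nonce}\n{bodyHash}";
    }

    // Client side: build the Authorization header value.
    public static string Sign(string keyId, string secret, string method, string path,
                              long ts, string nonce, string body)
    {
        var mac = HMACSHA256.HashData(Encoding.UTF8.GetBytes(secret),
            Encoding.UTF8.GetBytes(Canonical(method, path, ts, nonce, body)));
        return $"HMAC keyId={keyId},ts={ts},nonce={nonce},sig={Convert.ToBase64String(mac)}";
    }

    // Server side: returns null when the request is authentic, otherwise the reason it was rejected.
    public static string Verify(string header, string method, string path, string body, DateTimeOffset now)
    {
        if (header is null || !header.StartsWith("HMAC ")) return "missing or malformed header";
        string keyId = null, nonce = null, sig = null; long ts = 0;
        foreach (var part in header.Substring(5).Split(','))
        {
            var kv = part.Split('=', 2);           // base64 padding '=' stays inside the value
            if (kv.Length != 2) return "malformed parameter";
            switch (kv[0].Trim())
            {
                case "keyId": keyId = kv[1]; break;
                case "ts": if (!long.TryParse(kv[1], out ts)) return "bad timestamp"; break;
                case "nonce": nonce = kv[1]; break;
                case "sig": sig = kv[1]; break;
            }
        }
        if (keyId is null || nonce is null || sig is null) return "missing parameter";
        if (!Secrets.TryGetValue(keyId, out var secret)) return "unknown key";

        // Freshness: reject anything more than MaxSkew away from server time.
        DateTimeOffset sent;
        try { sent = DateTimeOffset.FromUnixTimeSeconds(ts); }
        catch (ArgumentOutOfRangeException) { return "bad timestamp"; }
        if ((now - sent).Duration() > MaxSkew) return "timestamp outside window";

        byte[] provided;
        try { provided = Convert.FromBase64String(sig); }
        catch (FormatException) { return "bad signature encoding"; }
        var expected = HMACSHA256.HashData(secret,
            Encoding.UTF8.GetBytes(Canonical(method, path, ts, nonce, body)));
        // Constant-time comparison so a partial match does not leak through timing.
        if (!CryptographicOperations.FixedTimeEquals(expected, provided)) return "signature mismatch";

        // Replay check runs last, so only correctly signed requests can populate the cache.
        if (!SeenNonces.TryAdd($"{keyId}:{nonce}", now)) return "replayed nonce";
        return null;
    }
}

public static class Demo
{
    public static void Main()
    {
        const string keyId = "ak_demo", secret = "constructed-shared-secret"; // constructed values
        HmacRequestAuth.RegisterKey(keyId, secret);
        var now = DateTimeOffset.UtcNow;
        var body = "{\"amount\":100,\"to\":\"acct-42\"}";
        var header = HmacRequestAuth.Sign(keyId, secret, "POST", "/v1/transfers",
                                          now.ToUnixTimeSeconds(), "nonce-1", body);

        string Check(string label, string result) => $"{label}: {result ?? "accepted"}";
        Console.WriteLine(Check("fresh request", HmacRequestAuth.Verify(header, "POST", "/v1/transfers", body, now)));
        Console.WriteLine(Check("same header again", HmacRequestAuth.Verify(header, "POST", "/v1/transfers", body, now)));
        Console.WriteLine(Check("tampered body", HmacRequestAuth.Verify(header, "POST", "/v1/transfers", body.Replace("100", "999"), now)));
        Console.WriteLine(Check("ten minutes later", HmacRequestAuth.Verify(header, "POST", "/v1/transfers", body, now.AddMinutes(10))));
    }
}
```

Two ordering choices matter here. The timestamp check precedes the HMAC computation so stale or garbage requests are cheap to reject, and the nonce check comes after signature verification so an unauthenticated client cannot fill the replay cache. Because a timestamp outside the window is always rejected, the cache only has to remember nonces for the length of the window.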

Gluco

Developed as a SaaS for Indian healthcare practitioners, Gluco enables medical establishments of all sizes to efficiently manage walk-in and pre-booked appointments in a unified smart queue, with real-time position changes delivered to patient mobiles and a smart digital display in the clinic. It also securely records and shares prescription data with colleagues and patients, powered by ASPSecurityKit, using an intuitive mobile app that works on an offline-first model.

I conceptualized, architected, and led the development from scratch while managing two senior developers and a QA. I wrote the web services using ServiceStack and the web front end as an Angular SPA, and designed and implemented the granular, property-based sync framework, based on a JSON format for prescription data, at both the web services and the Xamarin mobile app. Additionally, I designed and implemented an efficient algorithm to sync patient queue positions across multiple devices managing queues simultaneously, at both the web services and the Xamarin mobile app, solved reliability issues with the mobile app's SQLite, and implemented an efficient auto-suggestion data miner and service back end on Azure Table storage. Finally, I wrote the narration scripts for the demo videos.

CloudAlarm

CloudAlarm provides alerts based on budgeted spend pace and on new resource creation, which notify you much faster and more clearly when cloud consumption breaches the expected budget than the threshold-based alerts of Azure cost management do. Powered by ASPSecurityKit, CloudAlarm lets you set up and manage alarms for multiple Azure subscriptions, add team members, and give them access to subscriptions securely and reliably.

I conceptualized and performed product management, including regular calls as needed with the team to ensure quality completion of the service on time and within budget. Also, I reviewed the alarm execution code and fixed issues related to scalability so that the service could scale efficiently for small to large workloads. Finally, I mentored the team and created marketing content, including the detailed service home page, FAQ documents, and demo video scripts.

Government of Singapore's Central Provident Fund

Served as the core framework engineer on a team of 50+ professionals that built a platform for the Singapore Central Provident Fund (CPF), a government agency, to modernize the provident fund web platform for Singapore's citizens.

I prepared the architecture in collaboration with a senior architect and single-handedly wrote the implementation of cross-cutting framework components, including DAL, caching, logging, and exceptions. I also created a single sign-on (SSO) security implementation based on federated STS with an attribute-based roles authorization model.

Ernst & Young Affordable Care Act | Obamacare

Built for Ernst & Young (E&Y), it leveraged the Affordable Care Act (ACA), known as Obamacare, in order to provide compliance services to its customers. The conceptual design for the E&Y ACA client repository enables E&Y to capture, structure, and organize client information, including employee payroll. As a back-end developer and tech lead, I:

• Provided technical mentorship and solutions to hard technical problems and promoted best practices within the team.
• Performed a security review and closed gaps in the implementation.
• Created generic change tracking and caching components.
• Developed multiple modules.

Education

2008 - 2011

Master's Degree in Computer Science

Maharshi Dayanand University - Rohtak, Haryana, India

Skills

Libraries/APIs

Entity Framework, REST APIs, Windows Forms (WinForms), jQuery, Office API

Tools

NuGet, Visual Studio, Git, AutoHotkey, GitLab, Bitbucket, TeamCity, Jira, Confluence, Kibana, Azure App Service, GitHub, TFS, YouTrack

Frameworks

ASP.NET, OAuth 2, .NET, AngularJS, ServiceStack, SpecFlow, ASP.NET MVC, Windows PowerShell, Kendo UI, ADO.NET, ASP.NET Web Forms, ASP.NET Core, Entity Framework Core, .NET Core

Languages

C#, JavaScript, Hugo, SQL, C, C++, Java, Stored Procedure, T-SQL (Transact-SQL), HTML, C#.NET

Paradigms

Object-oriented Design (OOD), Unit Testing, Software Testing, Automation, Agile, Penetration Testing

Storage

RDBMS, Microsoft SQL Server, Redis, SQL Server 2016, Azure Storage, Azure SQL, Azure Active Directory, MySQL, SQLite, Azure Table Storage

Platforms

Azure, Windows, Oracle, Amazon EC2, Azure Functions, Xamarin, Blockchain

Other

Web Security, HMAC, APIs, ASPSecurityKit, Zero Trust, Authorization, Two-factor Authentication (2FA), Technical Writing, New Products, Back-end, Data Structures, Algorithms, Integration Testing, Incident Response, Bitcoind, Digital Banking, Software Development Lifecycle (SDLC), Operating Systems, Computer Networking, Computer Organization, Software Engineering, API Testing, Shaolinq, Dogecoin, Amazon RDS, OWASP, Regular Expressions, Payment APIs, Email APIs, BitClout, Cloudflare, Source Code Review, Console Apps, Framework Design, Exchange SDK, Cloud Architecture, Outlook Add-ons, Single Sign-on (SSO), Bitcoin, Product Design, Team Mentoring, Code Review, Mentorship
