Neela Sindhuja Yasarapu

Somerville, NJ

"Everyone you will ever meet knows something you don't."
Bill Nye, the Science Guy

Summary

Information Security Professional with 7+ years of experience, focused mainly on web application, web service, mobile and thick client security, threat modelling and DevSecOps.

Overview

8 years of professional experience
2 certifications

Work History

Concentrix

Security Consultant
12.2021 - 05.2023

Job overview

  • Implemented the DevSecOps process in the organization. Reviewed and conducted POCs for several security tools and integrated them into the CI/CD pipeline for all critical applications.
  • Integrated DAST, SAST, SCA and cloud security tools such as BlackDuck, Alert (by Synopsys), WebInspect, SonarQube, Coverity, Fortify SSC and Burp Suite Enterprise into the CI/CD pipeline, including JIRA integration. Researched automating pentest scenarios using the Nuclei tool.
  • Delivered cybersecurity sessions on Secure SDLC to all developers across the organization. Prepared runbooks and playbooks on using security tool plugins such as Coverity, BlackDuck and SonarLint in IDEs such as Eclipse, Visual Studio, IntelliJ and Visual Studio Code.
  • Hosted and installed all security tools as SaaS, on-prem and in Docker, and maintained the servers (upgrading software, updating certificates, adding new plugins). Acted as Subject Matter Expert (SME) for all security tools. Performed Root Cause Analysis (RCA) for failures in the CI/CD pipeline and provided immediate resolutions.
  • Coordinated with the Development and DevOps teams for successful onboarding of all applications into the CI/CD pipeline: categorizing applications, understanding their DevOps tooling (GitLab, Jenkins), build pipelines and source code repositories (GitLab, Bitbucket), and preparing a plan/checklist to integrate them into the pipeline.
  • Performed manual penetration testing for web applications, APIs, thick client applications and mobile applications, and identified Critical, Major and High vulnerabilities using Burp Suite Professional, ZAP proxy, SQLMap, Nmap, Wireshark, Echo Mirage, Postman, Swagger and MobSF.
  • Conducted vulnerability assessments for web applications and APIs using automated DAST tools and performed false positive analysis. Assessed source code by building it and running automated scans with SAST tools. Performed security, license and operational risk analysis using Software Composition Analysis (SCA) tools such as Snyk, BlackDuck and Dependency-Check.
  • Performed false positive analysis for identified vulnerabilities. Prepared Excel dashboards and reports of findings with proof of concept (screenshots, payloads and steps to reproduce each vulnerability) and cost-effective recommendations for remediation.
  • Prepared application security guidelines for developers (both checklists and documents) and hardening guidelines for source code repository management tools (Bitbucket, GitLab).
  • Performed threat modelling for critical applications using the STRIDE methodology. Using the Microsoft Threat Modeling Tool (Microsoft TMT), created data flow diagrams, attack trees and risk matrices, identified potential risks, and discussed them with the application architects and business owners of the respective application teams.
  • Presented on the MITRE ATT&CK framework and the PASTA threat modelling methodology. Delivered many knowledge-sharing sessions walking internal teams through the security tool dashboards.

Carrier

Senior Security Analyst
10.2021 - 12.2021

Job overview

  • Responsible for conducting dynamic security testing of applications, Static Application security testing, Software composition Analysis, Penetration Testing, identifying and assessing vulnerabilities, and generating comprehensive reports with actionable recommendations for remediation.
  • Collaborate with development teams, validate and assist in vulnerability remediation efforts, and stay updated with latest security trends and best practices in field of SAST, Pentest and dynamic application security testing.
  • Research and continuous learning: stay updated with the latest security vulnerabilities, attack techniques, and industry best practices related to dynamic application security testing.
  • Conduct research and experiments to enhance effectiveness and efficiency of DAST processes and methodologies. Share knowledge and insights with broader security community through blog posts, whitepapers, or conference presentations.
  • Collaborate with development teams, security engineers, and other stakeholders to foster a strong security culture. Provide guidance and training to development teams on secure coding practices and the importance of security testing. Communicate effectively with both technical and non-technical stakeholders, ensuring clear and concise reporting and sharing of information.

Accenture

Security Analyst
03.2020 - 10.2021

Job overview

  • Collaborate with development teams and security stakeholders to define scope and objectives of dynamic security testing.
  • Develop detailed test plans and strategies, including target applications, test scenarios, and expected outcomes.
  • Execute dynamic security tests against web applications, APIs, mobile applications, and other relevant software systems.
  • Vulnerability identification and assessment: identify and assess security vulnerabilities such as injection flaws, cross-site scripting (XSS), cross-site request forgery (CSRF), authentication and authorization issues, and insecure configurations.
  • Analyze scan results, interpret findings, and validate vulnerabilities to eliminate false positives.
  • Prioritize identified vulnerabilities based on severity, impact, and exploitability.

ShipByNight IT Solutions

Security Analyst
03.2018 - 03.2020

Job overview

  • Conduct thorough vulnerability assessments to identify security weaknesses in systems, networks and applications, using automated scanning tools and manual techniques to find known vulnerabilities, misconfigurations, and weaknesses in security controls.
  • Analyse scan results, prioritize vulnerabilities based on severity, and provide recommendations for remediation.
  • Penetration Testing: Perform penetration testing to simulate real-world attacks and attempt to exploit identified vulnerabilities.
  • Conduct both external and internal penetration tests to assess security posture from an attacker's perspective.
  • Use various tools and methodologies to exploit vulnerabilities and gain unauthorized access, while avoiding damage to systems or data.
  • Document findings, including methods used, vulnerabilities exploited, and recommendations for mitigation.

Bug Bounty Platforms

Security Researcher
04.2017 - 03.2018

Job overview

  • Performed penetration testing for various applications listed on bug bounty platforms using security tools such as Wireshark, Kali Linux, Burp Suite, SQLMap, Nmap, ZAP Proxy and Metasploit.
  • Identified many business logic vulnerabilities, including improper access control, authorization bypass, IDOR, privilege escalation, file upload and denial of service vulnerabilities.

Tata Consultancy Solutions

Systems Engineer
06.2012 - 08.2014

Job overview

  • Responsible for managing and performing VA/PT, risk assessment and threat modelling, primarily for the banking and finance industries.
  • Analysed and evaluated the security posture of applications.
  • Understood application workflows and identified possible attack vectors.
  • Exploited vulnerabilities found during testing.
  • Coordinated the team to design and execute test cases based on requirements.
  • Assisted development teams during the vulnerability remediation phase.

Education

Andhra University College of Engineering
Visakhapatnam, India

Master of Technology
12.2016

ANITS
Visakhapatnam, India

Bachelor of Technology
06.2012

Skills

  • DAST
  • SAST
  • SCA
  • BlackDuck
  • Penetration Testing
  • DevSecOps
  • OWASP Top 10
  • Threat Modelling
  • Web Application Testing
  • Thick Client Testing
  • API Testing
  • Mobile Testing
  • Employee Security Training
  • Coverity
  • Fortify
  • WebInspect
  • Acunetix
  • AppScan
  • BurpSuite
  • Postman
  • EchoMirage
  • SonarQube

Accomplishments

  • Received various awards (Rockstar, Best OPS Team Player, Most Valuable Player) and kudos from Concentrix, 2022 & 2023
  • Received client appreciation for designing and creating an internal vulnerability metrics dashboard at Accenture, 2020
  • Participated in various OWASP and Women Who Code meetups, 2018 & 2019
  • Awarded TCS On-Spot awards, 2013 and 2014
  • Won various awards at national technical symposiums
  • Published an article on ScienceDirect during graduation, 2016

Certification

  • eWPT - eLearnSecurity Web Application Penetration Tester (eLearnSecurity)
  • AZ-900 (Microsoft)

Languages

  • English: Full Professional
  • Hindi: Limited Working
  • Telugu: Native or Bilingual
  • Tamil: Limited Working