Vyshnavi Kothamasu

Tracy, CA

Summary

An Information Security Professional with 9 years of experience in vulnerability assessments and penetration testing of applications against security standards across different domains.

Overview

12 years of professional experience

Work History

Sr. Vulnerability Management Engineer

American Airlines
02.2024 - Current
  • Execute adversarial emulation attacks against identified targets using SafeBreach software.
  • Tracks findings in the remediation management system and documents recommendations, analysis, facts, and links to research in a wiki-style format.
  • Researches vulnerabilities to determine attack vectors and possible vulnerable targets
  • Track and lead vulnerability resolutions with application teams
  • Increased efficiency through continuous analysis of existing systems, identifying areas for improvement and implementing necessary changes.
  • Developed strategic plans to achieve company objectives, aligning resources and setting clear performance targets.
  • Facilitated communication between departments to promote collaboration and knowledge sharing among team members.
  • Demonstrates a continuous-improvement mindset.
  • Maintains an effective approach to problem solving, multi-tasking, coordinating, and scheduling in accordance with stated goals to ensure visibility and predictability.
  • Perform manual source code review to find vulnerabilities in C/C++, C#, VB.NET, ASP, PHP, and Java, and communicate the findings to both business and development teams.
  • Experience with cloud-based infrastructure (AWS, Azure, or Google Cloud) and container (Azure App Service, Kubernetes) environments.
  • Expert knowledge of modern principles and practices of cyber security, certification and accreditation, network architecture, vulnerability identification and remediation, and network forensics; able to assist during an intrusion investigation.
  • Solid understanding of DevSecOps principles, CI/CD pipelines, and automation tools such as Jenkins, GitLab CI, and DevOps, with a focus on security integration and automated cyber security testing at all stages.
  • Familiarity with PCI DSS compliance standards and scanning practices.
  • Ability to code and script in Python, SQL, Bash, or PowerShell.
  • AWS GuardDuty, IAM, AWS Secrets Manager, AWS Web Application Firewall, and AWS Shield.
  • In-depth knowledge of Amazon VPC, Security Groups & AWS IAM roles

Information Security Engineer

Intuitive
08.2021 - 01.2024
  • Serves as SME in the Product Security Operations Center for Intuitive Surgical.
  • Responsible for the timely and successful resolution of product and shared cyber security incidents and events.
  • Responsible for cyber threat detection and vulnerability management automation efforts for Product Engineering.
  • Auditing code and features for internal and external applications.
  • Performing security tests for 3rd-party applications, including 3rd-party vendor risk assessment, 3rd-party application review, CTM, and threat modeling.
  • As required, supports the cyber risk teams in cyber risk analysis and threat modeling of complex systems, including interconnected web, application, and database technology stacks with networked medical devices.
  • Develops and reports on Security Operations and FDA post-market cybersecurity programs.
  • Experience with secure code review in languages such as Java, Python, Ruby, C#, Node.js, and JavaScript.
  • Work constructively with highly technical peers when security best practices and feature requests intersect.
  • Familiarity with common web application testing tools for DAST, SAST, SCA, and IAST analysis, such as Burp Suite, Checkmarx, Datadog, Qualys, GitLab, GitHub, ScoutSuite, Nmap, etc.
  • Strong analytic skills as proven by a track record of analyzing and fixing complex problems in products and processes.
  • Proficient with SQL, stored procedures, and general database interaction
  • Understanding of application threat modeling, secure coding principles and SDLC security best practices.
  • Performed a technical analysis and reverse engineering of tools related to threat activity within the cloud environment or as part of cloud-conscious intrusions.
  • Excellent judgment in the presence of competing priorities and incomplete data; proven ability to make difficult trade-offs with good judgment.
  • Strong written and verbal communication skills and experience in working effectively in cross-functional teams
  • Prepare and update incident response plan and playbooks across multiple product lines

Application Security Engineer

HUMANA
02.2021 - 08.2021
  • Primary responsibility was code scanning for vulnerabilities with Rapid7 InsightAppSec; worked with and scanned more than 50 applications on this tool.
  • General skills with code scanning, including SonarQube experience.
  • Defined our own development vulnerability analysis process, with secondary responsibility for other DevOps activities across a broad scope.
  • Analyze source code for flaws and architect security gates using automated testing in the SDLC.
  • Define and maintain WAF policies; implement and work with Checkmarx.
  • Design and implement availability, security and performance monitoring.
  • Architect and integrate automation into platforms and processes including CI/CD pipelines
  • Assist with Security Awareness activities including internal phishing campaigns.
  • Mastery of OWASP Top 10 including secure authentication and access control methods
  • Understanding of Container Security and security orchestration using Docker, Kubernetes.
  • Expert level knowledge of application security vulnerabilities and the ability to explain and provide solutions at both an architecture and development level
  • Expert level knowledge and experience implementing third-party library risk management and lifecycle processes
  • Experience deploying, operating and maintaining vulnerability scanning solutions such as Qualys and Rapid7.
  • Deep understanding of vulnerability remediation. Core competency is giving remediation advice to end-users (IT Administrators) to resolve vulnerabilities.
  • Strong Experience using library management tools like JFrog, Nexus, Artifactory
  • This effort is part of Enclara's focus on integrating into the Humana family.

Information Security Engineer II (SAEO)

PayPal
10.2019 - 02.2021
  • Participated in new product conversations and change reviews to assess security risk in new projects.
  • Ensured projects met all information security standards before go-live/launch.
  • Acted as the information security stakeholder in the product policy review process.
  • Set up new security policies and determined whether pen testing was required.
  • Applied best practices to projects as they relate to policy within PayPal.
  • Vulnerability assessment tools: Qualys, ISS Scanner, Nmap, Nessus, Nexpose.
  • Operate and maintain application security tools, such as static application security testing (SAST) and dynamic application security testing (DAST) tools. This includes their integration points with Jira, Jenkins, etc
  • Strong technical ability in security related architecture design and assessment (manual approach to penetration testing)
  • Drive SecOps methodology across all of Engineering and work with various stakeholders for the security needs and initiatives.
  • Experience in cybersecurity risk program strategy and projects. Identify cyber risks and drive business security requirements across Sigma.
  • Strong technical abilities to conduct infrastructure and application security assessments employing a variety of techniques (both automated and manual) throughout the full pentesting delivery cycle (recon, vulnerability assessment, exploitation, lateral movement)
  • Conduct dynamic security scans, manual validation/pen testing, and other security testing activities.
  • Identified security risks and required projects to go through PayPal's secure product lifecycle.
  • Acted as PPR for the InfoSec team at PayPal.
  • Execute and provide remediation support for Static Application Security Testing (SAST) assessments against .NET applications.
  • Sound knowledge and industry experience in vulnerability assessment and penetration testing of web-based applications, mobile applications, and infrastructure.

Information Security Engineering

Five Below
06.2019 - 10.2019
  • Worked in the security team to launch the e-commerce site successfully.
  • Experienced with the Magento platform for building our website store.
  • Securely configured the CDN firewall with Fastly.
  • Performed code scanning with the RIPStech code scanner by installing, configuring, and finally integrating the tool with our code repositories in Bitbucket.
  • Collects and analyzes security data from manual, automated, and static source review, and integrates them to find the best way to address security issues while meeting the needs of the business.
  • Remediated vulnerabilities such as cross-site scripting and SQL injection by applying the recommended fixes.
  • Created rules and scripts for IP whitelisting, allowing ports 80/443 only, forcing connections to go through the load balancer (not directly to web servers), blocking some bot services, and allowing cached content to be served without passing through the CDN/WAF firewall.
  • Locked down Fastly to allow only ports 443 and 80 by closing all other unnecessary ports.
  • Blocked DDoS attacks and bots by creating and configuring new rules in Imperva Incapsula.
  • Set up IP whitelisting by blocking the Magento admin portal at Fastly, blocking all access and allowing only users based on their role.
  • Imported all log activity and exported the logs to LogRhythm.
  • Installed the SSL certificate along with the root certificates for our site.
  • Created all security-level stories in Jira and addressed them one by one according to the current sprint.
  • Hardened admin access with MFA, CAPTCHA, and complex passwords with a minimum of 10 characters; hardened user ID and password requirements.
  • Defined a method to vet third-party extensions and how their JS can be scanned and installed through Bitbucket.
  • Defined the process that all third-party advertising agencies must follow: Five Below's Change and Release Management process, including passing secure code scanning before code is deployed to production.
  • Worked with Rapid7 Nexpose for user-login scans and monitored the records weekly to keep them up to date.
  • Made temporary URLs with all policies and rules working for M2 staging and prod: temporary WAF creation, pushing policies, and ensuring it worked with no browser blocks.
  • Security assessment of online applications to identify vulnerabilities in categories such as authentication, authorization, input and data validation, and session management.
  • Provided remediation steps to the team, followed up, retested the fixed issues, and ensured closure.

Web Application Penetration Tester

Global Logic
03.2015 - 12.2017
  • Conducted application penetration testing of 10+ business applications
  • Conducted Vulnerability Assessment on Various Applications.
  • Acquainted with various approaches to grey-box and black-box security testing.
  • Providing a complete vulnerability assessment report for any given application.
  • Maintaining the vulnerability inventory of an application and the associated metrics for all applications.
  • Analyzing the security model of an organization using Strategy & Metrics, Attack Models, Penetration Testing, Security Testing, etc.
  • Perform threat modeling of applications to identify threats.
  • Controlling risk management by identifying breaches and major security incidents.
  • Proficient in understanding application-level vulnerabilities such as XSS, SQL injection, CSRF, authentication bypass, weak cryptography, and other authentication flaws.
  • Conducted security assessments of PKI-enabled applications.
  • Skilled in using Burp Suite, its automated scanner, and Nmap for web application penetration tests.
  • Generated and presented reports on security vulnerabilities to both internal and external customers.
  • Security assessment of online applications to identify vulnerabilities in categories such as input and data validation, authentication, authorization, and auditing and logging.
  • Vulnerability assessment of various web applications used in the organization using Paros Proxy and Burp Suite.
  • Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
  • Keeping up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes exist in the existing system.

Security Analyst

Global Logic
06.2013 - 02.2015
  • Tracking a vulnerability from identification until closure by providing remediation assistance to developers.
  • Performing multiple levels of testing before production to ensure a smooth deployment cycle.
  • Creation of generic scripts for testing and reusability.
  • Application security review of all impacted and non-impacted issues.
  • Providing KT (knowledge transfer) to the development team for a better understanding of vulnerabilities.
  • Other ad hoc activities such as monthly and weekly report creation; scheduling meetings with the SVPs of different applications to understand future application pipelines.
  • Assisting customers in understanding the risk and threat level associated with a vulnerability so that they may accept or decline the risk with respect to business criticality.
  • Identifying Critical, High, Medium, and Low vulnerabilities in applications based on the OWASP Top 10 and SANS Top 25 and prioritizing them by criticality.
  • Assisting in the review of business solution architectures from a security point of view, which helps avoid security issues/threats at an early stage of the project.

Education

Master of Science - Computer Information System in Networking

University of Central Missouri
Warrensburg, MO
05.2019

Bachelor of Science - Computer Science Engineering

Acharya Nagarjuna University
04.2013

Skills

  • Business process improvement
  • Operations management
  • Organizational development
  • Workforce planning
  • Experience with multiple web security assessment tools
  • Web application security testing
  • Familiarity with continuous integration and deployment tools
  • Expertise in attack methodologies
  • Experience with network security assessments using various scanners
  • Experienced with tools including:
    Burp Suite, Nmap, RIPStech Code Scanner, Jenkins, Qualys, Rapid7 AppSpider, Nexpose, Imperva Incapsula, Nessus, SAST/DAST tools, ThreatModeler, GitLab, GitHub integration, Datadog, Checkmarx, Metasploit, IBM AppScan, sqlmap, WAF, CrowdStrike, Alert Logic, HP WebInspect, Tenable, Archer, Cherwell, ServiceNow, Clarizen, Nucleus, Amazon GuardDuty, AWS Web Application Firewall, AWS Secrets Manager

Accomplishments

  • Used Microsoft Excel to develop inventory tracking spreadsheets.
  • Supervised team of 4 members.
  • Passed security audits (PCI audit) by effectively helping application teams through end-to-end penetration testing.
  • Collaborated with a team of 10 in the development of different applications.

Professional Expertise

  • Performed security scans to find software vulnerabilities based on OWASP Top 10 web application best-practice guidance and resolved them, leveraging the security bug bar to assign the appropriate severity level and remediation timelines.
  • Excellent knowledge of the OWASP Top 10 (2010) and WASC Threat Classification 2.0 methodologies.
  • Used both broad and deep technology knowledge to architect a solution by mapping a customer business problem to an end-to-end technology solution. Diagnosed and corrected performance problems.
  • Perform testing using defined methodologies and a combination of automated and manual tools
  • Thorough knowledge of application security assessment techniques and their relative merits, including SAST, DAST, IAST, and manual assessment of web applications against the OWASP Top 10 and the ASVS checklist.
  • Perform manual penetration testing of client systems, web sites, and networks to discover vulnerabilities.
  • Skilled in using Burp Suite, Nmap, Nessus, sqlmap, and Qualys for web application penetration tests and infrastructure testing.
  • Understanding of modern development driving forces such as CI/CD, containers, microservices, and frameworks.
  • Perform vulnerability assessment of SBA assets using the Tenable Nessus scanner and the RIPStech code scanner.
  • Analyze Nessus scan results and produce a detailed operational report for mitigation.
  • Static (SAST) & Dynamic (DAST) Application Security Testing and/or penetration testing of applications and source code, auditing results with development and/or security teams and offering plans for remediation of vulnerabilities.
  • Cyber Security Strategies, Cyber Intelligence, Vulnerability Assessments, Security & Compliance Audits (PCI, TSA critical, etc.)
  • Provide end-to-end support guidance and expertise on how to effectively use OpenShift as PaaS to build solutions; creatively applying cloud infrastructure and platform services to help solve business problems; and communicating these approaches to different business audiences in designated industries
  • Experience with vulnerability assessments.

Timeline

Sr. Vulnerability Management Engineer

American Airlines
02.2024 - Current

Information Security Engineer

Intuitive
08.2021 - 01.2024

Application Security Engineer

HUMANA
02.2021 - 08.2021

Information Security Engineer II (SAEO)

PayPal
10.2019 - 02.2021

Information Security Engineering

Five Below
06.2019 - 10.2019

Web Application Penetration Tester

Global Logic
03.2015 - 12.2017

Security Analyst

Global Logic
06.2013 - 02.2015

Master of Science - Computer Information System in Networking

University of Central Missouri

Bachelor of Science - Computer Science Engineering

Acharya Nagarjuna University