Raj Sharath Gade

Kondapur, Hyderabad, 500084


rajsharath.g@gmail.com
7673973300
@irajsharath

Objective

Seeking an opportunity in an organization in the field of Information Security where I can utilize my
skills and offer professional growth while being innovative and flexible.

Experience Summary

• Currently working as Staff Security Engineer - Product Security at Gap Inc.
• Overall experience of 11+ years in the IT security stream.
• Associated clients include Lloyds Banking Group, HSBC, Broadridge Financial Solutions,
Wells Fargo and GAP Inc.
• Experience working in different phases of the Secure Software Development Life Cycle
(SSDLC), conducting penetration/application security testing, source code reviews, risk
assessments and architectural reviews.
• Experience in conducting manual and automated secure code reviews for different
technologies.
• Extensive experience working with various commercial tools for DAST and SAST such as
HP WebInspect, IBM AppScan, AppSpider, Burp Suite Pro, Checkmarx and Fortify.
• Experience with open source pen testing tools such as SQLmap, nmap, DirBuster, Kali Linux,
Metasploit etc.
• Worked as SME for Checkmarx and Fortify, conducting false positive analysis and creating
custom rules and POCs to test code snippets against the Fortify and Checkmarx rules.
• Experience in conducting software composition analysis, working with tools such as
Black Duck and OWASP Dependency-Check.
• Experience with risk assessment frameworks such as OWASP ASVS and Microsoft TMT.
• Expertise in conducting reviews for monolithic and microservices based architectures.
• Experience in reviewing Azure cloud security architectures for project migrations, cloud
native projects and hybrid projects.
• Good understanding of Azure security services such as Azure Security Center, Azure
Active Directory, Azure Key Vault, Azure Sentinel, Azure VPN and API gateways, Azure
Container Registry, Azure Kubernetes Service and others.
• Good understanding of DevSecOps process models, CI/CD pipelines, Docker containerization
and orchestration using Kubernetes.
• Experience in conducting risk assessments against industry compliance standards (GDPR,
PCI-DSS, OWASP Application Security Verification Standard (ASVS) and Mobile Security
Testing Guide (MSTG)) and threat modeling.
• Experience in conducting vendor engagements for all types of vendor/service intake
processes, reviewing vendor products, their integration with the internal network and
their data protection mechanisms.
• Conducted training sessions on OWASP development guidelines, secure architectural
frameworks and security awareness for developers, stakeholders and new recruits.

Areas of Expertise

• Vulnerability assessments for:
o Web applications
o Thick client & client APIs
o Web services
o Mobile applications
• Azure Cloud Architectural Reviews
• Research & Development
• Penetration testing
• Secure code review (Manual & Automated)

Technical Proficiencies

Platforms: Windows, Linux, iOS, Android

Languages: Java, C#

Tools:

DAST tools: HP WebInspect, Burp Suite Pro, IBM AppScan, AppSpider, Qualys, Digicert Fiddler,
Paros, SQLmap, Wireshark, OWASP ZAP, SSL scan tools, Kali Linux, Metasploit, DirBuster,
Gobuster, wfuzz

SAST Tools: HP Fortify, Checkmarx, Veracode, Visual Code Grepper (VCG)

SCA tools: OWASP Dependency-Check, Black Duck, JFrog Xray.

Risk Assessment: Microsoft TMT, OWASP ASVS

Others: EchoMirage, ITR, decompilers, SoapUI, WS-Attacker, WinPmem, Mimikatz, Nmap, JBE,
Genymotion, Android Tamer, APPIE framework, WinHex, Postman, Akamai Web Application
Firewall, Alert Logic IDS

Reporting/Vulnerability management tools: NetSPI CorrelatedVM, HP Quality Center, ThreadFix,
JIRA.

Source Code Repositories: SVN, TFS, Perforce, Git

Professional Certifications & Trainings:

• Azure Security Engineer (AZ-500)
• Certified Ethical Hacker v7
• IBM AppScan Certified

Professional Experience

GAP Inc, Hyderabad, July 2019 - Present

The Gap, Inc. commonly known as Gap Inc. or Gap, (stylized as GAP) is an American worldwide clothing and
accessories retailer.

Staff Security Engineer

Role: Product Security Engineer - Security Architect.

Roles and Responsibilities:

• Review and assess the security posture of GAP products, including generating security
requirements, helping teams design secure solutions, assessing vendor security
controls and performing security advisory tasks.
• Conducted threat modelling for on-prem and cloud architectures, including application and
infrastructure level risk assessments.
• Helped project teams in designing solutions to ensure alignment with standard secure
architectural patterns.
• Developed a checklist-based security questionnaire for application & infrastructure
component security assessments.
• Created and published security standards and best practices for approved file transfer
patterns, retail store device security, client-side script security, Azure Virtual Desktop
security and microservices security.
• Worked closely on evaluating and implementing various security frameworks, including
Brinqa (vulnerability management), Abnormal Security (DLP) and PenTera (exploitation
framework).
• Involved in the Architectural Review Board (ARB) for Azure cloud architectures and migration
stories to identify security gaps and provide solutions for risk reduction.
• Conducted third party security reviews prior to intake/renewal/closure of services, including
SaaS products, vendor software in-house deployments and third party services.
• Performed security advisory for different ad-hoc tasks and closely interacted with other
security teams.
• Verified product architectures against PCI DSS, GDPR, MLPS, CCPA and other regulatory &
compliance requirements.
• Conducted security trainings and awareness sessions for developers, business leaders and
vendors on GAP security standards and best practices.
• Created security guidelines for developer best practices for .NET and Java technologies and
provided training sessions.

Wells Fargo Solutions Pvt Ltd, Hyderabad, June 2017 - June 2019

Wells Fargo Enterprise Global Services (EGS) is a critical component of Wells Fargo’s (Wells Fargo Bank N.A.)
strategy to leverage distinct advantages in doing business in a global environment. Wells Fargo EGS – India (Wells
Fargo India Solutions Private Limited and Wells Fargo International Services Private Limited) is primarily an
extension of the technology, operations, knowledge services, and corporate support teams of Wells Fargo.

Senior Security Specialist

Role: Application Security Champion (ASC)

Roles and Responsibilities:

• Performed DAST for web, thick client, web services and APIs and worked with
development teams to provide suitable mitigations and resolve identified bugs.
• Performed manual and automated source code reviews for applications based on different
technologies.
• Performed software composition analysis (SCA) using Black Duck and OWASP Dependency-Check
for open source security.
• Worked as Fortify and Checkmarx static analysis SME, resolving queries and issues from
development teams.
• Worked on writing custom rules for the Fortify tool.
• Worked on writing secure coding guidelines for PHP applications.
• Created POCs and guideline documents for Fortify scans involving build integrations such as
Ant, Maven and Gradle.
• Conducted a POC on writing guidelines for WAF implementation to suit overall
organization standards and security best practices.
• Conducted POCs on CI/CD pipelines, including integration of tools such as Checkmarx,
Black Duck and OWASP ZAP with Jenkins.

Broadridge Financial Solutions, Hyderabad, Aug 2015 – May 2017

Senior Member Technical

Role: Penetration testing, Source code reviews, Architectural reviews

About the company: Broadridge Financial Solutions is the leading provider of investor
communications and technology-driven solutions for broker-dealers, banks, mutual funds, and
corporate issuers globally. Broadridge’s investor communications, securities processing, and
business process outsourcing solutions help clients reduce their capital investments in operations
infrastructure, allowing them to increase their focus on core business activities.

Roles and Responsibilities:

• Work with the business to understand the architecture, logic, existing security controls, and
changes implemented to propose applicable Security Assessments.
• Perform manual & automated security assessments and penetration testing for web
applications, thick clients, client APIs and web services.
• Perform manual and automated source code review for applications on different platforms.
• Integrate secure code review process with the development phase to catch implementation &
code related bugs in earlier stages of SDLC.
• Conduct Design reviews for the applications against the requirements, security standards &
policies to identify the loopholes before implementation of the design.
• Analyze the existing code base for vulnerable API dependencies in accordance with CVE
identifiers.
• Analyze, filter, and classify results of vulnerability scans.
• Accurately document system deficiencies, recommend solutions, and track remediation
activities.
• Worked with the development team to provide API level recommendations for vulnerabilities
identified.
• Conducted training sessions for development teams for secure coding practices.
• Conducted induction sessions for new hires on the Information Security Management
System.

HSBC Software Development India, Hyderabad, Mar 2014 – Aug 2015

Information Security Analyst

Role: Penetration testing & Source code reviews

About the company: HSBC is one of the world’s largest banking and financial services
organizations, serving more than 47 million customers through four global businesses: Retail
Banking and Wealth Management, Commercial Banking, Global Banking and Markets, and Global
Private Banking, and has a foothold in 71 countries.

Roles and Responsibilities:

• Perform manual security assessments for HSBC (internal and public) applications for
particular geographic locations.
• Perform manual and automated source code reviews.
• Perform vulnerability research and discovery.
• Document the artifacts and compile the final report.
• Adopted the role of quality lead for a team of 4 members, responsible for reviewing checklists,
test plans, test cases and test reports.
• Instrumental in creating checklists for web and thick client applications.
• Key member in conducting organizational level events on information security awareness
such as “ISR week”.
• Received Q3 R&R Recognition award for the year 2014.

Cognizant Technology Solutions, Chennai, Jan 2011 – March 2014

Programmer Analyst

Role: Application security & Source code reviews

About the company: Cognizant is a leading provider of information technology, consulting and business process
outsourcing services, dedicated to helping the world's leading companies build stronger businesses.

Roles and Responsibilities:

• Perform vulnerability assessments and code reviews for applications in banking, financial
and healthcare domains.
• Developed demo vulnerable application in Java for the purpose of Security training.
• Key member in handling end-to-end testing process for different clients.
• Communicated with clients & onshore team to discuss vulnerabilities and recommend
accurate solutions to mitigate them.
• Review test artifacts and deliverables from the team.

Education & Credentials

Bachelor of Engineering in Computer Science

Vaagdevi College of Engineering, Warangal

Active member of OWASP and NULLCON chapters.

Declaration

I hereby declare that all the information furnished above is true to the best of my knowledge and
belief.

Thanks,
Raj Sharath Gade
