BILAL KHAN

About Me

Seasoned cybersecurity engineer with over 14 years of expertise in securing web, mobile, API, and thick-client applications through comprehensive vulnerability assessments, penetration testing, and both manual and automated code reviews. Skilled in designing and automating security testing processes for web applications and APIs using a combination of commercial and open-source tools alongside custom scripts to efficiently identify security vulnerabilities. Proven track record in implementing secure coding standards, conducting threat modeling, and fostering collaboration with engineering teams to integrate security throughout the software development lifecycle. Proficient in DevSecOps practices, seamlessly integrating security automation into CI/CD pipelines while providing strong mentorship by training team members and developers on secure coding, vulnerability mitigation, and industry best practices.

  • Residence INDIA
  • Address Mumbai, Maharashtra
  • e-mail XYZ@XYZ.COM
  • Phone +91 99XX 9XX YYY

Who Am I

As an Application Security Engineer, I am dedicated to fortifying digital landscapes and ensuring the resilience of software applications. With a strong foundation in cybersecurity and a keen eye for identifying vulnerabilities, I specialize in crafting robust security measures to safeguard critical data and systems.

My expertise extends to conducting comprehensive security assessments, penetration testing, and code reviews to pinpoint and remediate vulnerabilities early in the development lifecycle. I am well-versed in industry best practices and frameworks, ensuring that applications meet stringent security standards.

Collaboration is at the core of my approach, working closely with cross-functional teams to integrate security seamlessly into the software development process. I am passionate about staying updated with emerging threats and technologies, enabling me to provide proactive solutions that protect against the ever-evolving threat landscape.

Resume

Education

2010

Bachelor of Science (Information Technology)

University of Mumbai

2006

Higher Secondary Certificate (H.S.C)

Maharashtra Board

2004

Secondary School Certificate (S.S.C)

Maharashtra Board

Work Experience

Oct 2022 - Current
ConnectWise LLP

Principal Product Security Engineer

  • Performed internal penetration testing and threat hunting to identify vulnerabilities in applications
  • Reported and triaged vulnerabilities with development teams on a timely basis
  • Drove a shift-left initiative by creating a Security Championship program and ensuring that development teams build applications securely, right from the initial design phase
  • Worked with the DevOps team to integrate security tools into the pipeline to detect vulnerabilities in source code
  • Updated technical documentation, product specifications and technical training materials
  • Integrated the Snyk tool into the GitLab pipeline to perform SCA, SAST and IaC scans, identifying vulnerabilities and notifying the development team about the pipeline build

July 2021 - Oct 2022
Accenture

Technology Security Associate Manager

  • Led projects and analyzed data to identify opportunities for improvement
  • Led one of the largest security assessment projects, with 100+ applications in scope for SAST, DAST, SCA and penetration testing, including DevSecOps
  • Managed a team of 4 members, actively participating in quality-driven delivery and reviewing the assessment outcomes
  • Worked closely with the development and infrastructure teams on remediation plans to fix the identified vulnerabilities in a timely manner
  • Created labs of vulnerable machines to host a Capture The Flag (CTF) event within the organization
  • Trained the team to execute security testing projects

Jan 2020 - July 2021
KPMG

Manager

  • Delivered various projects and worked with clients across multiple geographies, including the Middle East, Canada and the United States, across different domains such as Banking, Telecom, Retail and Pharmaceutical
  • Performed security testing on 100+ web and 30+ mobile (Android) applications
  • Performed vulnerability assessment and penetration testing on 600+ IPs
  • Prepared comprehensive client reports detailing the outcome of all testing with appropriate recommendations, and walked different stakeholders through them
  • Assisted project teams in understanding the risk and threat level associated with reported vulnerabilities according to business criticality
  • Conducted secure configuration and endpoint reviews to identify gaps, and recommended technical solutions, processes and procedures to check and reinforce security best practices on the network
  • Developed Minimum Security Baseline / MBSS standards for network devices, Windows servers, Linux servers, Docker and containers
  • Conducted risk and business development work such as responding to RFPs and preparing proposals and costing sheets
  • Implemented a DevSecOps culture in client environments and helped clients implement a Secure SDLC for application development and deployment

June 2019 - Jan 2020
Cornerstone OnDemand

Application Security Engineer

  • Performed penetration testing on web, thick-client and mobile applications before each quarterly release
  • Monitored, maintained and enhanced the Vulnerability Management Program for observed defects and vulnerabilities
  • Developed GSL (Governance Specification Language) rules and alerts for Dome9 to monitor the current security posture of the AWS environment
  • Performed project leadership tasks on selected security projects to improve and enhance security posture
  • Integrated automated DAST web app and API scanning into the CI/CD pipeline using Burp Suite, Selenium, Postman and Jenkins, as well as a Software Composition Analysis (SCA) tool (Snyk) to identify vulnerabilities in open-source and third-party libraries
  • Conducted social engineering attacks for a number of clients across sectors, which included creating and running tailored, targeted phishing and vishing campaigns against the client organization's employees to make them submit sensitive corporate information such as email id, username, password and employee number
  • Validated and verified system security requirement definitions and analyzed system security designs

Jan 2011 - May 2019
Continuum Managed Solutions Pvt. Ltd

Principal Quality Engineer

  • Actively involved with various development teams from the design phase through product development
  • Managed a team of 5 members and tracked the progress of testing and release cycles
  • Involved in system testing and acceptance testing: analyzing business and end-user requirements, preparing the test strategy and test plan, and verifying and approving the test environment
  • Created analysis reports in JIRA and Confluence, and managed test cases and results in TestRail
  • Assessed software bugs and compiled findings along with suggested resolutions for development team members
  • Gathered data on integration issues and vulnerabilities and outlined improvement recommendations
  • Created accurate and reliable test scripts to manage automated testing of certain products and features
  • Wrote and optimized test cases to maximize the effectiveness of manual software testing with consistent, thorough approaches
  • Worked closely with developers to identify the cause of errors and find possible solutions
  • Worked with the InfoSec team to perform common web application vulnerability assessments covering broken authentication / authorization, XSS, SQL injection, etc.

Skills

  • Application Security Testing
  • Vulnerability Assessment & Penetration Testing
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA)
  • DevSecOps
  • GitLab / GitHub
  • Cloud Security
  • Burp Suite Pro
  • NMAP
  • Nessus
  • SQLMap
  • Agile Methodology
  • Azure DevOps
  • Functional Testing
  • Manual Testing
  • Acunetix / Netsparker (Invicti)
  • Threat Modelling
  • Jenkins
  • Vulnerability Management

Achievements

Employee of the Year

Employee of the Year for best performance in testing and managing the applications

Team Maestro Security Award

Awarded the Team Maestro award for security incident handling

Spot Award

Spot award for fixing a critical issue on the client's server within 24 hours

Team Award

Awarded the Team award for best application implementation and integration

STAR Performer

Awarded STAR Performer for the quarterly release

ENCORE - Rising Star Award

Awarded the Rising Star award for Quarter 1 (April 2020 – June 2020) at KPMG

Languages

English

Professional Working Proficiency

Hindi

Full Professional Proficiency

Urdu

Full Professional Proficiency

Marathi

Limited Working Proficiency

Certificates

Certified Az Red Team Professional (CARTP)

August 2018

CREST Practitioner Security Analyst (CPSA)

January 2019

EC-Council Certified Security Analyst (ECSA)

January 2019

EC-Council Certified Ethical Hacker (CEH)

July 2016

EC-Council Certified Threat Intelligence Analyst (CTIA)

December 2018

Certified Application Security Engineer (CASE .NET)

September 2019

Microsoft Certified: Azure Fundamentals (AZ-900)

January 2021

Blog

COMING SOON!

Contact

Mumbai, India

+91 99XX 9XX YYY

XYZ@XYZ.COM