Vinod Kumar P M

Staff Security Engineer

United Kingdom

About

Understanding of application security issues like Cross Site Scripting, CSRF, SQL injection, session security and buffer overflows. Good understanding of cryptographic algorithms, like encryption, digital signatures, key exchange and hashing. Knowledge of the mathematical principles behind cryptography. Led the effort to adapt an Intel trusted execution technology to automotive requirements. Contributed to scalability improvement of the NTLM authentication framework for the Cisco Scansafe product. Supported feature enhancements and standards compliance for the Nokia Web RunTime security framework. Designed and implemented the IMS (IP Multimedia Subsystem) security framework on the Samsung handset platform. Played a lead role both at Samsung and Nokia in educating the team on security aspects of the project.

Experience

  • Staff Security Engineer at Okta
    Oct 2022 - Present · 3 yrs 9 mos

  • Senior Security Consultant at Synopsys Inc
    Jan 2019 - Sep 2022 · 3 yrs 9 mos

    Worked as an external consultant in the technical risk team of a major financial firm, helping with design review, source code review and pen testing of their internal applications. Worked as an external consultant in the InfoSec team of a major cybersecurity company, making major contributions to open source risk mitigation and the establishment of a pen test program.

    Architecture Risk Analysis & Threat Modeling:
    • Salesforce cloud CRM application
    • JAMF application deployment for IT management of Mac devices
    • Azure deployed application
    • OpenShift on-premise deployed application
    • Created a threat model for a payment framework for one of the major payment service providers
    • Created a threat model for an open banking application deployed on AWS for a commercial bank

    Source Code Review:
    • Performed multiple code reviews of Java and C/C++ applications for various customers

    Web/API/Network Pen Testing:
    • Performed pen tests for web applications using Burp Suite and Postman
    • Manual testing using custom Python scripts
    • Performed network pen tests using tools including Nessus and nmap

  • Security Software Engineer at Intel Corporation
    May 2014 - Nov 2018 · 4 yrs 7 mos

    Automotive Security (In-Vehicle Infotainment)
    Project Overview: Provides platform security features for the IVI system on IA chipsets suited for the automotive domain.
    My Contribution:
    • Trusted execution technology (DAL): led the effort to adapt the Intel DAL feature to the IVI platform.
    • Keystore: designed and implemented a kernel feature for user application authentication using a signed application manifest.
    • Hardware-backed TLS: proof of concept for a TLS connection with client authentication, with the client private key stored in hardware.
    • Linux IMA/EVM for file system integrity protection: enhanced the IMA kernel feature to support better policy configuration. Integrated EVM with the kernel-based keystore for key provisioning.
    • Linux eCryptfs file encryption: integration of kernel keystore based key provisioning for eCryptfs.

  • Software Engineer at Cisco Systems
    Sep 2011 - Apr 2014 · 2 yrs 8 mos

    Scansafe & Cloud-based Security
    Project Overview: The Scansafe connector integrated with the edge router forwards all HTTP traffic from the network to Scansafe towers located in the cloud for security inspection. The router authenticates the user, and the user info is sent along with the concerned traffic to the tower.
    My Contribution:
    • Proposed design changes in the NTLM authentication code to handle parallel NTLM authentications from the same IP addresses. Handled design and implementation of the state machine to handle HTTP requests and AAA NTLM responses.
    • Proposed a method to whitelist HTTPS traffic using SNI, a TLS extension.
    • Identified a security defect in host header based whitelisting of traffic in Scansafe. This would allow unintended domains to be whitelisted, and the problem affects other products with whitelisting, like the application firewall and NBAR.

    Intrusion Prevention System
    Project Overview: IPS maintains a database of network-based attack signature patterns. The traffic passing through the router is analysed for any of the signature patterns. Pattern matching uses DFA-based regular expressions.
    My Contribution: Acted as the expert on DFAs, NFAs, regular expressions and pattern matching of IPS signatures. Worked on hardening the HTTP, normalizer and atomic IP engines.

  • Senior Engineer at Nokia India
    Jul 2010 - Sep 2011 · 1 yr 3 mos

    Security Framework for Widget Runtime for Symbian handsets
    Project Overview: The widget runtime allows users to download, install and launch widgets on the mobile device. A security framework authenticates downloaded widgets using XML signatures. Based on the certificate used for signing, each widget is mapped to a trust domain with a certain level of permission to access device APIs.
    My Contribution:
    • Study of W3C standards for XML signatures and the JIL and WAC specs for widget security.
    • Design, implementation and unit testing of Online Certificate Status Protocol (OCSP) for checking the revocation status of the widget signing certificate.
    • Handling of author and distributor signatures in a widget package.
    • Enhanced an access control mechanism based on capabilities and trust domains.
    • Implemented runtime user prompts based on a configured security policy.
    • Modification of a test signer tool to generate and attach an XML signature to a widget.
    • Educated the team on security concepts like digital signatures, certificate authorities, PKI and certificate revocation.