YASH ANAND
Senior CyberSecurity Engineer
Phone
+91 8368 139 138
Email
[email protected]
LinkedIn
https://www.linkedin.com/in/yashanand155
Profile

Impact-driven cybersecurity engineer with over 3.5 years of work experience in the FinTech, E-commerce, and SaaS Industry. Adept at shift-left security, implementing automation solutions, conducting vulnerability assessments, and enhancing overall security measures.

Education
Work Experience
  • Leading the application security initiatives by establishing end-to-end security testing processes. Built the AppSec program from the ground up, collaborated with product managers to prioritize and track remediation efforts, and led cross-functional security reviews for every release.
  • Identified and addressed a range of critical to medium severity vulnerabilities, such as SQL Injection, access control flaws, and rate limit logic bypasses, during the early stages of the development process.
  • Developed Aspire's Responsible Disclosure Policy and established the end-to-end process from acknowledging researcher submissions to coordinating issue remediation.
  • Implemented OWASP Top 10 security rules, rate limiting, and threat score-based IP blocking on Cloudflare, enhancing web application protection and performance in collaboration with the DevOps team.
  • Integrated GitHub Advanced Security for Static Application Security Testing (SAST) and Dependabot for Software Composition Analysis (SCA). Built a bidirectional automation to create and close Jira issues based on security findings.
  • Collaborated with the Data team to develop an automated dashboard for IT Security KPI metrics, featuring insights on SLA breaches, system uptime, compliance status, security vulnerabilities, historical trends, and predictive analytics.
  • Performed internal network penetration testing on AWS subnets, identified multiple security issues, and collaborated with the DevOps team to ensure timely remediation.
  • Managed the end-to-end hiring process for Application Security Interns—screened 1500+ resumes and conducted over 100 interviews. Also led the interview process for a Lead Application Security Engineer role, designing custom CTF challenges and threat models tailored to different application functionalities.
  • Actively collaborated with DevOps engineers to identify, patch, and resolve Docker security issues. Analyzed application packages to determine necessity and deployed manual patches to update vulnerable dependencies when required.
  • Deployed a solution leveraging Winget, PowerShell, and Microsoft Intune to efficiently patch software on Windows end-user systems.
  • Contributed significantly to the organization's compliance efforts by collecting evidence for ISO 27001 and PCI certifications.
  • As a member of the Meesho product security team, I collaborated with the development team to conduct security testing for new features, review PRD and architecture, and perform quarterly testing of the Meesho Android app and supplier website.
  • Designed and implemented a CVE scanner for EC2 instances utilizing AWS SSM and the NVD CVE database, reducing the dependency on third-party tools such as Qualys Cloud Scanner.
  • I am part of the team that developed an in-house Static Application Security Testing (SAST) pipeline for code and secret scanning, and I am also responsible for managing the Bug Bounty Program.
  • Designed and executed the development of a specialized tool to scan and identify secrets within Confluence.
  • As one of the first members of the Attack Surface Management team, I created and set up the Attack Surface Management Automation. This made our work more efficient, cutting down the time needed by 80% through smarter processes and less manual work.
  • Performed web application, API, network, and mobile application security testing for several clients.
  • Stayed up to date with emerging security threats, CVEs, and new reconnaissance techniques.
Skills
    Tools & Languages

    BurpSuite, GitHub Enterprise, GitHub Advanced Security, Wiz (CSPM), Cloudflare, Metasploit Framework, Nessus, Nmap, Sqlmap, Wireshark, ProjectDiscovery tools, Microsoft Defender, Snyk, Intune, and shell scripting.

    Expertise

    Application Security, Network Penetration Testing, Security Automation, Attack Surface Management, Docker Security, AWS, OSINT, and CTF.

Awards
    Hall of Fame

    I have successfully discovered and reported more than 10 security issues in OYO, ranging from critical to medium severity. Additionally, I have identified multiple bugs of varying severity in esteemed programs such as Western Union, Gojek, Takeaway, A.S. Watson, and BMW Group.

    CCTNS Cyber Challenge Hackathon

    Organised by the National Crime Records Bureau, India. A three-day hackathon in which 30 out of 2000 students were selected to participate, with the sole motive of testing and exploiting the government's Crime and Criminal Tracking Network System (CCTNS).

    Capture the Flag Competitions
  • DEC 2017 – Rank 17th in DRDO CTF.
  • JAN 2019 – Rank 1st in DEFCON Delhi CTF.
  • DEC 2019 – Rank 8th in India on CTFTime.
  • JAN 2020 – Rank under 45 in the TCS Hackquest.
  • JAN 2021 – Rank 7th in the Global Cyber CTF.
    Rooters CTF 2018 and 2019

    Organized an online Capture the Flag (CTF) held under InfoXpression 2018 and 2019, the technical fest of USICT, in which 450 teams participated.

Publications
    A Brief Survey of Cloud Data Auditing Mechanism, International Conference on Innovative Data Communication Technologies and Application
    24/02/2022
Certificates
  • PentesterLab: Unix, PCAP, White, Android and Recon Badges.
  • Google Cloud Essentials.
Writeups & Profile