Shahid Hakim, Developer in Bangalore, Karnataka, India

Shahid Hakim

Verified Expert  in Engineering

Security Engineer and Software Developer

Location
Bangalore, Karnataka, India
Toptal Member Since
November 16, 2022

Shahid is a skilled cybersecurity professional who thrives on challenges, specializing in offensive security, red teaming, threat modeling, and incident response. He is certified in ethical hacking and blockchain security and excels in strategic threat mitigation. He has documented success in creating robust security frameworks and enjoys mentoring others. With each vulnerability, Shahid uncovers advanced cybersecurity for a safer digital world.

Portfolio

JumpCloud
Containers, Access Control, Amazon API, Threat Modeling, Architecture...
6sense
Ansible, Apache Hive, Apache Kafka, Apache ZooKeeper, API Testing...
Mindtree
Apache Kafka, Agile DevOps, Apache Metron, API Testing...

Experience

Availability

Full-time

Preferred Environment

Penetration Testing, Certified Ethical Hacker (CEH), DevSecOps, IoT Security, Access Control, Vulnerability Management, Threat Modeling, Unified Threat Management (UTM), Red Teaming, Security Architecture

The most amazing...

...project I've authored is a CVE, CVE-2023-27290, for IBM Instana, with a CVSS score of 9.1.

Work Experience

Principal Product Security Engineer

2023 - PRESENT
JumpCloud
  • Handled the security architecture of authentication standards (OAuth 2.0, OpenID Connect, SAML, JWT, federated login), cryptography (TLS, X.509), and access control (RBAC, ABAC).
  • Integrated SAST, DAST, and IAST tools, established a security-centric DevSecOps workflow, and ensured daily AWS and GCP container security monitoring, including dynamic aspects such as mTLS.
  • Introduced threat modeling as code with templates, incorporated OWASP risk rating, promoted risk-based engineering decisions, and implemented gamified threat modeling using tools such as Threatspec and LINDDUN GO.
  • Led a PSIRT operation, reduced incident tickets, and provided weekly updates to team leads on security initiatives, threat models, VDP reports, DevSecOps programs, and incident management to enhance product security.
  • Led a comprehensive external penetration testing program to strengthen product security, advocated a "secure by design" culture, and integrated proactive security measures into the product engineering process.
  • Specialized in Kubernetes container security and cloud-native concepts, operating enterprise solutions, collaborating on requirements, and ensuring security standards, with an IT or computer science background and a customer-centric focus.
Technologies: Containers, Access Control, Amazon API, Threat Modeling, Architecture, Secure Storage, Secure Coding, Secure Code Best Practices, Threat Analytics, Threat Management Gateway (TMG), Unified Threat Management (UTM), Web Security, Go, Agile DevOps, Secure Containers, Cloud Security, Security Operations Center (SOC), Security Orchestration, Automation, and Response (SOAR), DevSecOps, IT Infrastructure, Penetration Testing, Red Teaming, PSIRT, Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, SAML-auth, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting

Security Engineering Lead

2021 - 2023
6sense
  • Performed threat hunting on endpoints by exploring and correlating large datasets, issuing timely customer alerts.
  • Uncovered novel attack techniques and monitored and cataloged changes in activity group tradecraft.
  • Acquired knowledge of new attack tools, tactics, and procedures and leveraged existing knowledge to improve customers' security posture.
  • Investigated threats and created and maintained high-fidelity detection rules while engaging and collaborating with the infra, data science, and engineering teams. Developed custom indicators of compromise (IOCs) for each group according to severity.
  • Used CrowdStrike, Jamf, JumpCloud, Office 365, Wazuh, and Rapid7 InsightVM to implement endpoint security for each user, as well as automated remediation and real-time response for each IOC and indicator of attack (IOA).
  • Created threat modeling for data in transit and implemented best security practices for each microservice.
  • Made maturity models and specialized security architecture add-ons for each of the 6sense vendors. Tracked my work in Jira to create smooth transitions. Created a knowledge base in Confluence and Slack for each input.
  • Performed penetration testing of internal and external networks, applications, APIs, and cloud assets, as well as red and purple team assessments. Led the bug bounty program with a turnaround time of one day or less.
  • Integrated deep logging and monitoring platforms and created alerts using Splunk, Sumo Logic, and CrowdStrike as threat intelligence sources. This reduced incident response time to under seven days, saving money by lowering data costs.
  • Ensured timely resolution, necessary communication, and escalation of obsolete and critical infrastructure tickets by conducting QA of incidents.
Technologies: Ansible, Apache Hive, Apache Kafka, Apache ZooKeeper, API Testing, API Architecture, Amazon Web Services (AWS), AWS DevOps, Web Application Firewall (WAF), Endpoint Security, Agile DevOps, Bash, Bash Script, Burp Proxy, Burp Suite, Threat Modeling, Threat Analytics, Threat Intelligence, Threat Management Gateway (TMG), Unified Threat Management (UTM), Secure Coding, Secure Storage, Secure Containers, Secure Code Best Practices, Secure Web Development, Web Security, Java Security, Bro Network Security Monitor, Networking, Kubernetes, Containers, Docker, Rapid7, CrowdStrike, Ethical Hacking, Red Teaming, Cybersecurity, Presto, MongoDB, Data-level Security, Database Security, Offensive Security, APIs, Security, Web App Security, Mobile Security, SIEM, Confluence, Jira, Zero Trust, Python, Java, Spark ML, Apache Struts 2, SOC 2, Vulnerability Assessment, Zero-day Vulnerabilities, Vulnerability Identification, Vulnerability Management, Acunetix Vulnerability Scanner, JavaScript Testing, Cobalt Strike, VPN, Slack App, Slack API, Splunk, Sandbox to Production, Security Awareness Training, Office 365, SonarQube, OWASP Top 10, OWASP, Zed Attack Proxy (ZAP), NIST, Compliance, SOC Compliance, PCI Compliance, HIPAA Compliance, SOX Compliance, MISRA Compliance, Product Compliance, Risk & Compliance, Compliance Training, GRC, Microservices, Spring Microservice, Microservices Architecture, RESTful Microservices, Amazon Elastic Container Service (Amazon ECS), Container Security, Bug Fixes, Bug Triage, Bug Leakage, Certified Ethical Hacker (CEH), Penetration Testing, DevSecOps, Cloud Security, Security Design, Security Architecture, Amazon API Gateway, Access Control, Amazon Athena, Amazon CloudFront CDN, Amazon CloudWatch, Amazon EKS, Amazon RDS, Amazon S3 (AWS S3), Apache Metron, API Applications, API Gateways, APM, Architecture, Artificial Intelligence (AI), Authorization, Authentication, AWS CLI, AWS Lambda, Azure DevOps, Applications, Amazon API, Amazon Virtual Private Cloud (VPC), Security Engineering, Data Governance, IT Governance, Governance, Data Protection, Group Policy, Jamf, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting

Red Team Lead

2017 - 2021
Mindtree
  • Started a cybersecurity center of excellence team in Mindtree and reported directly to the CTO.
  • Established a research and development group with the goal of developing signature-based attacks through hypothesis-based red teaming. This process was carried out to develop IOCs for Apache Metron.
  • Created security tools for SIEM, vulnerability assessment, and penetration testing with my team for .5 years.
  • Contributed to DevSecOps solutions to integrate proactive security in the CI/CD pipeline for each and every project Mindtree built.
  • Developed tools using Terraform, Qualys, and Faraday to automate red team solutions and DevOps processes.
  • Reported vulnerable microservice configurations for more than 50 clients, including organizations with bug bounty programs.
  • Received the Employee of the Year award two years in a row.
  • Completed various certifications, including Computer Hacking Forensic Investigator, SAS Certified Data Science, and Blockchain Professional Developer.
  • Developed six case studies on red teaming that were used in publications and websites. They demonstrated how Mindtree was able to stop business losses of more than $100 million by securing zero-day vulnerabilities.
  • Focused on offensive cloud security, application security, IoT security, DevSecOps, cloud security, security architecture design, and secure coding practices.
Technologies: Apache Kafka, Agile DevOps, Apache Metron, API Testing, Acunetix Vulnerability Scanner, Amazon Web Services (AWS), Azure, Python 3, Python 2, Web Security, IoT Security, Java Security, SAP Security, CCNP Security, CCNA Security, Web App Security, Security Groups, Security Design, Spring Security, Cloud Security, Server Security, Mobile Security, Security Testing, Payment Security, Security Audits, Database Security, Security Analysis, Endpoint Security, Computer Security, Security Planning, White-hat Security, Security (AES-CCM), Security Architecture, Blockchain, API Architecture, Data Science, H2 Database, Hadoop, Apache Hive, Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, Retina Vulnerability Scanner, Penetration Testing, UI Testing, Testing, QA Testing, Ethical Hacking, Hacking, Certified Ethical Hacker (CEH), Digital Forensics, Memcached, Redis, Redis Cache, Redis Queue, Redis Clusters, Kafka Streams, Apache ZooKeeper, Red Teaming, Windows PowerShell, Bash Script, Bash, Docker, Secure Containers, Container Security, Burp Suite, Burp Proxy, DevSecOps, DevOps, Azure DevOps, Checkmarx, Checkpoints, Cassandra, Cisco Wireless, ClickHouse, Confluence, CrowdStrike, Cryptography, Data Privacy, Dynamic Application Security Testing (DAST), Elasticsearch, Email Security, Firewalls, Forensic Science, GitHub, Google Cloud Platform (GCP), GraphQL, GRC, IDS/IPS, Incident Management, Incident Response, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Java, Jenkins, Jira, Kali Linux, Kubernetes, Kubernetes Operations (kOps), Linux, Machine Learning, MDM, Memory Leaks, Microservices, Microservices Architecture, NIST, Office 365, Ansible, OWASP, Out-of-box Experience (OOBE), OWASP Top 10, Cybersecurity, Palo Alto Networks, Pulumi, Python, Rapid7, Reverse Engineering, Secure Coding, Secure Storage, Secure Web Development, Security Operations Center (SOC), Server-side/Client-side Object Model (SharePoint), SIEM, System on a Chip (SoC), SAP HR Security, Source Code Review, SQL, SQL Injection Protection, Sqlmap, Sumo Logic, Terraform, Threat Analytics, Cyber Threat Hunting, Threat Intelligence, Threat Management Gateway (TMG), Threat Modeling, Unified Threat Management (UTM), VoIP Administration, Wazuh, Wireless Protocols, Wordfence Security, Forensics & CSI, SOC 2, Secure Code Best Practices, Secure Digital Input/Output (SDIO), Secure Automated Lending Technology (SALT), QualysGuard, Offensive Security, Data Governance, IT Governance, Governance, Data Protection, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting

Head of Security

2017 - 2019
Hackxpress
  • Identified vulnerabilities in networks and applications through penetration testing. Employing a strategy that differs from that of other organizations that rely on a tool-based approach, Hackxpress adopted a kill-chain approach and stood out in its assessments.
  • Reported multiple common vulnerabilities and exposures for the IBM Instana product to IBM. Received the Good Samaritan, A1-Injection, and Syringe awards.
  • Handled offensive security services, including scanning for vulnerabilities and producing reports to protect systems from potential attacks.
Technologies: Ethical Hacking, Penetration Testing, Red Teaming, Influencers, Web Marketing, Web App Development, Web App Security, IoT Security, Web Security, Mobile Security, Bug Fixes, Certified Ethical Hacker (CEH), DevSecOps, Cloud Security, Security Design, Offensive Security, Security Architecture, Container Security, Data Governance, IT Governance, Governance, Data Protection, Endpoint Detection and Response (EDR), Shell Scripting, Threat Modeling

Security Engineer

2017 - 2017
Opt IT Technologies (I) Pvt.
  • Received systems used by ransomware attackers and created a methodology for reverse engineering them using memory analysis and signature detection.
  • Built a team to handle memory forensics and security analysis and used Excel sheets every day to keep track of their progress. Reported the team's quarterly progress to the COO and CEO.
  • Collaborated with the client success team to secure the largest client ever for cybersecurity services. The billable hours completed in Q2 and Q3 began to turn a profit.
  • Conducted penetration testing and vulnerability assessments, which became a baseline service for every client during my time at Opt IT.
  • Conducted Office 365 offensive security investigations and forensic investigations for each client.
Technologies: Reverse Engineering, Penetration Testing, Ethical Hacking, Certified Ethical Hacker (CEH), DevSecOps, Azure DevOps, Agile DevOps, Office 365, Apache Metron, SIEM, Wazuh, Red Teaming, Out-of-box Experience (OOBE), Server-side/Client-side Object Model (SharePoint), IoT Security, Web Security, SAP Security, CCNP Security, CCNA Security, Java Security, Cloud Security, Mobile Security, Server Security, Spring Security, Security Groups, Security Audits, Security Design, Web App Security, Payment Security, Security (AES-CCM), Security Testing, Computer Security, Security Planning, Database Security, Security Analysis, Endpoint Security, White-hat Security, Offensive Security, SAP HR Security, Checkmarx, Checkpoints, Palo Alto Networks, Firewalls, IDS/IPS, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Memory Leaks, Ansible, API Testing, Azure, Apache Kafka, Burp Suite, API Architecture, Amazon Web Services (AWS), Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, Acunetix Vulnerability Scanner, Retina Vulnerability Scanner, Kali Linux, Linux, ARM SoC, System on a Chip (SoC), Security Operations Center (SOC), Cryptography, Security Architecture, Data Governance, IT Governance, Data Protection, Shell Scripting, Threat Modeling

Security Analyst

2014 - 2014
Techdefence Labs
  • Researched the OWASP Top 10 vulnerabilities. Although the company was small, the staff were highly skilled and technically knowledgeable.
  • Launched attacks on more than 100 targets per week, including VoIP devices, wifi networks, and web and mobile applications. Generated a report for each target.
  • Received the Certified Cyber Security Expert certification.
  • Designed my first security tool, called Android Custom ROM for Penetration Testing, to do ethical hacking, penetration testing, vulnerability assessment, and command injection on mobile devices, web, VoIP, wifi networks, and local networks.
  • Found my first vulnerability on a Whirlpool India web application.
Technologies: Penetration Testing, Web Security, CCNP Security, Cloud Security, IoT Security, Java Security, OWASP Top 10, OWASP, Sqlmap, SQL, SQL Injection Protection, Forensic Science, Forensics & CSI, Digital Forensics, Wireless Protocols, Cisco Wireless, Mobile Security, VoIP Administration, Security Analysis, Database Security, Server Security, Security Design, Web App Security, Ethical Hacking, DevSecOps, Offensive Security, Security Architecture, Red Teaming, Data Governance, IT Governance, Data Protection, Shell Scripting, Threat Modeling

Infrastructure and DevOps Security

The e-commerce market is one of the most important aspects of the digital economy. The global e-commerce market is expected to exceed $5.6 trillion by 2023. It provides a large and diverse database that can be leveraged across industries to better understand consumer preferences and habits. When a worldwide consumer goods corporation sought to relaunch a website for one of its brands, it had to ensure that the information it handled was secure.

Registered CVE-2023-27290

http://www.ibm.com/support/pages/node/6959969
Registered the CVE-2023-27290 vulnerability for IBM Instana after discovering that the Docker-based data stores did not require authentication. This vulnerability could be exploited by an attacker with network access to the data stores, allowing them to query the data stores with read/write permissions. Please look for my name in the acknowledgement.

End-to-end Cybersecurity

One of the most important aspects of air travel is getting passengers' luggage to their destinations on schedule. As a result, when the world's biggest air transport and communication company wanted to upgrade its baggage handling operations, Hackxpress stepped in to help secure the operations and make millions of customers' travels more convenient.

Microservices Exploitation Project

http://github.com/zipponnova/Microservices-Exploitation
A tool adapted from the MITRE ATT&CK framework, written in Python, for exploiting microservices. The tool first surveys all the microservices in the cloud infrastructure using a boto client and then prepares an exploit for each of the identified microservices. The first step is command and control, after which commands can be executed in another shell and exfiltration performed, leading to lateral movement within the infrastructure.

IT Security Automation Toolkit

http://github.com/zipponnova/IT-Security-Automation-App
A Python Flask-based IT security threat-hunting application that can be used to monitor mobile device management (MDM) versus CrowdStrike deployment. Companies that use Jamf, JumpCloud, or Microsoft Intune to monitor devices and CrowdStrike as endpoint security can thoroughly analyze present versus missing devices.

This tool covers a significant gap in a company's security posture and identifies vulnerable endpoints. It is an automation tool that uses APIs to provide real-time data and actionable items, such as integrating Slack and Jira to further automate the process. The tool also provides metrics in the form of graphs and descriptions to create a detailed report.

In-air Touch Sensor

Developed a touch-based decision system using MPR121 capacitive touch and paramagnetic electronic conductive paint as an aid for referees to provide final decisions for Vivo Pro Kabaddi sports. A patent for the system has been filed and is awaiting approval.

Worked on MIDI and touch technologies to create innovative advertisements, instruments, home automation, and sports decision systems.

Demonstrated a white paper on animal language study through ECG interception and proximity.
2012 - 2016

Bachelor's Degree in Information Technology

BMS Institute of Technology and Management - Bangalore, India

September 2023 - Present

Certified Threat Modeling Professional (CTMP)

Practical DevSecOps

August 2022 - Present

Red Team Ethical Hacking

Udemy

September 2021 - Present

Certified Red Team Expert

Pentester Academy

December 2020 - Present

IELTS

British Council

December 2018 - Present

Blockchain Essentials

IBM

December 2018 - Present

Blockchain Professional Certificate

Global Skill Development Council

December 2018 - December 2021

Computer Hacking Forensic Investigator

EC-Council

April 2017 - Present

Data Science and SAS Certificate

Imarticus Learning

March 2016 - December 2022

Certified Ethical Hacker

EC-Council

September 2014 - Present

Certified Cyber Security Expert

Techdefence

Libraries/APIs

Java Security, Redis Queue, Spark ML, Slack API, Web MIDI, NVD3, Amazon API

Tools

Amazon EKS, Amazon CloudWatch, Amazon Athena, Amazon CloudFront CDN, SAP Security, GitHub, Confluence, Jira, Ansible, Terraform, Jenkins, Sumo Logic, Sqlmap, Checkmarx, Acunetix Vulnerability Scanner, Retina Vulnerability Scanner, Kafka Streams, Apache ZooKeeper, Bro Network Security Monitor, JavaScript Testing, VPN, Splunk, SonarQube, Zed Attack Proxy (ZAP), Amazon Elastic Container Service (Amazon ECS), Slack, Zoom, Shell, AWS CLI, Boto 3, Logging, IBM BPM, Instana, Grafana, Jamf Pro, Microsoft Intune, Amazon Virtual Private Cloud (VPC), Secure Web Gateway (SWG)

Paradigms

Penetration Testing, DevSecOps, Microservices, Microservices Architecture, API Architecture, Azure DevOps, Server-side/Client-side Object Model (SharePoint), Data Science, Testing, DevOps, Secure Code Best Practices, HIPAA Compliance, Business Intelligence (BI), Automation, REST, Security Orchestration, Automation, and Response (SOAR)

Storage

Amazon S3 (AWS S3), Data Lake Design, Data Lakes, Google Cloud, Azure Active Directory, Database Security, Cassandra, ClickHouse, Elasticsearch, SQL Injection Protection, H2 Database, Apache Hive, Memcached, Redis, Redis Cache, Secure Digital Input/Output (SDIO), MongoDB, PostgreSQL, MySQL, CockroachDB, Databases

Platforms

AWS Lambda, Burp Suite, Rapid7, Docker, Kubernetes, Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Blockchain, Apache Kafka, Wazuh, Kali Linux, Linux, QualysGuard, Blockchain Platforms

Industry Expertise

Automotive, Cybersecurity

Languages

SAML, Python, Java, GraphQL, SQL, Python 3, Python 2, Bash Script, Bash, SAS, Embedded C, Falcon, Go

Frameworks

Spring Security, Apache Metron, Hadoop, Windows PowerShell, Presto, Apache Struts 2, Spring Microservice, Core MIDI, Flask

Other

Ethical Hacking, Certified Ethical Hacker (CEH), IoT Security, Web Security, Cloud Security, Security Design, Mobile Security, Web App Security, Server Security, Payment Security, Endpoint Security, Offensive Security, Security Architecture, Red Teaming, Threat Modeling, Container Security, Security, Amazon RDS, Amazon API Gateway, API Gateways, IT Security, CISO, Configuration Management, Information Security, Risk Assessment, Stakeholder Management, App Protection, Static Application Security Testing (SAST), IT Deployments, Security Engineering, Data Governance, IT Governance, Governance, Data Protection, Group Policy, Cloud, Auditing, PCI DSS, ISO 26262, ISO 31000, FIM, Leadership, IT Management, Risk Modeling, Enterprise Risk Management (ERM), SAML-auth, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting, Single Sign-on (SSO), CCNP Security, CCNA Security, Security Audits, Security (AES-CCM), Security Testing, Computer Security, Security Planning, Security Analysis, Security Groups, White-hat Security, Wordfence Security, Threat Analytics, Threat Intelligence, Unified Threat Management (UTM), Threat Management Gateway (TMG), Cyber Threat Hunting, Incident Management, Incident Response, CrowdStrike, MDM, Source Code Review, Secure Containers, Kubernetes Operations (kOps), Secure Coding, Secure Web Development, Secure Storage, Machine Learning, Blockchain Game Development, Dynamic Application Security Testing (DAST), Pulumi, Email Security, OWASP Top 10, OWASP, NIST, SIEM, System on a Chip (SoC), SOC 2, GRC, Data Privacy, API Testing, Forensic Science, Forensics & CSI, Digital Forensics, Wireless Protocols, Cisco Wireless, VoIP Administration, Reverse Engineering, Agile DevOps, Office 365, Out-of-box Experience (OOBE), SAP HR Security, Checkpoints, Palo Alto Networks, Firewalls, IDS/IPS, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Memory Leaks, Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, ARM SoC, Security Operations Center (SOC), Cryptography, UI Testing, QA Testing, Hacking, Redis Clusters, Burp Proxy, Secure Automated Lending Technology (SALT), AWS DevOps, Web Application Firewall (WAF), Networking, Containers, Data-level Security, Zero Trust, Zero-day Vulnerabilities, Cobalt Strike, Slack App, Sandbox to Production, Security Awareness Training, Compliance, SOC Compliance, PCI Compliance, SOX Compliance, MISRA Compliance, Product Compliance, Risk & Compliance, Compliance Training, RESTful Microservices, Bug Fixes, Bug Triage, Bug Leakage, Certified Hacking Forensic Investigator (C|HFI), Artificial Intelligence (AI), English, Communication, Sensor Data, Home Automation, MIDI, Architecture, Influencers, Web Marketing, Web App Development, Teams, WhatsApp, Discord, APIs, SSL Certificates, Prometheus, Exploits, APM, Monitoring, Access Control, Authorization, Authentication, JumpCloud, Microsoft Dynamics 365, Web Dashboards, Web Applications, Applications, API Applications, Web Development, Coding, IT Infrastructure, PSIRT, Risk Management, MITRE, Federated Sign-in, Jamf
