Shahid Hakim
Verified Expert in Engineering
Security Engineer and Software Developer
Shahid is a skilled cybersecurity expert who thrives on challenges, specializing in offensive security, red teaming, threat modeling, and incident response. He is certified in ethical hacking and blockchain security and excels in strategic threat mitigation. He has documented success in creating robust security frameworks and enjoys mentoring others. With each vulnerability he uncovers, Shahid advances cybersecurity for a safer digital world.
Preferred Environment
Penetration Testing, Certified Ethical Hacker (CEH), DevSecOps, IoT Security, Access Control, Vulnerability Management, Threat Modeling, Unified Threat Management (UTM), Red Teaming, Security Architecture
The most amazing...
...project I've authored is a CVE, CVE-2023-27290, for IBM Instana, with a CVSS score of 9.1.
Work Experience
Principal Product Security Engineer
JumpCloud
- Handled the security architecture of authentication standards (OAuth 2.0, OpenID Connect, SAML, JWT, federated login), cryptography (TLS, X.509), and access control (RBAC, ABAC).
- Integrated SAST, DAST, and IAST tools, established a security-centric DevSecOps workflow, and ensured daily AWS and GCP container security monitoring, including dynamic aspects such as mTLS.
- Introduced threat modeling as code with templates, incorporated OWASP risk rating, promoted risk-based engineering decisions, and gamified threat modeling with tools such as Threatspec and LINDDUN GO.
- Led a PSIRT operation, reduced incident tickets, and provided weekly updates to team leads on security initiatives, threat models, VDP reports, DevSecOps programs, and incident management to strengthen product security.
- Led a comprehensive external penetration testing program to strengthen product security, championed a "secure by design" culture, and integrated proactive security measures into the product engineering process.
- Specialized in Kubernetes container security and cloud-native concepts, operating enterprise solutions, collaborating on requirements, and ensuring security standards, with an IT or computer science background and a customer-centric focus.
Security Engineering Lead
6sense
- Performed threat hunting on endpoints by exploring and correlating large datasets, and issued customer alerts in a timely manner.
- Uncovered novel attack techniques and monitored and cataloged changes in activity group tradecraft.
- Gained knowledge of new attack tools, tactics, and procedures and leveraged existing ones to improve the customers' security posture.
- Investigated threats and created and maintained high-fidelity detection rules while engaging and collaborating with the infrastructure, data science, and engineering teams. Developed custom indicators of compromise (IOCs) for each group based on severity.
- Used CrowdStrike, Jamf, JumpCloud, Office 365, Wazuh, and Rapid7 InsightVM to implement endpoint security for each user, as well as automated remediation and real-time response for each IOC and indicator of attack (IOA).
- Created threat modeling for data in transit and implemented best security practices for each microservice.
- Built maturity models and specialized security architecture add-ons for each of the 6sense vendors. Tracked my work in Jira to create a smooth transition. Used Confluence and Slack to create a knowledge base for each input.
- Performed penetration testing of internal and external networks, applications, APIs, and cloud assets, as well as red and purple team assessments. Led the bug bounty program with a turnaround time of one day or less.
- Integrated deep logging and monitoring platforms and created alerts using Splunk, Sumo Logic, and CrowdStrike as threat intelligence sources. This reduced incident response time to under seven days and saved money by lowering data costs.
- Ensured timely resolution, necessary communication, and escalation of obsolete and critical infrastructure tickets by conducting QA of incidents.
Red Team Lead
Mindtree
- Started a cybersecurity center of excellence team in Mindtree and reported directly to the CTO.
- Established a research and development group with the goal of developing signature-based attacks through hypothesis-based red teaming. This process was carried out to develop IOCs for Apache Metron.
- Created security tools for SIEM, vulnerability assessment, and penetration testing together with my team over .5 years.
- Contributed to DevSecOps solutions to integrate proactive security in the CI/CD pipeline for each and every project Mindtree built.
- Developed tooling with Terraform, Qualys, and Faraday to automate red team solutions and DevOps processes.
- Reported vulnerable microservice configurations for more than 50 clients, including organizations with bug bounty programs.
- Received the Employee of the Year award two years in a row.
- Completed various certifications, including Computer Hacking and Forensic Investigator, SAS-certified data science, and Blockchain Professional Developer.
- Developed six case studies on red teaming that were used in publications and on websites. They demonstrated how Mindtree was able to stop business losses of more than $100 million by securing zero-day vulnerabilities.
- Focused on offensive cloud security, application security, IoT security, DevSecOps, cloud security, security architecture design, and secure coding practices.
Head of Security
Hackxpress
- Identified vulnerabilities in networks and applications through penetration testing. Employing a strategy that differs from that of other organizations, which rely on a tool-based approach, Hackxpress adopted a kill-chain methodology and stood out in its assessments.
- Reported multiple common vulnerabilities and exposures in the IBM Instana product to IBM. Received the Good Samaritan, A1-Injection, and Injector awards.
- Handled offensive security services, including scanning for vulnerabilities and producing reports to protect systems from potential attacks.
Security Engineer
Opt IT Technologies (I) Private
- Received systems used by ransomware attackers and created a methodology for reverse engineering them using memory analysis and signature detection.
- Built a team to handle memory forensics and security analysis and used Excel sheets every day to keep track of their progress. Reported the team's quarterly progress to the COO and CEO.
- Collaborated with the client success team to secure the largest client ever for cybersecurity services. The billable hours completed in Q2 and Q3 started to turn a profit.
- Conducted penetration testing and vulnerability assessments; during my time at Opt IT, these services became a baseline offering for every client.
- Conducted Office 365 offensive security investigations and forensic investigations for each client.
Security Analyst
Techdefence Labs
- Researched the OWASP Top 10 vulnerabilities. Despite the company's small size, the staff were of high caliber and had deep technical knowledge.
- Launched attacks against more than 100 targets per week, including VoIP devices, Wi-Fi networks, and web and mobile applications. For each target, I generated a report.
- Obtained the Certified Cyber Security Expert certification.
- Designed my first security tool, called Android Custom ROM for Penetration Testing, to perform ethical hacking, penetration testing, vulnerability assessment, and command injection on mobile devices, web, VoIP, Wi-Fi networks, and local networks.
- Found my first vulnerability in a Whirlpool India web application.
Experience
Infrastructure and DevOps Security
Registered CVE-2023-27290
http://www.ibm.com/support/pages/node/6959969
End-to-End Cybersecurity
Microservices Development Project
http://github.com/zipponnova/Microservices-Exploitation
IT Security Automation Toolkit
http://github.com/zipponnova/IT-Security-Automation-App
This tool covers a significant gap in the company's security posture and identifies vulnerable endpoints. It is an automation tool that uses APIs to provide real-time data and actionable items, such as integrating Slack and Jira to automate processes further. The tool also provides metrics in the form of graphs and descriptions to create a detailed report.
In-air Touch Sensor
Worked on MIDI and touch technology to create innovative advertising, instruments, home automation, and sports decision systems.
Demonstrated a white paper on animal language study through ECG interception and proximity.
Education
Bachelor's Degree in Information Technology
BMS Institute of Technology and Management - Bangalore, India
Certifications
Certified Threat Modeling Professional (CTMP)
Practical DevSecOps
Red Team Ethical Hacking
Udemy
Certified Red Team Expert
Pentester Academy
IELTS
British Council
Blockchain Essentials
IBM
Blockchain Professional Certificate
Global Skill Development Council
Computer Hacking Forensic Investigator
EC-Council
Data Science and SAS Certificate
Imarticus Learning
Certified Ethical Hacker
EC-Council
Certified Cyber Security Expert
Techdefence
Skills
Libraries/APIs
Java Security, Redis Queue, Spark ML, Slack API, Web MIDI, NVD3, Amazon API
Tools
Amazon EKS, Amazon CloudWatch, Amazon Athena, Amazon CloudFront CDN, SAP Security, GitHub, Confluence, Jira, Ansible, Terraform, Jenkins, Sumo Logic, Sqlmap, Checkmarx, Acunetix Vulnerability Scanner, Retina Vulnerability Scanner, Kafka Streams, Apache ZooKeeper, Bro Network Security Monitor, JavaScript Testing, VPN, Splunk, SonarQube, Zed Attack Proxy (ZAP), Amazon Elastic Container Service (Amazon ECS), Slack, Zoom, Shell, AWS CLI, Boto 3, Logging, IBM BPM, Instana, Grafana, Jamf Pro, Microsoft Intune, Amazon Virtual Private Cloud (VPC), Secure Web Gateway (SWG)
Paradigms
Penetration Testing, DevSecOps, Microservices, Microservices Architecture, API Architecture, Azure DevOps, Server-side/Client-side Object Model (SharePoint), Data Science, Testing, DevOps, Secure Coding Best Practices, HIPAA Compliance, Business Intelligence (BI), Automation, REST, Security Orchestration, Automation, and Response (SOAR)
Storage
Amazon S3 (AWS S3), Data Lake Design, Data Lakes, Google Cloud, Azure Active Directory, Database Security, Cassandra, ClickHouse, Elasticsearch, SQL Injection Protection, H2 Database, Apache Hive, Memcached, Redis, Redis Cache, Secure Digital Input/Output (SDIO), MongoDB, PostgreSQL, MySQL, CockroachDB, Databases
Platforms
AWS Lambda, Burp Suite, Rapid7, Docker, Kubernetes, Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Blockchain, Apache Kafka, Wazuh, Kali Linux, Linux, QualysGuard, Blockchain Platforms
Industry Expertise
Automotive, Cybersecurity
Languages
SAML, Python, Java, GraphQL, SQL, Python 3, Python 2, Bash Script, Bash, SAS, Embedded C, Falcon, Go
Frameworks
Spring Security, Apache Metron, Hadoop, Windows PowerShell, Presto, Apache Struts 2, Spring Microservice, Core MIDI, Flask
Other
Ethical Hacking, Certified Ethical Hacker (CEH), IoT Security, Web Security, Cloud Security, Security Design, Mobile Security, Web App Security, Server Security, Payment Security, Endpoint Security, Offensive Security, Security Architecture, Red Teaming, Threat Modeling, Container Security, Security, Amazon RDS, Amazon API Gateway, API Gateways, IT Security, CISO, Configuration Management, Information Security, Risk Assessment, Stakeholder Management, App Protection, Static Application Security Testing (SAST), IT Deployments, Security Engineering, Data Governance, IT Governance, Governance, Data Protection, Group Policy, Cloud, Auditing, PCI DSS, ISO 26262, ISO 31000, FIM, Leadership, IT Management, Risk Modeling, Enterprise Risk Management (ERM), SAML-auth, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting, Single Sign-on (SSO), CCNP Security, CCNA Security, Security Audits, Security (AES-CCM), Security Testing, Computer Security, Security Planning, Security Analysis, Security Groups, White-hat Security, Wordfence Security, Threat Analytics, Threat Intelligence, Unified Threat Management (UTM), Threat Management Gateway (TMG), Cyber Threat Hunting, Incident Management, Incident Response, CrowdStrike, MDM, Source Code Review, Secure Containers, Kubernetes Operations (kOps), Secure Coding, Secure Web Development, Secure Storage, Machine Learning, Blockchain Game Development, Dynamic Application Security Testing (DAST), Pulumi, Email Security, OWASP Top 10, OWASP, NIST, SIEM, System on a Chip (SoC), SOC 2, GRC, Data Privacy, API Testing, Forensic Science, Forensics & CSI, Digital Forensics, Wireless Protocols, Cisco Wireless, VoIP Administration, Reverse Engineering, Agile DevOps, Office 365, Out-of-Box Experience (OOBE), SAP HR Security, Checkpoints, Palo Alto Networks, Firewalls, IDS/IPS, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Memory Leaks, Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, ARM SoC, Security Operations Center (SOC), Cryptography, UI Testing, QA Testing, Hacking, Redis Clusters, Burp Proxy, Secured Automated Lending Technology (SALT), AWS DevOps, Web Application Firewall (WAF), Networking, Containers, Data-level Security, Zero Trust, Zero-day Vulnerabilities, Cobalt Strike, Slack App, Sandbox to Production, Security Awareness Training, Compliance, SOC Compliance, PCI Compliance, SOX Compliance, MISRA Compliance, Product Compliance, Risk & Compliance, Compliance Training, RESTful Microservices, Bug Fixes, Bug Triage, Bug Leakage, Certified Hacking Forensic Investigator (C|HFI), Artificial Intelligence (AI), English, Communication, Sensor Data, Home Automation, MIDI, Architecture, Influencers, Web Marketing, Web App Development, Teams, WhatsApp, Discord, APIs, SSL Certificates, Prometheus, Exploits, APM, Monitoring, Access Control, Authorization, Authentication, JumpCloud, Microsoft Dynamics 365, Web Dashboards, Web Applications, Applications, API Applications, Web Development, Coding, IT Infrastructure, PSIRT, Risk Management, MITRE, Federated Sign-in, Jamf