DevSecOps, application security, and penetration test
Aktualisiert am 14.06.2024
Profil
Freiberufler / Selbstständiger
Remote-Arbeit
Verfügbar ab: 01.07.2024
Verfügbar zu: 100%
davon vor Ort: 100%
Web application security
OWASP
Cloud Security
Kubernetes
Penetrationstest
Persian
Muttersprache
English
Professional working proficiency

Einsatzorte

Einsatzorte

Deutschland, Schweiz, Österreich
möglich

Projekte

Projekte

9 months
2023-10 - now

Defining Scoutbee?s security strategies

Principal DevSecOps Engineer
Principal DevSecOps Engineer
  • Defining Scoutbee?s security strategies to make sure our product and services are secure and in compliance with the standards and regulations we are following.
  • Collaboration with development teams to implement best practices based on Secure Coding principles and define secure CI/CD guardrails to keep the development pipelines in the rail.
  • Collaborated with the infra/SRE team to identify security vulnerabilities and misconfigurations. Established IaC scanning, CNAPP, and Policy as Code for deployment on cloud providers to improve understanding and visibility.
  • Performing threat modeling and secure coding workshops to identify the threats and plan to fix them in the design and developing phase (Shift-left mindset) and promote a clutter of DevSecOps.
ScoutBee GmbH
1 year 2 months
2022-08 - 2023-09

Spearheaded the implementation of security-focused software development practices

Senior DevSecOps Engineer
Senior DevSecOps Engineer
  • Spearheaded the implementation of security-focused software development practices, including SAST, SCA, IaC, PaC, and DAST, in the CI/CD pipelines to enhance the security posture of applications and infrastructure for four main projects and reduce 20% costs and time of fixing security issues.
  • Prepared threat modeling exercises to identify security risks and vulnerabilities in software designs and implemented countermeasures to mitigate them before starting development, helping to cut 30% of potential issues.
  • Led and managed penetration testing and vulnerability management programs and coordinated with development and operations teams to prioritize and remediate issues to reduce time to resolve security vulnerabilities by 15% and improve the product?s security level by at least 15%.
  • Initiated the shift-left strategy and the DevSecOps culture to have early detection and mitigation of security risks throughout the SDLC, by reducing 25% security risk in the SDLC process.
  • Performed security assessments and audits of applications, Applications, and infrastructure to maintain compliance with industry standards and regulations, such as ISO 27001, TISAX, SOC2, and GDPR.
ScoutBee GmbH
6 months
2022-02 - 2022-07

Implemented application/API security measures, secure coding practices

Senior Security Engineer
Senior Security Engineer
  • Implemented application/API security measures, secure coding practices, and authentication/authorization mechanisms to ensure the security of applications and APIs by reducing 20% of the security risks.
  • Designed and executed security controls for cloud infrastructure to mitigate security risks in the cloud environment. To improve 50% AWS and 30% Kubernetes security level.
  • Led penetration testing and vulnerability management programs to identify and remediate vulnerabilities across applications, APIs, and infrastructure.
  • Conducted security assessments and audits of applications, APIs, andinfrastructure  to maintain compliance with industry standards and regulations, such as ISO 27001, SOC2, and GDPR.
NewStrore GmbH
6 months
2021-09 - 2022-02

Executed DevSecOps technologies

Engineering Lead DevSecOps
Engineering Lead DevSecOps
  • Executed DevSecOps technologies in the CI/CD pipelines to enhance applications and infrastructure security. I Integrated 65% of new services with DevSecOps technologies.
  • Accomplished threat modeling exercises to identify security issues in software designs and implementations. And design countermeasures to mitigate them to lessen service security risks.
  • Advocated the shift-left strategy and DevSecOps culture by initiating threat modeling and actively collaborating with DevOps teams to integrate security into the SDLC, promoting continuous improvement and security awareness.
Henkel AG
2 years 2 months
2019-07 - 2021-08

Conducted periodic and on-demand vulnerability assessments

Senior Security Engineer
Senior Security Engineer
  • Conducted periodic and on-demand vulnerability assessments and penetration tests to identify and remediate security vulnerabilities across applications, APIs, and infrastructure.
  • Designed and evaluated cloud/hybrid infrastructure development leveraging Azure IaaS and PaaS, ensuring confidentiality, integrity, and availability of data and services.
  • Analyzed software designs, implementations, and infrastructure through threat modeling to identify security issues and design countermeasures, resulting in the improved security posture of applications and infrastructure.
  • Performed security testing and code review as part of the SDLC pipeline, promoting the shift-left strategy and DevSecOps culture, and implemented SAST, SCA, and DAST in the CI/CD pipelines to enhance the security of applications and infrastructure.
  • Collaborated with development, operations, and security teams to foster a culture of continuous improvement and security awareness, ensuring security was integrated into the DevOps processes and workflows.
Raisin GmbH
11 months
2018-06 - 2019-04

Conducted and managed regular vulnerability assessments

Security Red Team Lead
Security Red Team Lead
  • Conducted and managed regular vulnerability assessments and penetration testing programs on IT services to identify and remediate security vulnerabilities across networks, applications, and systems.
  • Worked closely with the DevOps team to find security issues and automate some test cases, promoting a culture of security awareness and continuous improvement.
  • Reviewed service architecture and performed threat modeling documents for significant services to identify security weaknesses and design countermeasures, ensuring the confidentiality, integrity, and availability of data and services.
  • Defined and enforced IT infrastructure security checklists for new and existing systems considering regulatory and industry standards, ensuring compliance and minimizing risk exposure.
  • Developed and implemented security tools and automation scripts to enhance the IT security process, improving the efficiency and effectiveness of the security team's operations and reducing human errors.
MTN Irancell
2 years 10 months
2016-03 - 2018-12

Conducted comprehensive web application penetration testing

Penetration Tester
Penetration Tester
  • Conducted comprehensive web application penetration testing using tools such as Burp Suite, OWASP ZAP, and Nmap to identify security vulnerabilities, such as cross site scripting (XSS), SQL injection, and insecure authentication mechanisms.
  • Conducted thorough penetration testing of mobile applications for iOS and Android platforms, using tools such as MobSF, APK Analyzer, and Frida, to identify security vulnerabilities, such as insecure data storage, improper authentication, and weak encryption.
  • Created detailed reports outlining the identified vulnerabilities, along with recommendations for remediation and risk mitigation, and presented these findings to development and management teams.
Atieh Dadeh Pardaz
2 years 7 months
2015-11 - 2018-05

Conducted and managed penetration testing

Security Engineer
Security Engineer
  • Conducted and managed penetration testing and vulnerability assessment programs on IT services, including networks, systems, and applications, to identify security vulnerabilities and remediate them promptly.
  • Collaborated with the security team to design and implement security controls and countermeasures, including firewalls, intrusion detection/prevention systems, and security information and event management (SIEM) solutions, to protect against cyber threats and attacks.
  • Reviewed service architecture and performed threat modeling to identify potential security risks and vulnerabilities, designing and implementing mitigation strategies to ensure the confidentiality, integrity, and availability of data and services.
  • Contributed to the development and implementation of security policies, procedures, and standards based on regulatory and industry best practices, ensuring compliance and reducing the risk exposure of the organization.
Red Team, MTN Irancell
2 years 7 months
2013-04 - 2015-10

Conducted penetration tests and vulnerability assessments

Security Engineer (Pentester)
Security Engineer (Pentester)
  • Conducted penetration tests and vulnerability assessments to identify and report security weaknesses in client systems.
  • Provided consultation services to clients on improving system and network security measures.
  • Developed and implemented security dashboards to provide clients with real-time security monitoring and reporting capabilities.
Ertebat Gostar
5 years 1 month
2008-03 - 2013-03

Provided consultation services to clients on improving system

Security Engineer (Pentester)
Security Engineer (Pentester)
  • Conducted penetration tests and vulnerability assessments to identify and report security weaknesses in client systems.
  • Provided consultation services to clients on improving system and network security measures.
  • Developed and implemented security dashboards to provide clients with real-time security monitoring and reporting capabilities.
IDSco

Aus- und Weiterbildung

Aus- und Weiterbildung

2011 - 2013:

Software Engineering

Bachelor

jdeihe.ac.ir


2006 - 2009:

Computer Software Engineering

Associate

jdeihe.ac.ir


Certificates:

  • Link on request

Kompetenzen

Kompetenzen

Top-Skills

Web application security OWASP Cloud Security Kubernetes Penetrationstest

Produkte / Standards / Erfahrungen / Methoden

SUMMARY

  • I am a Security Engineer with a decade of experience in Telco, FinTech, Retail, and SasS. My expertise includes security-focused software development practices, threat modeling, penetration testing, and vulnerability management.
  • I help companies adopt DevSecOps to produce more secure products with less effort and cost. I can communicate security concerns in a language that makes sense to both technical and non-technical departments.
  • As an active contributor to the global security community, I lead the OWASP DevSecOps Guideline project. I advocate for AppSec and DevSecOps, speaking at events to influence security in technology


SOFT SKILLS

  • Strong communication skills gained from interacting with colleagues, clients, and customers.
  • Collaborative team player with excellent knowledge-sharing abilities.
  • Experience in managing a team of 8 engineers and handling stakeholder management, conflict resolution, and business prioritization.
  • Ability to effectively communicate technical concepts to non-technical stakeholders.


TECHNICAL SKILLS

Security standards

  • Familiar with security standards and frameworks such as ISO27001, SOC2, TISAX, PCI-DSS, NIST800, OWASP, and GDPR.


Vulnerability Assessment and Penetration test

Strong practical knowledge of penetration tests and logical and business-based security bugs.

  • Pentest tools {Burp suite, SQLMap, and Metasploit}
  • Mobile pentest tools {drozer, and bug, Frida, Inspeckage, MobSF, and apktools}
  • Vulnerability scanner {Nessus, InsightVm, Nexpose, and OpenVAS}


Cloud and Container

  • Hands-on experience with AWS, GCP, and Azure as public cloud providers and in the container side Kubernetes (CKA and CKS Certified) working with GitOps solutions like Flux and ArgoCD


Software Development

  • Computer programming background Bash, Python, Go, and JavaScript


DevOps Experiences

  • Hands-on experience working with varent of CI/CD like GitHub, Gitlab, and Azure DevOps.


Infra Experiences

  • Hands-on experience working with Terraform, and Pulumi.


RESEARCH EXPERIENCE

12/2016 - today:

Role: Security Researcher

Customer: OWASP Foundation


Tasks:

  • The OWASP DevSecOps guideline project leader.
  • The OWASP MSTG (Mobile Security Testing Guide) project contributor.

Betriebssysteme

Linux
A good background
Windows Operating Systems
A good background

Einsatzorte

Einsatzorte

Deutschland, Schweiz, Österreich
möglich

Projekte

Projekte

9 months
2023-10 - now

Defining Scoutbee?s security strategies

Principal DevSecOps Engineer
Principal DevSecOps Engineer
  • Defining Scoutbee?s security strategies to make sure our product and services are secure and in compliance with the standards and regulations we are following.
  • Collaboration with development teams to implement best practices based on Secure Coding principles and define secure CI/CD guardrails to keep the development pipelines in the rail.
  • Collaborated with the infra/SRE team to identify security vulnerabilities and misconfigurations. Established IaC scanning, CNAPP, and Policy as Code for deployment on cloud providers to improve understanding and visibility.
  • Performing threat modeling and secure coding workshops to identify the threats and plan to fix them in the design and developing phase (Shift-left mindset) and promote a clutter of DevSecOps.
ScoutBee GmbH
1 year 2 months
2022-08 - 2023-09

Spearheaded the implementation of security-focused software development practices

Senior DevSecOps Engineer
Senior DevSecOps Engineer
  • Spearheaded the implementation of security-focused software development practices, including SAST, SCA, IaC, PaC, and DAST, in the CI/CD pipelines to enhance the security posture of applications and infrastructure for four main projects and reduce 20% costs and time of fixing security issues.
  • Prepared threat modeling exercises to identify security risks and vulnerabilities in software designs and implemented countermeasures to mitigate them before starting development, helping to cut 30% of potential issues.
  • Led and managed penetration testing and vulnerability management programs and coordinated with development and operations teams to prioritize and remediate issues to reduce time to resolve security vulnerabilities by 15% and improve the product?s security level by at least 15%.
  • Initiated the shift-left strategy and the DevSecOps culture to have early detection and mitigation of security risks throughout the SDLC, by reducing 25% security risk in the SDLC process.
  • Performed security assessments and audits of applications, Applications, and infrastructure to maintain compliance with industry standards and regulations, such as ISO 27001, TISAX, SOC2, and GDPR.
ScoutBee GmbH
6 months
2022-02 - 2022-07

Implemented application/API security measures, secure coding practices

Senior Security Engineer
Senior Security Engineer
  • Implemented application/API security measures, secure coding practices, and authentication/authorization mechanisms to ensure the security of applications and APIs by reducing 20% of the security risks.
  • Designed and executed security controls for cloud infrastructure to mitigate security risks in the cloud environment. To improve 50% AWS and 30% Kubernetes security level.
  • Led penetration testing and vulnerability management programs to identify and remediate vulnerabilities across applications, APIs, and infrastructure.
  • Conducted security assessments and audits of applications, APIs, andinfrastructure  to maintain compliance with industry standards and regulations, such as ISO 27001, SOC2, and GDPR.
NewStrore GmbH
6 months
2021-09 - 2022-02

Executed DevSecOps technologies

Engineering Lead DevSecOps
Engineering Lead DevSecOps
  • Executed DevSecOps technologies in the CI/CD pipelines to enhance applications and infrastructure security. I Integrated 65% of new services with DevSecOps technologies.
  • Accomplished threat modeling exercises to identify security issues in software designs and implementations. And design countermeasures to mitigate them to lessen service security risks.
  • Advocated the shift-left strategy and DevSecOps culture by initiating threat modeling and actively collaborating with DevOps teams to integrate security into the SDLC, promoting continuous improvement and security awareness.
Henkel AG
2 years 2 months
2019-07 - 2021-08

Conducted periodic and on-demand vulnerability assessments

Senior Security Engineer
Senior Security Engineer
  • Conducted periodic and on-demand vulnerability assessments and penetration tests to identify and remediate security vulnerabilities across applications, APIs, and infrastructure.
  • Designed and evaluated cloud/hybrid infrastructure development leveraging Azure IaaS and PaaS, ensuring confidentiality, integrity, and availability of data and services.
  • Analyzed software designs, implementations, and infrastructure through threat modeling to identify security issues and design countermeasures, resulting in the improved security posture of applications and infrastructure.
  • Performed security testing and code review as part of the SDLC pipeline, promoting the shift-left strategy and DevSecOps culture, and implemented SAST, SCA, and DAST in the CI/CD pipelines to enhance the security of applications and infrastructure.
  • Collaborated with development, operations, and security teams to foster a culture of continuous improvement and security awareness, ensuring security was integrated into the DevOps processes and workflows.
Raisin GmbH
11 months
2018-06 - 2019-04

Conducted and managed regular vulnerability assessments

Security Red Team Lead
Security Red Team Lead
  • Conducted and managed regular vulnerability assessments and penetration testing programs on IT services to identify and remediate security vulnerabilities across networks, applications, and systems.
  • Worked closely with the DevOps team to find security issues and automate some test cases, promoting a culture of security awareness and continuous improvement.
  • Reviewed service architecture and performed threat modeling documents for significant services to identify security weaknesses and design countermeasures, ensuring the confidentiality, integrity, and availability of data and services.
  • Defined and enforced IT infrastructure security checklists for new and existing systems considering regulatory and industry standards, ensuring compliance and minimizing risk exposure.
  • Developed and implemented security tools and automation scripts to enhance the IT security process, improving the efficiency and effectiveness of the security team's operations and reducing human errors.
MTN Irancell
2 years 10 months
2016-03 - 2018-12

Conducted comprehensive web application penetration testing

Penetration Tester
Penetration Tester
  • Conducted comprehensive web application penetration testing using tools such as Burp Suite, OWASP ZAP, and Nmap to identify security vulnerabilities, such as cross site scripting (XSS), SQL injection, and insecure authentication mechanisms.
  • Conducted thorough penetration testing of mobile applications for iOS and Android platforms, using tools such as MobSF, APK Analyzer, and Frida, to identify security vulnerabilities, such as insecure data storage, improper authentication, and weak encryption.
  • Created detailed reports outlining the identified vulnerabilities, along with recommendations for remediation and risk mitigation, and presented these findings to development and management teams.
Atieh Dadeh Pardaz
2 years 7 months
2015-11 - 2018-05

Conducted and managed penetration testing

Security Engineer
Security Engineer
  • Conducted and managed penetration testing and vulnerability assessment programs on IT services, including networks, systems, and applications, to identify security vulnerabilities and remediate them promptly.
  • Collaborated with the security team to design and implement security controls and countermeasures, including firewalls, intrusion detection/prevention systems, and security information and event management (SIEM) solutions, to protect against cyber threats and attacks.
  • Reviewed service architecture and performed threat modeling to identify potential security risks and vulnerabilities, designing and implementing mitigation strategies to ensure the confidentiality, integrity, and availability of data and services.
  • Contributed to the development and implementation of security policies, procedures, and standards based on regulatory and industry best practices, ensuring compliance and reducing the risk exposure of the organization.
Red Team, MTN Irancell
2 years 7 months
2013-04 - 2015-10

Conducted penetration tests and vulnerability assessments

Security Engineer (Pentester)
Security Engineer (Pentester)
  • Conducted penetration tests and vulnerability assessments to identify and report security weaknesses in client systems.
  • Provided consultation services to clients on improving system and network security measures.
  • Developed and implemented security dashboards to provide clients with real-time security monitoring and reporting capabilities.
Ertebat Gostar
5 years 1 month
2008-03 - 2013-03

Provided consultation services to clients on improving system

Security Engineer (Pentester)
Security Engineer (Pentester)
  • Conducted penetration tests and vulnerability assessments to identify and report security weaknesses in client systems.
  • Provided consultation services to clients on improving system and network security measures.
  • Developed and implemented security dashboards to provide clients with real-time security monitoring and reporting capabilities.
IDSco

Aus- und Weiterbildung

Aus- und Weiterbildung

2011 - 2013:

Software Engineering

Bachelor

jdeihe.ac.ir


2006 - 2009:

Computer Software Engineering

Associate

jdeihe.ac.ir


Certificates:

  • Link on request

Kompetenzen

Kompetenzen

Top-Skills

Web application security OWASP Cloud Security Kubernetes Penetrationstest

Produkte / Standards / Erfahrungen / Methoden

SUMMARY

  • I am a Security Engineer with a decade of experience in Telco, FinTech, Retail, and SasS. My expertise includes security-focused software development practices, threat modeling, penetration testing, and vulnerability management.
  • I help companies adopt DevSecOps to produce more secure products with less effort and cost. I can communicate security concerns in a language that makes sense to both technical and non-technical departments.
  • As an active contributor to the global security community, I lead the OWASP DevSecOps Guideline project. I advocate for AppSec and DevSecOps, speaking at events to influence security in technology


SOFT SKILLS

  • Strong communication skills gained from interacting with colleagues, clients, and customers.
  • Collaborative team player with excellent knowledge-sharing abilities.
  • Experience in managing a team of 8 engineers and handling stakeholder management, conflict resolution, and business prioritization.
  • Ability to effectively communicate technical concepts to non-technical stakeholders.


TECHNICAL SKILLS

Security standards

  • Familiar with security standards and frameworks such as ISO27001, SOC2, TISAX, PCI-DSS, NIST800, OWASP, and GDPR.


Vulnerability Assessment and Penetration test

Strong practical knowledge of penetration tests and logical and business-based security bugs.

  • Pentest tools {Burp suite, SQLMap, and Metasploit}
  • Mobile pentest tools {drozer, and bug, Frida, Inspeckage, MobSF, and apktools}
  • Vulnerability scanner {Nessus, InsightVm, Nexpose, and OpenVAS}


Cloud and Container

  • Hands-on experience with AWS, GCP, and Azure as public cloud providers and in the container side Kubernetes (CKA and CKS Certified) working with GitOps solutions like Flux and ArgoCD


Software Development

  • Computer programming background Bash, Python, Go, and JavaScript


DevOps Experiences

  • Hands-on experience working with varent of CI/CD like GitHub, Gitlab, and Azure DevOps.


Infra Experiences

  • Hands-on experience working with Terraform, and Pulumi.


RESEARCH EXPERIENCE

12/2016 - today:

Role: Security Researcher

Customer: OWASP Foundation


Tasks:

  • The OWASP DevSecOps guideline project leader.
  • The OWASP MSTG (Mobile Security Testing Guide) project contributor.

Betriebssysteme

Linux
A good background
Windows Operating Systems
A good background

Vertrauen Sie auf Randstad

Im Bereich Freelancing
Im Bereich Arbeitnehmerüberlassung / Personalvermittlung

Fragen?

Rufen Sie uns an +49 89 500316-300 oder schreiben Sie uns:

Das Freelancer-Portal

Direktester geht's nicht! Ganz einfach Freelancer finden und direkt Kontakt aufnehmen.