Ravindra Annam

Cyber Security Professional
Hyderabad

Summary

Results-oriented security architect, consultant, analyst, and leader with a Certified Ethical Hacker certification. Specializes in application vulnerability assessment, penetration testing, security as code, API security testing, DevSecOps, container image assessment, software composition analysis (SCA), secure design reviews, static application security testing, threat modeling, and security architecture. Proven expertise in leading the application security vertical and ensuring the highest level of security for organizations. Extensive experience with OWASP Top 10 web and API vulnerabilities, as well as SANS Top 25 vulnerabilities. Skilled in DAST, SAST, SCA, DevSecOps, API security, container image security, threat modeling, SSDLC, security architecture, and product security. Additionally, adept at application performance tuning and analysis. Known for providing exceptional support to a large customer base and possessing strong proficiency in Java/J2EE languages. Offers 19 years of experience in IT with over 17 years of expertise in the application security assurance area.

Overview

18 years of professional experience
7 years of post-secondary education
2 certifications

Work History

Secure Product Development / Threat Modeling Expert

NTT Data
01.2024 - Current

A highly skilled Threat Modeling Expert with extensive experience in identifying, assessing, and mitigating security risks throughout the software development lifecycle. Adept at developing comprehensive threat models and implementing security controls across various domains, including authentication, authorization, data protection, logging, monitoring, and vulnerability management. Strong expertise in disaster recovery and business continuity planning, ensuring resilient and secure systems.


  • Conduct comprehensive threat modeling exercises to identify potential security threats and vulnerabilities in applications and systems.
  • Assess risks associated with various attack vectors and develop mitigation strategies to address identified risks.
  • Collaborate with development teams to integrate security controls into the software development lifecycle (SDLC).
  • Conducted thorough assessments of authentication protocols and identified potential risks in authentication flows.
  • Implemented secure password policies and session management practices.
  • Evaluated and refined authorization processes to minimize risks associated with privilege escalation.
  • Collaborated with development teams to integrate authorization checks within application workflows.
  • Regularly reviewed and refined logging configurations to ensure compliance with security policies and regulations.
  • Conducted data privacy impact assessments (DPIAs) and ensured alignment with data protection regulations like GDPR.
  • Led vulnerability identification, assessment, and remediation processes to ensure the organization's systems are protected against known threats.
  • Utilized automated scanning tools and manual techniques to identify vulnerabilities in applications, networks, and systems.
  • Collaborated with development teams to integrate secure coding practices and remediation strategies within the software development lifecycle (SDLC).
  • Conducted regular disaster recovery tests to validate the effectiveness of recovery strategies and improve response times.
  • Coordinated with cross-functional teams to ensure critical systems and data are recoverable within defined RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives).
  • Conducted business impact analyses (BIAs) to identify critical business functions and dependencies.
  • Led training and awareness programs to ensure that employees are prepared to execute the BCP in the event of an incident.
  • Reviewed and enforced secure coding practices related to input validation across development teams.
  • Conducted threat modeling exercises to identify and mitigate input validation vulnerabilities early in the SDLC.


Security Architect

EY
03.2021 - 12.2023
  • As Application Security Architect/Consultant, my responsibilities include, but are not limited to, the following.
  • Develop security requirements, design patterns, and templates for teams.
  • Develop threat models to prioritize scope.
  • Security design reviews of applications, systems, and networks.
  • Define security best practices and standards.
  • Continuously review and identify security improvement opportunities in existing processes, services, and workflows.
  • Participate in architecture design reviews with senior engineering and product management to provide guidance on defining and incorporating effective threat modeling (STRIDE) and security standards into product design.
  • Deployed controls within CI/CD pipelines for SAST, DAST, and third-party library analysis.
  • Work with the product teams to support proactive research in the area of secure coding, integrate new languages, and investigate new tooling to mitigate emerging threats, vulnerabilities, tactics, techniques, and procedures.
  • Integrated application security toolsets into product teams' CI/CD pipelines.
  • Perform web application assessments, source-code reviews, SCA, and API security testing.
  • Integrated SAST findings into product team agile management tooling (e.g., Jira); triaged and wrote PoCs for true vulnerabilities.
  • Experience in container image scanning using the Aqua Security tool: setting up assurance policies, runtime policies, and enforcers.
  • Guide vendor security activities to ensure 3rd-party software and development meets security standards.
  • Collaborate with engineering/development teams to evolve the software assurance process to address security risks, and help teams learn and adopt shift-security-left practices.
  • Managing a team of security experts on day-to-day work.
  • Publishing security metrics to senior management and customers periodically.
  • Suggesting and researching new trends in the security area.
  • Hiring and grooming the team on security.
  • Continuous learning and research on security-related trends and best practices.
  • Provide guidance to application teams on application security best practices.
  • Provide advice, support remediation efforts, track open issues, and follow up to ensure remediation.
  • Provide remediation guidance and secure code snippets to the development teams.

Application Security Consultant/Architect

Majesco Limited
07.2013 - 03.2021
  • As Application Security Consultant, responsibilities include, but are not limited to, the following.
  • 10+ years of hands-on experience in the application security area.
  • Hands-on experience in DevSecOps.
  • Develop and implement an application security program in line with industry best practices and compliance across all product/non-product engineering teams.
  • Perform application and source-code reviews, threat modeling, penetration tests, and API security testing to build application visibility.
  • Proactively identify and mitigate application security risks or incidents.
  • Provide security training to internal engineering, DevOps, and infrastructure teams.
  • Raise awareness of application security requirements through development and review of application security standards, policies, and secure SDLC processes.
  • Participate in the architecture of mobile and web applications, including interface and database design, process and API flows, networking, cloud infrastructure, protocol communication, security, and appropriate technology use.
  • Monitor and manage web and mobile application infrastructure to detect anomalies and security incidents.
  • Evaluate, recommend, and deploy security awareness tools to enhance cyber-security detection and/or prevention of evolving threats.
  • Research and evaluate vulnerabilities, attack vectors, and associated risks to our systems, applications, and technology.
  • Continuous learning and research on security-related trends and best practices.
  • Guide vendor security activities to ensure 3rd-party software and development meets security standards.
  • Attend security technology conferences and events.
  • Conduct threat modeling.
  • Create a software source code review process that is part of the development life cycle.
  • Conduct application security testing for applications to assess vulnerabilities.

Application Security Analyst

Mastek Limited
01.2010 - 07.2013
  • Worked as Application Security Engineer.
  • Involved in application VAPT using OWASP Top 10 methodologies.
  • Knowledge of OWASP Top 10 and SANS Top 25.
  • Knowledge of SAST and DAST analysis.
  • Experience with tools like HP WebInspect, IBM AppScan, Burp Suite Professional, OWASP ZAP, Postman, and SoapUI.

Senior Software Engineer

Mastek
01.2008 - 09.2010
  • Involved in coding, design, and testing of Java/J2EE-based applications.
  • Worked with project managers, developers, quality assurance, and customers to resolve technical issues.
  • Trained and mentored junior developers and engineers, teaching skills in Java/J2EE and working to improve overall team performance.
  • Gathered and defined customer requirements to develop clear specifications for creating well-organized project plans.
  • Collaborated with cross-functional development team members to analyze potential system solutions based on evolving client requirements.

Application Performance Analyst

Mastek Limited
01.2008 - 01.2010
  • Worked on application performance analysis.
  • Knowledge of heap dump and thread dump analysis.
  • Knowledge of IBM MAT and thread dump analysis tools.

Software Engineer

Mastek Limited
01.2007 - 09.2008
  • Involved in coding of applications.

Education

Master of Computer Applications - Computer Applications

Kakatiya University
Warangal, TG
07.2000 - 04.2004

Bachelor Of Science - Science

Kakatiya University
Warangal, TG
07.1997 - 05.2000

Skills

Threat Modeling

Application security

Security Architecture

DevSecOps

SAST

DAST

Pen Testing

Cloud Security

Data Security

API Security

Source Code Reviews

Training

OWASP TOP 10

OWASP TOP 10 API

HP WebInspect

Burp Suite Professional

IBM AppScan

Fortify

Shift Left

Postman

Netsparker

Checkmarx

Veracode

Aqua

OWASP ZAP

Azure DevOps

Jenkins

Certification

Certified Ethical Hacker

Accomplishments

  • Certified Ethical Hacker (C|EH) v10
  • Application Security Consultant
  • Experience in Application VAPT Methodologies and Tools
  • Knowledge of OWASP Top 10 2017 and API Top 10 Vulnerabilities
  • Experience in DAST
  • Experience in SAST
  • Knowledge about SANS Top 25 Vulnerabilities
  • Knowledge in CWE and MITRE
  • Experience in tools like HP WebInspect, Burp Suite Professional, Fortify, Checkmarx, OWASP ZAP, Nessus, IBM AppScan, Dependency Tracker, Dependency Checker, Postman, Netsparker, ShiftLeft, Veracode, Aqua Security, IBM Static Security Client, and Jenkins
  • Experience in Application performance tuning
  • Secure Design Reviews
  • Experience in Eclipse MAT (Heap Dump & Thread Dump Analysis)
  • Experience in Heap dump and Thread dump analysis
