Kavya Sree

Tampa, United States

#OpenToWork

Experience

Sr Application/Cybersecurity/Product Security Engineer

PNC BANK

Present

- Integrated GitHub Advanced Security (GHAS) into CI/CD workflows for automated code scanning, secret detection, and dependency monitoring, enabling early detection of vulnerabilities and improved SDLC hygiene.
- Developed Python scripts to automatically find and fix misconfigurations in AWS and Azure environments.
- Applied security best practices with the programming languages Python, Java, .NET, C#, JavaScript, and React Native.
- Built Splunk and ELK Stack monitoring dashboards to support real-time alerting and incident response.
- Executed static and dynamic code analysis using Checkmarx, IBM AppScan, and Snyk.
- Set up OWASP ZAP for automated dynamic testing within DevSecOps pipelines to reduce manual testing effort and improve security validation.
- Improved container security in Docker and Kubernetes environments.
- Created custom IDS/IPS signatures to detect and prevent targeted attacks on enterprise applications.
- Built secure CI/CD pipelines with Jenkins and GitHub Actions to allow continuous security validation.
- Established a wide-ranging security program across multiple SDLCs to ensure software is free from security vulnerabilities.
- Performed API security testing and automated validation using SmartBear SoapUI Pro.
- Identified and fixed security vulnerabilities in web and mobile applications through detailed assessments and penetration testing.
- Applied React Native security best practices to secure cross-platform mobile applications.
- Implemented RBAC policies to enforce access controls across sensitive workloads and applications.
- Developed automation scripts to streamline security operations and lessen manual effort.
- Conducted third-party and vendor security assessments to ensure compliance with internal security standards.
- Showed strong analytical skills in identifying and reducing security risks in fast-paced settings.
- Built custom fuzz testing tools to automate vulnerability detection.
- Worked with development teams to integrate fuzz testing into the SDLC.

SOFTWARE ENGINEER

Equifax

- Developed and maintained full-stack Java applications using Spring Boot and Hibernate, and built user interfaces with HTML, CSS, and JavaScript.
- Integrated Apache Kafka to enable real-time data streaming and designed RESTful APIs for seamless communication between services.
- Collaborated with senior developers on Java and Kafka projects, participated in code reviews, and adopted new technologies to improve development practices.
- Created and maintained XML schemas, parsed data using SAX, and applied XSLT to transform XML for front-end rendering.
- Built and maintained CI/CD pipelines using Jenkins and Shell scripts, and led service migrations to AWS using Docker for scalable deployment.
- Implemented logging using Log4j to track application flow and support debugging.
- Used Splunk to monitor application performance and resolve issues efficiently.
- Replaced AWS SQS with Apache Kafka for real-time messaging, reducing latency by 25% in Fastag recharge operations.
- Introduced auto-recharge and auto-recharge plus features, resulting in a 40% increase in customer retention.

APPLICATION SECURITY ENGINEER

Abbott Laboratories

- Developed custom automation tools in Python to update threat models dynamically based on new threats, and integrated Jenkins pipelines to enforce continuous security monitoring and compliance.
- Led hands-on training sessions for development teams on identifying common coding vulnerabilities and implemented multi-factor authentication across applications to strengthen access security.
- Participated in regular security audits, using Veracode for static application security testing to ensure compliance with internal and industry standards.
- Executed network and cloud penetration assessments, focusing on perimeter defenses, firewall misconfigurations, and exposed services.
- Utilized Wireshark, Nessus, Metasploit, and scripting (Python/Bash) for reconnaissance, enumeration, and exploit development.
- Identified critical vulnerabilities in application components and produced exploitation POCs to support risk discussions.
- Conducted adversary emulation exercises, simulating privilege escalation and lateral movement within hybrid environments.
- Collaborated with cross-functional teams to validate patches and improve threat detection based on test findings.
- Evaluated emerging SAST tools through proof-of-concept initiatives and recommended best-fit solutions to improve the organization's security testing capabilities.
- Identified high-risk open-source libraries using Sonatype Nexus IQ and managed upgrade planning by recommending secure alternatives.
- Automated license compliance checks and SBOM generation within GitHub Actions workflows to support open-source risk governance.
- Maintained endpoint security standards by hardening physical workstations, managing antivirus configurations, and enforcing baseline compliance across assets.
- Documented and validated infrastructure-level access control and video surveillance systems to meet physical security compliance requirements.
- Led threat modeling workshops and validated application and infrastructure security controls in alignment with OWASP standards.
- Created incident response plans and facilitated tabletop exercises while actively monitoring network activity using IDS/IPS tools to detect and respond to anomalies.
- Performed web and infrastructure-level penetration testing using Burp Suite Pro and coordinated with third-party vendors to conduct comprehensive security assessments.
- Designed secure network architectures and implemented encryption strategies to protect sensitive data both at rest and in transit, aligned with industry regulations.
- Worked closely with developers to remediate security issues, review code for vulnerabilities, and promote adoption of OWASP best practices. Also collaborated with AWS cloud teams to ensure infrastructure security.
- Used Splunk for log monitoring, conducted phishing simulations and social engineering tests, and delivered tailored security awareness training across the organization.
- Integrated Fortify scans into CI/CD pipelines using Jenkins to maintain continuous security coverage and support ongoing compliance initiatives.
- Wrote advanced SQL queries to identify abnormal user behavior and privilege escalations, enhancing proactive threat detection.
- Supported API security testing efforts by identifying critical vulnerabilities like insecure object references and unvalidated error handling.
- Collaborated with legal and compliance teams to ensure adherence to data privacy regulations and authored security policies aligned with ISO 27001 and the NIST Cybersecurity Framework.
- Used GitHub for source control, collaborating with cross-functional teams to prioritize and remediate SAST-flagged vulnerabilities in codebases.
- Delivered repeat training sessions to reinforce secure development practices and helped teams apply secure coding principles during code reviews.

SECURITY ENGINEER

Dept of NC Fast

- Managed the application security posture for AWS-based workloads, ensuring compliance with HIPAA and NIST security standards across cloud-hosted environments.
- Integrated Veracode into GitLab CI pipelines to enforce policy-based vulnerability gating, allowing only secure code to pass through build stages.
- Led training sessions for development teams to build awareness around common security risks, focusing on the OWASP Top 10 and SANS Top 25 vulnerabilities.
- Collaborated with system owners and project managers to collect required security artifacts and align security deliverables with RMF lifecycle stages.
- Enhanced static and dynamic application security testing pipelines by applying policy-based thresholds, ensuring alignment with state and federal cybersecurity standards.
- Automated static analysis reporting through Veracode APIs, reducing turnaround time for vulnerability remediation across development teams.
- Led application and API penetration testing during pre-deployment phases to detect security gaps early in the SDLC.
- Performed manual testing alongside automated scans to uncover business logic flaws and insecure authentication flows.
- Participated in red team simulation exercises, emulating adversary behavior to evaluate SOC detection and response.
- Identified misconfigurations in network and cloud environments, including exposed endpoints and permissive IAM roles.
- Partnered with product and security teams to prioritize remediation and integrate recurring checks into CI/CD pipelines.
- Managed continuous application security monitoring by using Veracode for static analysis, ensuring early detection of code vulnerabilities.
- Hardened AWS ECS and EKS environments by enforcing secure base images and tightening IAM roles, reducing the risk of misconfigurations in containerized microservices.
- Used AWS Inspector to scan containers and EC2 instances for vulnerabilities, triggering automated remediation workflows through Lambda functions.
- Assisted in deploying Veracode-based security scans within DevOps pipelines, ensuring consistent application of Product Security Engineering standards across the SDLC.
- Tracked vulnerability remediation SLAs using JIRA and ServiceNow, and delivered weekly compliance dashboards to InfoSec leadership for status reporting.
- Built real-time remediation dashboards by integrating Qualys scan results with ticketing systems through custom scripts, improving visibility and accountability.
- Integrated mobile security standards into the development lifecycle for Android and iOS platforms, ensuring consistent protection across mobile apps.
- Used Threat Modeler to conduct structured threat modeling and risk assessments, facilitating security review sessions with engineering and product stakeholders.
- Embedded Fortify scans into Jenkins pipelines to automate SAST, and used Black Duck for continuous monitoring of open-source risks, reducing production vulnerabilities by 40%.
- Worked with DevOps teams to build secure CI/CD pipelines using Jenkins, Docker, and Groovy scripts, automating security scans and compliance checks.
- Performed static code analysis using SonarQube to detect code-level vulnerabilities early in the development lifecycle and enforce secure coding standards.
- Deployed secure APIs using Azure API Gateway, enforcing authentication protocols, encryption standards, and strict input validation.
- Designed and executed manual vulnerability tests, including SQL injection assessments, as part of static and dynamic security validation efforts.
- Managed code repositories on GitLab and GitHub, applying branching strategies and commit policies to uphold secure development standards.
- Partnered with data scientists to build predictive security models for proactive threat detection and anomaly identification.
- Used Splunk and the ELK Stack for centralized security logging, enabling real-time threat detection and investigation through SIEM integrations.
- Implemented intrusion detection and prevention systems (IDS/IPS) to monitor unauthorized access attempts and safeguard critical infrastructure.

Skills

Project Management Tools, Network and Infra, sqlmap, Palo Alto XSOAR, Snyk, SAST / DAST / SCA, tuning for new systems, MSSP migration support, FedRAMP, ICD 503, HITRUST CSF, HIPAA, Groovy, PowerShell, JavaScript, vCenter, IAST, Prisma Cloud, GitGuardian, Veracode