Avatar

Rohit Salecha

Security Engineering

About Me

Rohit Salecha is a technology geek who loves to explore anything that runs and understands binary. As a security engineer he is passionate about learning the length,breadth and depth of technology.

Being more on the defensive side he has evangelised secure software development at various organizations for more than a decade.

He is ridiculously driven by “everything as code” mantra and strongly believes that security team must strive towards making themselves irrelevant.

In his free time he is either reading books or watching movies. He is a fitness freak who loves to jog,swim and cycle on different terrains.

A devout Jain and a proud 🇮🇳


यतो धर्मस्ततो जयः Where there is righteousness there is victory

Interests

  • Web,Mobile and API Security
  • DevOps
  • Infrastructure As Code (IaC)
  • DevSecOps
  • GitOps
  • Security Automation
  • Cloud Infrastruture - AWS/GCP
  • Cloud Native - Kubernetes
  • Terraform
  • Security Architecture Review
  • Threat Modeling
  • Triathlon
  • OKRs Planning
  • Team Leadership/Management

Certifications

Education

  • B.E. Electronics Engineering, 2009

    Vidyalankar Institute of Technology

Projects

My Cloud Desktop

SetUp an Ubuntu machine with a DNS name on Cloud with Terraform and some pre-installed tools like vscode,nmap,metasploit

AWS EKS Playground using Terraform

Quickly setup an AWS EKS environment with AWS RDS as backend, AWS ALB and AWS Route53 integration to host a dynamic application

Practical GitOps - Infrastructure Management using Terraform,AWS and Github Actions

Practical GitOps is a book that will help you manage and automate your entire AWS infrastructure using Terraform and Github Actions

Practical DevOps - The Lab

Practical DevOps is a project where rohit explains how to setup a DevOps environment using a custom Lab with Jenkins,Docker,Vagrant,Ansible, Elasticsearch,Logstash,Kibana,Filebeat

Professional Journey

 
 
 
 
 

Senior Security Engineer

Amazon

April 2024 – Present Mumbai
  • Creating, updating, and maintaining threat models for a wide variety of software projects
  • Manual and Automated Secure Code Review, primarily in Java, Python and Javascript
  • Development of security automation tools
  • Adversarial security analysis using cutting-edge tools to augment manual effort
  • Security training and outreach for internal development teams
  • Security architecture and design guidance
  • Independently solve security problems that require novel methods or approaches
  • Influence my team’s and partners’ process, priorities, and choices to improve outcomes
 
 
 
 
 

Senior Security Engineering Manager

Zynga (Take2 Interactive)

May 2023 – March 2024 Mumbai
  • Manage a Team of 5+ super heroes; providing expert-level technical peer review for application security and cloud security issues, coaching and guidance on methodologies, tactics, processes and findings
  • Create and Coordinate quarterly planning process (OKRs – Objectives and Key Results), manage security debt/backlog, assignment and reprioritisation of resources.
  • Driving security engineering engagements with a high degree of Engineering satisfaction and through org-wide communication strategy.
  • Partnering closely with other functions including Product and Engineering, Communications, PR, Marketing, Revenue, HR, Talent for anything related to security.
 
 
 
 
 

Security Engineering Manager

Disney+ Hotstar

March 2022 – May 2023 Mumbai
  • Manage a Team of 5+ super heroes; providing expert-level technical peer review for application security and cloud security issues, coaching and guidance on methodologies, tactics, processes and findings
  • Create and Coordinate quarterly planning process (OKRs – Objectives and Key Results), manage security debt/backlog, assignment and reprioritisation of resources.
  • Driving security engineering engagements with a high degree of Engineering satisfaction and through org-wide communication strategy.
  • Driving initiatives and providing insightful data-driven strategic recommendations to leadership team.
  • Partnering closely with other functions including Product and Engineering, Communications, PR, Marketing, Revenue, HR, Talent for anything related to security.
  • Provide innovative solutions by working in an ambiguous environment thereby contributing to overall product design.
  • Work as the incident manager co-ordinating various stakeholders and provide timely mitigation.
  • Revolving my entire job/planning/execution around two simple mantras “Security by Default” and “All things security as code”
 
 
 
 
 

Security Architect

Claranet Cyber Security

July 2021 – March 2022 Mumbai
  • Working as a Security Architect for one of Claranet’s premier client helping them to setup a Product Security team riding on the “Shift Left” paradigm
  • Partner with multiple application development teams within client organization, to ensure secure development of applications.
  • Develop a broad and deep technical understanding of applications, services and architectures pertaining to the client application organization.
  • Interpret results from exercises such as code review and penetration testing stakeholders and advise on remediation and mitigation as well as incorporate learnings into future designs.
  • Conduct architecture reviews, threat Modeling, design reviews, code review on web and mobile applications and web services as and when required.
  • Develop documentation, and a knowledge base to be used by developers for implementing secure coding practices
  • Research and maintain knowledge of changing landscape of application security, latest threats, and attacker tools, techniques, and procedures.
  • Provide recommendations for missing application security controls and secure design patterns.
  • Support and provide consultation to development teams in the areas of application security, cloud security, DevSecOps, mobile security.
  • Act as subject matter expert and provide mentorship to team members.
  • Develop and maintain strong working relationship with development teams, leadership, and product owners.
  • Lead the efforts towards creation and successful functioning of an application security program for the client organisation.
  • Lead long term initiatives of program such as automation, processes, and documentation for the client organisation.
 
 
 
 
 

Associate Director

NotSoSecure

November 2016 – July 2021 Mumbai

Responsibilities include:

  • Security Automation

    • He loves automating his tasks and has also blogged about few of them in the Technology section.
    • He is a big fan of DevOps methodology and he loves to play around with devops tools like Jenkins,Docker,Kubernetes,Vagrant and Ansible.
    • At NotSoSecure he has build the entire DevSeCops course from ground-up involving plenty of automation.
    • Hence he is responsible for identifying tasks which can be automated at NotSoSecure.
  • Security Architecture Review/Threat Modelling

    • Being a developer at heart Rohit has experience in understanding how a typical software development environment operates.
    • He has performed architecture reviews of various such environments whether they are running in traditional IT or the modern DevOps stack.
    • His architecture reviews involve understanding the current high-level architecture then drilling deep down into the technology stack and suggesting the security best practices.
    • He has also worked with the STRIDE threat modelling approach by Microsoft in various projects.
    • He has experience in performing architecture and configuration review from a security standpoint for on-premises as well as cloud infrastructure including technology like Kubernetes.
  • Strategy

    • Being in the senior leadership Rohit Salecha is also tasked with steering the organization towards better growth.
    • Aligning research with pentesting and training content development to maximize revenue.
    • He is also tasked in leading the Protect and Detect segment to deliver strategic advises and consultancy to organizations for injecting security in their SDLC processes.
    • Actively involved in recruitment process for hiring exceptional candidates who can grow along with the company
  • Pentesting

    • Web,Mobile and API pentesting of applications from various industries
    • Researching for new tools and techniques for pentesting by and feeding it back to the team.
    • Writing informational blogs for NotSoSecure to share back with the community.
    • He is also very active on the CobaltCore pentesting platform.
  • Training

    • Lead trainer for three of the most selling classes of NotSoSecure viz. Application Security for Developers,DevSecOps and AppSecOps and delivered this class across the globe i.e. UK,EU and USA.
    • Developed the entire DevSecOps course from ground up and presented at OWASP Global APPSEC DC and many more places.
    • Trained and spoken at premier Security conferences like Blackhat,OWASP APPSEC,Nullcon and Agile+DevOps by Techwell.
    • Updating the trainings with new materials and exercises reflecting the changing infosec environment.
 
 
 
 
 

IT Security Specialist

Emirates National Bank of Dubai

April 2015 – November 2016 Dubai
  • Served as an internal Information Security consultant to the organization ensuring proper information security clearance amidst a constantly changing environment at the Bank and ensure its compliance with established organizational information security policies and regulatory requirements - Perform regular Security Assessments on the IT infrastructure, processes and procedures to ensure its compliance with the Groups Security policy. Proactively follow up for closure of the issues identified.
  • Risk Assessment of New Business Initiatives (Products, Channels, Solutions) across the bank from an Information Security and Architecture perspective ensuring involvement at every stage of the project/imitative lifecycle.
  • Third Party (Vendor) Assessments through RFP sessions helping select the best vendor from a Security and Architecture perspective.
  • Performing BAU activities like firewall rule approvals,developer access approvals etc…
 
 
 
 
 

IT Risk Advisory Consultant

EY LLP India

March 2014 – April 2015 Mumbai
  • Performing Vulnerability Assessment and Penetration testing for EYs clients in the Telecom, Media & Entertainment and Technology domains.
  • Performed IT Audits for ensuring compliance with various regulatory standards and policies including SOX and TRAI
  • Developing and Reviewing Minimum Baseline Security Standards for various technologies
 
 
 
 
 

Security Analyst

NII Consulting

July 2012 – March 2014 Mumbai
  • Performing VAPT on web/mobile applications and servers for various clients in the Banking industry and advising them on various security issues.
  • Conducted CSJD (Certified Secure Java Development) trainings for NII’s and IIS’s premier clients and CSI (Computer Society of India) Mumbai Chapter.
  • Delivered Security Awareness training to the senior management of a major Oil and Gas Corporation in India.
  • Single-handedly managed a 3-month engagement for a leading insurance company to perform Secure Code review and developing security guidelines for developers in J2EE technology.
 
 
 
 
 

Software Engineer

Mastek

July 2010 – July 2012 Mumbai
  • Full stack developer in J2EE-Oracle technology with expertise in Spring,StrutsJPA,Hibernate,MySQL and Oracle
  • Developed a suite of applications for MHADA Lottery 2012 following Secure Coding best practices as advised by the Security team over a period of 15 months.
  • Developed PoC solutions on Liferay Platform
  • Developed J2ME Mobile applications for bus-tracking as part of a hackathon.

All Posts

Reimagining Security Engineering using Semgrep and OPA

How tools like semgrep and OPA(Open Policy Agent) can trasform the way we do security engineering

Create A Personal Blog Using Hugo Academic Netlify

If you are tired of maintaining a blog on popular blogging websites and looking for a simple and easy to use blogging platform then …

Why I Chose to Become Infosec Professional

Why i switched from being a developer to becoming an information security professional

Demystifying Agile Scrum

Understand the keywords of Agile and Scrum in perspective of software development

Cissp Study Strategy - My 2 Paisa

If you are looking for cracking the CISSP exam read on …

Relocation to Dubai

in this blog i summarise my entire experience of relocating to Dubai from expenses to medical,from visa to transportation.If you have …

Talks/Trainings

*

Secrets Management @Nullcon 2020

Webinar on Secrets Management using Hashicorp Vault

AppSecOps - A holistic approach to Application Security

Training on AppSecOps

DevSecOps - Automating Security in DevOps

Training on DevSecOps

DevSecOps - Automating Security in DevOps

Training on DevSecOps

Basic Web Hacking

Training on Basics of Web Hacking

AppSecOps - A holistic approach to Application Security

Training on AppSecOps

Deserialization Vulnerabilities

Workshop on Deserialization Vulnerabilities

Basic Web Hacking

Training on Basics of Web Hacking