Ramiz Khan, Application Architect Associate Manager – Application Security

Application Architect Associate Manager – Application Security · Accenture - India

India

Higher diploma, Advanced Computing

Work experience

Total years of experience: 12 years, 6 months

Application Architect Associate Manager – Application Security

November 2024 - April 2025

Accenture - India

Navi Mumbai, India

As an Application Security Architect, responsible for reviewing and integrating all application security requirements. A typical day involves reviewing and integrating the application security technical architecture requirements and providing input into final decisions regarding application security.
• Led the implementation of application security architecture and solutions
• Collaborated with cross-functional teams to ensure that security is integrated into all aspects of the application development lifecycle
• Conducted security assessments and vulnerability testing to identify and mitigate potential security risks
• Provided guidance and support to development teams on secure coding practices and security best practices

Company industry:
IT Services

Specialist - Cybersecurity

September 2022 - November 2024

LTIMindtree

Navi Mumbai, India

Led the integration of Static Application Security Testing (SAST) into Azure DevOps CI/CD pipelines using Fortify Software Security Center (SSC), enabling early detection of security vulnerabilities in source code. Responsible for configuring Fortify SSC to automate and orchestrate code scans across multiple development projects. Collaborated with developers and DevOps engineers to embed security gates, customize scan rules, and streamline scan reporting. Managed a 5-member application security team, overseeing scan analysis, false positive triage, report delivery, and developer enablement. This initiative significantly improved secure coding practices and reduced the volume of high-severity issues introduced into production.
The project scope was to adopt a ‘Shift left security’ approach for the ~1400 applications by configuring CI/CD pipelines to perform SAST (Static Application Security Testing). The client had the Fortify SSC tool and Azure DevOps.
For commendable project work, the client sent an appreciation email to LTIM management praising the entire team. Also received a recommendation from the client.
• The first step was a kick-off meeting with the team of the app to be onboarded, to collect all necessary information: details about the app, in-scope repository and branch details, technical point of contact, scan trigger timing (continuous or scheduled), type of application, etc. Types of application include COTS, MOTS and home-grown applications. COTS apps were out of scope because their code wasn’t available. As part of the kick-off, also provided an overview of the activities carried out after pipeline setup
• Apps were internally categorized as paramount and non-paramount. Paramount apps were the highest priority and needed immediate action
• Once the app team had shared all the information, set up the end-to-end Azure DevOps CI/CD pipeline and integrated the Fortify SSC security tool. Also created new self-hosted agents, service connections, etc. for Fortify’s interaction with source code
• Analyzed vulnerabilities in Fortify SSC and identified false positive cases
• Peer-reviewed the work completed by colleagues to ensure quality and that no incorrect vulnerability was shared with the respective app team
• Conducted workshops with the respective application teams to guide them on remediating the vulnerabilities
• Led a team of 6 members. Handled daily client calls and workshops, and conducted interviews for open positions
• As team lead, responsible for creating and sharing a monthly report that included data on apps (paramount & non-paramount) onboarded during that month, vulnerabilities tagged by severity, kick-off meetings & workshops done, etc. Shared the report with the client and LTIM management
• Awarded outstanding contributor in the team two times

Company industry:
IT Services

Technical Specialist - I

September 2018 - September 2022

CitiusTech Healthcare Technology Private Limited

Navi Mumbai, India

Project 1 - Cyber Security Framework and Shift left security (sSDLC)
Summary - Scope of the project was to implement a Cybersecurity Framework throughout the entire life cycle.
• Involved in threat modeling assessment as one of the initial parts of sSDLC (secure SDLC)
• Developed and maintained threat models, documenting identified threats, risks, and mitigation strategies
• Collaborated with architects and developers to implement security controls based on threat model findings
• Prioritized and escalated critical security issues identified through threat modeling to relevant stakeholders
• Threat modeling performed using the Microsoft Threat Modeling Tool
• Implemented and optimized Secure SDLC processes, integrating security activities at each stage
• Configured the SonarQube SAST tool in a CI/CD pipeline with Jenkins to identify security issues early in the SDLC
• Developed and delivered secure coding training and awareness programs for developers
• Conducted third-party library assessment / Software Composition Analysis (SCA) using the Synopsys Black Duck tool
• Performed Azure Cloud subscription security review as per CIS benchmarks
• Conducted network vulnerability assessment using Qualys
• Prepared thorough security reports and helped project teams in defect fixing

Project 2 - Web Application and API Security Assessment
Summary - Worked on an application used for maintaining employees’ details. The activity helped in assessing vulnerabilities in the web application and APIs to make a secure product.
• Attended application walkthrough, and prepared security testing scope
• Conducted application penetration testing using the Burp Suite Professional DAST tool, following the OWASP Top Ten guidelines
• Verified the automated scan findings to eliminate false positives and performed manual checks that were not possible via tool-based scanning
• Provided best possible remediations for identified vulnerabilities
• In-depth report preparation

Project 3 - Network Vulnerability Assessment and Cloud Configuration Review
Summary - Project involved network vulnerability assessment and cloud configuration review of client infrastructure that consisted of servers and an Azure Cloud instance. Scope of the project was to assess network infrastructure and audit the Azure Cloud subscription.
• Performed network assessment using tools such as Qualys and Nessus
• Analyzed the tools’ output and removed false positives
• Leveraged the Nmap tool to scan hosts, open ports, services, etc.
• Performed Azure Cloud subscription security review as per CIS benchmark
• Prepared a detailed report and shared it with the project team, helped them understand the impact of the vulnerabilities, and provided recommendations for defect fixing

Company industry:
IT Services

Cyber Security Analyst

September 2016 - September 2018

Network Intelligence India Pvt. Ltd.

Mumbai, India

Title: HPE/DXE BBGB Project
• Solely responsible for, and deployed at the client location to perform, business-logic-related test cases for the HPE/DXE project as part of DAST (Dynamic Application Security Testing)
• Performed manual and automated dynamic gray box and black box testing and remediation on a wide range of web-based applications hosted on UAT and production environments
• Burp Suite, Acunetix and HP WebInspect tools used for Dynamic Application Security Testing
• Prepared manual proofs of concept & attack scenarios with reports
• Provided analysis and remediation recommendations to application and infrastructure teams responsible for the maintenance of vulnerable applications
• Analyzed and validated vulnerabilities identified by application security testing and presented them to application development teams to improve security and customer usability
• Identified and exploited vulnerabilities.
• Some of the most common types of vulnerabilities found in the current project's web applications: Insecure Direct Object Reference, payment tampering, Insufficient Anti-automation, Horizontal / Vertical Privilege Escalation, Application Check Bypass, Information Leakage and Improper Error Handling, Broken Authentication and Session Management, and many more.

Company industry:
IT Services

Software Engineer QA

September 2015 - August 2016

Core View Systems

Mumbai, India

Project details -
Title: HP Applications Project
RESPONSIBILITIES:

• Performed manual and automated dynamic application security assessments on internal-facing web applications. Analyzed and validated vulnerabilities and presented them to development teams responsible for the implementation, maintenance and remediation
• Worked on HP Fortify to do source code review and identify false positives
• To understand the functionality of the application, worked on manual testing for a while and later moved to the security testing project
• Involved in deriving the test scenarios and designing the manual test cases
• Involved in manual test execution and in various testing phases like Sanity, Functional and retesting
• Coordinated the activities between on-site and offshore teams and initiated client calls related to project activities if needed

Company industry:
IT Services

Web Developer

November 2012 - August 2015

Datamatics Global Services Pvt. Ltd

Mumbai, India

Project details -
Title: VFS 24*7.
A visa facilitation company which has more than 700 websites for different countries and languages. Datamatics does development and maintenance work for them. The websites are built so that they fit all kinds of device screens.
RESPONSIBILITIES:

• Developed and maintained the front-end and back-end functionality of websites
• Awarded ‘Spot award winner’ twice by the client and higher management team for excellent performance
• Worked in a 24x7 production and maintenance environment
• Completed tasks within the given timelines according to the priority set by the client
• Trained new joiners

Company industry:
IT Services

Education

C-DAC, Pune

July 2012

Higher diploma, Advanced Computing

India

GPA (percentage): 52.50%

Computer programming

Mumbai University

July 2011

Bachelor's degree, B. Sc. (Computer Science)

India

Skills

Application security: Expert
DevSecOps: Expert
Web app security testing: Expert
Threat modeling: Intermediate
sSDLC: Intermediate