Yogesh Kadam
IT Security Professional
Mumbai
Summary
A judicious professional with 11+ years of experience in various fields of Information Security. Currently associated with WTW, Mumbai as Lead Associate. My experience includes Threat Modeling, SSDLC, SAST, DAST, Assessor, Penetration Testing, Vulnerability Assessments and recommendations, Risk and Controls, preparing technical security documentation. An effective leader with honed communication, interpersonal, relationship management, analytical and problem-solving skills.
Overview
12
12
years of professional experience
6
6
Certifications
3
3
Languages
Work History
Lead Associate
WTW
01.2022 - Current
- Successfully led and managed end-to-end third-party annual Web and Infra Pen Testing projects, demonstrating expertise in orchestrating assessments to identify and address security vulnerabilities.
- Performed threat modeling to analyze and assess potential security threats, ensuring proactive approach to identifying and mitigating risks in diverse environments.
- Conducted thorough Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) to evaluate the security robustness of applications, systems, and infra components.
- Developed and implemented Secure Software Development Life Cycle (SSDLC).
- Engaged in contract reviews, providing specialized expertise in the realm of application security.
- Demonstrate proficiency in translating technical concepts into accessible language for diverse stakeholders. Deliver expert insights on application security, contributing to informed decision-making and ensuring the implementation of robust security measures.
- Reviews of security exceptions submitted by various business units. Assess each exception based on the compensatory controls, and mitigation plans.
- Leading and conducting Information & Cyber Security awareness sessions.
- Work on client engagement which includes security questionnaires, RFPs, Contracts.
- Create and manage security training for application team on annual basis.
- Provide consulting and support for other line of business in the organization.
- Maintain and update new entries of client response database.
- Interact with management on current and improvement in the process.
- Attend client security review call and resolve their doubts and queries.
- Create and constantly update security overview and whitepaper for applications under assigned line of business.
Senior Consultant S2
ControlCase LLC
04.2020 - 01.2022
- Ensure compliance with hardening standards, access controls and security related configuration settings.
- Performed Assessments of Banks, Payment Gateway, Service Providers, Backoffice, BPO.
- Performed PCI DSS assessment, Audit of clients in Vietnam, Philippines, Indonesia, Singapore, Kuwait, Bahrain, Jordan, Sri Lanka. Provided mitigation support to clients on gap identified in various standards (PCI DSS, ISO 27001).
- End to end responsibility of PCI DSS Certification. Information security risk assessment or risk management
- Conduct and document Information Security Application and System risk assessments using the global standards.
- Work closely with the business and operations teams to identify risk in different processes and provide assistance in closure of the same. Conduct information security audits as per information security standards.
- Assisting customer for mitigation of the gaps.
- Review or interview personnel to establish security risks and complications.
- Execute and properly document the audit process on a variety of computing environments and computer applications.
- Develop rigorous “best practice” recommendations to improve security on all levels.
- Work with management to ensure security recommendations comply with company procedure.
- Handle multiple regions clients such as USA, APAC.
- Effectively delivered the PCI DSS certification, penetration testing, vulnerability assessment, firewall ruleset review, application penetration testing activities on time.
Senior Consultant S2
ControlCase
10.2019 - 04.2020
- Help make improvements and give recommendations for IT Security and PCI DSS Audit.
- Lead meetings to deliver PCI DSS and status reports to business compliance leads, IT and management.
- Work alongside the security risk assessment programme to identify and document any risks that are discovered.
- Drafts clear and meaningful findings, assessment reports, presentations, and other materials for presentation to management.
- Assist in providing compliance training to IT and auditstaff.
- Report status to senior management and executive management
- Interface with clients to review and analyze complex systems (Applications, operating systems, databases, and Networking devices), to identify risks and vulnerabilities within the client environments.
- Analyze sensitive data flows (business and application data flows) and accordingly identify the risks to sensitive data.
- Engage in advisory work to provide value-added feedback to assist management in improving their operations.
- Perform security testing on different activities as Application Security Testing, Mobile Application Security Testing, Payment Gateway Security Testing, Internal Network Vulnerability Assessment (INVA), Internal Network Penetration Testing (INPT), External Network Penetration Testing (ENPT), Firewall Rules Review, Approved Scanning Vendor (ASV) Security Testing, Segmentation Penetration Testing (SPT), Credit Card Data Discovery (CDD).
- Experience as an Information Security Analyst involved in OWASP Top 10 based Vulnerability.
- Assessment of various internet facing point of sale web applications and Web services.
- International client call handling for Evidence reviews, achieving compliance on set goal.
- Manage, review, examine and monitor artifacts and evidence provided in support of compliance.
- Create/maintain team staffing and scheduling to include time tracking and capacity planning.
Senior Consultant TS1
ControlCase LLC
04.2017 - 09.2019
- Conducted systematic security assessments. The assessments involve manual testing and analysis as well as the use of automated web application vulnerability scanning/testing tools.
- Testing on various types of Payment gateways and testing according to the test plans.
- Black box penetration testing on internet and intranet facingapplications.
- Experience in different web application security testing tools like Burp Suite, Netsparker, Nexpose, Nessus, SQLmap, OWASP ZAP Proxy, Acunetix and Metasploit.
- Responsible for Vulnerability Assessment and Security Testing.
- Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and prioritizing them based on the criticality.
- Execute and craft different payloads to attack the system to execute XSS and different attacks.
- Good experience in static application security testing, dynamic application security testing and manual penetration testing of applications.
- Providing details of the issues identified and the remediation plan to the banking clients.
- Participate in Security Assessments of networks, systems and applications
- Actively involved and participated in various training/sessions on Info security topics.
Senior Consultant
ControlCase
04.2016 - 03.2017
- Burp suite to identify issues like sql injection, XSS, CSRF, Qualys etc.
- Train the development team on explaining the security vulnerabilities in the form of security awareness sessions by explaining the security requirements prior to development.
- Understanding of network protocols coupled with experience with web proxies, web application firewalls, and vulnerability assessment tools.
- Experience with creating systems and applications security test plans and performing hands–on security testing.
- Provide remediation steps to the client and follow up.
- Retest the fixed issues and ensure theclosure.
- Having day to day contact with the clients; responsible for keeping the client informed of the progress of the testing and any issues that arise.
- Provide the report and explain the issues to the client team.
Executive Security Testing
ControlCase LLC
12.2013 - 03.2016
- Automated Scan of 4 different projects on a weekly basis using Burp Suite to ensure the changes does not reflect any new vulnerability.
- Manual Security testing of the applications and APIs to identify the OWASP Top 10 vulnerabilities.
- Conduct vulnerability assessment and penetration testing and configuration review for web applications, mobile applications.
- Good knowledge of TCP/IP and other application and network level protocols.
- Knowledge of industry standard scoring models such as CVSS,CCSS
- Responsible for identifying and classifying cyber security vulnerabilities and working on mitigation plans with clients and provide remediation solutions of vulnerabilities.
- Prepare audit reports that identify technical and procedural findings and provide recommended remediation strategies/solutions for standards such as PCI, ISO 27001.
Support Agent L1
ControlCase
06.2012 - 12.2013
- Assisted customers with more difficult technical issues requiring a greater level of personalized care and in greater length.
- Escalated support desk tickets to Level 2 in the most crucial circumstances and after considerable time had been spent on a single ticket.
- Onboarded and trained all incoming junior tech support specialists.
- Identity and access management for all existing and new joinee.
- Providing daily assistance for PC builds and software support
Education
Bachelor of Science - Information Technology
Mumbai University
Mumbai 04.2001 -
Skills
Effective Communication
Ability to Work Under Pressure
Highly Motivated
Ability to Work in Team
Vulnerability assessment and remediation
Dynamic Application Security Testing
Static Application Security Testing
Penetration Testing
Consulting
Threat Modeling
Effective Communication
Certification
ISO 27001:2013 LA - Certified
Awards/Recognition
Received "Certificate of Appreciation" award from ControlCase LLC for PCI ASV Requalification exam
Tools
Burp Suite, Appknox, SQL Map, Ettercap, NMAP, Metasploit Framework, Nessus, Qualys, IBM AppScan, Acunetix, Mobsf, SoapUI, Echo Mirage, Postman, Apktool, Tenable.io, Kali Linux framework, Loopio, Sirion Labs Comet Tool, Invicti, Snyk, Checkmarx, Microsoft Threat Modeling, Irusrisk
Timeline
Lead Associate
WTW
01.2022 - Current
Senior Consultant S2
ControlCase LLC
04.2020 - 01.2022
Senior Consultant S2
ControlCase
10.2019 - 04.2020
Senior Consultant TS1
ControlCase LLC
04.2017 - 09.2019
Senior Consultant
ControlCase
04.2016 - 03.2017
Executive Security Testing
ControlCase LLC
12.2013 - 03.2016
Support Agent L1
ControlCase
06.2012 - 12.2013
Bachelor of Science - Information Technology
Mumbai University
04.2001 -