Work & Research
Case Studies
Real-world security work demonstrating methodology, technical depth, and measurable business impact.
Custom Semgrep Rules for Business Logic Vulnerabilities
Context
A growing microservices codebase exposed recurring business-logic flaws (IDOR, multi-tenancy bypass) that standard SAST tools consistently missed due to lack of domain context.
Approach
Analyzed 3 months of bug-bar review findings to identify defect patterns. Authored 30+ custom Semgrep YAML rules targeting proprietary framework patterns. Integrated rules into GitHub Actions as a blocking PR check with triage dashboards.
Impact
Reduced time-to-detect logic-layer vulnerabilities by 60%. Blocked 12 critical findings in the first sprint post-deployment across 50+ repositories.
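The kind of check the rules above target, as an added example and not the rules from this engagement: a lookup that fetches an object by a client-supplied id without scoping the query to the caller's tenant. Semgrep would express the core of it as `pattern: $MODEL.query.get($ID)`; here the same check is re-implemented with Python's ast module so it runs without Semgrep installed. The Flask-SQLAlchemy-style handlers are constructed sample input and `current_tenant_id()` is a hypothetical helper.

```python
"""Detect ORM lookups that fetch an object by client-supplied id without
scoping the query to the caller's tenant (IDOR / tenant-isolation bypass).

Added example, not the rules described on the page. It re-implements with
Python's ast module the check a Semgrep rule would express as
`pattern: $MODEL.query.get($ID)` (plus a filter_by variant), so it runs
here without Semgrep. The handlers below are constructed sample input and
`current_tenant_id()` is a hypothetical helper.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample source: three Flask-SQLAlchemy-style handlers, two of them unscoped.
SAMPLE_SOURCE = '''
@app.route("/orders/<int:order_id>")
def get_order(order_id):
    order = Order.query.get(order_id)             # unscoped: any tenant's order
    return jsonify(order.to_dict())

@app.route("/invoices/<int:invoice_id>")
def get_invoice(invoice_id):
    invoice = Invoice.query.filter_by(
        id=invoice_id, tenant_id=current_tenant_id()
    ).first_or_404()                              # scoped to the caller's tenant
    return jsonify(invoice.to_dict())

@app.route("/reports/<int:report_id>")
def get_report(report_id):
    report = Report.query.filter_by(id=report_id).first()   # unscoped again
    return jsonify(report.to_dict())
'''


@dataclass(frozen=True)
class Finding:
    line: int
    model: str
    message: str


def _model_of(func: ast.AST, method: str) -> Optional[str]:
    """Return MODEL when `func` is the expression `MODEL.query.<method>`, else None."""
    if (isinstance(func, ast.Attribute) and func.attr == method
            and isinstance(func.value, ast.Attribute) and func.value.attr == "query"
            and isinstance(func.value.value, ast.Name)):
        return func.value.value.id
    return None


def find_unscoped_lookups(source: str) -> List[Finding]:
    """Walk every call in `source` and report tenant-unscoped lookups, ordered by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        # Pattern 1: MODEL.query.get(ID) is a primary-key lookup; it cannot carry a tenant filter.
        model = _model_of(node.func, "get")
        if model:
            findings.append(Finding(node.lineno, model,
                                    f"{model}.query.get() fetches by id without tenant scoping"))
            continue
        # Pattern 2: MODEL.query.filter_by(id=ID, ...) that never mentions tenant_id.
        model = _model_of(node.func, "filter_by")
        if model:
            keywords = {kw.arg for kw in node.keywords}
            if "id" in keywords and "tenant_id" not in keywords:
                findings.append(Finding(node.lineno, model,
                                        f"{model}.query.filter_by(id=...) lacks a tenant_id filter"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in find_unscoped_lookups(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.message}")
```

Run against the sample, the two unscoped handlers (`Order`, `Report`) are reported and the tenant-filtered `Invoice` lookup is not. The point generic SAST misses is that both the flagged and the clean code are syntactically ordinary ORM calls; only knowledge of the codebase's own tenancy convention (a `tenant_id` filter on every by-id lookup) separates them, which is exactly what a custom rule encodes.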
Threat Model for Kubernetes-based Financial Gateway
Context
A new Kubernetes-hosted payment gateway was approaching production with no formal threat model. Regulatory requirements mandated a documented risk assessment before go-live.
Approach
Facilitated a 3-session threat modeling workshop using the STRIDE taxonomy. Created data-flow diagrams across 8 microservices, identified trust zones, and modeled 40+ threats. Scored and prioritized the threats using DREAD.
Impact
Identified 3 critical permission scope violations prior to deployment. Required implementation of mutual TLS between services and scoped RBAC roles, preventing potential privilege escalation paths.
CI/CD Security Pipeline Automation
Context
Engineering teams were shipping container images and third-party dependencies without any automated security gates, creating supply-chain risk.
Approach
Designed a multi-stage security pipeline integrating Trivy for container image scanning, OWASP Dependency-Check for SCA, and Gitleaks for secrets detection. Built a centralized SARIF reporting layer feeding the GitHub Security tab.
Impact
Achieved 100% coverage of container registries. Automated detection of 200+ vulnerable dependencies in Q1, with remediation SLAs enforced programmatically via PR labels and Jira integration.
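One way the centralized SARIF layer described above could be built, as an added example rather than the pipeline's own code: SARIF 2.1.0 allows several `runs` in one log and GitHub code scanning accepts such a file, so merging the three scanners' output is run-level concatenation, followed by a policy decision that sets the blocking result and the SLA label. The three input documents are constructed stand-ins for Trivy, Dependency-Check and Gitleaks output, cut down to the fields the gate reads; the rule ids and findings are invented, and the blocking policy and label names are hypothetical.

```python
"""Merge per-scanner SARIF output into one log and apply a severity gate.

Added example of how a centralized SARIF layer could be built; it is not
the pipeline's own code. SARIF 2.1.0 allows several `runs` in one log, so
merging is run-level concatenation followed by a policy decision. The three
inputs are constructed stand-ins for Trivy, Dependency-Check and Gitleaks
output; rule ids and findings are invented, and the blocking policy and
label names are hypothetical.
"""
import json
from collections import Counter
from typing import Dict, List

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
BLOCKING_LEVELS = {"error"}          # hypothetical policy: error-level findings block the PR
SLA_LABEL = {True: "security/sla-7d", False: "security/sla-30d"}   # hypothetical label names


def _result(rule_id: str, level: str, text: str, uri: str) -> dict:
    return {"ruleId": rule_id, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}


def _log(tool: str, results: List[dict]) -> dict:
    return {"version": "2.1.0", "$schema": SARIF_SCHEMA,
            "runs": [{"tool": {"driver": {"name": tool}}, "results": results}]}


# Constructed scanner outputs (shape follows SARIF 2.1.0; contents are invented).
TRIVY = _log("Trivy", [
    _result("EXAMPLE-CVE-0001", "error", "base image package with a critical CVE (constructed)", "Dockerfile"),
    _result("EXAMPLE-CVE-0002", "warning", "base image package with a medium CVE (constructed)", "Dockerfile"),
])
DEPENDENCY_CHECK = _log("dependency-check", [
    _result("EXAMPLE-CVE-0003", "warning", "transitive dependency with a medium CVE (constructed)", "pom.xml"),
])
GITLEAKS = _log("gitleaks", [
    _result("generic-api-key", "error", "possible hard-coded API key (constructed)", "config/settings.py"),
])


def merge_sarif(logs: List[dict]) -> dict:
    """One SARIF log whose `runs` array is every run from every input, in order."""
    for log in logs:
        if log.get("version") != "2.1.0":
            raise ValueError(f"unsupported SARIF version: {log.get('version')!r}")
    return {"version": "2.1.0", "$schema": SARIF_SCHEMA,
            "runs": [run for log in logs for run in log["runs"]]}


def gate(merged: dict) -> Dict[str, object]:
    """Count findings per level and decide whether the PR is blocked and which SLA label applies."""
    counts: Counter = Counter()
    blocking: List[str] = []
    for run in merged["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            level = result.get("level", "warning")   # SARIF's default when `level` is absent
            counts[level] += 1
            if level in BLOCKING_LEVELS:
                blocking.append(f"{tool}:{result['ruleId']}")
    return {"block": bool(blocking), "blocking": blocking,
            "counts": dict(counts), "label": SLA_LABEL[bool(blocking)]}


if __name__ == "__main__":
    merged = merge_sarif([TRIVY, DEPENDENCY_CHECK, GITLEAKS])
    print(json.dumps(gate(merged), indent=2))
```

Keeping each scanner as its own run preserves the tool identity that the GitHub Security tab groups on, while the gate gives the workflow a single pass/fail and a label the downstream PR-labelling and ticketing steps can key off.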
API Penetration Test — Critical Auth Bypass
Context
An internal REST API powering a SaaS platform was flagged for security review before a major enterprise customer audit.
Approach
Performed black-box API penetration testing using Burp Suite Pro and custom Python scripts. Focused on authentication flows, JWT handling, BOLA/BFLA, and rate-limiting controls.
Impact
Discovered a critical authentication bypass via JWT algorithm confusion (CVE-class). Delivered a technical report with proof-of-concept, CVSS scoring, and a step-by-step remediation guide. The issue was patched and retested within 72 hours.
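The bug class named above, as an added example that is neither the tested API's code nor the report's proof of concept: a verifier that dispatches on the token's own `alg` header, beside one that pins the algorithm in server configuration. Only the standard library is used, so it runs offline. The token encoding, HS256 signing and `alg: none` forgery follow the JWS spec; the secret and claims are constructed. The RS256-to-HS256 variant (the server's RSA public key reused as an HMAC secret) is the same header-trust mistake, but it needs an RSA library, so only the `none` path is exercised here.

```python
"""JWT algorithm confusion: a verifier that trusts the token's own `alg`
header beside one that pins the algorithm server-side.

Added example using only the standard library; it is not the tested API's
code or the report's proof of concept. Token encoding, HS256 signing and the
`alg: none` forgery follow the JWS spec; the secret and claims are
constructed. The RS256-to-HS256 variant is the same header-trust mistake
but needs an RSA library, so only the `none` path is exercised.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_segments(header: dict, claims: dict) -> str:
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Legitimate issuer: HS256 over header.payload."""
    signing_input = _encode_segments({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_none(claims: dict) -> str:
    """Attacker side: declare `alg: none` and send an empty signature segment."""
    return _encode_segments({"alg": "none", "typ": "JWT"}, claims) + "."


def tamper_claims(token: str, claims: dict) -> str:
    """Attacker side: swap the payload but keep the original signature (should always fail)."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url(json.dumps(claims).encode()) + "." + sig_b64


def _hs256_ok(header_b64: str, payload_b64: str, sig_b64: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable: dispatches on the attacker-controlled header `alg`."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg == "none":            # believes the token when it says it is unsigned
        return json.loads(_b64url_decode(payload_b64))
    if alg == "HS256" and _hs256_ok(header_b64, payload_b64, sig_b64, key):
        return json.loads(_b64url_decode(payload_b64))
    return None


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Hardened: the algorithm comes from server configuration, never from the token."""
    if expected_alg != "HS256":
        raise ValueError("this example implements HS256 only")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != expected_alg:   # rejects `none`, RS256-as-HS256, anything unexpected
        return None
    if not _hs256_ok(header_b64, payload_b64, sig_b64, key):
        return None
    return json.loads(_b64url_decode(payload_b64))


DEMO_KEY = b"constructed-demo-secret-do-not-reuse"   # constructed; a real key is random


def demo() -> dict:
    """Run a legitimate, a forged and a tampered token through both verifiers."""
    legit = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    forged = forge_none({"sub": "alice", "role": "admin"})
    tampered = tamper_claims(legit, {"sub": "alice", "role": "admin"})
    return {
        "legit_vulnerable": verify_vulnerable(legit, DEMO_KEY),
        "legit_strict": verify_strict(legit, DEMO_KEY),
        "forged_vulnerable": verify_vulnerable(forged, DEMO_KEY),
        "forged_strict": verify_strict(forged, DEMO_KEY),
        "tampered_vulnerable": verify_vulnerable(tampered, DEMO_KEY),
        "tampered_strict": verify_strict(tampered, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The vulnerable verifier accepts the `alg: none` forgery with escalated claims while correctly rejecting a tampered signed token, which is why this class of bug survives casual testing: signature checking works whenever it runs. The fix is not a better `none` blacklist but refusing to let the token choose the algorithm or key at all.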