Hi 👋, I'm Anshumaan Singh

Shift Smart, Not Just Left

Security should be abstracted into the platform. If the paved road is secure, teams ship faster with less risk.

Identity is the Control Plane

Network boundaries are porous. Strong workload identity + OIDC federation enables keyless, verifiable trust.

Guardrails over Gates

Guardrails preserve velocity while preventing catastrophic failures. Enforce safety without blocking delivery.

Detection as Code

Alerts must map to response playbooks. If an alert has no action, it becomes noise and reduces trust.

CI/CD Security Control Plane

• Engineered multi-stage DevSecOps pipelines enforcing security at build → scan → deploy → validate stages.
• Implemented PR-only merges + CODEOWNERS approvals + branch protections to eliminate bypass paths.
• Standardized dependency graph: verify → build → tag → scan → push → deploy → post-deploy validation.
• Integrated Slack notifications with build metadata (commit, author, workflow run, status).
• Stored scan results as pipeline artifacts to support audit trails, RCA, and compliance evidence.

Supply Chain Integrity + SBOM

• Enforced immutable image versioning (v1.0) and removed “latest” to eliminate deployment drift.
• Built controlled promotion workflow: QA promotes scanned images Dev → UAT → Prod (no rebuilds in prod).
• Ensured only approved + scanned digests are eligible for deployment via registry path enforcement.
• Created evidence chain: scan outputs + approvals + image digest tracking.

Kubernetes Runtime Guardrails

• Implemented kubeaudit checks to detect risky workload patterns and enforce baseline hygiene.
• Standardized secure deployment baseline: probes, limits, safe defaults, namespace patterns.
• Reduced runtime risk by preventing privileged workloads and unsafe configurations.

AppSec + Secrets Remediation

• Led response for hardcoded Azure storage keys, OAuth secrets, and leaked tokens in repositories.
• Coordinated secure secret rotation without production impact.
• Performed web/API/mobile penetration testing and delivered actionable remediation guidance.

Core Security Invariants

• Identity is the control plane → short-lived credentials, least privilege, verifiable trust.
• Verification is deterministic → CI gates are non-bypassable and produce evidence.
• Artifacts are immutable → digests + version tags + controlled promotion (no rebuilds in prod).
• Runtime is constrained → policy + RBAC + secure contexts reduce attacker movement.
• Everything is auditable → logs + scan outputs + approvals move with the release.

Design Principles I enforce

• Guardrails over manual reviews.
• Secure paved roads for engineering velocity.
• Risk-based gating (severity + exploitability + probability).
• Policy as code, evidence as artifacts.
• Traceability: commit → build → digest → deployment.

Secrets Leakage Response

• Detected hardcoded Azure Storage keys + OAuth secrets in repos and validated exposure scope.
• Coordinated secure rotation and remediation without production downtime.
• Implemented prevention guardrails: secret scanning + branch protections + required checks.
• Outcome: reduced recurrence through enforcement + governance + audit evidence.

Prisma twistcli inconsistent vulnerability results

• Observed Prisma returning zero vulnerabilities for known-vulnerable base images.
• Cross-validated findings using Trivy + public CVE references to confirm true risk.
• Improved pipeline trust by enforcing scan evidence retention + validation gates.
• Outcome: fewer production pipeline failures caused by scanner inconsistency.

Controlled Promotions (Dev → UAT → Prod)

• Implemented “build once, promote many” model to prevent rebuild risk and drift.
• Added approval gates + registry path enforcement to block unauthorized deployment paths.
• Outcome: digest-level traceability strengthened across environments.

OWASP ZAP DAST with Kubernetes dynamic URL

• Automated DAST using runtime service discovery via kubectl for real endpoint validation.
• Ensured post-deploy security checks reflect production-like behavior.
• Outcome: improved coverage beyond static environment assumptions.

Primary Threat Vectors

• Credential theft (tokens, OAuth secrets, cloud keys)
• Pipeline compromise (runner persistence, secret exposure)
• Dependency compromise (typosquatting, malicious packages)
• Container base image vulnerabilities + drift via latest tags
• Kubernetes privilege escalation (privileged pods, host mounts)
• Lateral movement (east-west traffic abuse)
• Data exfiltration (egress misuse, weak PII boundaries)

Control Mapping (Kill Chain → Defense)

• Recon → WAF + rate limiting
• Initial Access → secrets scanning + SAST + admission deny
• Privilege Escalation → RBAC + securityContext hardening
• Lateral Movement → segmentation + mesh + mTLS
• Exfiltration → egress restrictions + PII boundaries
• Impact → SIEM detections + incident response containment

Evidence Pack includes

• Scan outputs: SAST, SCA, Secrets, IaC, Image scan, DAST reports
• Build metadata: workflow run ID, commit SHA, branch, actor
• Artifact metadata: image digest, tags, registry path
• Promotion approvals: QA / release gates / policy decisions
• Retention: artifacts stored per pipeline for compliance and RCA

SBOM Snapshot (Implementation proof)

This image is used as proof-of-implementation artifact.

Inputs to Risk Scoring

• CVSS → technical severity baseline
• EPSS → likelihood of exploitation in the wild
• Exploit maturity → weaponization / public exploit availability
• Reachability → exposed surface + runtime path
• Compensating controls → RBAC, WAF, egress, segmentation

Policy Gate Outcomes

• Block → exploitable critical vulnerabilities or policy violations
• Allow with evidence → low-risk findings with traceability and audit pack
• Allow with exception → tracked risk acceptance + expiry and follow-up actions
• Auto-promote → clean evidence + approved digest across environments

Netflix Clone — Secure CI/CD Pipeline

• Built CI/CD pipeline with SAST, SCA, secrets scanning, Trivy image scan, and controlled deployment.
• Implemented Slack notifications with build + commit metadata.
• Focused on immutable image tags (v1.0) and evidence retention.

Kubernetes Security Validation Toolkit

• Combined kubeaudit + cluster checks for misconfiguration detection.
• Designed baseline enforcement for risky workload patterns.
• Mapped findings to remediation playbooks for engineering teams.

Secure Build Provenance

• Expanding provenance metadata to include environment and runner identity.
• Improving attestations for artifact traceability across Dev → UAT → Prod.

Policy as Code Expansion

• Strengthening policy gates for Kubernetes workload hardening.
• Improving enforcement for registry paths + digest allowlisting.

Risk-based Security Gates

• Reducing false positives by aligning severity with exploitability.
• Tracking risk acceptance and expiry-based exceptions.

Security Metrics & KPIs

• Measuring gate pass rate, mean time to remediate, recurrence of secrets leakage.
• Building dashboards for release integrity and evidence coverage.

DevSecOps + CI/CD

• GitHub Actions, Jenkins, pipeline orchestration
• Branch protection, CODEOWNERS, PR-only enforcement
• Artifact retention, evidence generation, release governance

Supply Chain Security

• SBOM generation, artifact signing, digest traceability
• Immutable versioning + controlled promotions
• Container security scanning: Prisma twistcli, Trivy

Application Security

• Web/API/Mobile penetration testing
• AuthZ/AuthN testing, misconfigurations, API abuse validation
• Remediation guidance + secure design reviews

Kubernetes Security

• RBAC, namespaces, workload hardening baselines
• kubeaudit-based checks and enforcement patterns
• Ingress exposure and blast radius reduction

Certifications

• CKS — Certified Kubernetes Security Specialist
• CKA — Certified Kubernetes Administrator
• GCP Professional Cloud Security Engineer
• GCP Professional Cloud Architect
• Terraform Associate

Security Engineering Outcomes

• Implemented security enforcement across 350+ microservices delivery scope.
• Built CI/CD security gates with evidence retention and audit-ready outputs.
• Enabled controlled promotions with immutability and digest-level traceability.
• Reduced secrets exposure risk through scanning + governance + rotation response.