“Shortly after joining MIO, Sunit built the foundations of our first application security program. Everything from policy, procedures, severity guides, AST tooling and training were thoughtfully procured and implemented. A master at his tradecraft, Sunit comes highly recommended to build, lead and mature application security programs. ”
About
Application security professional with a experience in code reviews,security architecture…
Activity
-
Some key takeaways from my talk "Hitchhikers guide to secure AI Development" at AI Dev World 2025. Adding security by design/default in each phase…
Some key takeaways from my talk "Hitchhikers guide to secure AI Development" at AI Dev World 2025. Adding security by design/default in each phase…
Liked by Sunit Guldas
-
Excited to share that I've joined @Attentive as a Staff Application Security Engineer!
Excited to share that I've joined @Attentive as a Staff Application Security Engineer!
Liked by Sunit Guldas
-
I am ecstatic to share that I've been selected to join the 2025 SANS Security Awareness Summit Board!! Since moving into security in 2019, I've…
I am ecstatic to share that I've been selected to join the 2025 SANS Security Awareness Summit Board!! Since moving into security in 2019, I've…
Liked by Sunit Guldas
Experience
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Education
Licenses & Certifications
Volunteer Experience
-
founder joint secretary
yuva jagruthi youth forum
- Present 12 years 10 months
Social Services
Courses
-
Advanced computer network security
-
-
Applied cryptography
-
-
Big data computing
-
-
Computer system security
-
-
Foundations of algorithms
-
-
Information assurance and security
-
-
Introduction to theoretical computer science
-
-
Principles of programming languages
-
-
Randomization and approximation algorithm
-
-
Software security
-
Projects
-
SDN-based Network IDPS and security analysis system in a Cloud
• Successfully deployed intrusion detection system which scans for vulnerabilities and generates an attack graph based on the severity.
• Applied deep packet inspection mechanism which makes the attack behavior more prominent and detectable.
• Improved the attack detection probability through programmable network approaches that improves the attack resilience of system by correlating attack behavior and employing effective countermeasures without interrupting existing services.
• Tools…• Successfully deployed intrusion detection system which scans for vulnerabilities and generates an attack graph based on the severity.
• Applied deep packet inspection mechanism which makes the attack behavior more prominent and detectable.
• Improved the attack detection probability through programmable network approaches that improves the attack resilience of system by correlating attack behavior and employing effective countermeasures without interrupting existing services.
• Tools used: KVM, OpenStack, Open vSwitch, POX, Python, Attack Graph Modeling-MulVal, SDN, Penetration Test Tool- (Nessus, Metasploit), Snort.Other creators -
-
Analyzing logs of tweets related to superbowl to analyze the level of support for team using hadoop
-
• Developed python code for map and reduce function to analyze tweet logs
• Generated a single file result to summarize the number of tweets in support of a team
• Tools used: python, hadoop, ‘R’ programming language.
-
Building a basic compiler to compile a language similar to C:
-
• Developed a lexical analyzer which tokenized the input.
• Developed a syntax analyzer which checked the syntax of the program and reported the errors.
• Developed a recursive decent parser which reported errors by line numbers.
• Developed a semantic analyzer incorporating it with the lexer and parser.
• Developed a final compiler which generates intermediate code that consists of machine language which could be further executed for results.
• Tools Used: C, C++, Eclipse…• Developed a lexical analyzer which tokenized the input.
• Developed a syntax analyzer which checked the syntax of the program and reported the errors.
• Developed a recursive decent parser which reported errors by line numbers.
• Developed a semantic analyzer incorporating it with the lexer and parser.
• Developed a final compiler which generates intermediate code that consists of machine language which could be further executed for results.
• Tools Used: C, C++, Eclipse IDE.
-
A Secure Banking System
-
• Developed a secure Java/J2EE web application based on spring MVC framework incorporating spring security framework and hibernate utilizing the backend MySQL workbench(RDBMS) database.
• Created modules that authorize stakeholders of a bank to create, delete, modify employees, customers and merchants and designed user interface utilizing HTML, CSS, JavaScript and Ajax.
• Implemented security features such as PKI for transaction authentication, self signed Certificate Authority for…• Developed a secure Java/J2EE web application based on spring MVC framework incorporating spring security framework and hibernate utilizing the backend MySQL workbench(RDBMS) database.
• Created modules that authorize stakeholders of a bank to create, delete, modify employees, customers and merchants and designed user interface utilizing HTML, CSS, JavaScript and Ajax.
• Implemented security features such as PKI for transaction authentication, self signed Certificate Authority for certificates management, OTP during transactions, input validations, SSL implementation, session management, hashing and salting of passwords and encrypting PII information.
• Conducted security testing using application security testing tools such as webscarab and burp suite.
• Tools used: Spring MVC, Hibernate, MySQL, HTML, CSS, JavaScript, AJAX.
Other creators -
-
Co-operative caching in Wireless P2P networks
-
• Developed an efficient algorithm for cooperative caching of data and to reduce overhead of copying data between user space and kernel space by implementing cooperative caching in wireless P2P network.
• Identified requirements, created technical specifications, coded user interface and performed unit and integration testing.
• Tools/Technologies: Netbeans, JAVA, JAVA Swings, MySQL
-
Paper: “Survey on Authentication Techniques for Internet of Things (IoT) to Improve Network Security”
-
Other creators -
-
Seminar and Implementation of client-side Load balancer using cloud
-
• Designed a load balancer over the client side which would handle the web application traffic demand fluctuations by using a clouds on-demand, pay-per-use capability.
• Created technical specifications and user interface, performed unit and integration testing and presented a seminar.
• Tools/Technologies: Eclipse, HTML, JavaScript, MySQL, PHP
Languages
-
English
Full professional proficiency
-
Kannada
Native or bilingual proficiency
-
Hindi
Native or bilingual proficiency
-
telgu
Elementary proficiency
Recommendations received
2 people have recommended Sunit
Join now to viewMore activity by Sunit
-
Artificial Intelligence (AI) is everywhere, and lot of organizations are trying to make sense of security and compliance issues around it. AI…
Artificial Intelligence (AI) is everywhere, and lot of organizations are trying to make sense of security and compliance issues around it. AI…
Liked by Sunit Guldas
-
As Sharan Hegde blocked me, I can not ask him the clarifications any more. If there are any members of his club, can they clarify or get the…
As Sharan Hegde blocked me, I can not ask him the clarifications any more. If there are any members of his club, can they clarify or get the…
Liked by Sunit Guldas
Other similar profiles
Explore more posts
-
Michał Walkowski, PhD
🚀 New Writeup Published 🚀 I’m excited to share my latest blog post: HTB Sherlock - BOughT Writeup! This forensic challenge involves a non-technical client who bought a used computer and began experiencing internet connectivity issues. Using memory dumps and disk artifacts, I walk through investigating and identifying hidden problems. Check out my full breakdown on my blog for all the details! Link in the comments! #DFIR #HTB #Cybersecurity #Forensics #MemoryAnalysis #Volatility #MalwareAnalysis
3 Comments -
Bojan Simic
Hey IAM folks, if someone polled your co-workers today, how would they rate the authentication experience they have today on a scale of 1-10? Here's what kills the ratings for most enterprises: 1. Inconsistency - Having to use multiple and inconsistent MFA tools to access company apps. 2. MFA Fatigue - Requiring users to re-authenticate or do MFA again when unnecessary 3. Lockouts - When providing the wrong credential or expired passwords lead to account lockouts that stop people from working Only by unifying the authentication experience and streamlining can we ever expect to win over everyone in the company. Here is a diagram of our Authentication Speedway, a map to getting to the most frictionless and highly secure authentication experience for your workers! https://lnkd.in/g92bnSgS
-
Shakeel Ali
Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution: A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion. The vulnerability has been codenamed CloudImposer by Tenable Research. "The vulnerability could have allowed an attacker to hijack an internal software dependency https://lnkd.in/gC6MNq7D
-
Oleg Dulin
Security policies are meant to solve specific problems. They are not meant to exist in a vacuum, to irritate and annoy end users, or for self-perpetuation. Articulate the security problem you want solved to engineers and work with them to solve it -- as opposed to mandating inexplicable policies from the ivory tower.
-
Sachin Kumar Talan
🚨 $154M Insider Threat at Macy’s: A Wake-Up Call for All Organizations A trusted employee exploited weaknesses in Macy’s internal processes, concealing $154 million over several years. This insider fraud highlights the critical risks posed by internal actors and the limitations of traditional audit and GRC systems. Here’s what happened: 👉 Scope & Duration: A multi-year scheme revealed systemic gaps in controls. 👉 Methodology: Small accounting manipulations added up to massive losses. 👉 Discovery: Only uncovered after significant financial discrepancies impacted reporting. The fallout? 💸 Financial Loss: A direct hit to Macy’s bottom line. 🔒 Reputation Damage: Eroded trust among investors and customers. ⚙️ Operational Disruptions: Diverted resources to investigations. 📋 Regulatory Scrutiny: Increased oversight and potential penalties. How can we prevent this? 🔍 With Securonix UEBA, organizations can detect anomalous behavior and trigger alerts for suspicious activity. 🤖 Securonix EON extends this with real-time insights, data integration, and automated investigations. Insider threats are tough to spot, but with advanced tools, you can safeguard your organization. 🔗 Read the full blog to learn how Securonix can help protect your organization: https://lnkd.in/g8VvxUrZ
-
Ashish Desai
2025: Run LLM's on your phone offline Happy New Year everyone. Its the new age of AI, its a new year, use your phone to run AI models locally. 1. Get a iPhone (or use one built in past 2 yrs) 2. Install MLC Chat app https://lnkd.in/e8r6KbzS 3. Download model (Llama 3.2 Instruct) within the app. Chat away...ask about health issue, or have it write code while lying on the beach with no Internet access. STOP making excuses, go build the future....
-
Eugene Sergeev
Just got off the phone with a friend of mine, former IAM consultant, desperately trying to stay in IAM domain. No luck. He applied to ~100 positions, got ~10 responses, had only 1 full interview loop. As a recap on what you should be aware of, should not do or say on interviews in year 2024: 1. We’re not in 90ies anymore 2. Your jokes make no sense to other generations and cultures 3. No one needs your truth or facts 4. “I failed, we achieved” - forget it. 5. ChatGPT can be also used to summarize your AI-inflated CVs, yet human produced ones are filtered out by poorly configured CV parsers on steroids. Have a section for robots, be a SEO 6. Upbeat tone, overal positive and energetic employee is a better option for employers than grumpy experts. 7. Don’t speak technical to recruiters, just be nice 8. Ghost positions are the new norm. You apply and you never hear back. Then you are automatically denied due to a timeout and that position is republished over and over again. Market research it is. This is how you justify your “competitive” salary: look, I got XXk applications in 1 week, why give you a raise? Yeah, the same crowd keeps applying to everything semi-automatically, making it almost impossible to get in without a referral What did I answer? sorry, I don’t have any open positions :( And a couple of random thoughts on where we’re heading to… Like in 2000s when we had a .com bubble, we’re facing consequences of way too many CS graduates. We had this with CPAs, then came TurboTax. We had this with lawyers, being automated as we speak. Next? SDEs. Not SDEs as a profession, but SDEs as coders, not tech spec writers, architects and PMs. Why SDEs? ‘cause if one can do Google Driven Development, then it could be automated and the SDE name to hire is CoPilot. And it is great. No joke. What’s left? Ability to think (AI is still just a search engine), ability to solve problems (not math or code problems, come on, why are we asking to do bubble sort? Are we developing a hardware driver? Why not assembler then?), ability to take ownership and lead, be responsible and proactive. I kept saying this to my team since day one. Hope they listened. They same applies to consultants. Consultants don’t do configurations, those are configurators, consultants solve business problems. If recruiters are reading this, consider this as anonymous feedback, collected from 3 different IAM candidates. #IAM #IGA #IdentityManagement
9 Comments -
Teri Radichel 🩵
How to Figure Out What’s Running On a Specific Port on Linux ~~ Some strange process is running on a particular port — what is that? ~~ In this case looking at STUN/TURN/ICE traffic which is used for peer to peer connections to bypass NATs and Firewalls https://lnkd.in/e-BcKWq2
-
Bollina Bhagavan
I was dabbling with both AWS Infra and SIEM tools since past couple of weeks. As we all know that if cloud environment scales, so does the complexity and the potential attack surface associated with it. Imagine one fine morning, you receive alerts about unexpected API activity. As cloud sec engineer, you should be able to quickly pinpoint the issue, prevent potential damage, and reinforce your system's defenses. Below are the points that came to mind while configuring CloudTrail. Please feel free to add your thoughts! 1. Encrypt your CloudTrail files enabling SSE-KMS encryption in your bucket. 2. Prevent accidental loss of CloudTrail data by enabling versioning and MFA-delete on the S3 bucket. 3. Deliver all CloudTrail logs to a central S3 bucket with strong access control. Ideally in another AWS account, using a restrictive S3 resource policy. 4. Always enable log file validation for your files, in order to prevent tampering. 5. Enable CloudTrail Insights to automatically detect unusual operational activity within your AWS accounts. Additionally, I've written few rules to third party monitoring tools to detect and alert on CloudTrail configurations changes such as StopLogging, DeleteTrail, and UpdateTrail. #AWS #cloudsecurity #dev #infosec
10 Comments -
Teri Radichel 🩵
AWS re:Invent Brain Dump 2024: Capturing all the thoughts before they slip away Some things I’m thinking about after AWS re:Invent. As always I’m most interested in security announcements, but I am also developing some new software and pondering AI. https://lnkd.in/eqibk5te
-
William W Collins
The Surge of Identity and Access Management (IAM): Unveiling the Catalysts by madhav via Security Blogs via Fayda on Inoreader ([Global] GDPR) URL: https://ift.tt/32DBhKz The Surge of Identity and Access Management (IAM): Unveiling the Catalysts madhav Thu, 08/22/2024 - 07:02 The domain of Identity and Access Management (IAM) has undergone a remarkable surge, underpinned by a myriad of factors spanning technology, regulatory dynamics, and security imperatives. Against the backdrop of heightened recognition of the critical role of robust access control and identity management, the growth of the IAM market has been steered by a confluence of compelling drivers. A recent survey by KuppingerCole Analysts found that almost 95% of organizations have an IAM solution implemented. In fact, medium to large organizations typically have multiple IAM solutions for various IAM capabilities, highlighting the growing significance of IAM in IT security. Unveiling the multifaceted forces propelling IAM expansion provides valuable insights into the evolving landscape. Let's delve into the nuanced landscape of the pivotal drivers fueling the growth of IAM: Escalating Cybersecurity Threat Landscape The pervasive escalation of cyber threats, encompassing data breaches, ransomware incursions, and identity-related malfeasance, has precipitated a heightened sense of urgency among organizations to fortify their cybersecurity defenses. IAM solutions have emerged as linchpins in mitigating cyber risks, ensuring that only authorized individuals can access sensitive systems and data. The upsurge in the frequency and sophistication of cyber-attacks has propelled organizations to prioritize significant investments in IAM to fortify their defenses and shield critical information assets. Regulatory Mandates and Compliance Imperatives The regulatory landscape governing data privacy and security has undergone a seismic shift, marked by the advent of stringent mandates such as the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act). These regulations impose rigorous stipulations on organizations to safeguard individuals' personal data. With robust identity governance, access controls, and audit capabilities, IAM frameworks have emerged as imperative enablers for organizations striving to meet and uphold regulatory expectations. Compliance-oriented initiatives have been instrumental in catalyzing the adoption of advanced IAM frameworks to ensure regulatory adherence. Cloud Infusion and Digital Metamorphosis The pervasive embrace of cloud technology and the proliferation of digital transformation initiatives have rendered traditional perimeter-based security paradigms obsolete. IAM frameworks have metamorphosed to cater to the necessities of cloud-based applications, the mobile workforce panorama, and the burgeoning array of IoT (Internet of Things) devices. These advanced IAM paradigms empower organizations ...
-
Antoine Vastel
In my latest blog post, I discuss the role of weak fingerprinting signals in the context of bot and fraud detection. I use the example of language-related signals to illustrate how even signals that may look insignificant can be leveraged to detect inconsistencies introduced by bot frameworks and anti-detect browsers. https://lnkd.in/eZ2hcKeH
4 Comments -
Wade Baker, Ph.D.
What does security debt (old, unresolved flaws in code) look like across applications in your organization? Perhaps similar to one of these 20 anonymous organizations we sampled during a recent analysis of #appsec scan data. Each rectangle represents a different organization, which is subdivided into sections corresponding to the size of its active applications. The color applied to those applications measures their density of security debt. You can think of this as a depiction of the shape and status of the application attack surface for each organization. Organization 4 is relatively clear of debt across most of its applications, with a few exceptions in the lower right corner. Organization 9 below it shows pretty much the opposite trend—one tiny debt-free application floats alone in a sea of debt. Other organizations in this sample exhibit a relatively even distribution of debt across applications (e.g., Org 14) to an application attack surface that runs the gamut of debt density (e.g., Org 6). So, what makes one organization look so different from another when it comes to the distribution of security debt across their applications? Is it possible for teams to reverse indebtedness for the applications they develop and manage? Download the full report from Veracode, with analysis by Cyentia Institute, to find out! Get is here: https://lnkd.in/evh5jm2Z #softwaresecurity #applicationsecurity #devsecops #devops
-
Arthur Rabatin
#CrowdStrike #RootCauseAnalysis now available. It kind of reads like 'We got a RegEx wrong' but I am sure (I hope?) that was not really the issue. It does show how complex modern system deployment is. The solution has to be to reduce that complexity and thus make it more testable. This will reduce the commercial scope of products but from a user point of view should be safer. https://lnkd.in/eU4tTJqX
1 Comment -
Scott Scheferman
Update: Best contextual summary so far with new info on both pagers and walkie-talkie explosions: https://lnkd.in/gxEUcU6t On the topic of exploding pagers in Lebanon and Syria. After exchanging thoughts with folks that have hardware hacking skills, and speaking with others about this: my personal take thus far is simple: 1) No need to panic or worry about your cellphone batteries exploding 2) More likely a supply chain interdiction and unlikely to be the batteries themselves. Rather a charge placed in them or on them at a factory in combination with listener logic for a specific message. (simultaneous detonations, and video evidence of pages received immediately prior to explosion). The explosions are strong enough to knock a person over and bystanders holding their ears after, in shock. (videos are graphic, be aware) 3) Likely part of a larger strategic move, with Israeli troops amassing at boarder, the Iranian ambassador in Lebanon injured, 7 reported deaths also in Syria from the same cause. Consider that capability now burned as an operation, which infers there is a larger strategic operation underway. 4) Numbers up to 3000 now being reported 5) Airlines and cell phone providers hopefully won't be inundated with panic and questions, but I'm guessing they well unless the media is quick to course-correct on initial reports of OTA firmware updates and battery BMS trickery causing batteries to explode via logic alone. The scope and methods are narrow here, not universal. 6) Again, no need to panic. Expect a lot of mis-information, attribution, narrative, and public reaction from all sides of the conflict. Sharing my personal understanding, take, and reaction thus far. EDIT: Context or Cooincidence, you decide: Today, Israel's internal security service, Shin Bet, just announced it thwarted a Hezbollah plot to assassinate a former senior Israeli security official via an explosive device. Yet, in 1996, the Chief bombmaker of Hamas and leader of the West Bank battalion of the Izz ad-Din al-Qassam Brigades (Yahya Abd-al-Latif Ayyash) was assassinated by Shin Bet... wait for it, by implanting an explosive in his cell phone that killed him when he answered it. ref: https://lnkd.in/g2f-zMrM and https://lnkd.in/gahGicWd Either way, this tactic has been around for many decades. This time, however, it was done to a large supply of new same-model pagers delivered to a specific customer. In general, unlikely to be carried out by Shin Bet, as they do not operate outside of country boarders apart from Gaza and West Bank. EDIT 2: Pagers were for about 5 months in the hands of victims before this event. A small amount of explosive (PET_N) was place inside near the battery and the devices were remotely made to heat up sufficiently to set off the charge. This, via inference, per reporting here: https://lnkd.in/gH3rPpmh
7 Comments -
Shakeel Ali
Critical GitHub Enterprise Server Flaw Allows Authentication Bypass: GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections. Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication. "On instances that use SAML single sign-on (SSO) authentication with the https://lnkd.in/gKi_JiDq
Explore collaborative articles
We’re unlocking community knowledge in a new way. Experts add insights directly into each article, started with the help of AI.
Explore More