Suraj Bagad

Vetted Talent
With over 18 years of experience in the field of security and software architecture, I have honed my skills in the areas of endpoint device security, C/C++ programming, and software architecture. Throughout my career, I have actively contributed to the development and implementation of robust security measures, ensuring the protection of sensitive data and systems. My extensive knowledge and expertise in security protocols, coupled with my proficiency in programming languages such as C/C++, have allowed me to design and create innovative security software solutions. As an experienced professional in the field, I am dedicated to continuously enhancing security practices and staying ahead of emerging threats to provide optimal protection for organizations and their valuable assets.
  • Role

    Security Technical Consultant

  • Years of Experience

    18 years

Skillsets

  • Security - 16 Years
  • Django - 1 Year
  • Python - 1 Year

Vetted For

7 Skills
  • Product Security Engineer (AI Screening)
  • Score: 59/100
  • Skills assessed: Familiarity with fintech, open source contributions, conduct design reviews, identify threats and suggest mitigations, penetration tests, SOC2/1 audits, update the threat model and implement mitigations.

Professional Summary

18 Years
  • Aug, 2022 - May, 2023 (9 months)

    Technical Architect

    Forcepoint
  • May, 2020 - Aug, 2022 (2 yr 3 months)

    Technical Architect

    Quick Heal
  • Jan, 2007 - May, 2020 (13 yr 4 months)

    Principal S/W Engineer

    Symantec By Broadcom
  • Aug, 2004 - Aug, 2006 (2 yr)

    Software Engineer

    Acusis
  • Aug, 2006 - Dec, 2006 (4 months)

    S/W Engineer

    Geomatric

Applications & Tools Known

  • Wireshark
  • Windows Performance Analyzer
  • Threat Modelling
  • SOC Audit
  • Mitigation

Work History

18 Years

Technical Architect

Forcepoint
Aug, 2022 - May, 2023 (9 months)

    Responsibilities-

    • Worked on CASB, SWG, and ZTNA technology products.
    • Provided overall analysis, security suggestions, and technical guidance on improvement of the CASB product.
    • Presented to the team on technical topics such as performance and security.
    • Led architectural analysis of SASE (Secure Access Service Edge) and created architectural diagrams.
    • Developed major features supporting SaaS MS Office applications through Azure AD and implemented security fixes based on SAST tool reports.
    • Recognizing a challenge within my team, I observed that support team members faced difficulties coordinating with customers due to limited technical knowledge of the ZTNA product, with no available resources for assistance.
    • To address this issue, I proactively delved into the code, configurations, and relevant details, leveraging my expertise to assist them in debugging customer support issues.
    • By understanding their pain points and providing hands-on support, I facilitated smoother communication and problem resolution, enhancing overall team efficiency.
    • Mentored team members, established interview processes.

Technical Architect

Quick Heal
May, 2020 - Aug, 2022 (2 yr 3 months)

    Responsibilities-

    • Led and optimized the leading AV engine, achieving a remarkable 30% performance improvement.
    • Oversaw team processes, identifying gaps, interaction across teams, and discussion with leaders, acting as representative for the AV engine and implementing enhancements for increased efficiency.
    • In my role, I encountered a challenge with the Windows native library code, an area that puzzled the entire team.
    • With a keen eye for complex code structures, I took the initiative to dissect and comprehend the intricate workings of these native libraries. Not only did I unravel the complexity, but I also innovatively implemented an interactive password-based validation feature during the Windows booting process. This feature empowered users with the choice to opt for or skip boot-time scanning, showcasing my ability to understand, enhance, and bring user-centric solutions to intricate technological challenges.
    • Mentored team members, set up interview processes, facilitated cross-functional collaboration, malware analysis collaboration, and conducted POC initiatives to drive innovation.
    • Achieved the prestigious 'Bheema Award' for adeptly managing projects independently, demonstrating strong coordination skills with various stakeholders, including leaders, cross-functional team members, and internal collaborators.
    • I have helped the organisation mitigate threats using many techniques, such as a shift-left approach (threat modelling, a proactive approach) and a reactive approach (based on test case results) from an SOC perspective.
    • Security Architecture Design: Played a key role in designing security architectures that align with SOC2 principles, incorporating robust controls and measures.
    • Compliance-Driven Development: Demonstrated a commitment to compliance by embedding SOC2 considerations (e.g. using CIS benchmarks) into the development lifecycle, proactively addressing security and privacy concerns.

Principal S/W Engineer

Symantec By Broadcom
Jan, 2007 - May, 2020 (13 yr 4 months)

    Responsibilities-

    • Developed features for diverse security products, including IDS, IPS, cloud security solutions, and compliance products based on the CIS benchmark.
    • Recognizing a critical resource gap in Windows driver debugging within my team and business unit, I proactively took the initiative to independently learn and master these techniques. With only one resource available, I realized the vulnerability this posed to our projects.
    • In alignment with my unwavering commitment to organizational growth, I voluntarily undertook the responsibility to address this gap, shouldering a significant portion of the driver issues.
    • This proactive approach wasn't prompted by anyone but stemmed from my dedication to ensuring a robust and successful endpoint project.
    • Pioneered the implementation of threat modelling within the team, leading to robust security features and recognized with Applause awards for outstanding contributions and a customer-driven approach.
    • I used the threat modelling tool to identify the threat vectors and inputs and worked on a feature of encrypting sensitive information using OpenSSL AES APIs in memory itself.
    • This was done to prevent any memory attack, which can happen due to exposure of data in plain text.
    • I worked on an SVA (Security Virtual Appliance) project for protection of VMware-based virtual machines, which works on the concept of a host-based security solution.
    • Instead of installing AVs on all VM machines, this solution is deployed on only one machine as an appliance. The activities of all VM machines are passed to this appliance using VMware's network drivers.
    • Received positive feedback and achieved top-quality ratings for excellence in Security Virtual Appliance and security compliance products. Implemented innovative functionalities for Windows login customization in a custom Active Directory management system.
    • I started with the Active Directory project, which was a custom solution for organizations to manage their network using Microsoft's Active Directory technology.
    • From a threat mitigation perspective: I have helped the organisation mitigate threats using many techniques, such as a shift-left approach (threat modelling, a proactive approach) and a reactive approach (based on test case results) from an SOC perspective.
    • Security Architecture Design: Played a key role in designing security architectures that align with SOC2 principles, incorporating robust controls and measures.
    • Compliance-Driven Development: Demonstrated a commitment to compliance by embedding SOC2 considerations (e.g. using CIS benchmarks) into the development lifecycle, proactively addressing security and privacy concerns.
    • Data Protection Measures: Implemented comprehensive data protection measures within security products, ensuring compliance with SOC2 standards regarding data confidentiality, integrity, and availability.
    • Security Training and Awareness: Contributed to fostering a security-aware culture within the organization, emphasizing the importance of SOC2 principles through training programs and awareness initiatives.

S/W Engineer

Geomatric
Aug, 2006 - Dec, 2006 (4 months)

    Responsibilities-

    • Demonstrated expertise in working with highly complex OpenGL-based software 'Godrej Interior' utilized for office interior design.
    • Achieved substantial knowledge within a short period and effectively implemented gained knowledge in the project.
    • Recognized for exceptional performance, I received an unsolicited salary increase within just two months of joining the company, a testament to my immediate impact and dedication to delivering quality results.

Software Engineer

Acusis
Aug, 2004 - Aug, 2006 (2 yr)

    Responsibilities-

    • Developed feature additions and enhancements for client-server architecture, displaying a commitment to continuous learning in this domain.
    • Utilized COM and multithreading to optimize system performance effectively.
    • Demonstrated expertise in advanced technologies like Remoting (.NET) and web services while innovatively implementing them in a Speech Recognition project.

Achievements

  • Achieved the prestigious 'Bheema Award' for adeptly managing projects independently, demonstrating strong coordination skills with various stakeholders, including leaders, cross-functional team members, and internal collaborators
  • Recognized with Applause awards for outstanding contributions and customer-driven approach
  • Received positive feedback and achieved top-quality ratings for excellence in Security Virtual Appliance and security compliance products
  • Received an unsolicited salary increase within just two months of joining the company

Testimonial

Forcepoint

Sanyam Gandhi

I have worked with Suraj closely at Forcepoint in the WebServices and Agents team. Suraj possesses a unique combination of technical expertise, leadership skills and vast knowledge in the Cyber Security domain. He is a true team player and led and contributed to many projects at Forcepoint. His willingness to share knowledge and help everyone is his best strength.

Acusis

Raghunath KM

I remember Suraj as a very diligent developer and he was very tech savvy.

Major Projects

3 Projects

Implement Conditional Access Policy for IDAM (Azure) for SAAS product

Forcepoint
Dec, 2022 - Mar, 2023 (3 months)

    Project Overview:

    Implemented a robust solution for a client seeking enhanced security measures for their Azure user authentication using Azure Identity and Access Management (IDAM). The primary goal was to block users attempting to access Azure authenticated applications without proper network or Cloud Access Security Broker (CASB) server verification.

    Key Responsibilities:

    • Requirement Analysis: Conducted a thorough analysis of the client's requirements to understand the scope and objectives of the project.
    • Impact Analysis: Identified and assessed the key areas impacted by the implementation of the enhanced authentication feature:
        • UI (User Interface): Integrated IDAP and Azure-related information seamlessly into the CASB product's settings page.
        • Backend: Implemented storage mechanisms for IDAP policy settings to ensure secure and efficient data management.
        • Operational: Facilitated the upload of trusted certificates for the reverse proxy, ensuring a secure and reliable connection.
    • Implementation: Executed the necessary changes in the backend area, and guided and coordinated with three other team members for the remaining changes.
    • Testing: Conducted rigorous testing to validate the functionality and security of the implemented solution. This included user authentication scenarios, policy enforcement, and certificate validation.
    • Documentation: Prepared comprehensive documentation detailing the implemented changes, including step-by-step guides for administrators and end-users.
    • Collaboration: Collaborated closely with cross-functional teams, including UI/UX designers, backend developers, and operational staff, to ensure a cohesive and effective implementation.

AntiVirus Engine Performance Enhancement

Quick Heal
Jun, 2021 - Jan, 2022 (7 months)

    Project Overview:

    Led efforts to significantly enhance the performance of an Antivirus (AV) engine widely utilized across enterprise and retail products for comprehensive malware scanning. The primary objective was to optimize the AV engine's performance, resulting in a remarkable 30% improvement.

    Key Responsibilities:

    1. Optimization of AV Engine: Undertook the responsibility of optimizing the AV engine's performance by addressing various aspects, ensuring efficient malware scanning for enterprise and retail products.
    2. Continuous Memory Presence: Redesigned the AV engine to operate as a daemon, ensuring continuous memory presence of its components. This strategic enhancement eliminated the need for reloading during scanning requests, significantly reducing turnaround time for frequent scanning requests.
    3. Definitions Footprint Reduction: Implemented a targeted file type scanning approach, specifically .dex files (Android-based), on the server to reduce the footprint of AV engine definitions. This tailored scanning approach contributed to a more streamlined and efficient engine.
    4. Cross-Team Collaboration: Collaborated with diverse teams such as Server, Malware Analysis, and Signature Writing teams. Leveraged insights from security and technical expertise to fill knowledge gaps, offering guidance to junior team members.
    5. Expanded Responsibilities to IPS Product: Took on additional responsibilities by managing the Intrusion Prevention System (IPS) product. This extended role involved ensuring the seamless integration and performance optimization of the IPS product alongside the AV engine.

Authorize Windows Boot Login Scanning

Quick Heal
Jun, 2021 - Dec, 2021 (6 months)

    Project Overview:

    • In my role, I encountered a challenge with the Windows native library code, an area that puzzled the entire team.
    • With a keen eye for complex code structures, I took the initiative to dissect and comprehend the intricate workings of these native libraries.
    • Not only did I unravel the complexity, but I also innovatively implemented an interactive password-based validation feature during the Windows booting process.
    • This feature empowered users with the choice to opt for or skip boot-time scanning, showcasing my ability to understand, enhance, and bring user-centric solutions to intricate technological challenges.

Education

  • Bachelor of Engineering - BE

    University of Mumbai (2003)

Certifications

  • CISSP

    LinkedIn (Jun, 2023)
  • Secure Product Lifecycle

    Noble Work Foundation (Jun, 2023)
  • Software Architecture Security

    Udemy (Feb, 2023)
  • Architect SaaS Application

    Udemy (Feb, 2023)

AI-interview Questions & Answers

Okay. So, hey. I'm Suraj Bagad, and I have 18-plus years of experience in secure software development. I have mainly been working as a technical architect in my last organization; in fact, in two organizations at the designation of technical architect. My roles and responsibilities overall have mainly been developing security solutions for on-prem products or cloud products. My last experience, at Forcepoint, was related to cloud security, and mainly I was working on the CASB product, which is Cloud Access Security Broker, which is completely a cloud security product. As far as my expertise is concerned, I have mostly been involved in the development of security products from the year 2007, and I started as a software engineer in 2004. My last designation was technical architect, so I have grown through the ladder from software engineer to technical architect. My main focus from 2007 until now has been the development of security products. I am also preparing for CISSP, which is a gold standard for security, and I will soon be attempting the exam for clearing the CISSP. So I think that is a brief introduction about myself. I would like to tell you one thing: I am a security enthusiast, and I try to keep writing articles on LinkedIn related to information security awareness and some kinds of attacks, basically the technical aspect behind the attacks and how the three pillars of information security, that is, CIA, confidentiality and availability, are affected. I try to write articles on those on LinkedIn. So that's a brief about me. Thank you.

Yes. So, basically, an example where a change resulted in a threat being mitigated without an explicitly secured implementation was an area where I was required to make sure that whatever confidential files are generated out of our product must be in a secured form. So the first thing I tried to do from the code perspective was to encrypt whatever files are generated as a result of the endpoint analysis; that was encrypted using the AES encryption methodology. So there is a code change which I did in order to mitigate a threat, because a threat suggested that there might be a potential attack, considering that the information generated on the endpoint is sensitive. So that is one code example I can remember, which I implemented immediately, in a short span of time, to mitigate a security threat. Apart from that, there are many other solutions that have been implemented. A simple example: privilege assignment to sensitive files. If there are privileged files, then they would mostly have just read-only permission, and they would be authenticated through an authentication mechanism. So that is another kind of implementation which I did for mitigating

What are the key considerations when performing a penetration test on a high-transaction system? There are many key considerations which we need to consider while doing a penetration test on a high-transaction system. I consider that a high-transaction system means that the transactions happening on the system are very critical, like bank transactions. So I consider that scenario. In that kind of scenario, it is very important to identify the threat vectors, or the means by which an attack can be performed on your endpoint application, or wherever your high-value transactions are taking place. So one of the most important parts of the penetration test which I would consider for a high-transaction system is that I would try to design a penetration test wherein I try to do some transactions which are not authorized, or which are not legal transactions. It is sort of the first testing, basically: just trying to do some transactions which are not the normal transactions. So that kind of penetration test I would like to develop. That is one aspect. Another aspect which I would try to do is to work on a test case where a man-in-the-middle attack can be performed, because in general, in these kinds of systems, if a man-in-the-middle attack happens, the end user doesn't know; all its communications are being heard, and information disclosure can happen.
So based on that, you would try to design the penetration test where we could actually try to perform a man-in-the-middle attack. So that's another aspect which I would try to do as part of the penetration testing. As I mentioned, the first would be doing unauthorized kinds of transactions, just to check whether the transaction is successful or not, and the second one would be trying to act as a man in the middle. So this is how I would try to perform a test case for this particular scenario where a high-transaction system is concerned. Thank you.

How do you approach identifying false positives during penetration tests? Mostly, there are a lot of approaches which we can use for identifying false positives. One important factor to consider, to decide that it's a false positive, is that you should have an instant alert for whatever test you are trying to perform, and those results need to be compared with some kind of expected results, or the baseline. So consider that you are trying to do a penetration test case wherein you are trying to do some kind of transactions on a system. Maybe you performed that transaction using a login, and maybe that is a valid transaction, but for some reason your system says that it is an illegal transaction. For that, you need to have some kind of steps or an analysis benchmark that you compare with, saying that, as per our baseline, if the login has happened and the expected user has the privileges to execute the transaction, then in that case it is a legal transaction. So the transaction will only be considered illegal when the user is not logged in, or it's an anonymous user. That is one kind of approach, one example which I have given, that you need to use to identify false positives. And I was thinking that automation is another way by which we can try to handle it, but then you need to have a very advanced kind of tool,
wherein you provide those inputs which are created out of the penetration testing to that tool, and it analyzes them against the benchmarking stuff; but then you need to have some kind of automation in that case. So that is another way. So the first is a manual way, and the other is an automated way, by which you can try to find out the false positives.

What is your methodology for assessing the impact of a potential threat identified in code review? So, in order to identify the impact of a potential threat, you need to understand which areas your code changes are going to impact. That is, whatever code changes we have done, you need to understand what areas they are going to impact. For example, if you have done some kind of code in relation to a database transaction, then you need to understand what data the impact area will be, like the kind of data that will be affected or impacted after the transaction. So that analysis you need to do in order to identify the impact of your potential threat. Once you identify the areas where it is going to create the impact, then, based on the areas of impact, you need to identify how much damage the threat is going to do to the system. You need to do the valuation for that: how much impact is it going to make? This is typically called the quantitative process in security terms, wherein you try to identify, in mathematical terms, the single loss expectancy, that is, what damage will happen, multiplied by the ARO, that is, the annualized rate of occurrence. With these mathematical formulas, you try to derive what impact it is going to make on a yearly basis, if it has to be an annual term, like annual loss expectancy. So there is a quantitative approach which you need to use for assessing the impact of a potential threat, because quantitative analysis
will give you an exact number as to how much impact it is going to make if a particular threat becomes true. So you need to perform the calculations for the ALE. But before that, you need to do some kind of analysis of the impacted area. As I mentioned, for whatever impact areas there are, you need to do an asset valuation, like how much priority or how critical is the area which is getting impacted, because based on that you will be assigning some numbers to the impacted area, and with respect to that you will actually be calculating the impact of the potential threat. Thank you.

A recent penetration test uncovers that an application is susceptible to SQL injection. How would you address the vulnerability in the code, and what steps would you take to prevent similar vulnerabilities in the future? Yeah, those are very good questions. SQL injection attacks are one of the kinds of attacks which are listed there as well. So, in order to prevent SQL injection attacks, the most important thing which you need to do is input sanitization or input validation. Whatever input, whatever ways by which the user is going to input into your system, or which the system is going to accept, those inputs need to be validated. That can mean syntactical validation, like whether it is proper syntax or not. For example, some people try to write some kind of SQL query into the input with a single quote, so that with the first quote the query ends after the semicolon, and after that they write a query. So for that kind of violation, you need to make sure that those are validated and only correct input is accepted. For example, if the text input expects only digit values, you should be accepting only digit values; all other values should be discarded, saying that they are not sent in a proper format. So this was the first part. The second part is you should be using SQL stored procedures and the parameterized form of SQL queries. Parameterized SQL queries mean that whatever input you give into the text boxes will come as a parameter into the SQL query at the end, into the database.
With that, what will happen is any sort of query which the user is trying to write in this text box can be prevented, because a parameterized query will fail if the expected parameter is not of that data type. So those are the two main methods: input validation, which you need to do, and you need to be using SQL stored procedures. And the third one is the parameterized query you should be using for SQL queries. Thank you.
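The two controls the answer names, input validation and parameterized queries, as an added Python example (not the candidate's own code, and not from any product named on the page): an in-memory SQLite table with constructed rows, the string-concatenated query beside the bound-parameter form, and a digits-only check in front of the database call. Stored procedures, which the answer also mentions, are not available in SQLite and are not shown.

```python
"""Added example: input validation plus parameterized queries against
SQL injection, on an in-memory SQLite table with constructed sample data."""
import re
import sqlite3

# Constructed sample data: a users table with a numeric id and a username.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def new_connection() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The 'before' form: untrusted text is pasted into the SQL string.
    A single quote inside user_id ends the literal early, exactly as the
    answer describes, and whatever follows is parsed as SQL."""
    sql = f"SELECT id, name FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: the driver passes the value separately from the SQL
    text, so a quote inside it is data, never syntax. SQLite compares the
    INTEGER column with the text; non-numeric text simply matches nothing."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


# Syntactic validation from the answer: an id field accepts digits only.
DIGITS_ONLY = re.compile(r"[0-9]{1,10}")


def validate_user_id(raw: str) -> int:
    """Reject anything that is not 1-10 digits before it reaches the database
    layer; return the typed value on success."""
    if not DIGITS_ONLY.fullmatch(raw):
        raise ValueError("user id must be 1-10 digits")
    return int(raw)


def rejects(raw: str) -> bool:
    """True when validation refuses the input (convenience for callers)."""
    try:
        validate_user_id(raw)
    except ValueError:
        return True
    return False


def lookup_hardened(conn: sqlite3.Connection, raw_user_id: str) -> list:
    """Both controls together: validate first, then bind the typed value."""
    user_id = validate_user_id(raw_user_id)
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = new_connection()
    probe = "1' OR '1'='1"   # constructed test string with an embedded quote
    print("vulnerable:", lookup_vulnerable(db, probe))      # every row
    print("parameterized:", lookup_parameterized(db, probe))  # no rows
    print("hardened rejects probe:", rejects(probe))         # True
```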

This Liskov substitution principle check: reflect on what might be a potential pitfall of the following code snippet with regard to the principle. So there is a class Bird with a function fly. And there is another class written with the name Ostrich, which is inherited from Bird, and it is overriding the function fly, and it is trying to throw an exception saying that it cannot fly. Okay. So we need to find out what might be a potential pitfall of the following code with regard to the Liskov substitution principle. So if someone is trying to create an Ostrich and is trying to call fly, he will be getting the exception saying it cannot fly. I just need some time to think over it. Okay. So this has been overridden, so this function will be called instead of that. So the Ostrich object is called and the Ostrich fly function gets called. The main pitfall, I think, is that if the function fly is implemented, that can get executed, because now it's an overridden function, and it is throwing an exception. So the exception will be thrown only in the case of the bird Ostrich, and it is very specific to the inherited class. And the implementation of the main Bird, which is supposed to give the function execution, will not be executed. I think the only thing which I can think of is that only the bird Ostrich will be throwing this exception, and this will be applicable to the Ostrich bird only. For other birds, if the function was implemented, that will be directly executed through the fly functionality. Okay, that much. Thank you.

What appears incorrect in the following singleton implementation written in pseudo code? Please explain. Okay. Private static instance. Okay. There is a Singleton constructor here, which is empty, and getInstance is a static function. Instance, okay, so that instance is of type Singleton. Okay. So I think the issue is with the pseudo code: if instance equals null, instance equals new Singleton, and return instance. Okay. So first, if the instance is null, it will create a new instance, and then it will return that instance. So next time, when a static singleton class object is requested again, if it finds that it's not null, it will return that instance only. So the incorrect part, I think, is the line where it is written "if instance == null" and the code returns the instance. At that point, we need to be adding one more condition, again saying "if instance == null". So it has to be two conditions, because in a multithreaded application this part is going to create a problem. Because suppose the first thread is trying to create an instance of that class; in that case, "instance = new Singleton" will be executed, and it's not yet created, right? And the second thread that comes into the picture checks, basically, "if instance == null"; in that case, also, it will get executed, because of the timing. And for that reason, it's recommended for a multithreaded application that you should be writing "if instance == null" two times. First is the level where it actually checks if it's not already created.
And the second time, it's going to check again if instance is equal to null; at that point, it will try to check if the instance has actually been assigned or not. So this is for making sure that, in a multithreaded application, some other thread has not already created that instance. I think that is the single change which needs to be done in this singleton class, as far as the basic thing which we can observe. Yeah. Thank you.
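The race the answer above describes, made visible in code, with the single null check from the question beside a double-checked version. This is an added example by the editor, not part of the interview transcript and not the candidate's code. NaiveSingleton, LockedSingleton, the `pause` argument that widens the race window, and race() are names assumed for this demonstration.

```python
"""Singleton creation under concurrency: the single null check from the question
versus double-checked locking.

Added example, not part of the interview transcript. NaiveSingleton,
LockedSingleton, the `pause` argument that widens the race window, and race()
are assumed names for this demonstration.
"""
from __future__ import annotations

import threading
import time


class NaiveSingleton:
    """getInstance() as in the question: one 'if instance is None' check, no lock."""

    _instance: NaiveSingleton | None = None
    constructions = 0  # how many times the constructor actually ran

    def __init__(self) -> None:
        type(self).constructions += 1

    @classmethod
    def get_instance(cls, pause: float = 0.0) -> NaiveSingleton:
        if cls._instance is None:
            time.sleep(pause)      # stands in for slow construction; widens the window (demo only)
            cls._instance = cls()  # every thread that saw None gets here
        return cls._instance


class LockedSingleton:
    """Double-checked locking: the second check runs while holding the lock."""

    _instance: LockedSingleton | None = None
    _lock = threading.Lock()
    constructions = 0

    def __init__(self) -> None:
        type(self).constructions += 1

    @classmethod
    def get_instance(cls, pause: float = 0.0) -> LockedSingleton:
        if cls._instance is None:           # 1st check: fast path, no lock once built
            with cls._lock:                 # only the creation path pays for the lock
                if cls._instance is None:   # 2nd check: a thread that waited here must
                    time.sleep(pause)       # re-test, because the winner may already
                    cls._instance = cls()   # have assigned the instance
        return cls._instance


def race(cls, n_threads: int = 8, pause: float = 0.05) -> tuple[int, int]:
    """Call cls.get_instance() from n_threads threads at once.

    Returns (constructor runs, distinct instances handed back to callers).
    A correct singleton yields (1, 1).
    """
    cls._instance = None       # clean slate so race() can be called repeatedly
    cls.constructions = 0
    seen: list[int] = []
    seen_lock = threading.Lock()

    def worker() -> None:
        inst = cls.get_instance(pause)
        with seen_lock:
            seen.append(id(inst))

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cls.constructions, len(set(seen))


if __name__ == "__main__":
    print("naive :", race(NaiveSingleton))   # constructor runs more than once
    print("locked:", race(LockedSingleton))  # (1, 1)
```

Note that the second null check only helps because it runs under a lock; a second unsynchronized check would race in the same way as the first. In CPython the unlocked first read of the reference is safe because of the GIL; in C++ or Java that read must be an atomic (or volatile) with acquire semantics, and in C++11 and later a function-local static or std::call_once gives the same guarantee with less code.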

How do you ensure that penetration test results are effectively communicated to relevant stakeholders? Okay. See, when you say that we need to ensure that penetration test results are effectively communicated to relevant stakeholders, that should be in the form of a document: all kinds of results that you prepare at your end, the kind of testing performed and the results which you have obtained. You have to summarize all your, what do you say, test cases which we have written and performed and the results which we have obtained. Right? So, of course, we have to summarize, and it depends on what kind of stakeholders you are trying to address this report to. If it's going to be upper management, basically you would not be writing technical details into it: what test cases, how they were performed and what the results were. Mostly we'll be trying to give an overall view to the management, in summary, saying that, for example, if TLS encryption is not used, then a man-in-the-middle attack is possible. So that kind of simple summary can be used, or, for example, a database needs to be encrypted; it cannot be left unencrypted. So these kinds of simpler results, or simpler language, need to be used for providing it to the management. So if it is for technical persons, it has to be a more detailed kind of report, wherein you will be mentioning the test cases which you have performed.
Like, for example, if you're trying to check the passwords, and maybe you're using some password-cracking tools, and you're trying to find out if users are using passwords as per the password policies or not. That kind of test case we have designed, and you go into the details of what tools we have used and the results which you found, in detail. So that basically forms the detailed report. So this detailed report would be for the technical stakeholders. So it depends on which kind of stakeholder is expecting that result. So, as I said, if there are technical stakeholders, you need to be having the technical details in it. And if it's a management person, he needs to be having summary kind of results in a very understandable English-language form, where you can understand: if these kinds of things are there, like an unencrypted database, then it can be hacked, or the database is vulnerable to information disclosure, that kind of stuff. So it has to be more plain English that has to be there in the penetration test results summary. So these are two ways which you can use to convey your penetration test results.

Okay. I'm back. Thank you. So the deployment of a high-availability service has been expedited, but the threat model is outdated. How will you update and adjust the threat model while maintaining the deployment schedule? Identify which factors will influence your decisions. Okay. So when you're talking about high-availability services, how would you update and adjust the threat model while maintaining the deployment? Okay. So if you say that the threat model is outdated and you would like to update the threat model while maintaining the deployment: the deployment of a high-availability service has been expedited, but the threat model is outdated. So if you're talking about adjusting the threat model, it means that we need some time to update the threat model. Right? So what we would be doing, when you're talking about high-availability services, is you need to be considering the redundancy part of it. So whatever services are presently there, you need to be creating a copy of it. Right? A replica of it needs to be created, and that is needed when one of your services goes off; your other service can pitch in and provide high availability. So till the point your threat model is updated, till that point of time, you should be having a replica of your high-availability service. You need to be working on it; you need to be updating the threat model in parallel. So in production, your existing services are already working with whatever existing setup you have, with existing services. So after replication is done, with whatever areas you need to work upon for the threat model, based on that, once it is complete, then you will be using the model for the replica of the high-availability services.
With that, whatever results you'll be getting, or whatever work you'll be doing in parallel, those results will then be finalized in parallel. Till that moment of time, your existing service will be working as usual. Right? Then you need to be performing the various kinds of test mechanisms for it. So this is very important, which typically is called regression testing. Why I'm saying this is because there is some kind of change: as you said, that model is outdated and you're bringing some kind of change into your high-availability service, and that needs to be verified before it is deployed. Right? So once all your user acceptance testing and your regression testing, everything, is done, and you have verified that it behaves in an expected manner. So there are various kinds of testing you can perform. You can try to use the recorded inputs, basically, and try to perform some kind of testing on it, as if real transactions were going on for your high-availability service, and you'll just be performing it standalone with whatever test cases you have formed based on whatever changes we have done. Right? So once those are approved by what is typically called change management, that approval is done and it's verified. Then your deployment comes into the picture. After that, you will be deploying your high-availability servers, and basically you will be trying to keep it in active-active form. So what I mean by active-active form is basically, in that case, your request will be processed by both of the services, basically. So that will be the newer one and the older one, basically. Right?
So they will be trying to process the service, and in that case, if there is any kind of issue that is happening,

that can be rectified. Okay. I think I'm done with that. So how does a proper code review process support compliance with privacy-focused regulatory frameworks? So the code review process is very important for supporting compliance with privacy-focused regulatory frameworks, because nowadays the breaches are just increasing day by day, and information of consumers, customers, is everywhere. Every organization is concerned about the privacy of their customers, and it is basically tied to regulatory frameworks. So there are various kinds of regulatory frameworks. There's PCI DSS, which is related to different industries; it applies for healthcare, and PCI DSS is for the credit card transaction processes. Right? So now, the code review process is something which happens very early, at the stage when you are actually writing the code. And if something is caught at the earlier stage, if some issues are caught at the earlier stage, there are very few chances that that is going to create a problem at later stages in your deployment, where it actually has been working. So it's very important to try to take care of things in the code review process. And the very best example I would like to give about this is the prevention of SQL injection attacks. So if that is being prevented at your coding level itself, when you're trying to code it, with the help of input sanitization, with the help of SQL stored procedures, with the help of parameterized queries, your SQL injection attack will be curbed at that level only, at the code level only. It will not be happening at the later stages.
Because if you've not done this part and you have deployed your code, and suddenly someone tries to put some code into, just tries to put some SQL queries into the input text box and tries to do the SQL injection attack, it's very, very possible. So instead of at the late stages, wherein industries have to pay hefty fines because of any kind of data breach that happens, and it's mandatory that you need to report it, and reputation is at stake for the organization, which is the highest kind of impact for any organization, it is better to handle these kinds of incidents at a very early stage, which is at the code level itself. And for that reason, you have to make sure that code review is properly happening, and if it is specifically bound to regulatory frameworks, then in that case you have to make sure that proper, so say the latest thing was that your data needs to be encrypted with such-and-such standard. You need to make sure in the code review that you have used that particular encryption technique in your code, and if it is not, you should be pointing that out in the code review, and that should be fixed in the code review. And, like, input validation, which is already covered, right, and compliance-related things also have to be covered. So this is a very important aspect when you try to do code review. You try to solve the problems early in the life cycle of the product, which is called a shift-left approach. This typically is called a shift-left approach, and it is being used quite a lot nowadays in industries to prevent attacks.
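The SQL injection example the answer above uses, shown as the string-built query a reviewer should flag beside its parameterized fix, plus a crude review aid that finds lines mixing SQL keywords with string building. This is an added example by the editor, not part of the interview transcript and not the candidate's code. The in-memory users table, its two rows, the login_*() functions, the payloads, REVIEW_SAMPLE and review_flags_dynamic_sql() are all constructed for this demonstration.

```python
"""SQL injection caught at review time: string-built query beside its parameterized fix.

Added example, not part of the interview transcript. The in-memory users table,
its two rows, the login_*() functions, the payloads, REVIEW_SAMPLE and the
crude review_flags_dynamic_sql() helper are constructed for this demonstration.
"""
from __future__ import annotations

import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """What a reviewer should flag: untrusted input spliced into the SQL text."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """The fix: placeholders keep the input as data; the driver never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# Constructed payloads: a tautology that matches every row, and a comment marker
# that drops the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


# Constructed snippet a reviewer might be handed; line 1 is the safe form.
REVIEW_SAMPLE = '''\
cur.execute("SELECT id FROM users WHERE name = ?", (name,))
cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
cur.execute("DELETE FROM sessions WHERE token = '%s'" % (token,))
cur.execute(f"UPDATE users SET email = '{email}' WHERE id = {uid}")
'''

_SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
_STRING_BUILD = re.compile(r"""\bf["']|\.format\(|%\s*\(|\+\s*\w""")


def review_flags_dynamic_sql(source: str) -> list[int]:
    """Crude code-review aid: 1-based line numbers where a SQL keyword appears on a
    line that also builds a string (f-string, .format, % or + concatenation).

    A hit is a line to look at, not proof of injection; a miss is not a clean bill.
    """
    return [n for n, line in enumerate(source.splitlines(), 1)
            if _SQL_KEYWORD.search(line) and _STRING_BUILD.search(line)]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", TAUTOLOGY))           # ['alice', 'bob']: everyone logs in
    print(login_vulnerable(db, COMMENT_OUT, "wrong"))         # ['alice']: password check commented out
    print(login_parameterized(db, "alice", TAUTOLOGY))        # []: payload treated as a literal
    print(login_parameterized(db, "alice", "correct horse"))  # ['alice']
    print(review_flags_dynamic_sql(REVIEW_SAMPLE))            # [2, 3, 4]
```

The parameterized version needs no input sanitization to defeat either payload, because the value is bound after the statement is parsed and can never change its structure. The review helper is deliberately simple; its value is that it turns "check for SQL injection" into a concrete line-by-line question the reviewer can answer.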

How would you approach encrypting sensitive data within a code base in line with SOC 2 Type 1 audits? So, if you're talking about, I'm concerned with the SOC 2 Type 1 report, or SOC 2 or SOC 1; I'm not sure if it's SOC 2 or SOC 1. It's for both kinds; I'm considering it that way. I'm not considering it for the type of report. Right? So for the compliance reports, if you have to approach encrypting sensitive data within a code base, it's very important what kind of recommendations are there for encrypting the sensitive data, considering that whatever technique you use for encrypting your sensitive data has to be effective in a way that it should not result in information disclosure, and that can happen only by selecting the appropriate encryption algorithms which are proven by standards organizations like NIST, which they approve. So, for example, typically the encryption of data at rest is done by a symmetric encryption algorithm, which encrypts in bulk form. AES-256 is considered the very stable, strong encryption standard to encrypt your sensitive data. It can be other kinds of algorithms also, but they need to make sure that that algorithm has not yet been broken, and it is an open-standard algorithm that is based on the principle which says that if only the encryption key is not revealed and everything else is revealed, still your encryption should not be able to be broken, basically. So this principle. So, keeping those things in mind, whichever algorithm is recommended, those algorithms you should be using for encrypting your sensitive data.
So you should not be using, like, DES or 2DES, these kinds of algorithms, which were already broken in the past, basically, by hackers or cryptanalysts. They've been broken. So you need to be selecting a good encryption algorithm which is not broken yet, and it is an open standard, as per the principle. So that is the thing which you need to be taking care of while encrypting any sensitive data. So as far as this SOC compliance report is concerned, SOC 2 or SOC 1: SOC 1 is typically dealing with the financial reports, and SOC 2 is dealing with the control analysis, the security controls analysis, which is basically useful for providing any kind of security. So it is for analyzing those controls, how your controls are working. That would depend upon the kind of encryption algorithms we have used. So the stronger the encryption algorithm, the fewer chances there are that it is susceptible to breaking of that algorithm, or breakage of that algorithm, and to information disclosure.