Manideep K

About Me

Manideep Konakandla is an author, security researcher, speaker and a J.N. Tata Scholar. He has 10 years of experience in security, which includes around 6 years of industry experience. Manideep’s primary interest is in application/product security. He also likes exploring other areas of security and has worked on container security, wireless security and physical device security in the past. Manideep completed his Master’s in Information Security at Carnegie Mellon University (CMU) with an Outstanding Student Service Award for his research. At his graduation ceremony, CMU said: “Manideep undoubtedly helped raise the profile of CMU and INI”.

After his Master’s, he joined Amazon’s Application Security team in Seattle, where he is currently a Senior Security Engineer and a Tech Lead. He recently started working as the tech lead for a new project on improving the security of Amazon’s mobile applications. Before this engagement, Manideep was the tech lead of a team working on designing and building secure-by-default controls into internal web frameworks to mitigate the top web vulnerabilities. He also worked extensively on architecture reviews, threat modelling, code reviews and security testing for complex Amazon applications related to payments, identity and sellers. Manideep fixed a lot of gaps in the OWASP CSRF Prevention Cheat Sheet and is now one of its primary authors and editors.

Before his Master’s, Manideep worked as a Tech Lead for the Core Security & Data Analytics team at Tata Consultancy Services (TCS) in India, where he led people with 3 to 4 times his experience. He worked with the CIO and the IT Security Head and received appreciation for his extraordinary performance in enhancing the organization's security posture.

Below are some of Manideep’s career highlights:

  • Featured in India's largest-circulation newspapers, including Deccan Chronicle, The Hindu, The Hans India, Vaartha, Andhra Jyothi, Sakshi and Andhrabhoomi, for his achievements in the security domain. He was also interviewed by the HMTV news channel
  • Presented research findings at multiple conferences, including OWASP AppSec USA, BSides San Francisco, Container World, RSA Conference (poster), ZonCon and WebdevCon (Amazon internal), and GreHack
  • Received ~$45,000 in scholarships for his master’s degree from ISC2, the ISSA Foundation, the J.N. Tata Endowment and Carnegie Mellon University
  • Selected as an RSAC Scholar to represent Carnegie Mellon at RSA Conference 2017
  • Authored a book at the age of 21, which made him one of the youngest authors in India to write a book on hacking. Looking back at the book today, Manideep feels that he should have done better on it
  • Youngest member in a cyber-security exercise conducted by British Petroleum (BP). The rest of the members in the exercise included the CSOs of IBM, Wipro, HP, Infosys and TCS
  • Trained more than 15,000 people in the information security domain, including corporate security teams, corporate developers, cyber police and students
  • Has a bunch of certifications under his name
  • Reported critical vulnerabilities in many websites and applications, including Yahoo Messenger, Jease CMS, and universities offering master's degrees in information and cyber security (CMU, Purdue, USC, NEU, SUNY Brook, etc.). Has two dozen (low-criticality) WordPress plugin and CMS CVE IDs under his name
  • Speaker at more than 60 seminars and workshops on 'Cyber Crime Eradication' and 'Ethical Hacking & Cyber Forensics', including at IIT Guwahati, ISTE (Indian Society for Technical Education), CSI (Computer Society of India) and Tata Consultancy Services
  • Worked as a research assistant at CyLab, one of the world’s finest security research institutes
  • Cracked the Sodexo MNC meal pass barcode algorithm and presented it at a Null security meetup
  • Co-author of the Center for Internet Security (CIS) Docker 1.12 Benchmark
  • Worked as part-time faculty for C and C++ during his sophomore year and trained more than 1,000 people in designing games, anti-virus and virus code, etc. Also worked as part-time faculty for Ethical Hacking courses during his junior and senior years
  • Despite his extra-curricular activities, Manideep was always among the top 1% of students throughout his academic career

Email Manideep if you would like to get his resume.

Work Experience

Senior Security Engineer & Tech Lead at Amazon Jul 2020 – Present

Location: Greater Seattle Area, Washington, USA

Part of Amazon Application Security team.

I recently started working as the tech lead for the "Amazon Mobile Application Security Program", a new project created to improve the security of Amazon's mobile applications. My roles and responsibilities include creating the technical roadmap for the program and delivering/implementing its key projects. I also assist management in setting up the vision and mission for this new team.

I also spend 25% of my time on architecture reviews, threat modeling, code reviews, training and consultations for Amazon developers.

Security Engineer 2 & Tech Lead at Amazon Jul 2018 – Jun 2020

Location: Greater Seattle Area, Washington, USA

Part of Amazon Application Security team.

I was the tech lead of the project "Aviator", whose mission was to design and build secure-by-default controls into internal web frameworks to mitigate the top web vulnerabilities. My roles and responsibilities included creating the roadmap for a few key modules, assisting other engineers in design reviews, and implementing/delivering key projects in the roadmap. I designed and implemented secure-by-default controls to prevent and mitigate CSRF (Cross-Site Request Forgery) vulnerabilities in widely used Amazon web frameworks. I designed a new CSRF protocol for Amazon. I also fixed a lot of gaps in the OWASP CSRF Prevention Cheat Sheet and am now one of its primary authors and editors.

I also spent 25% of my time on architecture reviews, threat modeling, code reviews, training and consultations for Amazon developers.

Security Engineer 1 at Amazon Jul 2017 – Jun 2018

Location: Greater Seattle Area, Washington, USA

Part of Amazon Application Security team.

I worked extensively on architecture reviews, threat modeling, code reviews, and security testing for complex Amazon applications related to payments, identity and sellers to make sure they are free of security vulnerabilities.

I spent some time on mitigating XSS (Cross-Site Scripting) at Amazon under the project "Aviator", as part of which I released a slightly modified version of the OWASP Java Encoder library (which is today used widely at Amazon). Additionally, I worked on CSP and also had specific team engagements with respect to mitigating XSS.

Cloud Security Researcher Part-Time Intern at Adobe Feb 2017 – May 2017

Location: Greater Pittsburgh Area (Worked remotely while attending CMU), PA, USA

This is an extension of my full-time internship at Adobe:
1. Provided additional guidance on mitigating security issues in Adobe's container implementation projects
2. Provided guidance on mitigating specific issues in Kubernetes environments

Graduate Teaching Assistant - Browser Security at Carnegie Mellon University Jan 2017

Location: Greater Pittsburgh Area, PA, USA

Graduate Teaching Assistant for Browser Security (14-828) under Prof. Limin Jia. I could not work long in this role due to visa restrictions. In that very short time frame, I assisted Prof. Limin in creating a new assignment for students and also in evaluating students' submissions.

Research Assistant at CyLab, Carnegie Mellon University Sep 2016 – Dec 2016

Location: Greater Pittsburgh Area, PA, USA

Security analysis (code reviews, testing, etc.) of NPM (Node.js package manager) packages. I also worked on a design to mitigate some critical vulnerabilities in these packages. This RA was under Prof. Limin Jia and Prof.

Cloud Security Researcher Intern at Adobe May 2016 – Aug 2016

Location: San Jose, CA, USA

1. Researched the security posture of containers (with a concentration on Docker) and prepared a consolidated report including details of various vulnerabilities in containerized environments and how they can be fixed
2. Provided guidance on mitigating security issues in Adobe's container implementation projects
3. Co-authored the CIS Docker 1.12 Benchmark

Tech Lead - Core Security / Data Analytics at TATA Consultancy Services Jun 2012 – Aug 2015

Location: Hyderabad, Telangana, INDIA

The Core Security/Data Analytics team is a part of the Security Initiatives Group, one of the core security groups in TCS. I was the tech lead for this team for 1.5 years, during which I successfully handled multiple projects. In some of the projects, I guided members who had 3-4 times more experience than me.

1. During my 3 years at TCS, I worked on various areas such as application security (architecture reviews, threat modelling, code reviews and security testing of sensitive applications), system security (evaluating and implementing tools such as Microsoft EMET), wireless security (detecting wireless attacks), forensics (erasing sensitive data securely) and physical security (implementing scalable physical access controls for locations containing sensitive data)
2. Worked with the CIO (Chief Information Officer), CSO (Chief Security Officer) and Global Head - IT Security on various security initiatives and investigations
3. Received the Knowledge Pro and Best Performer awards
4. Provided security orientation to more than 1,500 new hires

Education

Master’s in Information Security, Carnegie Mellon University Aug 2015 – May 2017

Location: Pittsburgh, PA, USA
GPA: 3.76 out of 4

1. Alumni Profile: https://www.cmu.edu/ini/academics/msis/manideep-k.html
2. "Outstanding Student Service Award" for research: https://www.cmu.edu/ini/news/2017/graduation2017.html
3. https://www.cmu.edu/ini/news/2016/buildtheshield.html
4. Courses: Introduction to Information Security (14-741), Secure Software Systems (18-732), Secure Coding (14-735), Mobile Security (14-829), Distributed Systems (18-842), Introduction to Software Reverse Engineering (14-819), Introduction to Computer Systems (14-513), Applied Information Assurance (14-761), Fundamentals of Telecommunications and Computer Networks (14-740), Independent Research Study - Container Security (14-708), Information Security Risk Management (14-782), Information Security Risk Management II (14-784), Entrepreneurship and Innovation in Technology (14-815) and Professional Speaking (95-718)

Media

Talks & Publications

Title: OWASP CSRF Prevention Cheat Sheet
Details: Major contributor to https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md


Title: Cracking Barcodes
Details: Presented a talk on this title at a Null security meetup in Hyderabad, India. Presentation can be found here


Title: A Complete Practical Guide to Ethical Hacking and Information Security
Details: Released a book on security basics during my final year of under-graduation. After the first version of the book was sold out, I never prioritized the work to release a second version.


Title: CIS Docker 1.12 and 1.13 Benchmarks
Details: I was the author of the 1.12 benchmark and a contributor to the 1.13 benchmark. Those versions can be accessed here


Title: Breaking and Fixing Your Dockerized Environments
Details: Presented a talk on this title at OWASP Appsec USA'2016. Presentation can be accessed here and here


Title: How Secure are your Docker Images?
Details: Presented a talk on this title at Bsides SF USA'17. Presentation can be accessed here and here


Title: How secure is your Docker Container pipeline?
Details: Presented a talk on this title at Container World USA'17. Presentation can be accessed here


Title: Docker Container Security
Details: Presented a poster on this title at RSA Conference, USA'17. Presentation can be accessed here


Title: Is Docker Secure?
Details: Presented a talk on this title at GreHack Conference, France'16. Presentation can be accessed here


Title: Misc
Details: I have presented multiple trainings and talks at various universities and corporations across India and the USA


Projects

To be Updated

Certifications

All of these certifications were achieved 5 years ago. After TCS, I decided not to concentrate on certifications.

Affiliations

Open Web Application Security Project (OWASP)
Ex-professional member

Association for Computing Machinery(ACM)
Ex-professional member

Asian Professional Security Association (APSA)
Ex-professional member

Computer Society of India (CSI)
Ex-student member

Null - The Open Security Community
Ex-member

Indian Society for Technical Education (ISTE)
Ex-student member

Quotes

Below are some of Manideep's quotes:

1. Security skills can be taught but Security mindset comes only with passion
2. Hacking should be a weapon for Defense but not for Offense
3. Perfect practice makes a man perfect

Misc

  • I met Ron Rivest (the R in the RSA algorithm), Adi Shamir (the S in the RSA algorithm) and Whitfield Diffie (the Diffie in Diffie-Hellman key exchange) during an RSAC Scholar dinner. It felt amazing listening to their stories and discussing my work with them. I also got the chance to meet some other folks such as Shantanu Narayen (CEO of Adobe) and Kevin Mitnick during various events. Below are the pics with Ron Rivest and Whitfield Diffie. I will upload pictures with the others soon.
  • When I applied for my Master’s, I reported vulnerabilities on most of the university websites where I applied and sent the vulnerability reports to professors whom I believed to be on the admission panel (so that my profile would be spotlighted). I am not 100% sure if it helped me in getting admissions (I think it did), but I always believe in doing unique things.
  • I first used MS Word and PowerPoint when I was 18 years old. By 22, I had published a book and also presented more than 50 talks.