Rewanth Tammana is a security ninja, open-source contributor, and an independent consultant. Previously, Senior Security Architect at Emirates NBD (National Bank of Dubai). He is passionate about DevSecOps, Cloud, and Container Security. He added 17,000+ lines of code to Nmap (famous as Swiss Army knife of network utilities). Holds industry certifications like CKS (Certified Kubernetes Security Specialist), CKA (Certified Kubernetes Administrator), etc.
Rewanth speaks and delivers training at international security conferences worldwide including Black Hat, Defcon, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, Bsides, CISO Platform, null chapters and multiple others.
He was recognized as one of the MVP researchers on Bugcrowd (2018) and identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in Machine Learning and Security. He was also a part of the renowned Google Summer of Code program.
- Security Engineering
- Automation
- DevSecOps
- Development
Bachelors in Computer Engineering
National Institute of Technology, Kurukshetra, India
Experience
- Designing, building and managing PaaS security.
- Containers and Kubernetes security.
- Integration of automation and DevSecOps.
- Responsible for architectural and design reviews of new integrations and projects.
- Responsible for end-to-end security review of projects developed by multiple squads.
- Perform source code review, penetration testing, container review, etc.
- Developed open source projects extending Kubernetes functionalities.
- Delivered Android Mobile Application Security training’s to developers and pen-testers across the globe.
- Perform Cloud, Docker and Kubernetes security assessments.
- Implemented end-to-end workflow for DevSecOps service offerings.
- Perform security assessment of web and android applications (both black box and white box).
- Collaborate with experts while performing infrastructure assessments.
- Perform source code review to discover new vulnerabilities.
- Responsible for end-to-end client delivery.
- Published IEEE research paper on Machine Learning and security.
- Delivered training and talks at multiple international security conferences
- CISO Platform, Virtual
- Nullcon, Virtual
- PHDays, Moscow, Russia
- Hack In The Box (HITB), Amsterdam
- CRESTCon, London
- Bsides, Egypt
- Hack In The Box (HITB), Dubai
- DEFCON, Las Vegas (Couldn’t present there due to delayed visa process)
- Organized local security meetups as a part of null Pune chapter, India
- Developed automated web vulnerability scanner using Python, selenium and PhantomJS along with 3 other employees.
- The license of the product costs $2000 USD/year.
- Authored and integrated plugins to the vulnerability scanner.
- Developed module to save screenshot of the website when the payload is executed as a POC.
- Collaborated with experts on penetration testing projects
- One among the only 4 people (2 PhD’s and 1 B.Tech) to get selected around the world.
- My contribution during this 3 month period: Integrated 17,000+ lines of code into Nmap.
- Authored script to fetch smb enum services from remote windows machine.
- Authored script for enumerating (iOT)devices running on OpenWebNet protocol.
- Authored punycode and idna libraries for nmap to handle unicode input.
- Refactored http-enum script for optimization purposes.
- Made ncat enhancement to limit data using a delimiter while transferring data.
- Fixed issues related to cve-2014–3704 nse script.
- Enhancements made to cve-2014–3704 nse script.
- Removed redundant parsing functions by making enhancements from few libraries.
- Autocomplete feature for –script-args parameter in nmap. Due to lack of compatibility issues with Windows OS and zsh shell, it is not merged yet.
- Colored output for nmap.
- Added missing ip protocols to netutil.cc.
- Complete report - https://medium.com/@rewanthcool/gsoc-2017-with-nmap-security-scanner-80d9bd54a97a
- Security assessment of website and writing patches for the vulnerabilities found.
- Discovered and patched critical payment gateway bugs which saved thousands of dollars to the company.
- Handled the security of cloud services and servers.
- Impressed with my work they added my name to their About-Us page (I was just an intern).
- View me @ https://oxcean.com/About-us
- Integrated new features to the website.
- Optimized the functionality of existing features in the website.
Projects
Containers and Kubernetes security workshop
Notes for an extensive 2.5 hour workshop
Containers from scratch
Running a rootless container in a few lines of Go code with just linux syscalls
Damn Vulnerable Bank
Vulnerable Banking Application for Android
Detect phishing URLs with Machine Learning
Simple project that trains a model to detect phishing URLs.
Dictionary Attack Cyberoam
Dictionary Attack on NIT Kurukshetra User-Portal (Cyberoam)
Drone UI
UI interface for drone CI/CD
Firefox vuln headers extension
Firefox browser extension which parses the headers of all the requests which are being flowing through your firefox browser to detect for vulnerabilities
Grumpy: Cosign Validator
Runs as validating admission controller to verify integrity of images
Hack Kit
This kit automatically converts your firefox browser into a hacking tool by installing all the primitive hacker plugins
Harbor Enhanced Logging
Improving the security audit logging in Harbor using OpenResty & change of architectural design
Kubectl fields
Plugin to parse and search fields from kubectl resources hierarchy tree
Kubectl whisper secret
Plugin to create secrets with secure input prompt to prevent information leakages through terminal history, shoulder surfing attacks, etc
Kubernetes Goat
Kubernetes Goat is Vulnerable by Design Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
Kyverno App
Helm chart for Giant Swarm’s management of the Kyverno
Malicious Admission Controller
Kubernetes Admission Controller Webhook Demo
mp3 downloader
Downloads mp3 file of a youtube video
Nmap
Nmap - the Network Mapper. The swiss army knife network utility
NodeJS Coding Assessment Solutions
My proposed solutions to a few full stack developer interview questions
Sigstore The Easy Way
This book aims to be the most straightforward guide to getting started with sigstore, software signing & securing supply chain security
Starboard Exporter
A standalone exporter for vulnerability reports and other CRs created by Trivy Operator (formerly Starboard).
Techspardha
Annual technical fest website NIT Kurukshetra
Trivy App
Helm chart for Giant Swarm’s management of the Trivy vulnerability scanner
Trivy Operator
The Trivy operator automatically updates security reports in response to workload and other changes on a Kubernetes cluster & generating the reports
Trivy Operator App
App for deploying the Aqua Security Trivy operator
