Rewanth Tammana

Rewanth Tammana

Senior Security Architect

Ex-Emirates NBD

*Upcoming talk* : KCD Istanbul, Turkey, DEFCON 32

Rewanth Tammana is a security ninja, open-source contributor, and an independent consultant. Previously, Senior Security Architect at Emirates NBD (National Bank of Dubai). He is passionate about DevSecOps, Cloud, and Container Security. He added 17,000+ lines of code to Nmap (famous as Swiss Army knife of network utilities). Holds industry certifications like CKS (Certified Kubernetes Security Specialist), CKA (Certified Kubernetes Administrator), etc.

Rewanth speaks and delivers training at international security conferences worldwide including Black Hat, Defcon, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, Bsides, CISO Platform, null chapters and multiple others.

He was recognized as one of the MVP researchers on Bugcrowd (2018) and identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in Machine Learning and Security. He was also a part of the renowned Google Summer of Code program.

Interests
  • Security Engineering
  • Automation
  • DevSecOps
  • Development
Education
  • Bachelors in Computer Engineering

    National Institute of Technology, Kurukshetra, India

Experience

 
 
 
 
 
Independent Consultant
Oct 2022 – Present Remote
  • Working as an independent consultant with various companies across geographies - USA, Europe, UK, Australia, Africa, Israel, etc.
  • Working on numerous areas including Security, DevSecOps, CloudNative technology, open-source development, product development, marketing, sales, etc.
  • Leading teams to integrate security into their workflows to enhance overall security posture.
 
 
 
 
 
Senior Security Architect
Jun 2021 – Oct 2022 Dubai
  • Designing, building and managing PaaS security.
  • Containers and Kubernetes security.
  • Integration of automation and DevSecOps.
 
 
 
 
 
Security Architect
Nov 2020 – Jun 2021 Dubai
  • Responsible for architectural and design reviews of new integrations and projects.
  • Responsible for end-to-end security review of projects developed by multiple squads.
  • Perform source code review, penetration testing, container review, etc.
  • Developed open source projects extending Kubernetes functionalities.
 
 
 
 
 
Security Consultant
Jul 2018 – Nov 2020 Pune, India
  • Delivered Android Mobile Application Security training’s to developers and pen-testers across the globe.
  • Perform Cloud, Docker and Kubernetes security assessments.
  • Implemented end-to-end workflow for DevSecOps service offerings.
  • Perform security assessment of web and android applications (both black box and white box).
  • Collaborate with experts while performing infrastructure assessments.
  • Perform source code review to discover new vulnerabilities.
  • Responsible for end-to-end client delivery.
  • Published IEEE research paper on Machine Learning and security.
  • Delivered training and talks at multiple international security conferences
    • CISO Platform, Virtual
    • Nullcon, Virtual
    • PHDays, Moscow, Russia
    • Hack In The Box (HITB), Amsterdam
    • CRESTCon, London
    • Bsides, Egypt
    • Hack In The Box (HITB), Dubai
    • DEFCON, Las Vegas (Couldn’t present there due to delayed visa process)
  • Organized local security meetups as a part of null Pune chapter, India
 
 
 
 
 
Associate Security Researcher Intern
Provensec
Jun 2017 – Sep 2017 Remote
  • Developed automated web vulnerability scanner using Python, selenium and PhantomJS along with 3 other employees.
  • The license of the product costs $2000 USD/year.
  • Authored and integrated plugins to the vulnerability scanner.
  • Developed module to save screenshot of the website when the payload is executed as a POC.
  • Collaborated with experts on penetration testing projects
 
 
 
 
 
Nmap Developer
May 2017 – Aug 2017 Remote
  • One among the only 4 people (2 PhD’s and 1 B.Tech) to get selected around the world.
  • My contribution during this 3 month period: Integrated 17,000+ lines of code into Nmap.
  • Authored script to fetch smb enum services from remote windows machine.
  • Authored script for enumerating (iOT)devices running on OpenWebNet protocol.
  • Authored punycode and idna libraries for nmap to handle unicode input.
  • Refactored http-enum script for optimization purposes.
  • Made ncat enhancement to limit data using a delimiter while transferring data.
  • Fixed issues related to cve-2014–3704 nse script.
  • Enhancements made to cve-2014–3704 nse script.
  • Removed redundant parsing functions by making enhancements from few libraries.
  • Autocomplete feature for –script-args parameter in nmap. Due to lack of compatibility issues with Windows OS and zsh shell, it is not merged yet.
  • Colored output for nmap.
  • Added missing ip protocols to netutil.cc.
  • Complete report - https://medium.com/@rewanthcool/gsoc-2017-with-nmap-security-scanner-80d9bd54a97a
 
 
 
 
 
Security Engineer Intern
May 2017 – Aug 2017 Remote
  • Security assessment of website and writing patches for the vulnerabilities found.
  • Discovered and patched critical payment gateway bugs which saved thousands of dollars to the company.
  • Handled the security of cloud services and servers.
  • Impressed with my work they added my name to their About-Us page (I was just an intern).
  • View me @ https://oxcean.com/About-us
 
 
 
 
 
Full Stack Developer Intern
Appyfest
Jun 2016 – Jul 2016 Gurugram, India
  • Integrated new features to the website.
  • Optimized the functionality of existing features in the website.

Projects

*

Containers and Kubernetes security workshop

Notes for an extensive 2.5 hour workshop

Containers from scratch

Running a rootless container in a few lines of Go code with just linux syscalls

Damn Vulnerable Bank

Vulnerable Banking Application for Android

Detect phishing URLs with Machine Learning

Simple project that trains a model to detect phishing URLs.

Dictionary Attack Cyberoam

Dictionary Attack on NIT Kurukshetra User-Portal (Cyberoam)

Drone UI

UI interface for drone CI/CD

Firefox vuln headers extension

Firefox browser extension which parses the headers of all the requests which are being flowing through your firefox browser to detect for vulnerabilities

Grumpy: Cosign Validator

Runs as validating admission controller to verify integrity of images

Hack Kit

This kit automatically converts your firefox browser into a hacking tool by installing all the primitive hacker plugins

Harbor Enhanced Logging

Improving the security audit logging in Harbor using OpenResty & change of architectural design

Kubectl fields

Plugin to parse and search fields from kubectl resources hierarchy tree

Kubectl whisper secret

Plugin to create secrets with secure input prompt to prevent information leakages through terminal history, shoulder surfing attacks, etc

Kubernetes Goat

Kubernetes Goat is Vulnerable by Design Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

Kyverno App

Helm chart for Giant Swarm’s management of the Kyverno

Malicious Admission Controller

Kubernetes Admission Controller Webhook Demo

mp3 downloader

Downloads mp3 file of a youtube video

Nmap

Nmap - the Network Mapper. The swiss army knife network utility

NodeJS Coding Assessment Solutions

My proposed solutions to a few full stack developer interview questions

QB (cube) game

First ever 3D multiplayer game built for FlockOS

Sigstore The Easy Way

This book aims to be the most straightforward guide to getting started with sigstore, software signing & securing supply chain security

Starboard Exporter

A standalone exporter for vulnerability reports and other CRs created by Trivy Operator (formerly Starboard).

Syndi

Advanced windows local network file sharing software

Techspardha

Annual technical fest website NIT Kurukshetra

Trivy App

Helm chart for Giant Swarm’s management of the Trivy vulnerability scanner

Trivy Operator

The Trivy operator automatically updates security reports in response to workload and other changes on a Kubernetes cluster & generating the reports

Trivy Operator App

App for deploying the Aqua Security Trivy operator

Contact