Rewanth Tammana

Rewanth Tammana

Senior Security Architect

Ex-Emirates NBD

*Upcoming talk* : Introduction to developing Krew plugins
*Upcoming presentation* : BlackHat Asia 2023

Rewanth Tammana is a security ninja, open-source contributor, and a full-time freelancer. Previously, Senior Security Architect at Emirates NBD (National Bank of Dubai). He is passionate about DevSecOps, Cloud, and Container Security. He added 17,000+ lines of code to Nmap (famous as Swiss Army knife of network utilities). Holds industry certifications like CKS (Certified Kubernetes Security Specialist), CKA (Certified Kubernetes Administrator), etc.

Rewanth speaks and delivers training at international security conferences worldwide including Black Hat, Defcon, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, Bsides, CISO Platform, null chapters and multiple others.

He was recognized as one of the MVP researchers on Bugcrowd (2018) and identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in Machine Learning and Security. He was also a part of the renowned Google Summer of Code program.

Interests
  • Security Engineering
  • Automation
  • DevSecOps
  • Development
Education

  • Bachelors in Computer Engineering

    National Institute of Technology, Kurukshetra, India

Experience

 
 
 
 
 
Freelancer/Contractor
Oct 2022 – Present Dubai
  • Working remotely with clients in Europe & UK.
  • Securing cloud native technologies, Kubernetes, containers, cloud, DevSecOps, etc.
  • Contributing to open source projects.
 
 
 
 
 
Senior Security Architect
Emirates NBD
Jun 2021 – Oct 2022 Dubai
  • Designing, building and managing PaaS security.
  • Containers and Kubernetes security.
  • Integration of automation and DevSecOps.
 
 
 
 
 
Security Architect
Emirates NBD
Nov 2020 – Jun 2021 Dubai
  • Responsible for architectural and design reviews of new integrations and projects.
  • Responsible for end-to-end security review of projects developed by multiple squads.
  • Perform source code review, penetration testing, container review, etc.
  • Developed open source projects extending Kubernetes functionalities.
 
 
 
 
 
Security Consultant
Payatu Software Labs LLP
Jul 2018 – Nov 2020 Pune, India
  • Delivered Android Mobile Application Security training’s to developers and pen-testers across the globe.
  • Perform Cloud, Docker and Kubernetes security assessments.
  • Implemented end-to-end workflow for DevSecOps service offerings.
  • Perform security assessment of web and android applications (both black box and white box).
  • Collaborate with experts while performing infrastructure assessments.
  • Perform source code review to discover new vulnerabilities.
  • Responsible for end-to-end client delivery.
  • Published IEEE research paper on Machine Learning and security.
  • Delivered training and talks at multiple international security conferences
    • CISO Platform, Virtual
    • Nullcon, Virtual
    • PHDays, Moscow, Russia
    • Hack In The Box (HITB), Amsterdam
    • CRESTCon, London
    • Bsides, Egypt
    • Hack In The Box (HITB), Dubai
    • DEFCON, Las Vegas (Couldn’t present there due to delayed visa process)
  • Organized local security meetups as a part of null Pune chapter, India
 
 
 
 
 
Associate Security Researcher Intern
Provensec
Jun 2017 – Sep 2017 Remote
  • Developed automated web vulnerability scanner using Python, selenium and PhantomJS along with 3 other employees.
  • The license of the product costs $2000 USD/year.
  • Authored and integrated plugins to the vulnerability scanner.
  • Developed module to save screenshot of the website when the payload is executed as a POC.
  • Collaborated with experts on penetration testing projects
 
 
 
 
 
Nmap Developer
Google Summer of Code
May 2017 – Aug 2017 Remote
  • One among the only 4 people (2 PhD’s and 1 B.Tech) to get selected around the world.
  • My contribution during this 3 month period: Integrated 17,000+ lines of code into Nmap.
  • Authored script to fetch smb enum services from remote windows machine.
  • Authored script for enumerating (iOT)devices running on OpenWebNet protocol.
  • Authored punycode and idna libraries for nmap to handle unicode input.
  • Refactored http-enum script for optimization purposes.
  • Made ncat enhancement to limit data using a delimiter while transferring data.
  • Fixed issues related to cve-2014–3704 nse script.
  • Enhancements made to cve-2014–3704 nse script.
  • Removed redundant parsing functions by making enhancements from few libraries.
  • Autocomplete feature for –script-args parameter in nmap. Due to lack of compatibility issues with Windows OS and zsh shell, it is not merged yet.
  • Colored output for nmap.
  • Added missing ip protocols to netutil.cc.
  • Complete report - https://medium.com/@rewanthcool/gsoc-2017-with-nmap-security-scanner-80d9bd54a97a
 
 
 
 
 
Security Engineer Intern
Oxcean
May 2017 – Aug 2017 Remote
  • Security assessment of website and writing patches for the vulnerabilities found.
  • Discovered and patched critical payment gateway bugs which saved thousands of dollars to the company.
  • Handled the security of cloud services and servers.
  • Impressed with my work they added my name to their About-Us page (I was just an intern).
  • View me @ https://oxcean.com/About-us
 
 
 
 
 
Full Stack Developer Intern
Appyfest
Jun 2016 – Jul 2016 Gurugram, India
  • Integrated new features to the website.
  • Optimized the functionality of existing features in the website.

Certifications

Certifited Kubernetes Security Specialist
Linux Foundation Mar 2021
See certificate
Certifited Kubernetes Administrator
Linux Foundation Feb 2020
See certificate
Certifited Kubernetes Application Developer
Linux Foundation Jan 2020
See certificate

Projects

*
All Self Team Contributions

Containers and Kubernetes security workshop

Notes for an extensive 2.5 hour workshop

Containers from scratch

Running a rootless container in a few lines of Go code with just linux syscalls

Damn Vulnerable Bank

Vulnerable Banking Application for Android

Detect phishing URLs with Machine Learning

Simple project that trains a model to detect phishing URLs.

Dictionary Attack Cyberoam

Dictionary Attack on NIT Kurukshetra User-Portal (Cyberoam)

Drone UI

UI interface for drone CI/CD

Firefox vuln headers extension

Firefox browser extension which parses the headers of all the requests which are being flowing through your firefox browser to detect for vulnerabilities

Grumpy: Cosign Validator

Runs as validating admission controller to verify integrity of images

Hack Kit

This kit automatically converts your firefox browser into a hacking tool by installing all the primitive hacker plugins

Harbor Enhanced Logging

Improving the security audit logging in Harbor using OpenResty & change of architectural design

Kubectl fields

Plugin to parse and search fields from kubectl resources hierarchy tree

Kubectl whisper secret

Plugin to create secrets with secure input prompt to prevent information leakages through terminal history, shoulder surfing attacks, etc

Kubernetes Goat

Kubernetes Goat is Vulnerable by Design Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

Kyverno App

Helm chart for Giant Swarm’s management of the Kyverno

Malicious Admission Controller

Kubernetes Admission Controller Webhook Demo

mp3 downloader

Downloads mp3 file of a youtube video

Nmap

Nmap - the Network Mapper. The swiss army knife network utility

NodeJS Coding Assessment Solutions

My proposed solutions to a few full stack developer interview questions

QB (cube) game

First ever 3D multiplayer game built for FlockOS

Video

Sigstore The Easy Way

This book aims to be the most straightforward guide to getting started with sigstore, software signing & securing supply chain security

Starboard Exporter

A standalone exporter for vulnerability reports and other CRs created by Trivy Operator (formerly Starboard).

Syndi

Advanced windows local network file sharing software

Slides

Techspardha

Annual technical fest website NIT Kurukshetra

Trivy App

Helm chart for Giant Swarm’s management of the Trivy vulnerability scanner

Trivy Operator

The Trivy operator automatically updates security reports in response to workload and other changes on a Kubernetes cluster & generating the reports

Trivy Operator App

App for deploying the Aqua Security Trivy operator

Recent & Upcoming Talks

Runtime Security and Observability
Sneak peek into kernel, syscalls, ebpf, kprobes, runtime security, Kubernetes API server bypass, tetragon protection, bypassing protection & more.
Apr 27, 2023 12:00 AM Virtual
Rewanth Tammana
Code Slides
Ship Securely - Automated security testing for developers
Workshop for developers & DevOps on shipping secure software
Dec 10, 2022 Dubai
Mohammed Fazalullah, Rewanth Tammana
SBOM - The inescapable way of tracking dependencies
The talk will focus on increasing awareness about SBOM, a key buzzword in the wake of cyber-attacks, and discussing its importance, formats, and ways to generate, manage, and monitor SBOMs in different stages of SDLC.
Dec 7, 2022 Virtual
Rewanth Tammana
Video
SBOM - The inescapable way of tracking dependencies
Software Supply Chain Security: No Kill Switch Yet
This talk aims to introduce the seriousness of software supply chain security
Oct 13, 2022 Dubai
Rewanth Tammana
Video
Software Supply Chain Security: No Kill Switch Yet
Security myths about managed Kubernetes Clusters
This workshop aims to break the security myths about managed Kubernetes clusters & demos a takeover attack on an exposed EKS cluster with default configuration & insecure workloads.
Sep 12, 2022 12:00 AM Dubai
Rewanth Tammana
Slides
See all events

Contact