Salman, Khwaja


Profile page of Salman, Khwaja.


About Salman, Khwaja. - CEH - Asana Certified Consultant Pro

He has been associated with the Pakistan Software Industry for the last 14 years.

During his recent 3 years, he has performed consistently well. He has moved on from the time when the QA department was in the trenches (around 2011) and has moved to Compliance.

During the same time frame, he was also looking after TFS (Team Foundation Server). He had the knack of transferring knowledge and transferred the TFS administration and migration knowledge to the Networks Team. This was evident from the TFS migrations: the first TFS migration was performed by Salman, Khwaja (TFS 2012 - 2013), the second migration was performed by the Networks Team (TFS 2013 - 2015), and the third was done by the CI CD Team (TFS 2015 - 2018).

He was also the go-to person for TFS until he transferred his TFS knowledge to Networks.

He was passionate about Information Security and Application Security and made a switch from Compliance to Application Security. He learned the ropes of Application Security and became the go-to person for answering all the Application Security related queries from the Development, QA, and Support Teams. He also became well versed in PCI PA-DSS.

An Information Security Consultant with 13+ years of professional experience, who has worked in the capacity of an InfoSec Consultant, Information Systems Auditor / Web Smith / Business Process Engineer to ensure that the policies / procedures for multiple standards, namely ISO 9001:2008, ISO 27001, and Software Security, are well documented, known to people (Software Engineers / Deployment Engineers) and automated in the CI / CD pipeline.

Security Awareness Training

It is because of his knack for knowledge sharing that he took on the task of Training Manager of DevOps, and he has been pursuing the whole team to provide trainings. We are also implementing TPS Training Academy. On the training front, he has provided the following trainings in TPS, and TPSEdison can be assessed as evidence

Implementation of SecDevOps

On the Application Security front, he has been implementing automation in Information Security from the time he was moved from Business Excellence, after which he decided to switch fully to DevOps. He integrated the DAST tools, namely Netsparker, Acunetix, and OWASP ZAP, into the TFS automation framework.

He has implemented the following in the DevSecOps team

Speaking Gigs done so far.

  1. The first user conference dedicated to OWASP ZAP and application security testing.
    Salman, Khwaja and Hammad ul Hassan discussed the ZAP IMPLEMENTATION IN PAKISTANI FINTECH in this conference.
    More information about SPEAKERS of this ZAP CON. https://zapcon.io/#speakers
    LinkedIn Event of this ZAP CON. LinkedIn Event
    The whole talk is available on YouTube @ ZapCon YouTube Stream

  2. Salman, Khwaja Speaking Session on All Day DevOps
    DevOps :: Story of Implementation of SecDevOps in Fin Tech Organization
    LinkedIn Event
    YouTube Recording of the same

  3. ECCouncil - SOC Analyst to combat Cyber Threats
    LinkedIn Event
    YouTube Recording of the same

  4. Salman, Khwaja and Umair Khalid on Improving Security and Productivity while Working from Home from the platform of Agile Development Society
    LinkedIn Event
    YouTube Recording of the same
    Facebook Recording of the same

Implementation of Vulnerability Management Procedure

On the vulnerability management front, he has been maintaining a blog with different posts, and he has automated the task of disseminating vulnerability management knowledge to internal as well as external teams about different alerts, which come from different sources.

AgilePK functions

His primary functions right now are

Worth Watching Repos

https://github.com/salmankhwaja/salmankhwaja.github.io/blob/master/worthwatchingrepos.md