Anitha Dakamarri
DFIN-Lead Security Engineer
Dallas, Texas, United States
Actions
I am Anitha Dakamarri, a seasoned IT professional with over 16 years of experience in the field of information security. My journey began with a Master of Computer Applications from Jawaharlal Technological University, which laid a strong foundation for my career. Over the years, I have honed my skills in various domains, including threat modeling, application security assessments, and network security assessments. My work experience spans across reputable organizations like DFIN, USCELLULAR, and Syntel Inc., where I have led teams, developed security standards, and implemented robust security frameworks. I am a Certified Information Systems Security Professional (CISSP) and hold several other certifications such as CEH and CHFI, which reflect my commitment to continuous learning and professional growth. My passion for security extends beyond technical assessments; I have also initiated and conducted security awareness workshops to educate and empower others. As a mentor, I am eager to share my knowledge and experiences to help others navigate the complexities of the IT security landscape.
Links
Area of Expertise
Topics
Privacy in design (PbD) in DevSecOps
Privacy by Design (PbD) in DevSecOps is a proactive approach that integrates privacy considerations into every stage of the software development lifecycle (SDLC), from initial design to deployment and operations. It ensures that privacy is not an afterthought, but a fundamental aspect of how systems and processes are built.
By systematically embedding privacy by design principles into DevSecOps, organizations can build more secure, compliant, and trustworthy applications and systems, ultimately benefiting both the business and its users.
Privacy by Design (PbD) is a fundamental approach to application security that ensures privacy is embedded into the design and architecture of IT systems, business practices, and networked infrastructure from the very beginning, rather than being an afterthought. It shifts the responsibility for data protection away from users and onto the organizations collecting, storing, and sharing the data.
SBOM adoptability in open source software scanning
Software developers always use open-source components to expedite the software development process. Though we have highest security applied for the proprietary code, these
open-source dependencies can expose us to a broad range of security and legal risks. We often see in the industry that security of Open-source libraries are just application security and
product teams responsibilities.
We often rely on application security team to perform SCA (Software composition analysis) to identify the vulnerabilities and communicate with product and engineering teams to work on
remediation. How ever we must adopt a holistic approach of dealing with open-source software.
We must have a policy of usage and policy of remediation at the organization level. We should have standards to specify how to set up and maintain repositories and libraries of open-source
software components that developers may utilize as part of a robustCI/CD pipeline.
SBOM adopatability in open source software scanning
Software developers always use open-source components to expedite the software
development process. Though we have highest security applied for the proprietary code, these
open-source dependencies can expose us to a broad range of security and legal risks. We often
see in the industry that security of Open-source libraries are just application security and
product teams responsibilities.
We often rely on application security team to perform SCA (Software composition analysis) to
identify the vulnerabilities and communicate with product and engineering teams to work on
remediation. How ever we must adopt a holistic approach of dealing with open-source software.
We must have a policy of usage and policy of remediation at the organization level. We should
have standards to specify how to set up and maintain repositories and libraries of open-source
software components that developers may utilize as part of a robust continuous
integration/continuous delivery (CI/CD) pipeline. We should have security awareness training
incorporated to prioritize the use of programming languages and frameworks that have built-in
guardrails to proactively mitigate common types of vulnerabilities. We should have a strong
change management discipline to clean-up the archived and decommissioned code
repositories.
CISA has an increase of adding vulnerabilities related to opensource libraries to the “Known
Exploited Vulnerabilities Catalog”. NIST has published the guidelines around open-source
security controls in supply chain attacks.
Hence, adopting the holistic approach of creating policy/standards and educating the
developers to use the trusted software components and having a robust application security
program which is baked into the Devops to identify and report the vulnerabilities. Having a
strong remediation policy to upgrade the outdated and vulnerable software packages will help to
reduce the attack surface and supply chain attacks.
Measuring What Matters: How to "Quantify Cyber Security Effectiveness"!
Information security metrics and key performance indicators (KPIs) are measurable values that track the effectiveness of cybersecurity efforts. These values provide insights into the overall organization security posture and also a quantifiable way see how an organization is preventing, detecting, and responding to the security attacks.
Security metrics are not limited to only incident response times, It must include all sub-team efforts of a CISO-team. Every sub-team of CISO team has goals that are aligned with the overall organizational goals. For example SOC2 certified or NIST CSF implementation and ISO certified.
So measuring goals via weekly, monthly and quarterly helps to track the progress and predict the road blocks.
Measuring What Matters: How to "Quantify Cyber Security Effectiveness"!
Information security metrics and key performance indicators (KPIs) are measurable values that track the effectiveness of cybersecurity efforts. These values provide insights into the overall organization security posture and also a quantifiable way see how an organization is preventing, detecting, and responding to the security attacks.
How AI will shape the shift-left in Appsec
AI significantly shapes the "shift left" approach in application security (AppSec) by enabling automated, real-time code analysis, identifying potential vulnerabilities early in the development lifecycle, providing context-aware recommendations to developers, and prioritizing critical security issues, effectively allowing developers to fix security problems as they code rather than waiting until later stages of development.AI willanalyze code context to better understand the intent behind code snippets, leading to more accurate vulnerability detection and reducing false positives in SAST and Open-source analysis.Most SCA scanning tools focus on manifest files which doesn't sync with source code and version-based vulnerability; hence we are 100% not sure if the engineering team uses the flagged version. .
I would like to present real time examples how AI can significantly enhance SAST/SCA/DAST/Vulscanning/Pentest (the important 5 pillars of software security).
How AI is perceived in shift left of Appsec
AI significantly shapes the "shift left" approach in application security (AppSec) by enabling automated, real-time code analysis, identifying potential vulnerabilities early in the development lifecycle, providing context-aware recommendations to developers, and prioritizing critical security issues, effectively allowing developers to fix security problems as they code rather than waiting until later stages of development.AI willanalyze code context to better understand the intent behind code snippets, leading to more accurate vulnerability detection and reducing false positives in SAST and Open-source analysis.Most SCA scanning tools focus on manifest files which doesn't sync with source code and version-based vulnerability; hence we are 100% not sure if the engineering team uses the flagged version. AI significantly enhance the perspective of SAST/SCA/DAST/Vulnerability scanning and Pentest in software security.
I would like to present real time examples how AI can significantly enhance SAST/SCA/DAST/Vulscanning/Pentest (the important 5 pillars of software security). I wanted to explain how AI algorithms can prioritize vulnerabilities based on their severity and potential impact, helping developers focus on the most critical security issues first. I also wanted to talk about skillset improvements.
DORA and TLPT
The Digital Operational Resilience Act is being enforced from January 17th 2025.It applies to 20 different kinds of financial entities and selected ICT service providers. DORA consists of multiple parts and one of those is mandatory Threat Led Penetration Testing (TLTP), which is essentially based on the TIBER-EU framework. I would like to present how to implement TLPT and highlight the differences between TLPT and a regular pentest. Talk about When and how internal pentesting team and external thid-party pentest teams will come under DORA and TIBER frameworks. explain about redteam/purple team/blue team under DORA act. Discuss how financial institutions will continue to adopt DORA by successfully implementing TLPT. Higher management buy-in for TLPT implementation.
i have strong and essential experience in implementing application security teams and red team practices. so i would like to personalize the content to make it more interactive for audience by adding the real time experiences for implementing TLPT. and also highlight the traditional pentest vs TLPT with real time examples.
ISC2 2025 conference Upcoming
OWASP LASCON 2025 Sessionize Event Upcoming
The Commit Your Code Conference 2025! Sessionize Event Upcoming
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top