Aseem Shrey
Securing Your Products, One Feature at a Time | Founder, ShipSec.ai - AI Security Copilot | Founder, SecureMyOrg | Earlier Security Engineer @ Yahoo, Rippling, Gojek & Blinkit
Pittsburgh, Pennsylvania, United States
🥷 Aseem Shrey is the founder of ShipSecure.ai, an AI-powered security agent platform designed to eliminate friction between product and security teams. ShipSecure automates core product security functions—such as threat modeling, pentesting, and security reviews—using LLMs and custom-built models, enabling teams to scale security without slowing down development.
🌏 He is also the founder of SecureMyOrg, a boutique cybersecurity consulting firm that specializes in building tailored security solutions using open source technologies. At SecureMyOrg, Aseem and his team help clients automate security workflows and conduct in-depth vulnerability assessments across web, cloud, and mobile applications.
🛠️ Previously, Aseem worked as a security engineer for companies like Yahoo (US), Rippling (US), Gojek, and Blinkit, where he focused on application and cloud security at scale. He’s also the creator of the popular YouTube channel HackingSimplified, where he educates thousands on practical application security concepts.
㊙️ Aseem has a strong background in offensive security and has responsibly disclosed critical vulnerabilities to organizations like the U.S. Department of Defense, the Government of India, and global enterprises including IBM, Sony, and General Motors.
💬 Talk to me about anything security!
Beyond Plaintext State: Building Zero-Trust Infrastructure with OpenTofu's Advanced Encryption & Eph
State files for infrastructure-as-code are a treasure trove for attackers: they contain database passwords, API keys and other sensitive configuration values. The traditional "sensitive" annotation only tells the CLI to redact a value from plan and apply output; the value itself is still written to the state file in plaintext.
OpenTofu's newer security features change this. Ephemeral resources exist only for the duration of a run and are never written to state or plan files, write-only attributes let a resource accept a secret without that value ever being persisted in state, and OpenTofu's client-side state encryption encrypts the state before it reaches the S3 backend, complementing the backend's own server-side encryption at rest and TLS in transit.
In this talk:
1. Why traditional sensitive markings aren't enough for real security
2. How to use ephemeral resources for temporary credentials and secrets
3. Using write-only attributes to keep plaintext passwords out of state
4. Configuring OpenTofu's state encryption together with S3 backend encryption for layered protection
5. Real-world strategies for moving from vulnerable to zero-trust infrastructure
Attendees will learn to build infrastructure-as-code pipelines that protect sensitive data throughout the entire lifecycle: in plan files, in state, and in the backend that stores it.
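As an added example (not code from the talk or from OpenTofu itself): a small audit script that walks a state file in the v4 JSON format that both Terraform and OpenTofu write, and reports every attribute the provider marked sensitive that is nevertheless stored verbatim, plus unmarked values that look like credentials and sensitive outputs. The state embedded below is constructed for the demonstration; the resource types and attribute names follow the AWS provider, the values are invented.

```python
"""Audit a Terraform/OpenTofu state file (JSON, state format v4) for plaintext secrets.

Added example, not from the talk. A provider marks an attribute sensitive by listing
its path in the instance's "sensitive_attributes"; the value itself still sits
verbatim in "attributes". This reports that case, unmarked credential-looking
values, and sensitive outputs.
"""
import json
import re
from collections import namedtuple

Finding = namedtuple("Finding", "address path reason value")

# Heuristics for values that are secrets even when nobody marked them sensitive.
SECRET_PATTERNS = {
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S+"),
}

# Constructed sample state (values invented; shape matches what `tofu apply` writes).
SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.8.0", "serial": 3,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {"db_password": {"value": "Sup3rS3cret!", "type": "string", "sensitive": True}},
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "provider": "provider[\"registry.opentofu.org/hashicorp/aws\"]",
         "instances": [{"schema_version": 2,
                        "attributes": {"identifier": "app-db", "username": "app",
                                       "password": "Sup3rS3cret!",
                                       "endpoint": "app-db.example.internal:5432"},
                        # the CLI redacts this path; the value above is still on disk
                        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "provider": "provider[\"registry.opentofu.org/hashicorp/aws\"]",
         "instances": [{"schema_version": 1,
                        "attributes": {"id": "i-0123456789abcdef0",
                                       "user_data": "#!/bin/sh\nexport API_TOKEN=tok_constructed_12345\n"},
                        "sensitive_attributes": []}]},
    ],
})


def path_to_string(path):
    """Render a sensitive_attributes path (get_attr / index steps) as a dotted path."""
    out = ""
    for step in path:
        v = step["value"]
        out += f"[{v}]" if isinstance(v, int) else (f".{v}" if out else str(v))
    return out


def resolve_path(attrs, path):
    """Follow a sensitive_attributes path into the attributes object; None if absent."""
    cur = attrs
    for step in path:
        try:
            cur = cur[step["value"]]
        except (KeyError, IndexError, TypeError):
            return None
    return cur


def walk_leaves(value, prefix=""):
    """Yield (dotted path, scalar) for every leaf of a nested attributes object."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk_leaves(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk_leaves(v, f"{prefix}[{i}]")
    else:
        yield prefix, value


def audit_state(state_json):
    """Return a list of Finding for every secret stored in plaintext in the state."""
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError(f"unsupported state format version {state.get('version')!r}")
    findings = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            marked = set()
            for path in inst.get("sensitive_attributes", []):
                dotted = path_to_string(path)
                marked.add(dotted)
                value = resolve_path(attrs, path)
                if value is not None:  # marked sensitive, yet present verbatim
                    findings.append(Finding(address, dotted, "marked sensitive but stored in plaintext", value))
            for dotted, value in walk_leaves(attrs):
                if dotted in marked or not isinstance(value, str):
                    continue
                for label, rx in SECRET_PATTERNS.items():
                    if rx.search(value):
                        findings.append(Finding(address, dotted, f"looks like {label}, not even marked sensitive", value))
                        break
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and out.get("value") is not None:
            findings.append(Finding(f"output.{name}", "value", "sensitive output stored in plaintext", out["value"]))
    return findings


if __name__ == "__main__":
    for f in audit_state(SAMPLE_STATE):
        print(f"{f.address} {f.path}: {f.reason} ({str(f.value)[:4]}..., {len(str(f.value))} chars)")
```

Run it against a real state pulled with `tofu state pull` to see point 1 concretely: the sensitive_attributes list only tells the CLI what to redact, the attributes object still carries the value. The pattern check is a one-way signal: a clean report means nothing matched the heuristics, not that the state holds no secrets.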
Censoring the internet & how to bypass them
In recent years, internet censorship has increased throughout the world, as governments have realised the potential of the internet for spreading information as well as misinformation.
To curb, or rather control, this, governments around the globe have taken to censoring parts of the internet by directing major ISPs to block access to particular websites.
ISPs have used different methods to block that access, ranging from DNS filtering to inspection of the SNI (Server Name Indication) that a TLS client sends in the clear in its ClientHello.
There are ways to bypass these restrictions, such as DoH (DNS over HTTPS) and ESNI (encrypted SNI), now superseded by ECH (Encrypted Client Hello), both of which build on TLS 1.3.
To counter these, some authoritarian regimes (China, for example) have blocked ESNI traffic altogether, so that the server name stays visible for inspection and the "Great Firewall" can block websites accordingly.
I will be talking about how these different mechanisms for blocking user traffic work, with a live demo of packet analysis using Wireshark.
Later in the talk, I will show a comparative study of different ISPs around the globe and their approaches to blocking the internet (if any).
Towards the end, I will announce the open-source repo, which people can contribute to and use for their own research.
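As an added example (not part of the talk, and not a capture): a minimal TLS ClientHello builder and parser in Python showing exactly what an on-path inspector can read. A plain TLS 1.3 ClientHello carries the hostname in the server_name extension in the clear; with ECH the outer ClientHello carries only the ECHConfig's public name while the real name sits inside the encrypted extension, so a filter is left choosing between letting the connection through and blocking ECH wholesale, which is the choice the Great Firewall made for ESNI. The extension code points (0xffce for ESNI, 0xfe0d for ECH) are the real draft values; the ESNI and ECH payloads below are opaque placeholder bytes and the handshake random is zeroed, both assumptions made to keep the example self-contained.

```python
"""What an on-path filter sees in a TLS ClientHello: plaintext SNI vs ECH.

Added example, not from the talk and not a capture. Builds minimal ClientHello
records (random zeroed, one cipher suite), parses them the way a DPI box would,
then applies a blocklist. Extension code points are the real ones; the ECH and
ESNI payloads are opaque placeholder bytes.
"""
import struct

EXT_SERVER_NAME = 0x0000         # RFC 6066 server_name: the hostname, in the clear
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446: presence of 0x0304 marks TLS 1.3
EXT_ESNI = 0xFFCE                # draft-ietf-tls-esni encrypted_server_name (obsolete)
EXT_ECH = 0xFE0D                 # draft-ietf-tls-esni encrypted_client_hello


def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name, *, tls13=True, esni_payload=None, ech_payload=None):
    """Constructed ClientHello record. With ECH, server_name is the ECHConfig public name."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    if tls13:
        exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")  # version list: [TLS 1.3]
    if esni_payload is not None:
        exts += _ext(EXT_ESNI, esni_payload)
    if ech_payload is not None:
        exts += _ext(EXT_ECH, ech_payload)
    body = (b"\x03\x03" + bytes(32)        # legacy_version, random (zeroed here)
            + b"\x00"                      # empty legacy_session_id
            + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the fields an inspector can read without any key material."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # legacy_version, random
    pos += 1 + body[pos]                                      # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    info = {"sni": None, "tls13": False, "esni": False, "ech": False}
    if pos + 2 > len(body):
        return info                                           # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            off = 2                                           # skip server_name_list length
            while off + 3 <= len(data):
                ntype, nlen = data[off], struct.unpack("!H", data[off + 1:off + 3])[0]
                if ntype == 0:
                    info["sni"] = data[off + 3:off + 3 + nlen].decode("idna")
                off += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            versions = [data[i:i + 2] for i in range(1, len(data) - 1, 2)]
            info["tls13"] = b"\x03\x04" in versions
        elif etype == EXT_ESNI:
            info["esni"] = True
        elif etype == EXT_ECH:
            info["ech"] = True
    return info


def inspector_verdict(record, blocklist, block_encrypted_sni=False):
    """Simulate a filtering middlebox that only has the ClientHello to go on."""
    info = parse_client_hello(record)
    if block_encrypted_sni and (info["esni"] or info["ech"]):
        return "block", "encrypted SNI in use; real name not inspectable"
    if info["sni"] in blocklist:
        return "block", f"sni {info['sni']} is on the blocklist"
    return "allow", f"sni {info['sni']!r} not on the blocklist"


if __name__ == "__main__":
    blocklist = {"blocked.example"}
    plain = build_client_hello("blocked.example")
    ech = build_client_hello("public.example", ech_payload=bytes(16))  # real name is inside the payload
    for label, rec in (("plain TLS 1.3", plain), ("ECH outer hello", ech)):
        print(label, parse_client_hello(rec), inspector_verdict(rec, blocklist))
    print("ECH, filter that drops encrypted SNI:", inspector_verdict(ech, blocklist, block_encrypted_sni=True))
```

The same parser is a handy cross-check against a Wireshark capture: feed it the raw bytes of a real ClientHello record and compare the server_name it extracts with what the Client Hello dissector shows, then look at the same connection with ECH enabled in the browser to see only the public name.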
Exploiting GraphQL - For Fun & Profit
The "Exploiting GraphQL - For Fun & Profit" workshop is a comprehensive and hands-on training session focused on the security aspects of GraphQL. Participants will gain an in-depth understanding of GraphQL's architecture, its applications, and how to identify and exploit potential vulnerabilities. Over the course of two days, attendees will explore the fundamentals of GraphQL, learn about its real-world use cases, and discover techniques to locate GraphQL endpoints within web applications. The workshop will also cover security considerations specific to GraphQL, including injection attacks, access control flaws, and schema manipulation. Practical exercises and demonstrations will enable participants to analyse and exploit vulnerabilities while emphasising the importance of secure coding practices. This workshop is ideal for cybersecurity professionals, web developers, and penetration testers interested in expanding their knowledge of GraphQL security. Join us to acquire the practical skills needed to secure GraphQL APIs and mitigate potential threats in today's evolving web application landscape.
Security Champions LeaderBoard - Building and Gamifying the Security Culture at Your Organisation
Security teams are lean at most companies: a ratio of anywhere between 30 and 50 developers per security engineer is common. So having a larger set of people looking out for the security of the organisation would definitely help.
The idea was to make people proactively get involved in security and be more ‘security-savvy’. A lot of people love and play games in some form or the other, especially multiplayer games. We tried to gamify the 'security experience' to improve the security-savviness at our organisation. This would help us to recognise more 'security champions' from different teams and help to find early adopters for our security initiatives.
In this talk I go through the process from ideation to creation of the security champions leaderboard, and how it has improved the overall developer and security culture at the organisation, easing the security team's work.
Enforcing Security Best Practices using CI
High-performing teams usually ship faster, better, more securely and more often. Organisations focused on stability and continuous delivery (CD), whatever their size, deploy frequently.
Hundreds of continuous integration (CI) builds run in a typical organisation on a typical day. Every one of them is a chance for bugs, accidental data exposure and vulnerable third-party dependencies to reach production, and hence an open door for attackers.
Hence, to ensure that we ship quality, secure code, we should integrate security checks into our CI pipeline.
Getting a CyberSecurity Job In India
I got a job as a Security Engineer at Grofers straight out of college. I will talk about that journey and how you can plan your four years of college to make the most of them.