Danish Siddiqui

Senior Product Security Engineer
AppSec • Cloud Security (AWS) • DevSecOps • Bug Bounty • ISO 27001

📍 Dubai / Abu Dhabi (Open to relocate)
🔗 LinkedIn • GitHub • Writing • ✉️ danishismyname1@gmail.com
Featured: Exploring LLM Security Risks & OWASP Top 10 for LLMs


Summary

Senior Product Security Engineer with 6+ years of experience owning and scaling end-to-end security programs across Application Security (AppSec), Cloud Security (AWS), and DevSecOps in high-growth product environments. Experienced in Secure SDLC, CI/CD Security, and vulnerability management lifecycle across web, API, and mobile products.

First dedicated security hire at product companies, responsible for security architecture decisions, risk management, bug bounty program governance, and ISO 27001:2022 compliance readiness, working directly with engineering, platform, and leadership teams.

Strong background in offensive security and real-world attack paths, enabling a pragmatic, risk-based approach that balances developer velocity, audit readiness, and business impact. Experienced in embedding security through automation (SAST, SCA, container security), OWASP Top 10 and OWASP API Top 10 coverage, and stakeholder management.

Security Ownership Overview: How I operate as a security owner


Target Roles

Product Security • Application Security • Cloud Security (AWS) • DevSecOps


Selected Impact

  • Reduced critical production-bound vulnerabilities by ~30% by integrating Semgrep and Trivy into CI/CD.
  • Built and scaled Product Security as the first dedicated security engineer across web, mobile, APIs, and cloud.
  • Launched CyberShield360 (ASM product), increasing client engagement by ~200%.
  • Led ISO 27001:2022 readiness as primary security SPOC across engineering, IT, HR, and finance.
  • Designed and operated a bug bounty program with clear scope, triage workflows, and payout governance.

Core Competencies

  • Product & Application Security (Web/API/Mobile)
  • API Security (OWASP API Top 10)
  • Cloud Security (AWS: IAM, VPC, WAF, ALB, GuardDuty, CloudTrail)
  • DevSecOps & CI/CD Security (SAST/SCA/Container Security)
  • Bug Bounty Operations (triage, governance, payout model)
  • Threat Modeling (STRIDE) & Secure-by-Design Reviews
  • Governance, Risk Management & Compliance (ISO 27001:2022 readiness)
  • Secure SDLC & Vulnerability Management Lifecycle
  • AI/LLM Security (prompt injection, data leakage)

Tooling & Stack

  • Semgrep, Trivy, Burp Suite, Prowler, ScoutSuite, ThreatMapper
  • AWS (EC2, IAM, VPC, ALB, WAF, CloudTrail, GuardDuty)
  • Nessus, Metasploit, Nmap, Wireshark

Security Products Built


Case Studies


Writing & Research


Community & Industry Engagement


Certifications

  • Multi-Cloud Red Team Analyst (2024–Present)
  • Certified Red Team Professional (CRTP) (2022–Present)
  • Certified Ethical Hacker (CEH) (2020–Present)
  • Certification repository: Google Drive

CVEs & Recognition

  • CVE-2026-23521, CVE-2025-29074, CVE-2024-57459, CVE-2025-29075–29078
  • 160+ Hall of Fame mentions (Atlassian, Google, Mastercard, SoundCloud, Paytm, etc.)
  • Bugcrowd profile: bugcrowd.com/djvirus
