██████╗ ███████╗██╗ ██╗███████╗███████╗ ██████╗ ██████╗ ██████╗ ███████╗
██╔══██╗██╔════╝██║ ██║██╔════╝██╔════╝██╔════╝ ██╔═══██╗██╔══██╗██╔════╝
██║ ██║█████╗ ██║ ██║███████╗█████╗ ██║ ██║ ██║██████╔╝███████╗
██║ ██║██╔══╝ ╚██╗ ██╔╝╚════██║██╔══╝ ██║ ██║ ██║██╔═══╝ ╚════██║
██████╔╝███████╗ ╚████╔╝ ███████║███████╗╚██████╗ ╚██████╔╝██║ ███████║
╚═════╝ ╚══════╝ ╚═══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚══════╝
I'm a DevSecOps engineer at Ribbon Communications, working at the intersection of systems programming, container security, and supply chain integrity. My day-to-day spans from writing low-level C/C++ CLI features using YANG/ConfD, to building secure Kubernetes deployments and PKI environments for artifact signing — with vulnerability scanning woven into every stage of the pipeline.
I care about shifting security left — catching issues at the code and artifact level, long before anything reaches production.
role: DevSecOps Engineer
company: Ribbon Communications Pvt. Ltd.
location: Bangalore, India
focus:
- Systems Programming (C/C++ · ConfD · YANG)
- Container Security & Signing (Cosign · OpenSSL · DigiCert HSM)
- Kubernetes Operations & Debugging
- Supply Chain Vulnerability Scanning

Built application-level CLI features for network management software using ConfD (Tail-f/Cisco's configuration management daemon) and YANG data modeling.
- Designed and implemented new CLI commands by authoring YANG models that define the data schema and calling ConfD's internal C APIs to wire up the logic
- Extended existing management plane features while maintaining backward compatibility with deployed network configurations
- Worked directly with low-level C/C++ to interact with ConfD's internal libraries — handling transaction hooks, validation callbacks, and data provider APIs
- Debugged complex configuration state issues by tracing through ConfD's transaction engine
Stack: C · C++ · ConfD (Tail-f) · YANG · NETCONF
Domain: Network Management · CLI Engineering · Configuration Plane
Deployed and maintained production-grade Kubernetes environments for Ribbon's telecom products.
- Managed pod lifecycle operations — deployments, rollbacks, scaling strategies (HPA/VPA), and graceful shutdown behaviour
- Debugged complex production issues by deep-diving into Kubernetes Events (using kubectl, or oc, the OpenShift CLI client) to trace pod failures, OOM kills, image pull errors, and scheduling issues
- Investigated container crashes by correlating pod logs, events, and resource metrics to isolate root cause across multi-service deployments
- Managed pod scaling decisions — understanding when to scale horizontally vs. vertically based on observed resource pressure
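The correlation described in the bullets above, written out as a small triage script. This is an added example, not Ribbon's code: it reads the JSON that `kubectl get pods -o json` and `kubectl get events -o json` produce, checks container state first (OOMKilled, ImagePullBackOff, CrashLoopBackOff) and then Warning events (FailedScheduling, pull failures, probe failures), and maps each to the action that actually fixes it, including whether scaling horizontally would help. The embedded pod listing and event list are constructed in the API's shape; every pod name, image and message is invented.

```python
"""Triage of `kubectl get pods -o json` and `kubectl get events -o json` output.
Added example, not Ribbon's code. Assumptions (not from the page): the JSON below is
constructed in the shape the Kubernetes API returns; every pod name, image and
message is invented for illustration."""
import json
from collections import defaultdict

# Constructed listing: one OOM-killed crash loop, one bad image tag, one unschedulable pod, one healthy pod.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "billing-api-7f9c-abc12"}, "status": {"phase": "Running", "containerStatuses": [
        {"name": "api", "restartCount": 7, "state": {"waiting": {"reason": "CrashLoopBackOff"}},
         "lastState": {"terminated": {"reason": "OOMKilled", "exitCode": 137}}}]}},
    {"metadata": {"name": "media-gw-5d4b-xyz34"}, "status": {"phase": "Pending", "containerStatuses": [
        {"name": "gw", "restartCount": 0, "lastState": {},
         "state": {"waiting": {"reason": "ImagePullBackOff",
                               "message": "Back-off pulling image \"registry.example/media-gw:9.9\""}}}]}},
    {"metadata": {"name": "sbc-core-0"}, "status": {"phase": "Pending"}},
    {"metadata": {"name": "config-svc-1"}, "status": {"phase": "Running", "containerStatuses": [
        {"name": "cfg", "restartCount": 0, "state": {"running": {}}, "lastState": {}}]}},
]})

# Constructed Warning events for the same pods.
EVENTS_JSON = json.dumps({"items": [
    {"type": "Warning", "reason": "FailedScheduling", "involvedObject": {"kind": "Pod", "name": "sbc-core-0"},
     "message": "0/3 nodes are available: 3 Insufficient memory."},
    {"type": "Warning", "reason": "Failed", "involvedObject": {"kind": "Pod", "name": "media-gw-5d4b-xyz34"},
     "message": "Failed to pull image \"registry.example/media-gw:9.9\": manifest unknown"},
    {"type": "Warning", "reason": "BackOff", "involvedObject": {"kind": "Pod", "name": "billing-api-7f9c-abc12"},
     "message": "Back-off restarting failed container api"},
]})


def events_by_pod(events_text):
    """Group Warning events by the pod they refer to."""
    by_pod = defaultdict(list)
    for ev in json.loads(events_text).get("items", []):
        obj = ev.get("involvedObject", {})
        if obj.get("kind") == "Pod" and ev.get("type") == "Warning":
            by_pod[obj["name"]].append((ev.get("reason", ""), ev.get("message", "")))
    return by_pod


def triage_pod(pod, events):
    """Map container states plus events to (category, action) pairs, one per category.
    Container state is the primary evidence; events add what pod status cannot express
    (scheduling failures, pull errors, probe failures)."""
    findings = {}
    status = pod.get("status", {})
    for cs in status.get("containerStatuses", []):
        terminated = cs.get("lastState", {}).get("terminated", {})
        waiting = cs.get("state", {}).get("waiting", {})
        if terminated.get("reason") == "OOMKilled":
            findings.setdefault("OOMKilled", f"{cs['name']} OOMKilled, {cs['restartCount']} restarts: raise the "
                                "memory limit or fix the leak (vertical); more replicas do not lower per-pod usage")
        elif waiting.get("reason") in ("ImagePullBackOff", "ErrImagePull"):
            findings.setdefault("ImagePull", f"{cs['name']}: {waiting.get('message', 'image pull failing')}; "
                                "check the image tag, registry path and imagePullSecrets")
        elif waiting.get("reason") == "CrashLoopBackOff":
            findings.setdefault("CrashLoop", f"{cs['name']} crashing without OOM: read kubectl logs --previous")
    for reason, message in events:
        if reason == "FailedScheduling":
            findings.setdefault("Scheduling", f"{message} -> add node capacity or lower requests; HPA cannot help")
        elif reason == "Failed" and "pull image" in message:
            findings.setdefault("ImagePull", f"{message}; check the image tag, registry path and imagePullSecrets")
        elif reason == "Unhealthy":
            findings.setdefault("Probe", f"{message} -> liveness/readiness probe failing; check path and timeouts")
    if not findings:
        findings["Healthy" if status.get("phase") == "Running" else "Unknown"] = "no actionable evidence"
    return list(findings.items())


def triage(pods_text, events_text):
    """Return {pod name: [(category, action), ...]} for every pod in the listing."""
    by_pod = events_by_pod(events_text)
    return {p["metadata"]["name"]: triage_pod(p, by_pod.get(p["metadata"]["name"], []))
            for p in json.loads(pods_text).get("items", [])}


if __name__ == "__main__":
    for name, items in triage(PODS_JSON, EVENTS_JSON).items():
        for category, action in items:
            print(f"{name:24} {category:11} {action}")
```

Against a live cluster the two constants would be replaced by the output of `kubectl get pods -n NAMESPACE -o json` and `kubectl get events -n NAMESPACE -o json`; the point of checking `lastState.terminated.reason` before the waiting reason is that an OOM-killed container also shows as CrashLoopBackOff, and only the former tells you the fix is memory, not a code bug.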
```bash
# Typical debugging workflow
helm install installname CHARTS_DIR --values values.yaml
kubectl get pods -n NAMESPACE                  # locate the failing pod (oc works the same on OpenShift)
kubectl describe pod POD -n NAMESPACE          # events plus container states: OOMKilled, ImagePullBackOff, CrashLoopBackOff
kubectl logs POD -n NAMESPACE --previous       # logs from the container instance that crashed
kubectl exec -it POD -n NAMESPACE -- /bin/sh   # shell into the running container
```
Stack: Kubernetes · kubectl · Helm · Docker · Container Runtimes
Domain: Platform Engineering · SRE · Telecom Workloads
Built a complete artifact signing pipeline and PKI environment to ensure the integrity and authenticity of container images and build artifacts before deployment.
- Implemented artifact signing using OpenSSL with private keys, establishing a root-of-trust for build outputs
- Integrated Cosign (Sigstore) to sign and verify Docker container images, storing the signatures (and any attestations) alongside the image in the OCI registry so that verification needs nothing outside the registry
- Worked with DigiCert HSM (Hardware Security Module)-backed root certificates — the private key never leaves the HSM, so it cannot be exfiltrated even if the build system is compromised; what a compromised builder can still do is request signatures, which is why access to the signing operation itself has to be gated and audited
- Handled pre-loaded one-time private keys associated with DigiCert root certs — understanding the trust chain from root CA → intermediate → signing key → artifact
- Built verification steps into the CI/CD pipeline so unsigned or invalidly signed images are rejected before deployment
DigiCert HSM
│
Root Certificate
│
One-Time Private Key ──► Signs Artifact / Image
│
Cosign / OpenSSL
│
Signature stored in OCI Registry
│
Pipeline verifies before deploy ✓
Stack: Cosign · OpenSSL · DigiCert HSM · Docker · OCI Registries
Domain: Supply Chain Security · PKI · Code Signing · Zero Trust
Integrated a multi-layered vulnerability scanning strategy into the CI/CD pipeline, scanning container images before they are deployed to any environment.
| Tool | What It Scans | Where Used |
|---|---|---|
| Trivy | OS packages, language libs, IaC, secrets | Container images, filesystem |
| Black Duck | Open source license compliance + CVEs | Source code, dependencies |
| Grype | Container image CVE scanning | Pipeline gate |
| JFrog Xray | Artifacts in JFrog Artifactory | Artifact registry |
- Configured scanners as pipeline gates — builds fail automatically if critical/high CVEs above a defined threshold are found
- Tuned policies to distinguish between fixable and accepted vulnerabilities to reduce noise without missing genuine risk
- Managed Trivy DB updates and ensured offline scanning capability for air-gapped environments
- Used Black Duck to enforce OSS license compliance — flagging copyleft licenses (GPL) that conflict with proprietary product distribution
- Correlated findings across tools to prioritize remediation — a CVE reported by both Trivy and Grype against the same package in the same layer is corroborated by two independent vulnerability databases, is very unlikely to be a false positive, and goes to the top of the queue
```bash
# Example Trivy scan in pipeline
# --exit-code 1 turns the scan into a gate: the stage fails when a CRITICAL or HIGH finding is present
# (add --ignore-unfixed to skip findings that have no fixed version yet, per the fixable-vs-accepted policy)
trivy image \
  --severity CRITICAL,HIGH \
  --exit-code 1 \
  --format json \
  --output trivy-report.json \
  your-registry/your-image:tag
```
Stack: Trivy · Black Duck · Grype · JFrog Xray · CI/CD Pipelines
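The policy bullets above (severity threshold, fixable vs. accepted, cross-tool correlation) as one gate that consumes the JSON reports the scanners write. This is an added example, not Ribbon's pipeline code: it flattens a Trivy report and a Grype report into a common record, merges them on (CVE, package), sorts corroborated findings first, and returns the exit code the CI stage should use. Assumptions not taken from the page: the two embedded reports are constructed in the public shapes of `trivy image --format json` and `grype -o json`, and every CVE ID, package and version in them is a placeholder rather than a real finding.

```python
"""Pipeline gate that merges Trivy and Grype JSON reports into one decision.
Added example, not Ribbon's code. Assumptions (not from the page): the two report
fragments follow the public shapes of `trivy image --format json` and `grype -o json`;
every CVE ID, package and version below is a constructed placeholder, not a real finding."""
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"UNKNOWN": 0, "NEGLIGIBLE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed Trivy report: Results[].Vulnerabilities[]; an empty FixedVersion means no fix is available.
TRIVY_REPORT = json.dumps({"Results": [{"Target": "registry.example/app:1.2 (alpine 3.18)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.0-r0",
     "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
     "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
     "FixedVersion": "1.2.13-r1", "Severity": "MEDIUM"},
]}]})

# Constructed Grype report: matches[].vulnerability and matches[].artifact; fix.state is "fixed" or "not-fixed".
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"state": "fixed", "versions": ["3.1.4-r0"]}},
     "artifact": {"name": "openssl", "version": "3.1.0-r0"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "High", "fix": {"state": "fixed", "versions": ["8.5.0-r0"]}},
     "artifact": {"name": "curl", "version": "8.4.0-r0"}},
]})

# Explicit risk acceptances, CVE -> written justification (constructed). Anything not listed must be fixed.
ACCEPTED = {"CVE-0000-0004": "curl only used for a localhost health probe; reviewed, expires with the next base image"}


@dataclass
class Finding:
    cve: str
    pkg: str
    version: str
    severity: str                              # normalised to upper case
    fixed: bool                                # True when a fixed version is known
    sources: set = field(default_factory=set)  # scanners that reported it


def load_trivy(text):
    out = []
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                               v["Severity"].upper(), bool(v.get("FixedVersion")), {"trivy"}))
    return out


def load_grype(text):
    out = []
    for m in json.loads(text).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        out.append(Finding(vuln["id"], art["name"], art["version"], vuln["severity"].upper(),
                           vuln.get("fix", {}).get("state") == "fixed", {"grype"}))
    return out


def merge(*finding_lists):
    """Key on (CVE, package); keep the highest severity and union the reporting tools."""
    merged = {}
    for f in (f for lst in finding_lists for f in lst):
        cur = merged.setdefault((f.cve, f.pkg), Finding(f.cve, f.pkg, f.version, f.severity, False))
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]:
            cur.severity = f.severity
        cur.fixed = cur.fixed or f.fixed
        cur.sources |= f.sources
    return list(merged.values())


def evaluate(findings, threshold="HIGH", accepted=None, fail_on_unfixed=False):
    """Bucket merged findings. blocking fails the build; tracked holds unfixed findings at or above
    the threshold (reported, not blocking, unless fail_on_unfixed); accepted carries a written
    justification; ignored is below the threshold. Blocking is ordered so that CVEs corroborated
    by both scanners come first, then by severity."""
    accepted = accepted or {}
    buckets = {"blocking": [], "tracked": [], "accepted": [], "ignored": []}
    for f in findings:
        if f.cve in accepted:
            buckets["accepted"].append(f)
        elif SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            buckets["ignored"].append(f)
        elif not f.fixed and not fail_on_unfixed:
            buckets["tracked"].append(f)
        else:
            buckets["blocking"].append(f)
    buckets["blocking"].sort(key=lambda f: (-len(f.sources), -SEVERITY_RANK[f.severity], f.cve))
    return buckets


def gate_exit_code(buckets):
    """Non-zero fails the pipeline stage, the same contract as trivy --exit-code 1."""
    return 1 if buckets["blocking"] else 0


def run_gate(trivy_text, grype_text, accepted=ACCEPTED, threshold="HIGH", fail_on_unfixed=False):
    return evaluate(merge(load_trivy(trivy_text), load_grype(grype_text)), threshold, accepted, fail_on_unfixed)


if __name__ == "__main__":
    result = run_gate(TRIVY_REPORT, GRYPE_REPORT)
    for bucket, items in result.items():
        for f in items:
            print(f"{bucket:9} {f.cve} {f.pkg}@{f.version} {f.severity} fixed={f.fixed} via={sorted(f.sources)}")
    raise SystemExit(gate_exit_code(result))
```

In a real stage the two constants would be read from the `--output` files of the Trivy and Grype runs; keeping the acceptance list as CVE-to-justification rather than a bare list of IDs is what makes the "accepted" bucket auditable instead of a silent suppression.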
Domain: DevSecOps · SBOM · CVE Management · Compliance
{
"languages": ["C", "C++", "Python", "Bash", "YAML"],
"network_mgmt": ["ConfD", "YANG", "NETCONF", "RESTCONF"],
"containers": ["Docker", "Kubernetes", "Helm", "OCI"],
"security": {
"signing": ["Cosign", "OpenSSL", "DigiCert HSM", "PKI"],
"scanning": ["Trivy", "Black Duck", "Grype", "JFrog Xray"],
"practices": ["Shift-Left Security", "SBOM", "Zero Trust", "Supply Chain Security"]
},
"ci_cd": ["GitHub Actions", "Jenkins", "Pipeline-as-Code"],
"platforms": ["Linux", "Kubernetes", "Container Runtimes"]
}

► Supply chain security — after events like the Trivy/TeamPCP breach (March 2026),
I think deeply about how build tooling itself becomes an attack surface.
► PKI and cryptographic trust — understanding the full chain from HSM root cert
to deployed artifact signature.
► Shifting security left — making vulnerability detection part of the developer
workflow, not a gate at the end.
► Low-level systems — there is something satisfying about writing C that talks
directly to a configuration daemon managing live network state.
► how-trivy-a-tool-built-to-find-vulnerabilities-became-one
► bgp-border-gateway-protocol-in-depth
I'm always open to talking about DevSecOps, supply chain security, or anything related to securing software at the infrastructure layer.