Размещайте вакансии
Нанимайте без комиссий
Опыт работы пентестером и инженером по безопасности от 6 лет.
Навыки DevOps и SecDevOps с ориентацией на безопасность.
Продвинутые знания администрирования Linux, администрирования веб-серверов, стека LAMP, методов и методологий тестирования на проникновение.
Свободное использование сканеров уязвимостей, сканеров Linux и Windows, инструментов мониторинга сетевого трафика. Хорошее знание облачных сервисов, таких как AWS и Azure, навыки эластичного стека.
Имеет опыт тестирования безопасности технологий, связанных с криптовалютами: блокчейн, смарт-контракты, токены, мосты.
Использовать логический и методический подход к достижению задач и целей; способен строить и реализовывать сложные планы; решительный и решительный; проявлять инициативу, чтобы встречать и решать проблемы.
Родной язык – украинский.
Свободный русский, свободный английский.
Языки программирования/технологии
§ Питон
§ Баш
§ Php
§ Javascript
§ JavaEE
§ Рубин
§ С
§ С++
§ Исследования и разработки SaaS/SOA/RIA
§ СИЭМ
§ Техническая документация/Отчеты о тестировании на проникновение/Предложения
СУБД
§ Мой SQL
§ ПостгресSQL
§ SQLite
Методологии
§ ОВАСП
§ НИСТ
Операционные системы
§ Microsoft Windows 95/98/2000/XP/2003 Server/Vista/7/8/10
§ Кали Линукс
§ Убунту
§ ЦенОС
Среды виртуализации
§ VMWare
§ Виртуальная коробка
§ OpenStack
Аппаратное обеспечение
§ Сетевые технологии
§ Различное технологическое устройство
Приложения/веб-серверы
§ Нгинкс
§ Php-fpm
§ Кот
§ ИИС
§ Апачи
§ Редис
§ Активный каталог
§ DNS
§ DHCP
§ SNMP
§ малый и средний бизнес
Инструменты разработки
§ Доступный (базовый)
§ AWS/Кубернет
§ Лазурь
§ Докер
§ Дженкинс
§ Гитлаб
§ Гит
§ CI/CD
§ Открытая смена
Инструменты тестирования
§ Nкарта
§ Никто
§ Берп Люкс
§ ОВАСП ЗАП
§ Несс
§ Wireshark
§ Мальтего
§ SQL-карта
§ Гобастер
§ Метасплойт
§ Облачная вспышка
Другие технологии
§ Блокчейн
§ Смарт-контракты
§ Мосты для криптовалют
Administration of the website on AWS Kubernetes, which uses nginx, php-fpm, mysql. Control of resources in use and it’s optimization. Azure deployment
- testing security of the website
- optimizing mysql
- configuring dns records for main domain and subdomains
- controlling memory flows
- configuring
4 team members
Nginx, php-fpm, mysql, redis, DNS, Kubernetes, Jenkins, Zabbix
During a penetration test of cryptocurrency website, a critical vulnerability was found. This vulnerability allowed to get all confidential information about the users, including emails, wallets and balances, etc. knowing user ID. The vulnerability was amplified with the fact that it was easy to generate all possible IDs with own written script. Our team helped to fix this vulnerability as soon as it was found.
- analyze the system and prepare scope of work
- gather information about the system
- check used services and their versions
- find exploits for these services
- test api and requests to the server
- get access to the database
- prepare a detailed report on found vulnerabilities including executive summary, risk level of each vulnerability and recommendations on how to fix them.
Curl, Burp Suite, Requests interception, modification, injections of malicious code, own written bash script to brute force user ID values.
An enterprise company requested DDoS protection and full security audit of the website on AWS managed with Kubernetes. At the time of DDoS attacks Kubernetes scaled used resources up to 8 servers. However, even this scaling did not help agains the attacks. So our team has configured proper security rules, managed WAF and firewall and has written own solution. After this complex approach any attack could not harm the system.
- external threat modeling
- information gathering
- testing AWS security groups
- identity and access management
- test data protection
- internal threat modeling
- web app code review
- communication with client's security engineer
- generating a report with executive summary, risk level of each vulnerability and recommendations on how to fix them
AWS, Kubernetes, Openshift, Cloudflare, WAF, firewall, own solution written in php.
A website of an e-commerce company.
- external threat modeling
- information gathering
- analyzing logs
- performance monitoring
- testing production environments
- identity and access management
- test data protection
internal threat modeling
- communication with client's security engineer
- generating a report with executive summary, risk level of each vulnerability and recommendations on how to fix them
Cloudflare, WAF, firewall, own solution written in php, Zabbix, Burp Suite.
An internal network of a software development company.
- analyzing internal network traffic
- security testing of devices in the network
- analyzing logs
- performance monitoring
- testing production environments
- test data protection
communication with client's security engineer
generating a report with executive summary, risk level of each vulnerability and recommendations on how to fix them
WAF, firewall, Zabbix, Burp Suite, Nmap, Wireshark.
A website of an e-commerce company.
- recovery of the website after an attack
- analyzing logs
- performance monitoring
- automation of the main system processes
- handling system errors
- testing production environments
- identity and access management
- test data protection
- communication with client's security engineer
- generating a report with executive summary, risk level of each vulnerability and recommendations on how to fix them
Firewall, Zabbix, Burp Suite, Nmap.