Security Engineer - 22109 Outstaffing

Mobile application for IOS and Android - a wallet for cryptocurrency, which is used for transactions between different currencies

§ Analyze the system and prepare scope of work

§ Reverse Engineering of Android app

§ Testing security of the apps

§ Dynamic and Static testing

§ Test api and requests to the server

§ Prepare a detailed report on found vulnerabilities including executive summary, risk level of each vulnerability and recommendations on how to fix them.

During a penetration test of cryptocurrency website, a critical vulnerability was found. This vulnerability allowed to get all confidential information about the users, including emails, wallets and balances, etc. knowing user ID. The vulnerability was amplified with the fact that it was easy to generate all possible IDs with own written script. Our team helped to fix this vulnerability as soon as it was found.

§ analyze the system and prepare scope of work

§ gather information about the system

§ check used services and their versions

§ find exploits for these services

§ test api and requests to the server

§ get access to the database

§ prepare a detailed report on found vulnerabilities including executive summary, risk level of each vulnerability and recommendations on how to fix them.

Curl, Burp Suite, Requests interception, modification, injections of malicious code, own written bash script to brute force user ID values.

An enterprise company requested DDoS protection and full security audit of the website on AWS managed with Kubernetes. At the time of DDoS attacks Kubernetes scaled used resources up to 8 servers. However, even this scaling did not help agains the attacks. So our team has configured proper security rules, managed WAF and firewall and has written own solution. After this complex approach any attack could not harm the system.

§ external threat modeling

§ information gathering

§ testing AWS security groups

§ identity and access management

§ test data protection

§ internal threat modeling

§ web app code review

§ communication with client's security engineer

§ generating a report with executive summary, risk level of each vulnerability and recommendations on how to fix them

AWS, Kubernetes, Cloudflare, WAF, firewall, own solution written in php.

§ external threat modeling

§ information gathering

§ analyzing logs

§ performance monitoring

§ testing production environments

§ identity and access management

§ test data protection

§ internal threat modeling

§ communication with client's security engineer

§ generating a report with executive summary, risk level of each vulnerability and recommendations on how to fix them

Cloudflare, WAF, firewall, own solution written in php, Zabbix, Burp Suite.

An internal network of a software development company.

§ analyzing internal network traffic

§ security testing of devices in the network

§ analyzing logs

§ performance monitoring

§ testing production environments

§ test data protection

§ communication with client's security engineer

§ generating a report with executive summary, risk level of each vulnerability and recommendations on how to fix them

WAF, firewall, Zabbix, Burp Suite, Nmap, Wireshark.

Smart contract of token and bridge based on etherium. ERC20 standard

§ Smart Contract Audit

§ Check loops for miner attacks on timestamps and orders, and transaction order dependency

§ Determine inconsistency between specification and implementation

§ Identify defective design, logic, and access control

§ Provide recommendations to improve contract security and readability

  Visual Studio Code, Solidity, Slither, cloc, surya