
ShiteshSachan Lead APP Sec Consultant


Page 1: ShiteshSachan Lead APP Sec Consultant

Shitesh Sachan [email protected]

Ph: +91-9958184880 SUMMARY

Having 5 years of experience in Application Security in the IT industry, working on penetration testing of web applications, Windows applications, mobile applications, E-Learning content and applications, and games. Currently working as a Lead Application Security Consultant in hCentive Technology India Pvt. Ltd.

Experienced in communicating with team members, customers, and business and technical people.

Ability to perform exhaustive security testing on an application written in any language.

Malware Analysis

Secure Source Code Checklist

Ability to train the Dev and QA teams in developing and testing secure applications

TECHNICAL SKILLS

Recently developed a Firefox add-on named “Counter” for displaying hidden elements of a web page, written in JS and XUL

https://addons.mozilla.org/en-US/firefox/addon/counter/

Author of Books:

1. Java Secure Coding Practices (Available on Amazon)

2. Indepth Penetration Testing using BurpSuite Professional (Available on Amazon)

DAST Tools: IBM AppScan, Qualys, Acunetix, Burp Suite, Fiddler+Watcher, IronWASP, W3af, AccessDiver

SAST Tools: Fortify, FindBugs, PMD, OWASP SWAAT Project, VCG

Network Pentest: Metasploit, Nmap, Nessus, Wireshark

Security Attacks: XSS Attack, SQL Injection, Session Hijacking, URL Manipulation, Firebug DB Attack, CSRF Attack, Brute Force Attack, DDoS Attack, Request-Response Manipulation, Registry Key Manipulation, Cracking, Hoogling, Man in the Middle

Vulnerability Reporting Tools: Jira, Pivotal, Bugzilla

Knowledge of Scripting Languages: VB Script, ActionScript 1.0, 2.0, 3.0

Knowledge of Programming Languages: C, C++, Java, Assembly Language

Markup Languages: XML, XUL

OS for Pen Testing: BackTrack 5 R2, Kali Linux, Linux, Windows 7, Vista, XP, NT

Server: Windows Server 2012

DB: Microsoft SQL Server 2008, MySQL

Achievements as a Hacker:

1. Received Star Performer of the Year award in hCentive (current organization)

2. Received appreciation from the US state cyber intelligence team for reporting a vulnerability in Session Management in the Massachusetts Healthcare solution.

3. Received appreciation from Amazon for informing them about bypassing the Amazon Payment Gateway.

4. Received appreciation from Flipkart for informing them about bypassing the Payment Gateway.

5. Received appreciation from HDFC Bank for informing them about a way to steal credit card information of any user and bypass the OTP Gateway.

6. Last week I informed Idea Telecom about the Privilege Escalation vulnerability of fetching daily call details of any Idea user.

PROFESSIONAL EXPERIENCE

hCentive Technology India Pvt. Ltd. (Healthcare Solutions) Sep 2012 – Till date

hCentive provides healthcare solutions. hCentive is the first organization to build an exchange solution for OBAMACARE. hCentive has developed a deep understanding of the health insurance domain and has created solutions and services that align with federal and state regulations and meet or exceed all industry standards.

Project 1– MA-HIX (Dec 2012- Current)

Project Description— A health-insurance-exchange solution for the U.S. state of Massachusetts. This solution has four portals: Individual, Employer, Agent and Worker.

Project 2– KY-HIX (Sep 2012- Dec 2012)

Project Description— A health-insurance-exchange solution for the U.S. state of Kentucky. This solution has four portals: Individual, Employer, Broker and Navigator.

Tools used – IBM AppScan, Qualys, BurpSuite, Nmap, Nessus, Fortify and Manual Security Attacks

Responsibilities:

• Testing of OWASP Top 10 vulnerabilities and guide v4 implementation

• Analyze applications from a security perspective

• Perform security testing (SQL injection, URL manipulation, cookie attack, source code manipulation, brute force attack, vulnerability detection, XSS attack, packet sniffing)

• Executing the penetration suite at the network layer and application layer

• Reporting vulnerabilities in JIRA and coordinating with developers to reproduce them.

Asvathaa Pvt. Ltd. ( Pen Tester ) April 2011 – August 2012

Asvathaa develops Facebook applications, web applications and Android mobile applications.

Project 1– Android Application “Mobile Number Locator”

Project Description— This is an Android-based application. The user has to log in first; after login, he can enter any mobile number in the provided text field to get the location of that number.

Project 2– Android Game “Super Monkey ( New Zombie Dash )”

Project Description— This is an Android-based game. Super Monkey is a single-player action game in which the player must jump over and avoid obstacles while the character runs continually forward without control. The fun comes from dodging obstacles, sometimes with little to no notice, and from trying to beat high scores.

Tools used – Revenssis, Shark for Root, DroidSheep and Manual Security Attacks

Project 3 – Desktop Application BMS( Bulk Message Sender )

Project Description— This software is able to send bulk messages to thousands of different mobile numbers and e-mail addresses.

Tools used – Process Monitor, EchoMirage, Wireshark, BurpSuite and Manual Security Attacks

Project 4 – Facebook Game “Karma Kingdom”


Project Description— This is a social app running on Facebook: a social, community-based web game that only a registered Facebook user can play. The objective of the user is to select the different items shown on screen and build the city.

Tools used – Acunetix, Fiddler, WireShark and Manual Attacks for Security Testing

Pivotal for Bug Reporting/Tracking

Responsibilities:

• Analyze applications from a security perspective

• Perform security testing (SQL injection, URL manipulation, cookie attack, source code manipulation, brute force attack, vulnerability detection, XSS attack, packet sniffing)

• Reverse engineering

• File structure and stored-data related pen tests

EDUCOSOFT (Security Tester) June 2010 – April 2011

Educo International Inc. (Educo International India Pvt. Ltd.) is a U.S.-based E-Learning company that has been developing e-courses, e-quizzes and various other e-solutions since 1985.

Project 1 – www.educosoft.com

Project Description— The purpose of this website is to provide an E-Learning solution to its registered members. Different types of registration processes are available on this website for higher studies, lower studies, parents and students. The E-Learning content available on this website is developed in Flash.

Project 2 – Educo Learning Management system

Project Description— This is a system-based application in which a student can perform multiple activities such as MOPS (Multiple Options Practice Sheets), Practice Sheets, Quizzes, Homework, Math Expression Keypad, Test Grader and Online Test.

Tools used – AccessDiver, BurpSuite and Manual Attacks for Security Testing

Responsibilities:

• Analyze applications from a security perspective

• Perform security testing (SQL injection, URL manipulation, cookie attack, source code manipulation, brute force attack, vulnerability detection, XSS attack, packet sniffing)

• Finding the loopholes at the network layer and application layer

QUALIFICATIONS

CERTIFICATIONS:

CEH (CERT NO: ECC05914108572) with 91.2% marks

HIPAA Privacy and Security Certification with 100% marks

ISTQB Certification with 82.5% marks

AHIP Certification with 70% marks

Six Sigma White Belt Certification with 88.88% marks

PROFESSIONAL QUALIFICATION:

Completed B.Tech. in CSE (Computer Science and Engineering) with 70% in 2010 from Faculty of Engineering and Technology, Agra College, Agra, affiliated to U.P. Technical University, Lucknow.

ACADEMIC QUALIFICATION:

Standard | Board | Session | Aggregate percentage
10th | U.P. Board | 1999-2000 | 69
12th | U.P. Board | 2002-2003 | 65

PERSONAL PROFILE:

Name : Shitesh Sachan

Father's Name : Mr. Raj Bahadur Sachan

Present Address : D1/179D, Arawali Apt., Sec-52, Noida (201301), UP, India

Permanent Address : MIG 55, Sector-E, Gujaini, Kanpur (208022), UP, India

Mobile : 9958184880

E-mail : [email protected]

Visa : USA B1/B2

Hobbies :

Ethical Hacking

Songs Creation

Music Composition

STRENGTHS :

Cracking

Reverse Engineering

DECLARATION:

I hereby declare that all the information provided above is true to the best of my knowledge.

Place: Noida (Shitesh Sachan)