
ShiteshSachan Sr. Lead APP Sec Consultant


Shitesh Sachan [email protected]

Ph: +91-9958184880

SUMMARY

7 years of experience in Core Application Security in the IT industry, working on penetration testing of web applications, Windows applications, mobile applications, e-learning content and applications, and games. Currently working as a Sr. Lead Application Security Consultant at hCentive Technology India Pvt. Ltd.

Real-time experience in driving security best practices across the business, and in vulnerability assessment and penetration testing of web applications.

Experienced in implementing/creating application security architecture organization-wide, from scratch to a highly advanced level.

Ability to perform exhaustive security testing on an application written in any language.

Malware Analysis

Secure Source Code

Ability to train the Dev and QA teams in developing and testing web application security.

TECHNICAL SKILLS

Developed a Firefox add-on named “Counter” for displaying hidden elements of a web page, written in JS and the XUL language:

https://addons.mozilla.org/en-US/firefox/addon/counter/

Author of Books:
1. Java Secure Coding Practices (Available on Amazon)
2. Indepth Penetration Testing using BurpSuite Professional (Available on Amazon)

DAST Tools: IBM AppScan, Qualys, Acunetix, BurpSuite, Fiddler, W3af, AccessDiver

SAST Tools: CheckMarx, Fortify, FindBugs, PMD, OWASP SWAAT Project, VCG

Network Pentest: Metasploit, Nmap, Nessus, Wireshark

Security Attacks: XSS Attack, SQL Injection, Session Hijacking, URL Manipulation, Firebug DB Attack, CSRF Attack, Brute Force Attack, HTTP Parameter Pollution, DDoS Attack, Request-Response Manipulation, HTTP Response Splitting, Registry Key Manipulation, Cracking, Googling/Dorking, Man-in-the-Middle, SSLStrip

Vulnerability Reporting Tools: Jira, Pivotal, Bugzilla

Knowledge of Scripting Languages: VBScript, JavaScript, ActionScript 1.0, 2.0, 3.0

Knowledge of Programming Languages: C, C++, Java, Assembly Language

Markup Languages: XML, XUL

OS for Pen Testing: Kali Linux, BackTrack 5 R2, Linux, Windows 7, Vista, XP, NT

Server: Windows Server 2012

DB: Microsoft SQL Server 2008, MySQL


Achievements as a Hacker:

1. Received the Quarterly Star Performer of the Year award in 2016 at hCentive (current organization).
2. Received the Founders (Annual Star Performer) award in 2015 at hCentive (current organization).
3. Received appreciation from Accenture and the US state MA Cyber Intelligence team for reporting a vulnerability in session management in the Massachusetts healthcare solution.
4. Informed Amazon about a way to bypass the payment gateway.
5. Informed Flipkart about a way to bypass the payment gateway.
6. Informed HDFC Bank about a way to steal the credit card information of any user and bypass the OTP gateway.
7. Informed Idea Telecom about a privilege escalation vulnerability allowing the daily call details of any Idea user to be fetched.

PROFESSIONAL EXPERIENCE

hCentive Technology India Pvt. Ltd. (Healthcare Solutions) Sep 2012 – Till date

hCentive provides US-based healthcare solutions. hCentive is the first organization to build an exchange solution for OBAMACARE. hCentive has developed a deep understanding of the health insurance domain and has created solutions and services that align with federal and state regulations and meet or exceed all industry standards.

My Involvement: I have created/implemented the overall application security architecture at hCentive from scratch to its current advanced level. To date, no hacker has been able to hack the applications tested by me and my team. Currently there are 4 members in my team, and every appsec resource works as an individual contributor.

Project 1 – MA-HIX (Dec 2012 – Current)

Project Description – It is a health-insurance-exchange solution for the U.S. state of Massachusetts. This solution has four portals: Individual, Employer, Agent, with more than 10 types of Agent roles.

Project 2 – PHIX (Sep 2012 – Current)

Project Description – It is a broker-based health-insurance-exchange solution. This solution has four portals: Individual, Employer, Broker, Exchange Admin.

There are multiple other small projects that also contribute to hCentive's overall revenue, such as SSO, WFM, WEM, HIXSHOP, Aetna and WellPoint, which are in our targeted scope too.

Tools used –

Automated Security Testing (DAST): IBM AppScan

Manual Security Testing (MST): BurpSuite Pro

Static Application Security Testing (SAST): CheckMarx

Responsibilities:

• Testing for OWASP Top 10 vulnerabilities and OWASP Testing Guide v4 scenarios

• Recon and analysis of applications from a security perspective

• Performing penetration/security testing (SQL injection, URL manipulation, cookie attack, source code manipulation, brute force attack, vulnerability detection, XSS attack, CSRF, broken authentication)

• Executing the penetration suite at the application layer and the network layer as well

• Reporting vulnerabilities in JIRA and coordinating with developers to replicate them


Asvathaa Pvt. Ltd. (Pen Tester) April 2011 – August 2012

Asvathaa develops Facebook applications, web applications and Android mobile applications.

Project 1 – Android Application “Mobile Number Locator”

Project Description – This is an Android-based application. The user has to log in first; after login, they can enter any mobile number in the provided text field to get the location of that number.

Project 2 – Android Game “Super Monkey (New Zombie Dash)”

Project Description – This is an Android-based game. Super Monkey is a single-player action game in which the player must jump over and avoid obstacles while the character runs continually forward without control. The fun comes from dodging obstacles, sometimes with little to no notice, and from trying to beat high scores.

Tools used – Revenssis, Shark for Root, DroidSheep and Manual Security Attacks

Project 3 – Desktop Application BMS (Bulk Message Sender)

Project Description – This software is able to send bulk messages to thousands of different mobile numbers and email addresses.

Tools used – Process Monitor, EchoMirage, Wireshark, BurpSuite and Manual Security Attacks

Project 4 – Facebook Game “Karma Kingdom”

Project Description – This is a social app running on Facebook: a social community-based web game that only a registered Facebook user can play. The objective of the user is to select the different items shown on screen and build the city.

Tools used – Acunetix, Fiddler, WireShark and Manual Attacks for Security Testing

Pivotal for Bug Reporting/Tracking

Responsibilities:

• Analyze applications from a security perspective

• Perform security testing (SQL injection, URL manipulation, cookie attack, source code manipulation, brute force attack, vulnerability detection, XSS attack, packet sniffing)

• Reverse engineering

• File structure and stored-data-related pen tests

EDUCOSOFT (Security Tester) June 2010 – April 2011

Educo International Inc. (Educo International India Pvt. Ltd.) is a U.S.-based e-learning company that has been developing e-courses, e-quizzes and various other e-solutions since 1985.

Project 1 – www.educosoft.com

Project Description – The purpose of this website is to provide an e-learning solution to its registered members. Different types of registration processes are available on this website for higher studies, lower studies, parents and students. The e-learning content available on this website is developed in Flash.

Project 2 – Educo Learning Management system

Project Description – This is a system-based application in which a student can perform multiple activities such as MOPS (Multiple Options Practice Sheets), Practice Sheets, Quizzes, Homework, Math Expression Keypad, Test Grader and Online Test.

Tools used – AccessDiver, BurpSuite and Manual Attacks for Security Testing

Responsibilities:

• Analyze applications from a security perspective

• Perform security testing (SQL injection, URL manipulation, cookie attack, source code manipulation, brute force attack, vulnerability detection, XSS attack, packet sniffing)

• Finding the loopholes in the network layer and application layer

QUALIFICATIONS

CERTIFICATIONS:

CEH (CERT NO: ECC05914108572) with 91.2% marks
CHFI (CERT NO: ECC88646152389) with 84.6% marks
HIPAA Privacy and Security Certification with 100% marks
ISTQB Certification with 82.5% marks
AHIP Certification with 70% marks
Six Sigma White Belt Certification with 88.88% marks

PROFESSIONAL QUALIFICATION:

Completed B.Tech. in CSE (Computer Science and Engineering) with 70% in 2010 from the Faculty of Engineering and Technology, Agra College, Agra, affiliated to U.P. Technical University, Lucknow.

ACADEMIC QUALIFICATION:

Standard   Board        Session     Aggregate percentage
10th       U.P. Board   1999-2000   69
12th       U.P. Board   2002-2003   65

PERSONAL PROFILE:

Name: Shitesh Sachan
Father's Name: Mr. Raj Bahadur Sachan
Present Address: D1/179D, Sec-52, Noida (201301), UP, India
Permanent Address: MIG 55, Gujaini, Kanpur (208022), UP, India
Mobile: 9958184880
E-mail: [email protected]
Visa: USA B1/B2
DOB: 16-Dec-1985

Hobbies:

Ethical Hacking

Songs Creation

Music Composition

STRENGTHS:

Cracking

Reverse Engineering

Privilege Bypass

DECLARATION:

I hereby declare that all the information provided above is true to the best of my knowledge.

Place: Noida

(Shitesh Sachan)