BALAJI D
CEH v12 | EC-Council
Information Security Engineer (Application Security, VAPT)
Mob: - Email:-
Overview:
➔ Certified Ethical Hacker with 1.5 years of experience as a freelancer in Web Application
Security, focusing on Vulnerability Assessment and Penetration Testing (VAPT), DAST,
OWASP Top 10, Security Hardening, and REST API Security. Skilled in identifying and
reporting security flaws and helping teams implement effective remediation.
Skill Summary:
➔ Conducted in-depth web application penetration testing using Burp Suite to identify
security weaknesses and logic flaws.
➔ Specialized in detecting and exploiting OWASP Top 10 vulnerabilities, including SQL
Injection (SQLi), Cross-Site Scripting (XSS), and Broken Authentication.
➔ Performed manual and automated testing to simulate real-world attack scenarios on web
applications.
➔ Used tools like Burp Suite Intruder, Repeater, and Scanner to intercept and manipulate
HTTP/HTTPS traffic for vulnerability analysis.
➔ Worked closely with developers and DevOps teams to deliver actionable remediation
guidance and validate security fixes.
➔ Improved the overall security posture of applications by proactively identifying high-risk
flaws before production release.
➔ Conducted thorough vulnerability assessments on web applications and APIs using a
combination of manual techniques and automated tools (e.g., Burp Suite, OWASP ZAP,
Nmap).
➔ Identified and validated critical security vulnerabilities, including those aligned with
OWASP Top 10, using structured testing methodologies.
➔ Delivered comprehensive security reports detailing risk severity, CVSS scoring,
technical impact, exploitability, and prioritized remediation steps.
➔ Documented clear and actionable findings tailored for both technical teams and
non-technical stakeholders, enhancing client understanding and response readiness.
➔ Provided risk-based recommendations to align remediation efforts with business impact
and compliance requirements.
➔ Continuously refined testing approaches based on evolving threat landscapes, client
feedback, and industry best practices.
➔ Assessed system and application configurations to identify security misconfigurations and
compliance gaps.
➔ Applied hardening techniques based on Center for Internet Security, OWASP, and other
industry best practices.
➔ Reduced attack surface by disabling unused services, ports, and insecure default settings.
➔ Recommended and implemented secure communication protocols (e.g., SSH, TLS) and
disabled legacy/insecure protocols.
➔ Suggested and enforced access control mechanisms, including least privilege policies,
role-based access, and strong authentication settings.
➔ Enhanced system security posture through baseline configuration audits and ongoing policy
adjustments.
➔ Developed professional-grade security assessment reports with clear technical summaries,
impact analysis, and CVSS-based risk ratings.
➔ Created detailed proof-of-concepts (PoCs), including annotated screenshots and
step-by-step reproduction instructions to validate findings.
➔ Provided remediation guidance tailored to the target environment, improving developer
response time and reducing recurring vulnerabilities.
➔ Delivered reports structured for both technical teams and non-technical stakeholders,
ensuring clarity, business relevance, and actionable outcomes.
Professional Summary:
➔ 1.5+ years of freelancing hands-on experience in Application Security, Web
Application Penetration Testing, and Vulnerability Assessment (VAPT).
➔ Proficient in identifying and exploiting OWASP Top 10 vulnerabilities in web
applications and REST APIs.
➔ Skilled in using tools like Burp Suite, OWASP ZAP, Nmap, Nessus, sqlmap, and
Metasploit for both manual and automated testing.
➔ Conducted DAST (Dynamic Application Security Testing) to uncover real-time
application vulnerabilities.
➔ Performed network scanning and service enumeration using Nmap to assess
infrastructure-level risks.
➔ Delivered professional security assessment reports with detailed PoCs, CVSS scoring,
screenshots, and remediation instructions.
➔ Knowledge in REST API security testing, identifying issues like IDOR (insecure direct
object reference) and insecure authentication.
➔ Collaborated with cross-functional teams to integrate security into the Secure Software
Development Life Cycle (SDLC).
➔ Strong documentation, reporting, and communication skills with the ability to explain
findings to both technical and non-technical stakeholders.
➔ Committed to continuous learning and staying updated on the latest cybersecurity trends
and tools.
Tools Used:
➔ Burp Suite Professional / OWASP ZAP
Conducted DAST for web applications to identify OWASP Top 10 vulnerabilities such as
XSS, SQLi, and Broken Authentication. Used Intruder, Repeater, and Scanner modules
for thorough analysis.
➔ Tenable Nessus
Performed vulnerability assessments of infrastructure and servers; generated risk-based
reports with CVSS scores and collaborated with teams for patch management.
➔ Sqlmap
Utilized Sqlmap for detecting and exploiting SQL injection vulnerabilities in live
applications and validating backend database exposures.
➔ Metasploit Framework
Simulated real-world attack scenarios by exploiting known vulnerabilities; used auxiliary
modules for post-exploitation and privilege escalation.
➔ Hydra
Conducted brute-force testing on authentication mechanisms (FTP, SSH, HTTP login
forms) to evaluate password strength and enforce account security.
➔ Nmap
Executed advanced network scans for port discovery, OS detection, and service
enumeration during initial recon and network-level assessments.
➔ OSINT Frameworks
Leveraged open-source intelligence tools to gather publicly available data for
reconnaissance and profiling targets during penetration tests.
➔ Kali Linux
Knowledge of using Kali Linux distributions for VAPT, including hands-on with tools
like Nikto, Dirb, DNSenum, and custom scripts for automation.
Certifications:
➔ Certified Ethical Hacker (CEH) v12 – EC-Council
Issued: Mar 2024 | Valid Until: Apr 2027
➔ Pursuing ISC2 Certified in Cybersecurity (CC)
Actively completing all domain modules; currently in progress
➔ Application Security Training Certificate – NullClass
Completed hands-on VAPT internship and real-world assessment labs
Academic Details:
➔ Master of Computer Applications (MCA)
Sri Venkateswara University
Year of Completion: 2022