Berezovskaya Anastasia

Information Security Engineer

For over three years, I have been deeply immersed in the field of security. I design processes, conduct research, and refine existing tools while developing my own. I am well-versed in common vulnerabilities and the strategies to mitigate them. I have a solid grasp of containerization principles and a keen interest in cryptography.

📌 Key Skills

SSDLC
Web Application Security
SAST
DAST/OAST
OSA/SCA
API Security
Vulnerability Management
Cryptography
Container Security
OWASP TOP 10

🛠 Technologies and Tools

  • Docker
  • Kubernetes
  • Burp Suite
  • nuclei
  • semgrep
  • git
  • SQL
  • PostgreSQL
  • Linux
  • KICS
  • trivy
  • Jira
  • CSS
  • cdxgen
  • HTML

👾 Programming Languages

Golang
Python
C/C++
TypeScript
Scala

👩🏻‍💻 Work Experience

Swordfish Security

DevSecOps Engineer, Research Department

🗓 11/2023 - 11/2024 (1 year)
📝 Building the architecture of DevSecOps practices, conducting research, improving existing security tools
  • Developed a service for automating complex authentication scenarios (SSO, multi-step authentication) in DAST scanning, eliminating the need for manual session updates and scanner restarts
  • Implemented a tool for analyzing function call chains in Android applications using the RTA algorithm, ensuring compliance with Central Bank requirements for mobile application audits
  • Designed an IaC static analysis process covering both popular (KICS, Trivy, Checkov) and lesser-known (IaCSec, Glitch, DeepIaC) solutions
  • Developed automated rule generation for the Nuclei scanner based on service specifications, integrating the tool into CI/CD for API testing
  • Conducted an analysis of external library reachability assessment methods in the evinse utility (part of cdxgen), proposing improvements for OSA and ASOC products, reducing dependency analysis time
  • Fine-tuned a SAST result evaluation model based on CVEFixes, increasing its accuracy by 12%
  • Prepared a comparative analysis of fuzzing tools for API security, testing solutions with different approaches (property-based, dictionary, mutation, AI)
  • Published 5+ articles on Habr about DevSecOps and contributed to the DevSecOps Wiki, improving knowledge accessibility in cybersecurity

OZON.ru

Junior Application Security Engineer, Product Security Department

🗓 08/2021 - 09/2023 (2 years)
📝 Automation of InfoSec Processes, Vulnerability Management, Optimization of Security Scanner Rules
  • Organized the company's vulnerability management process, automated its tracking at every stage, and developed a centralized dashboard with metrics, achieving OWASP SAMM Level 3 maturity
  • Developed an automated system for tracking ticket deadlines, including escalation and enforcement in case of delays, reducing overdue tickets by 80%
  • Designed and implemented security controls in CI/CD to prevent the deployment of new features with vulnerabilities before production release
  • Optimized Semgrep rules to align with the company's coding specifics, reducing false positives
  • Developed an integration of GitLab API with the SCA solution CodeScoring, increasing dependency analysis coverage to 90% of services
  • Regularly conducted service audits and participated in supporting Ozon's Bug Bounty program, providing security recommendations to development teams
  • Established an on-call process for audits and bug report analysis, ensuring request processing within an SLA of up to 5 days
  • Developed a one-time link service for secure password transmission, eliminating issues with restoring user access to the internal network
  • Contributed to the development of an integration for certificate management

🎓 Education

Bauman Moscow State Technical University (BMSTU)

PhD Student, Mathematical and Software Support for Computing Systems, Complexes, and Computer Networks

🗓 2024 - 2027

Bauman Moscow State Technical University (BMSTU)

Specialist, Computer Security, with Honors

🗓 2016 - 2022

📚 Useful Skills in Development

  • Understanding of network operations and network protocols
  • Expertise in computer science (algorithms and data structures)
  • Advanced mathematical background in cryptography (encryption algorithms, hashing, PKI)
  • Knowledge of containerization and virtualization