
Berezovskaya Anastasia
Information Security Engineer
For over three years, I have been deeply immersed in the field of security. I design processes, conduct research, and refine existing tools while developing my own. I am well-versed in common vulnerabilities and the strategies to mitigate them. I have a solid grasp of containerization principles and a keen interest in cryptography.
📌 Key Skills
SSDLC
Web Application Security
SAST
DAST/OAST
OSA/SCA
API Security
Vulnerability Management
Cryptography
Container Security
OWASP TOP 10
🛠 Technologies and Tools
- Docker
- Kubernetes
- Burp Suite
- nuclei
- semgrep
- git
- SQL
- PostgreSQL
- Linux
- KICS
- trivy
- Jira
- CSS
- cdxgen
- HTML
👾 Programming Languages
Golang
Python
C/C++
Typescript
Scala
👩🏻💻 Work Experience
Swordfish Security
DevSecOps Engineer, Research Department
🗓 11/2023 - 11/2024 (1 year)
📝 Building the architecture of DevSecOps practices, conducting research, improving existing security tools
- Developed a service for automating complex authentication scenarios (SSO, multi-step authentication) in DAST scanning, eliminating the need for manual session updates and scanner restarts
- Implemented a tool for analyzing function call chains in Android applications using the RTA algorithm, ensuring compliance with Central Bank requirements for mobile application audits
- Designed an IaC static analysis process covering both popular (KICS, Trivy, Checkov) and lesser-known (IaCSec, Glitch, DeepIaC) solutions
- Developed automated rule generation for the Nuclei scanner based on service specifications, integrating the tool into CI/CD for API testing
- Conducted an analysis of external library reachability assessment methods in the evinse utility (part of cdxgen), proposing improvements for OSA and ASOC products, reducing dependency analysis time
- Fine-tuned a SAST result evaluation model based on CVEFixes, increasing its accuracy by 12%
- Prepared a comparative analysis of fuzzing tools for API security, testing solutions with different approaches (property-based, dictionary, mutation, AI)
- Published 5+ articles on Habr about DevSecOps and contributed to the DevSecOps Wiki, improving knowledge accessibility in cybersecurity
OZON.ru
Junior Application Security Engineer, Product Security Department
🗓 08/2021 - 09/2023 (2 years)
📝 Automation of InfoSec processes, vulnerability management, optimization of security scanner rules
- Organized the company's vulnerability management process, automated its tracking at every stage, and developed a centralized dashboard with metrics, achieving OWASP SAMM Level 3 maturity
- Developed an automated system for tracking ticket deadlines, including escalation and enforcement in case of delays, reducing overdue tickets by 80%
- Designed and implemented security controls in CI/CD to prevent the deployment of new features with vulnerabilities before production release
- Optimized Semgrep rules to align with the company's coding specifics, reducing false positives
- Developed an integration of GitLab API with the SCA solution CodeScoring, increasing dependency analysis coverage to 90% of services
- Regularly conducted service audits and participated in supporting Ozon's Bug Bounty program, providing security recommendations to development teams
- Established an on-call process for audits and bug report analysis, ensuring request processing within an SLA of up to 5 days
- Developed a one-time link service for secure password transmission, eliminating issues with restoring user access to the internal network
- Contributed to the development of an integration for certificate management
🎓 Education
Bauman Moscow State Technical University (BMSTU)
PhD Student, Mathematical and Software Support for Computing Systems, Complexes, and Computer Networks
🗓 2024 - 2027
Bauman Moscow State Technical University (BMSTU)
Specialist, Computer Security, with Honors
🗓 2016 - 2022
📚 Useful Skills in Development
- Understanding of network operations and network protocols
- Expertise in computer science (algorithms and data structures)
- Advanced mathematical background in cryptography (encryption algorithms, hashing, PKI)
- Knowledge in containerization and virtualization