Category: Security & DevOps

  • 2024 Capris Security Assessment

    Scope: Client-Side Infrastructure Security Review & Remediation

    Summary: I was engaged by a client to independently validate and expand upon a vulnerability assessment report previously conducted by a third-party contractor. The report focused on seven interconnected web applications, each with unique objectives and security profiles critical to the client’s infrastructure.

    Tasks:

    • Review the original vulnerability assessment report
    • Validate findings and assess accuracy
    • Conduct a deeper, independent security audit
    • Identify overlooked vulnerabilities
    • Develop and execute a comprehensive remediation plan
    • Coordinate with the original assessment team for final verification

    Actions:

    While the third-party report covered surface-level issues, it missed a dozen+ critical vulnerabilities—primarily due to a lack of familiarity with the underlying CMS technologies (primarily WordPress) and custom application logic. For example:

    • No enumeration or assessment of vulnerable WordPress plugins
    • No review of insecure custom logic and business workflows
    • Lack of testing around access control and input sanitization

    Additionally, I worked directly with the business's internal teams over a multi-week engagement, performing actions like:

    • Manually validated each finding from the original report and expanded coverage with my own black-box and white-box testing
    • Conducted a CMS-aware audit, discovering misconfigurations, outdated components, and plugin vulnerabilities
    • Reverse-engineered custom application flows to uncover logic flaws and insecure implementations
    • Created a prioritized remediation gameplan, balancing business risk and development effort
    • Remediated vulnerabilities directly by patching code, hardening server configurations, and removing insecure plugins
    • Worked with the original assessment vendor to verify that all issues had been mitigated to their satisfaction

    Results:

    All sites were successfully hardened, patched, and revalidated, improving the client’s security posture significantly. This engagement emphasized my ability to critically evaluate third-party assessments, identify gaps, and provide end-to-end remediation and coordination with multiple stakeholders. The third-party security auditing team confirmed and validated the remediation and controls I implemented, concluding the engagement.

  • 2023 Ultimay Security Assessment

    Application Penetration Testing & Remediation Guidance for a SaaS Platform

    Category: B2B SaaS (Project & Client Management for Marketing/Software Agencies)
    Stack: Debian, Apache, PHP (Laravel), JavaScript (Angular), Python Microservices

    I was brought in by the Ultimay engineering leadership to perform a targeted security assessment of their flagship SaaS platform, which supports project management workflows across multiple roles—Owner, Manager, Developer, and Customer.

    🎯 Scope of Engagement:

    • Full-scope authenticated web application pentest
    • Coverage of multi-role permission testing and custom file handling logic
    • Direct collaboration with the internal development team to review security architecture and advise on remediation
    • Bonus input into feature architecture for safer future implementations

    🛠️ Tools & Methodology:

    I performed a thorough black-box and authenticated assessment using:

    • nmap for port and service enumeration
    • OpenVAS for infrastructure-level vulnerability scanning
    • Burp Suite for proxy-based web testing and XSS/IDOR exploitation
    • Nikto and Dirb for directory traversal and server misconfiguration discovery
    • Custom multi-user testing scripts to simulate role-based access control abuse scenarios

    🚨 Key Findings:

    I discovered multiple high-impact vulnerabilities, including:

    • Stored Cross-Site Scripting (XSS) across project notes and comment interfaces, allowing persistent JavaScript injection and potential session hijacking via stolen cookies
    • Insecure Direct Object References (IDORs) enabling cross-account access to documents, client notes, and internal timelines by manipulating resource identifiers
    • Remote Code Execution (RCE) via a race condition in the file upload and zip handler, where a malicious PHP payload could be temporarily executed before sanitization logic was applied

    🤝 Outcome:

    I worked hands-on with the internal engineering team to:

    • Reproduce and patch all identified issues with proper input validation, session scoping, and secure file handling
    • Build unit tests and regression logic to prevent future reintroduction of similar bugs
    • Advise on secure-by-design principles for upcoming features in their roadmap

    This engagement demonstrated my ability to combine deep application security knowledge with collaborative engineering processes, ensuring that Ultimay could ship safer code with confidence.

  • 2022 DormMom Security Engineering

    Scope: Python Test Automation & High-Impact Security Vulnerability Discovery

    Summary: I was initially brought in by DormMom to build comprehensive Selenium-based test units for their CI/CD pipeline. This testing suite focused on validating role-specific functionality across multiple user types, including end users, managers, and franchise owners.

    My relationship with the client expanded after I proactively identified and reported a critical bug during testing—leading to a formal security testing engagement that uncovered multiple high-severity vulnerabilities.


    Tasks:

    • Design and implement automated UI test coverage for key features
    • Ensure stable, role-aware test logic for Franchise, Manager, and User workflows
    • Proactively identify bugs or gaps in the frontend/backend interface
    • Scope and execute a targeted security assessment of the user portal
    • Report vulnerabilities with technical recommendations

    Actions:

    • Wrote dozens of Python Selenium test units, validated across multiple roles and edge cases
    • Delivered automated coverage for onboarding flows, franchise management, and user profile handling
    • Identified a serious bug in the user profile logic and initiated security testing scope
    • Manually tested frontend inputs and network behavior to uncover IDOR logic flaws
    • Documented and disclosed vulnerabilities with annotated screenshots and impact analysis
    • Delivered practical, low-friction security recommendations aligned with DormMom’s architecture

    Through manual security testing and code behavior analysis, I uncovered two Broken Access Control vulnerabilities (IDOR) with significant impact:

    1. Full Account Takeover via Hidden Input Tampering
      • A hidden form field containing the user ID could be manipulated to modify the email of any account.
      • This allowed an attacker to trigger a password reset and gain full access to victim accounts.
      • OWASP Category: Broken Access Control → Insecure Direct Object Reference (IDOR)
    2. Lateral User Data Manipulation via ID-based Input/OnClick Handlers
      • Multiple frontend features improperly exposed database user IDs via onclick handlers and input value fields.
      • This allowed users to update or overwrite data associated with other users of similar privilege (agents, clients).
      • Affected features included phone number updates, special instructions, and widget configuration.

    Results:

    • The owner commended my test coverage and code quality, and welcomed the security audit findings
    • Both vulnerabilities were acknowledged and prioritized for remediation
    • I provided a secure session-based handling recommendation, helping DormMom move toward proper role isolation and access control
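    The two IDOR patterns described in the findings above, and the session-based handling recommended for them, as an added illustration that is not DormMom's code. It is plain Python with no web framework: the `session` dict stands in for server-side session state, `form` for the parsed POST body, and the in-memory dicts returned by `make_accounts()` for the database. All account data is constructed. Each handler is shown in its vulnerable form beside a hardened form, and the two `simulate_*` helpers are the kind of regression check a test suite would keep so the flaw cannot be reintroduced.

```python
"""Hidden-field and record-id IDORs: vulnerable handlers beside session-scoped ones.

Added example; assumes an in-memory store and a trusted server-side session dict.
"""
import re
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the authenticated session may not act on the requested record."""


@dataclass
class User:
    id: int
    email: str


@dataclass
class ClientRecord:
    id: int
    owner_id: int   # agent who owns this client record
    phone: str


def make_accounts():
    """Constructed sample data: two agents and one client record owned by Alice (id 1)."""
    users = {1: User(1, "alice@example.com"), 2: User(2, "bob@example.com")}
    clients = {10: ClientRecord(10, owner_id=1, phone="555-0100")}
    return users, clients


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_email(value):
    if not EMAIL_RE.match(value):
        raise ValueError("invalid email address")
    return value


# Finding 1: hidden input tampering on the profile form.
def update_email_vulnerable(users, session, form):
    """Trusts the hidden user_id field, so any logged-in user can retarget the write."""
    target = users[int(form["user_id"])]
    target.email = form["email"]
    return target


def update_email_hardened(users, session, form):
    """Identity comes only from the session; a mismatching client-supplied id is rejected."""
    uid = session["user_id"]
    if "user_id" in form and int(form["user_id"]) != uid:
        # Worth logging: a mismatch here is a tampered request, not a user mistake.
        raise Forbidden(f"form user_id {form['user_id']} does not match session user {uid}")
    target = users[uid]
    target.email = validate_email(form["email"])
    return target


# Finding 2: lateral manipulation through record ids exposed in onclick handlers.
def update_phone_vulnerable(clients, session, form):
    """Looks up the record by the client-supplied id and writes without an ownership check."""
    rec = clients[int(form["client_id"])]
    rec.phone = form["phone"]
    return rec


def update_phone_hardened(clients, session, form):
    """Record ids may stay in the UI; the server must verify the session user owns the record."""
    rec = clients.get(int(form["client_id"]))
    if rec is None or rec.owner_id != session["user_id"]:
        # Same outcome for missing and foreign records, so the response does not confirm ids.
        raise Forbidden("record not found or not owned by the session user")
    rec.phone = form["phone"]
    return rec


def simulate_email_tamper(handler):
    """Regression check: Bob (id 2) submits the form with hidden user_id rewritten to 1.
    Returns Alice's email afterwards; it must be unchanged for a safe handler."""
    users, _ = make_accounts()
    try:
        handler(users, {"user_id": 2}, {"user_id": "1", "email": "attacker@example.com"})
    except Forbidden:
        pass
    return users[1].email


def simulate_phone_tamper(handler):
    """Regression check: Bob (id 2) posts a phone update for record 10, which Alice owns.
    Returns that record's phone afterwards; it must be unchanged for a safe handler."""
    _, clients = make_accounts()
    try:
        handler(clients, {"user_id": 2}, {"client_id": "10", "phone": "555-0199"})
    except Forbidden:
        pass
    return clients[10].phone


if __name__ == "__main__":
    for label, h in (("vulnerable", update_email_vulnerable), ("hardened", update_email_hardened)):
        print(f"email handler ({label}): alice's email is now {simulate_email_tamper(h)}")
    for label, h in (("vulnerable", update_phone_vulnerable), ("hardened", update_phone_hardened)):
        print(f"phone handler ({label}): record 10 phone is now {simulate_phone_tamper(h)}")
```

    The design point is the same for both findings: the client may carry identifiers for convenience, but the server derives the acting user from the session and checks that the targeted record belongs to that user before writing. The hardened phone handler deliberately returns the same error for a missing record and for someone else's record, so a probe cannot use the response to learn which ids exist.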

    This engagement showcases my ability to move fluidly between automated QA, security testing, and secure coding consultation—delivering tangible value and trust across the software development lifecycle.