Vansh Devgan, Developer in Delhi, India
Vansh is available for hire
Hire Vansh

Vansh Devgan

Verified Expert  in Engineering

Security Engineer and Developer

Location
Delhi, India
Toptal Member Since
October 19, 2022

Vansh is an independent security researcher who has been actively working in cybersecurity for the last three years. He has worked with multiple big organizations like Microsoft, Google, Apple, Udemy, and NordVPN to help them discover vulnerabilities in their web applications. He has helped 150+ companies to secure their infrastructure through bug bounty or penetration testing. Vansh is also a full-stack developer and specializes in scripting and web scraping.

Portfolio

Yahoo!
Threat Modeling, Penetration Testing, Cloud Security, Source Code Review...
Novelship
JavaScript, Node.js, MERN Stack, React, Express.js, PostgreSQL, Docker...
CyberXplore Pvt
Application Security, GitHub, DevOps, DevSecOps, Software Architecture...

Experience

Availability

Full-time

Preferred Environment

Ubuntu Linux, Windows, MacOS, Visual Studio Code (VS Code), Burp Suite, Metasploit, NMap, Kali Linux, Slack, Amazon Web Services (AWS), Security Testing, Mobile Security, Intrusion Detection Systems (IDS), Kubernetes, Rekono, Managed Security Service Providers (MSSP), Information Security

The most amazing...

...vulnerability I've found is in the Microsoft Edge browser, for which I got rewarded with a bounty of $20,000.

Work Experience

Product Security Engineer | Threat Modeling Expert

2023 - 2023
Yahoo!
  • Contributed to the company by manually reviewing source code for their applications, offering constructive feedback for continuous improvement across the codebase.
  • Aided the company in performing threat modeling for diverse new features, collaborating with the product team to enhance comprehension and prioritize potential threats.
  • Assisted in coordinating dynamic penetration testing and software composition analysis (SCA) for newly introduced features and products at Yahoo.
Technologies: Threat Modeling, Penetration Testing, Cloud Security, Source Code Review, Cybersecurity, Security, IT Security, Architecture, Dynamic Analysis, Go, Java, Python, JavaScript, Amazon Web Services (AWS), Google Cloud, Checkmarx, SSL, HTTPS, Transport Layer Security (TLS), Managed Security Service Providers (MSSP), Information Security, Certified Ethical Hacker (CEH), Threat Intelligence, Azure Cloud Services

Product Security Engineer

2021 - 2022
Novelship
  • Integrated multiple payment gateways into a web application and performed security assessments.
  • Performed multiple security operations on assets, including source code review and internal penetration testing.
  • Searched for misconfigurations in AWS and other cloud applications as part of a cloud security assessment.
  • Implemented and managed single sign-on (SSO) solutions (Okta) successfully, streamlining user access and enhancing security.
Technologies: JavaScript, Node.js, MERN Stack, React, Express.js, PostgreSQL, Docker, Python 3, Burp Suite, Heroku, Ubuntu, IT Security, Security, Consulting, ISO 27001, Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), Python, Linux, CSS, HTML, Windows, Risk Assessment, Vulnerability Assessment, NIST, Google Cloud Platform (GCP), Authentication, Vulnerability Identification, APIs, DevOps, DevSecOps, Containers, Windows Server, SSL Certificates, SecOps, Data-level Security, Compliance, GDPR, Architecture, Data Protection, Amazon Web Services (AWS), Cloud Security, CISSP, MySQL, PHP, Security Management, SonarQube, Azure Active Directory, Technical Writing, Security Policies & Procedures, Azure, WAS, Web Security, WordPress, Web Architecture, Data Security, SOC 2, Amazon S3 (AWS S3), Security Architecture, Identity & Access Management (IAM), CI/CD Pipelines, AWS SDK, SIEM, Intrusion Prevention Systems (IPS), Mobile Security, System Administration, Java Security, Firebase, DDoS, Intrusion Detection Systems (IDS), JumpCloud, Database Security, OAuth, Gmail API, Jenkins, Terraform, Infrastructure as Code (IaC), Dynamic Analysis, Google Cloud, Cloudflare, Laravel Forge, Antivirus Software, IDS/IPS, Monitoring, Web App Security, ASP.NET, OWASP, OWASP Top 10, CISO, Group Policy, Governance, IT Governance, Data Governance, Security Engineering, Checkmarx, Computer Security, Algorithms, Okta, Kubernetes, Security Audits, React Native, Microsoft 365, PCI, Google Workspace, Azure DevOps, Grafana, Gobuster, OWASP Zed Attack Proxy (ZAP), Rekono, Cybersecurity, CAPTCHA, Fraud Prevention, Data Loss Prevention (DLP), SSL, HTTPS, Transport Layer Security (TLS), Managed Security Service Providers (MSSP), Information Security, Certified Ethical Hacker (CEH), Threat Intelligence, Azure Cloud Services, Release Management

Product Security Engineer

2020 - 2022
CyberXplore Pvt
  • Implemented secure solutions over AWS, integrating past, DAST, and hardcoded credentials checks over GitHub.
  • Collaborated closely with a small team of developers to implement new features and improve the overall security of the product.
  • Conducted audits of vulnerability assessment and penetration testing (VAPT) performed by several clients and helped them build a more robust security profile and team.
  • Gained significant experience detecting and fixing identity and single sign-on (SSO) issues, including those with Okta. I partnered with multiple companies to establish robust SSO solutions, enhancing their infrastructure security.
Technologies: Application Security, GitHub, DevOps, DevSecOps, Software Architecture, Risk Management, Threat Modeling, Vulnerability Assessment, NIST, Google Cloud Platform (GCP), Authentication, Vulnerability Identification, APIs, Cloud, Containers, Windows Server, SSL Certificates, SecOps, Data-level Security, Compliance, GDPR, Architecture, Data Protection, Amazon Web Services (AWS), Cloud Security, MySQL, PHP, Security Management, SonarQube, Azure Active Directory, Technical Writing, Security Policies & Procedures, Azure, WAS, Python, Web Security, WordPress, Web Architecture, Data Security, SOC 2, Amazon S3 (AWS S3), Security Architecture, Identity & Access Management (IAM), CI/CD Pipelines, AWS SDK, Docker, SIEM, Intrusion Prevention Systems (IPS), Mobile Security, System Administration, Java Security, Firebase, DDoS, Java, JumpCloud, Database Security, OAuth, Gmail API, Jenkins, Terraform, Infrastructure as Code (IaC), Dynamic Analysis, Google Cloud, Cloudflare, Laravel, Ubuntu, Antivirus Software, IDS/IPS, Monitoring, Web App Security, ASP.NET, OWASP, OWASP Top 10, CISO, Group Policy, Governance, IT Governance, Data Governance, Security Engineering, Checkmarx, Computer Security, Algorithms, Okta, Kubernetes, Security Audits, React Native, Microsoft 365, PCI, Google Workspace, Azure DevOps, Grafana, Gobuster, OWASP Zed Attack Proxy (ZAP), Rekono, Cybersecurity, CAPTCHA, Fraud Prevention, Data Loss Prevention (DLP), SSL, HTTPS, Transport Layer Security (TLS), Managed Security Service Providers (MSSP), Information Security, Certified Ethical Hacker (CEH), Threat Intelligence, Azure Cloud Services, Release Management

Synack Red Teamer

2020 - 2022
Synack
  • Reported numerous critical vulnerabilities to clients to help secure their infrastructures.
  • Assisted in verifying multiple patches for bug fixes.
  • Contributed to missions to support some standard security tests requested by clients.
  • Helped companies find misconfigurations in their Okta setup and helped them fix them for the proper security of their projects.
Technologies: Cybersecurity, Burp Suite, Ethical Hacking, Web Security, Penetration Testing, IT Security, Security, LDAP, Consulting, ISO 27001, Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), Security Testing, Certified Ethical Hacker (CEH), IoT Security, Python, Linux, Scripting, Windows, Risk Assessment, Vulnerability Assessment, NIST, Authentication, Vulnerability Identification, APIs, Cloud, DevOps, DevSecOps, Containers, Windows Server, SSL Certificates, SecOps, Data-level Security, Compliance, GDPR, Architecture, Data Protection, Amazon Web Services (AWS), Cloud Security, MySQL, PHP, Security Management, SonarQube, Azure Active Directory, Technical Writing, Security Policies & Procedures, Azure, WAS, WordPress, Web Architecture, SOC 2, Amazon S3 (AWS S3), Security Architecture, Identity & Access Management (IAM), CI/CD Pipelines, AWS SDK, Docker, SIEM, Intrusion Prevention Systems (IPS), Mobile Security, System Administration, Java Security, Firebase, DDoS, Java, Intrusion Detection Systems (IDS), JumpCloud, Database Security, Jenkins, Terraform, Infrastructure as Code (IaC), Dynamic Analysis, Google Cloud, Cloudflare, Ubuntu, Antivirus Software, IDS/IPS, Monitoring, Web App Security, ASP.NET, OWASP, OWASP Top 10, Governance, IT Governance, Data Governance, Security Engineering, Checkmarx, Computer Security, React Native, Google Workspace, Azure DevOps, Grafana, Gobuster, OWASP Zed Attack Proxy (ZAP), Rekono, CAPTCHA, Data Loss Prevention (DLP), Transport Layer Security (TLS), Managed Security Service Providers (MSSP), Information Security, Threat Intelligence, Release Management

CTF Player and Bug Bounty Researcher

2018 - 2022
Self-employed
  • Assisted multiple big clients, including Microsoft, Google, and Apple, to identify security issues in their web application assets, getting rewarded by them with massive bounties.
  • Obtained top hacker badges at various companies on HackerOne, including NordVPN, Pluralsight, and Teachable.
  • Participated in, conducted, and won many capture-the-flag (CTF) events and reached the top 15 of the national CTF event organized by Cisco SecCon CTF.
Technologies: Application Security, Applications, Vulnerability Assessment, Authentication, Vulnerability Identification, APIs, Data-level Security, Compliance, MySQL, PHP, Security Management, SonarQube, Python, Web Security, Data Security, Security Architecture, AWS SDK, Mobile Security, DDoS, Java, Infrastructure as Code (IaC), Dynamic Analysis, Ubuntu, Antivirus Software, IDS/IPS, Monitoring, OWASP, CISO, Okta, Google Workspace, Information Security

Penetration Tester

2021 - 2021
Plug&paid
  • Identified multiple race condition vulnerabilities in their web application which led to financial loss to the company, and helped them with possible mitigation for the problem.
  • Discovered an API leaking their AWS access key and secret key, giving an attacker complete control of their cloud infrastructure, and helped them migrate the issue, impacting their availability by 100%.
  • Assisted their team with consulting on security features implementation to prevent race conditions and brute-force attacks on critical functionalities provided as a part of the web applications.
Technologies: Applications, Application Security, Burp Suite, AWS DevOps, Amazon Web Services (AWS), Code Review, Consulting, Risk Assessment, Software Architecture, Risk Management, Threat Modeling, Vulnerability Assessment, NIST, Authentication, Vulnerability Identification, APIs, MySQL, PHP, Security Management, SonarQube, Python, Web Security, WordPress, Web Architecture, Data Security, SOC 2, Docker, Mobile Security, Java, Database Security, Google Cloud Platform (GCP), OAuth, Gmail API, Dynamic Analysis, OWASP, Compliance, CISO, Google Workspace, Cybersecurity, Managed Security Service Providers (MSSP), Information Security

Penetration Tester

2020 - 2020
Renderforest
  • Assisted as a product security engineer, helping them identify potential vulnerabilities in their web application APIs from a black-box perspective.
  • Consulted their developer's team on how to write good fixes for vulnerabilities found and gave some insights about how to write secure code and always sanitize inputs.
  • Helped integrate SAST and DAST into their CI/CD pipeline, working over AWS as a part of their DevSecOps.
Technologies: Application Security, Applications, Amazon Web Services (AWS), AWS DevOps, Burp Suite, Code Review, CompTIA, Consulting, Risk Assessment, Software Architecture, Risk Management, Threat Modeling, Vulnerability Assessment, Authentication, Vulnerability Identification, APIs, MySQL, PHP, Security Management, SonarQube, Web Security, WordPress, Web Architecture, Data Security, SOC 2, Mobile Security, Database Security, Google Cloud Platform (GCP), OAuth, Gmail API, Dynamic Analysis, OWASP, Cybersecurity, Managed Security Service Providers (MSSP), Information Security

Attack Surface Management Project

Developed a cyber security attack surface management project. It was similar to an SaaS product where user can input a domain or list of websites which are needed to test for security flaws or discovering an attack surface of an organization. I ran multiple microservices over AWS to perform the task over them and store the data in a database. I also generated a PDF report from it.

Subdomain Enumeration at Scale

This project involved building a script that takes a list of subdomains, performs subdomain enumeration on the scale for them, and then tries to monitor them continuously for some vulnerabilities through Nuclei.

Web Scraping For eCommerce Platform

I created an Amazon API Gateway for a company I worked with to scrape data from one of the sites, process the scraped data, and store the results in databases. This scraping was automated up to an extent like a cron job which runs daily as a part of the web application and feeds the data as an output to databases used by the application.

Mass Vulnerability Reporting

I developed a Python script to fingerprint certain types of third-party services over two million subdomains and check for misconfigurations over them. If the misconfiguration exists, the system processes its report template and saves the report as a draft to submit to the program over HackerOne or Bugcrowd.

Languages

Python 3, Python, CSS, HTML, PHP, JavaScript, Bash, Java, Go

Frameworks

ASP.NET, React Native, Express.js, Laravel, Next.js

Libraries/APIs

Node.js, React, Java Security, Gmail API

Tools

Slack, SonarQube, AWS SDK, Checkmarx, OWASP Zed Attack Proxy (ZAP), Metasploit, NMap, AWS ELB, Grafana, GitHub, Jenkins, Terraform

Paradigms

Penetration Testing, DevSecOps, Web Architecture, DDoS, DevOps, Azure DevOps

Platforms

Windows, Burp Suite, Docker, Google Cloud Platform (GCP), Amazon Web Services (AWS), Azure, WordPress, Visual Studio Code (VS Code), Kubernetes, Ubuntu Linux, MacOS, Kali Linux, Heroku, Linux, Windows Server, Firebase, Ubuntu, Web

Industry Expertise

Cybersecurity

Storage

MySQL, Azure Active Directory, Database Security, MongoDB, Docker Cloud, Amazon S3 (AWS S3), Azure Cloud Services, PostgreSQL, Google Cloud

Other

MERN Stack, Ethical Hacking, Web Security, IT Security, Security, ISO 27001, Security Testing, Certified Ethical Hacker (CEH), Software Architecture, Vulnerability Assessment, Authentication, Vulnerability Identification, APIs, SecOps, Compliance, Architecture, Security Management, Technical Writing, Security Policies & Procedures, Data Security, SOC 2, Mobile Security, System Administration, Dynamic Analysis, Antivirus Software, Security Engineering, Computer Security, Security Audits, Google Workspace, Gobuster, Rekono, SSL, HTTPS, Transport Layer Security (TLS), Managed Security Service Providers (MSSP), Information Security, Threat Intelligence, Source Code Review, Employee Training, Secure Web Development, CompTIA, AWS DevOps, DevOps Engineer, Web Development, Application Security, Dynamic Application Security Testing (DAST), Code Review, Consulting, Static Application Security Testing (SAST), Scripting, Risk Assessment, Risk Management, Threat Modeling, NIST, Containers, SSL Certificates, Data-level Security, GDPR, Data Protection, Cloud Security, WAS, Security Architecture, Identity & Access Management (IAM), CI/CD Pipelines, SIEM, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), JumpCloud, OAuth, Infrastructure as Code (IaC), Cloudflare, IDS/IPS, Monitoring, OWASP, OWASP Top 10, CISO, Group Policy, Governance, IT Governance, Data Governance, Algorithms, Okta, Microsoft 365, PCI, Malware Removal, CAPTCHA, Fraud Prevention, Data Loss Prevention (DLP), Release Management, Web App Security, LDAP, IoT Security, Applications, Cloud, CISSP, CRTP, Laravel Forge

JULY 2023 - PRESENT

OffSec Certified Professional (OSCP)

OffSec

APRIL 2023 - PRESENT

Certified Red Team Professional

Altered Security

APRIL 2022 - PRESENT

CompTIA PenTest+

CompTIA

Collaboration That Works

How to Work with Toptal

Toptal matches you directly with global industry experts from our network in hours—not weeks or months.

1

Share your needs

Discuss your requirements and refine your scope in a call with a Toptal domain expert.
2

Choose your talent

Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.
3

Start your risk-free talent trial

Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.

Top talent is in high demand.

Start hiring