Cyber Security Engineer - Deloitte [Cyber Risk]
[Jun 2017 - Present]
About
Found security issues that prevented the leak of personal information belonging to 100 million+ people. I specialize in finding vulnerabilities in web and mobile applications and IT infrastructure, and in consulting on why, how, and when to fix them.
Featured
Personal info of Akasa Air's passengers leaked, airline informs CERT-In
India shipping logistics giant Shipyaari exposed customer data
Coinbase: Celebrating 10 Years of our Bug Bounty Program
Blogs
How I Received 3 CVEs for finding vulnerabilities in Quick Heal Total Security
Crypto-Mining Marketplace NiceHash Fixed a Vulnerability Which Leaked Miners’ Information
This Vulnerability in phpMyAdmin Lets An Attacker Perform DROP TABLE With A Single Click!
Acknowledgements, CVEs
- Found a critical session management issue in Rapid7 Nexpose (also affecting InsightVM) (CVE-2019-5638, CVE-2019-5640, CVE-2019-5641, and CVE-2021-3844 assigned)
- Reported security issues in Quick Heal Total Security, an antivirus product (CVE-2020-27585, CVE-2020-27586, CVE-2020-27587 assigned)
- Reported an authorization vulnerability and other bugs in the cryptocurrency mining software NiceHash Miner (CVE-2019-6120, CVE-2019-6121, CVE-2019-6122 assigned)
- Found a CSRF in phpMyAdmin, submitted an exploit for it on Exploit-DB, and was featured in prominent InfoSec outlets such as The Hacker News and SecurityWeek (CVE-2017-1000499 assigned)
- Received a total of 2+ million award miles from United Airlines for finding security issues
- Acknowledged by Google, Apple, Rapid7, FireEye, United Nations, Govt of India, Amazon, United States Department of Defense, IBM, Symantec, United Airlines, Coinbase, JPMorgan Chase, Twitter and multiple Fortune 500 companies for finding security issues.
Education
2010-2015
Ahmedabad Institute of Technology - Bachelor's Degree, Computer Engineering
Studied Computer Engineering. Learned concepts of Computer Networks, Java, C, C++, ASP.NET, C#, Database Management Systems, Operating Systems, Microprocessors and more.
2015-2017
National Forensic Sciences University - MTech in Cyber Security and Incident Response (Master's Degree)
Master's Degree in Cyber Security. Learned to perform Vulnerability Analysis, Incident Response, Application Security, SCADA Security, Risk Management and more.
Experience
Jun 2017 - May 2019
Deloitte India - Cyber Risk - Cyber Security Consultant
Performed application security assessments and configuration reviews, took part in kick-off meetings, and explained security issues and remediations to clients, management and developers.
Jun 2019 - May 2022
Deloitte India - Cyber Risk - Assistant Manager
Promoted to Assistant Manager. Performed vulnerability management, application security assessments and penetration testing, and analysed alerts from automated tools.
Jun 2022 - May 2024
Deloitte India - Cyber Risk - Deputy Manager
Performed purple teaming and breach and attack simulation; developed scripts automating 50+ attack scenarios.
Jun 2024 - Present
Deloitte India - Attack Surface Management - Manager
Leading multiple VAPT, AppSec and risk management engagements.
Testimonials
Thank you for your great engagement in our program. It's a great pleasure to work with you.
We greatly appreciate your assistance in helping to maintain and improve the security of our products.
We really appreciate all the time you have put into your research, thank you again for helping us to protect our customers.
Thank you for participating in our Bug Bounty Program and helping us improve our security! We appreciate your participation in this program and encourage you to submit any other bugs you find.
Coinbase would like to thank you for your various findings over the years. Your research has been essential in helping Coinbase improve its security posture. We look forward to your future work.
Harvard appreciates responsible reporting of information security issues impacting our systems and networks. Thank you, Ashutosh!
Thanks to @ashu_barot for reporting CVE-2019-5638 privately to Rapid7, which was fixed back in Nexpose version 6.5.51. All customers should have the update installed and running by now!
— Rapid7 (@rapid7) August 21, 2019
Hi Ashutosh,
Thank you for your words of appreciation!
Regards,
Team Quick Heal.
— Quick Heal (@quickheal) December 2, 2020
Critical Security Flaw Reported In #phpMyAdmin Lets Attackers Perform Dangerous Database Operations https://t.co/gtbErFcZb8 pic.twitter.com/0ADTc7MlU6
— The Hacker News (@TheHackersNews) January 2, 2018
Acknowledgement from @FireEye for reporting a Session Management vulnerability in FireEye Endpoint Security Console (FireEye HX). #FireEye 2019 Q4 Security Advisory - https://t.co/26CeCgVzzk #HallOfFame #infosec #cybersecurity pic.twitter.com/yJxg41eIcj
— Ashutosh Barot (@ashu_barot) February 13, 2020