Ashruf Ali Naazneen Ashfur
Student pursuing Diploma in Information Security and Forensics at Ngee Ann Polytechnic
ISF
Awards and Achievements:
  • Ngee Ann Polytechnic Merit Award
  • SAC Award for Contribution and Performance in CCA (Bartley Secondary School)
  • SAC Award for Being the Top Student in Tamil Language for GCE 'O' Levels (Bartley Secondary School)
  • National Youth Achievement Award (Bronze)
  • GCE 'O' Levels, L1R4: 8
Skilled in:

      Programming Languages

    • Python
    • Object Oriented Programming (C#)
    • HTML
    • CSS
    • JavaScript
    • MySQL

      Software

    • Microsoft Word
    • Microsoft PowerPoint
    • Wireshark
    • VirtualBox (Linux, Ubuntu)
    • Visual Studio
    • Microsoft SQL Server Management

      Languages

    • Proficient in written and spoken English and Tamil

      CCAs and Leadership

    • Vice President of ICT Society
      • Ngee Ann Polytechnic, InfoComm Technology Society
    • Quarter Mistress, Bartley Military Band
      • Bartley Secondary School

About Me!

Hi! I am Naaz. I am an outgoing and enthusiastic individual who loves to meet new people. I am pretty much extroverted in nature.

I developed my passion for IT-related things when I was 11. I started to notice the importance of information security in today's industry. I realized that if one has control over the networking systems, they literally have control over everything. Thus, information security is really important.

I started working really hard in secondary school to enter this course in Ngee Ann Polytechnic. Once I came into poly, I started to read up on all the security-related matters like data breaches and scams. This further motivated me to work harder so that one day in the future, I can protect people and their data.

As part of the FP modules in Ngee Ann, I have been part of certain activities such as service learning and career networking. You can read up more about them by clicking the links below!

Service Learning
Industry Engagements Cybersecurity Talk @ SIM Career Networking Event

You can check out my website here!

You can check out my LinkedIn page here!


Project

Continuous Penetration Testing Service Development

Web Application Penetration Testing

Description

Cyber Intelligence House (CIH) has been developing a Continuous Penetration Testing service as part of its Cyber Exposure Monitoring service portfolio. Referred to as Situational Awareness (SA), the service would allow clients to learn more about their company’s security posture at any given time. The penetration testing would continuously monitor the vulnerabilities on the client’s end and keep the client updated about them. The objective of this service is to help companies avoid having their data compromised through a vulnerability that may have newly emerged after the client implements new features or modifications to their system.

The Continuous Penetration Testing development project is a joint project that consists of four members – Teo You Xiang, Nur Shahidah Binte Imran, Ashruf Ali Naazneen Ashfur and Jani Kirmanen. Three of them are intern students and one is a full-time staff member of the company.

Responsibility

The team was required to perform gray-box Web Application Penetration Testing (WAPT) on the domains belonging to a client of Cyber Intelligence House, hereafter known as ‘Client XYZ’ for confidentiality purposes. Client XYZ is an airline company that was already subscribed to the Cyber Exposure Monitoring service. When CIH proposed the service to them, Client XYZ agreed to it and is thus co-developing the service with CIH by allowing their domains to be tested using the service.

Client XYZ gave CIH 10 domains to be tested. 3 of the domains were already tested by the project manager alone before he decided to form a team to make the testing much more efficient. The domains that were given are in use by the client’s web and mobile applications – XYZ Mobile Application, XYZ Web Application, XYZBook Mobile Application, and XYZBook Web Application.

Purpose

The purpose of this assignment is for the team of penetration testers to perform Web Application Penetration Testing (WAPT) on Client XYZ’s seven domains. By performing WAPT, the team is to find any vulnerabilities that might exist and pose a threat to the client’s business services, and to find them before any malicious entity has the opportunity to discover and exploit them. After the discovery and exploitation of the vulnerabilities, the team is required to document all findings and include remediations for the vulnerabilities. This report would be used by the client to improve their security posture.

In addition to that, this project also aims to equip and train the penetration testing team at CIH with the necessary knowledge and skills required to perform penetration testing services for clients. By doing so, CIH would have in-house penetration testers and wouldn’t need to outsource and find testers. Having well-trained penetration testers would also mean that the continuous penetration testing development project can be developed with ease and eventually be implemented into the Monitoring Dashboard.

Knowledge & Skills

- Web Application Penetration Testing
- Information Security
- Report Writing


Reflection

This assignment provided numerous opportunities for the student to experience an industry-standard web application penetration testing exercise. Being able to perform WAPT exercises on seven domains allowed the student to apply and practice the knowledge and skills on penetration testing which she acquired during her polytechnic education. Despite all the lab exercises that she performed in school, she realized that out in the real world, WAPT exercises are not very straightforward and are actually quite difficult. The penetration testing cases that the student had experience with in school were very different from the industry ones in terms of the penetration testing process and simplicity.

The student feels that the knowledge and skills that she had worked on and picked up along the course of this assignment would be extremely beneficial for her in the long run. Being able to work with a professional from the industry also allowed her to ask questions and clarify any doubts that she had. In addition to that, she received several useful tips and knowledge from him.

During times when the student could not progress any further, her teammates were extremely patient with her and guided her through the exercise. They were very patient when it came to addressing any mistakes made by the student and always viewed each action as a learning experience for the next exercise. The positive-minded people that the student had the opportunity to work with made this assignment very smooth sailing for her.

In addition to the technical knowledge and skills, the student could also improve her soft skills such as communication, teamwork, team management and research work. This project required a lot of communication among the team members and with the client. When technical issues or doubts occurred, instead of making assumptions, the penetration testers had to convey their thoughts and suspicions to the rest to hear their opinion. In addition, during times of conflict of interest, the penetration testers had to talk it out with each other instead of just ignoring the problem. In each exercise, the penetration testers would take turns leading the team in terms of task delegation of the work (testing on which features, domains etc.), report writing and time management. Being able to manage the team and ensure that work was submitted on time was a skill that the student had from her polytechnic days of doing projects, but the experience she had during her internship was very different. For starters, instead of doing it for a grade, the penetration testers had to do it with the security and well-being of the client in mind. Last but not least, research work. There were often times when the penetration testers had to deal with application types and technical terms that they had no prior knowledge of. Thus, it was vital for the penetration testers to constantly read up and research on the various types of vulnerabilities, tools and exploits so that the knowledge could be used during the actual WAPT exercise.



