2002: Hired by a Fortune 100 client looking to purchase a company and product that offered a commercial, enterprise-level, web-based system for project development and management. The company asked me to do a non-destructive security analysis on a production system.
The system was a complex multi-language web application using Java, JavaScript, a custom JDK, Oracle, WebSphere, and a number of supporting technologies. I conducted the external application security review and the pen test, and ran interviews with key programmers and developers. I successfully found several vulnerabilities using packet-level analysis and HTTP stream manipulation while not disturbing the production system. I wrote and presented a detailed report identifying the issues and suggesting updates that allowed the client to secure the system. The system was purchased by the client and became a key enterprise software suite.