- Having 9+ years of experience in financial and insurance industries, specialized in Network Security Architecture & Design, Web Application Security, Security Architecture & Design, AWS Cloud Security, API Security, Penetration Testing, Secure Coding, Mobile Application Security, Security Information and Event Management (ArcSight SIEM, Splunk), Application Security Controls and Validation, Regulatory Compliance, Secure Software Development Life Cycle (secureSDLC), Continuous Integration (CI) and Continuous Delivery (CD) of security scanning, Risk Assessments and IT Risk Assessments.
- Hands-on with Penetration Testing, DAST, SAST and manual ethical hacking.
- Experience with Cloud Access Security Broker (CASB).
- Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA and Sarbanes-Oxley Section 404 (SOX).
- Experience in implementing Security Incident and Event Management System (SIEM) using HP ArcSight.
- Experience in conducting IT Security Risk Assessments in accordance with NIST and FFIEC frameworks.
- Worked with global security teams performing application and IT infrastructure security assessments.
- In-depth knowledge of penetration testing for web and mobile (iOS and Android) applications.
- Performed security design and architecture reviews for web and mobile applications.
- Hands-on experience in developing threat models, security controls, threat analysis, creation of risk control matrices and risk mitigation strategies.
- Working knowledge of AWS Cloud Security in implementing Web Application Firewalls (WAF).
- Working knowledge of cloud security engineering and administration for SaaS, PaaS, and IaaS (including AWS and Azure).
- Ability to handle multiple tasks and work independently as well as in a team.
- An efficient team player in challenging and creative environments with excellent capacity to adapt to new technologies and skills.
- Possess strong technical aptitude with strong analytical, problem-solving and communication skills and a strong work ethic.
Security Tools: AppDetect, SIEM HP ArcSight Logger, SmartConnectors, Express, Splunk, AppRador, Checkmarx, Oracle Identity Manager, BeyondTrust PowerBroker Password Safe, Oracle Access Manager, JHijack, Metasploit Pro, Whitehat Sentinel, ZED Attack Proxy, ArcSight SIEM, Logger, SQLMAP, Wireshark, WebScarab, Paros, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec Vontu, DBProtect, e-DMZ Password Auto Repository (PAR), Varonis, Amazon Web Services (AWS) Cloud security.
Cloud Security: AWS IAM, EC2, S3, Docker, ECS, ECR, VPC Security.
Identity & Data Protection Tools: SafeNet KeySecure, ProtectDB, ProtectFile, RSA Single Sign-On (SSO), Two-Factor (2F) authentication, SafeNet eToken 5110.
DAST and SAST tools: IBM AppScan Enterprise (ASE), Standard & Source editions, HP WebInspect, QualysGuard, BurpSuite Pro, Acunetix, Fortify SCA, SQLMAP.
Operating Systems: Oracle Solaris UNIX, RedHat LINUX 4/5, Windows Server 2003/2008.
Java & J2EE Technology: Spring Framework, EJBs, Struts2, Servlets, JavaServer Pages (JSPs), JMS, Java Mail API, JNDI, LDAP, JDBC, JTS, RMI, AWT, Swing, Socket Programming, IONA Orbix CORBA.
Application Servers: Weblogic Server, iPlanet, Netscape Application Server and Microsoft IIS.
Languages: Java, Python, Ruby, C/C++, C#.NET, Perl, UML.
Middleware: TIBCO EMS, IBM WebSphere MQ, JMS.
Databases: Oracle, MS SQL Server, Sybase.
Web Services: RESTFul/SOAP, SOA, UDDI, WSDL.
Web Servers: Apache Tomcat, Netscape Enterprise Server 3.5, JBoss and JRun.
Confidential, Leesburg, VA
Lead Security Engineer
- Managed security assessments to ensure compliance with the firm’s security standards (i.e., OWASP Top 10, SANS 25). Specifically, security testing has been performed to identify XML External Entity (XXE), Cross-Site Scripting, ClickJacking, and SQL Injection related attacks within the code.
- Conducted security testing of Internet of Things (IoT) and provided recommendations to resolve the security vulnerabilities.
- Strong experience on RSA Archer GRC platform with good understanding of GRC concepts and Architecture.
- Implemented Security Group Policies for Elastic Compute Cloud (EC2), Simple Storage Service (S3), Docker Containers, ECS, ECRs within AWS. Developed AWS Service Roles to protect Identity Provider access.
- Implemented security controls for AWS Virtual Private Clouds (VPCs), EC2 instances, RDS and Route53.
- Participated in the implementation of Cloud Access Security Broker (CASB) for applications being deployed in the Cloud. Developed WACLS and configured rules and conditions to detect security vulnerabilities in CloudFront.
- Developed security requirements for applications and infrastructure deployed in the Cloud. Ensured that Cloud security best practices have been followed.
- Developed security requirements for Intrusion Detection and Data Loss Prevention (DLP), specifically for Data at Endpoint, Data In-transit, and Data at rest.
- Monitored and administered user access processes to ensure operational integrity of security systems via Active Directory for Windows Servers.
- Validated database security for SQL servers deployed in Azure Cloud environment. Implemented Integrated Windows authentication supported by Azure Active Directory.
- Developed security controls for implementing Azure storage security. The RBAC with Azure AD has been implemented for securing the storage account. The data transmission between applications and Azure has been secured by client-side encryption, HTTPS, SMB3.0.
- Performed Web Application Security, Penetration Testing in accordance with OWASP standards using manual techniques and also automated tools.
- Conducted network Vulnerability Assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans and Security Procedures.
- In-depth internal and external network penetration tests.
- Conducted technical analysis and troubleshooting of Fortify Static Code Analyzer and WebInspect.
- Detailed knowledge of international regulations and best practices covering ITIL, COBIT, ISO 27001, SOX, PCI, HIPAA, NIST, FedRAMP, FISMA.
- Developed Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments. Implemented Identity and Access Management (IAM) for various AWS accounts, including password rotation policies. Set up Access Keys and Secret Access Keys for newly created users.
- Participated in the development of IT security risk assessments for enterprise applications. The NIST framework has been utilized for IT risk assessments. This included leading the data discovery meetings, identifying existing controls and validating them against the expected controls. The control gaps or non-compliance to security policies were presented to the stakeholders for remediation.
- Interacted with third party vendors in conducting security assessments and security compliance audits (Type I and Type II).
- Reviewed Windows Active Directory (AD) and developed GPOs to enforce corporate security policies covering local admin rights, domain admin access rights, DNS transfers etc.
- Automated the security scanning process as part of DevSecOps efforts using Jenkins, Maven, Gradle to support CI/CD initiatives.
- Good configuration knowledge with SSO, Fortify, Checkmarx, AppScan, Cenzic for Web and Mobile Applications and remediation of issues.
- Configured SafeNet ProtectDB to enable column level encryption for securing confidential customer data.
- Designed security architecture for web and mobile apps. Reviewed Solution overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
- Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
- Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
- Implemented Identity Access Management and Privileged Access Management solution using BeyondTrust Password Safe and PowerBroker (Windows, Linux and Unix).
- Administered cryptography, certificate management and implemented dual keys to address segregation of duties issue between DBAs and security admins.
- Working knowledge of Splunk in developing search queries, including knowledge objects such as Event Types, Tags and Database Queries.
- Implemented SSO for Azure AD & Mobile applications.
- Implemented authentication for applications using OAuth and SAML2.0 frameworks.
- Conducted accountability, management and leadership of GE's RSA multi-factor authentication and CyberArk highly privileged access management platforms.
- Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Developer plug-ins to various development teams across the business lines.
- Strong knowledge of web application security, web-related protocols (HTTP, HTTP/2, SSL, WebSockets, etc.).
- Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, BurpSuite, Whitehat Sentinel, HP WebInspect, HP Fortify, Checkmarx and eliminated false positives.
- Generated executive summary reports showing the security assessments results, recommendations (CWE, CVE) and risk mitigation plans and presented them to the respective business sponsors and senior management.
- Conducted monthly developer workshops to educate and train developers on secureSDLC, scan source code using IBM AppScan Source, triage and resolve the security vulnerabilities.
- Worked with DevOps teams to automate security scanning into the build process.
- Reviewed Android and iOS mobile source code manually and recommended code fixes.
- Participated in the Proof of Concept (POC) in implementing Arxan application protection software for Mobile apps.
- Analyzed security incidents originated from various network/application monitoring devices (e.g., Symantec Vontu DLP) and coordinated with Engineering teams for tracking and problem escalation, including remediation.
- Performed the penetration testing of mobile (Android and iOS) applications, specifically, APK reverse engineering, traffic analysis and manipulation, dynamic runtime analysis.
- Developed secureSDLC policies and standards for Web and Mobile apps.
Confidential, Durham, NC
Sr. Information Security Consultant
- Performed pen testing of both internal and external networks as per PCI-DSS standards. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store credit card information.
- Reviewed security vulnerability reports for applications and databases, analyzed and worked extensively with the development teams for the implementation of mitigating controls.
- Implemented IBM AppScan standard, source editions, HP WebInspect, Nessus, and QualysGuard web application scanners. In addition, the security tools Metasploit and BurpSuite were utilized for manual penetration testing.
- Performed security assessments for the client-facing apps. The associated IT infrastructure such as database management systems, middleware systems, web services (SOA) were also included in the security assessments.
- Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web, mobile applications, including database and middleware systems.
- Reviewed Architecture Design Documents (ADD) and Solution overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
- Involved in the implementation of RSA Single Sign On (SSO) for the applications deployed in the Cloud and on-premise.
- Configured authentication for applications using OAuth and SAML2.0 frameworks.
- Implemented HP ArcSight ESM including correlation rules, data-monitors, reports, event annotation stages, case customization, active lists, and pattern discovery.
- Conducted manual source code reviews of the client-facing Wyndham brand web and mobile applications, including iOS and Android mobile apps. The key areas of confidential and sensitive data stored on the mobile devices were reviewed and recommendations were made to secure customers’ PII and PCI data.
- Conducted pen testing for the Web Services (SOA) across the enterprise applications.
- Reported security findings, recommendations and presented to the business users, executive committee and Compliance departments.
- Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
- Performed Static and Dynamic Analysis and Security Testing (SAST and DAST) for various applications as per firm’s security standards (i.e., OWASP, SANS 25).
- Conducted workshops and user awareness training on security policies, procedures and baselines.
- Worked with software development teams, DB/Unix administrators and solution architects as a subject matter expert related to security compliance with PCI DSS and industry standards.
- Worked with Internet Engineering team in the design and configuration of BlueCoat Internet proxy. Implemented WebFilter database for URL content Filtering.
- Developed security policies and baselines for mobile and web applications. Performed compliance audits to ensure security policies and baselines have been adequately implemented.
- Participated in the implementation of SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
- Developed correlation rules for Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring. Experience with Splunk in investigating various logger events related to security incidents.
- Performed PCI pre-assessment audit for the entire network as well as the related applications in preparation for the annual external PCI compliance audit.
Confidential, New York, NY
Sr. Security Engineer
- Performed the review of a newly implemented Security Incident and Event Management (SIEM) system. Reviewed technical specifications for SIEM, logging and proposed recommendations to improve the overall deployment of the solution.
- Managed security assessments for various types of Operating Systems (O/S) used by the firm. The security audits of RedHat Linux, SharePoint, Oracle Solaris, Windows (including Active Directory) and IBM AIX were conducted. Several control enhancements, specifically, on the patch management process, were recommended.
- Developed security audit programs to facilitate end-to-end compliance with Global as well as Federal Financial Institutions Examination Council (FFIEC) guidelines and controls.
- Performed penetration testing for external facing web applications. Security areas covering DMZ architecture, threat modeling, secure coding practices (i.e., OWASP standards) and vulnerability analysis were assessed.
- Conducted security assessments for various applications. The web application infrastructure such as IBM WebSphere, Apache Tomcat, and IIS web/application servers was reviewed for compliance with the firm’s security baselines.
- Executed database management system assessments across all business lines and entities in the North America hub. Database servers such as Oracle, SQL Server and Sybase were reviewed for compliance with global and local security standards.
- Participated in the integrated security design reviews. Mainly responsible for the review of input/output security, data completeness and accuracy of data reconciliations and timely processing of security batch jobs.
- Proficient in excellent communication, relationship building & interfacing skills, systematic approach and ability to work effectively with stakeholders in fast paced environments.
- Managed security assessments for various types of Operating Systems (O/S) used by the firm. The security audits of RedHat Linux, Oracle Solaris, Windows (including Active Directory) and IBM AIX were conducted. Several control enhancements, specifically, on the patch management process, were recommended.
- Executed database management system assessments across all business lines and entities. Database servers such as Oracle, SQL Server and Sybase were reviewed for compliance with global and local security baselines.
- Developed server side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs).
- Automated code deployment to production environment by creating tasks using ANT deployment tool.
- Developed stored procedures, views and triggers using Oracle PL/SQL.
- Used Spring Framework for Dependency injection and integrated with the Hibernate framework for interacting with the Oracle database.
- Developed SOAP and RESTful Web services using Spring Suite.
- Developed application presentation layer, which is based on Spring MVC framework involving JSP, Servlets and HTML, CSS, Stylesheets.
- Developed web applications to store all system information in a central location. This was developed using Spring MVC, jQuery, JSP, Servlet, Oracle 10g, HTML and CSS.
- Developed servlets and utilized Node.js to create a fast and efficient chat server.
- Implemented the Scrum Agile methodology for iterative development of the application.
- Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.
- Analyzed performance issues in the application, related system configuration and developed solutions for improvement.
- Involved in Weblogic and Tomcat application server installation and configuration in production, development and QA environments.
- Conducted training sessions to the rest of the development team on advanced technologies, code reviews and discussion sessions to ensure that coding standards are followed.