Sr. Information Security Engineer Resume
New York City, NY
SUMMARY:
- An Information Security Professional with over 9 years of experience in Application Security, Security Architecture & Design, Regulatory Compliance, Secure Software Development Life Cycle (Secure SDLC), Continuous Integration (CI) and Continuous Delivery (CD) of security scanning, Identity and Access Management (IAM), AWS Cloud Security, API Security, Penetration Testing, Network Security, Splunk, DevSecOps, Cloud Security, Threat Modeling, SSO, Secure Coding, Mobile Security, Cryptography, PKI, Security Information Event Management (SIEM), Security Controls and Validation, Mobile Application Security and IT Risk Assessments.
- Analyze the results of penetration tests, security design reviews, source code reviews and other security tests.
- Decide on what to remediate and what to risk accept based on security requirements.
- Highly analytical computer security analyst with success both defending and attacking large-scale enterprise networks.
- Knowledge of Penetration Testing, DAST, SAST and manual ethical hacking.
- Working knowledge of Cloud Access Security Broker (CASB).
- Hands on with HP ArcSight ESM, Logger and Express installation, configuration and content development.
- Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA, Center for Information Security (CIS benchmarks) and Sarbanes-Oxley Section 404 (SOX).
- Implementation of cloud (AWS and MS Azure) security controls for IaaS, PaaS and SaaS based applications and infrastructure.
- Performed security design and architecture reviews for web and mobile applications.
- Working knowledge of IAM implementation, OAuth2.0, SAML frameworks.
- Experience using a wide variety of security tools, including Kali Linux, Metasploit, HP WebInspect, HP Fortify, BurpSuite Pro, Wireshark, L0phtcrack, Snort, Nmap, Nmap-NSE, Cain and Abel, Nikto, Dirbuster, IBM AppScan, OWASP ZAProxy, Nessus, OpenVAS, W3AF, BeEF, Ettercap, Maltego, Wifi-Security, SIFT, SOAP UI, Havij, Aircrack-ng suite.
- Hands-on with network penetration testing and ethical hacking.
- Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, avoiding security by obscurity, keeping security simple, and fixing security issues correctly.
- Experience in conducting IT Security Risk Assessments in accordance with the NIST and FFIEC frameworks.
- Worked on Web Application Firewalls (WAF) and database security / Vulnerability scanners.
- Strong knowledge in Manual and Automated Security testing for Web and Mobile Applications.
- Automated security scanning process using various DevOps tools such as Git, Artifactory, Jenkins etc.
SECURITY TOOLS AND TECHNOLOGIES:
Security Tools: HP WebInspect, QualysGuard, RSA Archer, FireEye Retina, Onapsis, IBM AppScan Enterprise (ASE), Standard & Source editions, BurpSuite Pro, Acunetix, Fortify SCA, WAS, SQLMap, Checkmarx (Code Analysis), Cigital SecureAssist, AppDetect, BeyondTrust PAM, Oracle Identity Manager, Oracle Access Manager, JHijack, Metasploit Pro, Zed Attack Proxy, Firemon, Wireshark, WebScarab, BlueCoat Proxy, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, DBProtect, ArcSight SIEM, e-DMZ Password Auto Repository (PAR), Varonis, Amazon Web Services (AWS) Cloud security.
Programming Languages: Java, C# .NET, C, C++, Perl, UML.
Identity & Data Protection Tools: Gemalto KeySecure HSM, ProtectDB, ProtectFile, RSA Single Sign-On (SSO), Two-Factor (2F) authentication.
Networking: Symantec Endpoint Protection, DL, Palo Alto Firewalls, Cisco IronPort, Check Point, Cisco ASA, IDS/IPS, Anti-virus, BMC BladeLogic, Remedy.
Scripting Languages: Python, PowerShell, Shell scripting
Web Technologies: HTML 4.0/5, XHTML, DHTML, CSS2/CSS3, JavaScript, jQuery, AngularJS, Node.js, AJAX, JSON and XML
Web Services: RESTful/SOAP, SOA, UDDI, WSDL
Operating System: Linux/Unix (Red Hat Enterprise Linux, Debian, Ubuntu, Kali Linux), Windows.
Databases: MySQL, Oracle, MS SQL Server
PROFESSIONAL EXPERIENCE:
Confidential, New York City, NY
Sr. Information Security Engineer
Responsibilities:
- Conducted Vulnerability Assessment (DAST and SAST) of Web and Mobile (iOS and Android) applications, including third-party applications. The tools IBM AppScan, ZAProxy, BurpSuite Pro, Checkmarx and HP Fortify were utilized for scanning the applications.
- Conducted IT security risk assessments, including threat analysis and threat modeling (STRIDE).
- Performed code analysis with Checkmarx.
- Conducted application penetration testing of 85+ business applications.
- Triaged security vulnerabilities to eliminate false positives and worked with the developers for remediation.
- Conducted security testing of Internet of Things (IoT) and provided recommendations to resolve the security vulnerabilities.
- Interacted with third-party vendors in conducting security assessments and security compliance audits (Type I and Type II).
- Implemented Security Group Policies for Elastic Compute Cloud (EC2), Simple Storage Service (S3), Docker Containers, ECS, ECRs within AWS. Developed AWS Service Roles to protect Identity Provider access.
- Implemented security controls for AWS Virtual Private Clouds (VPCs), EC2 instances, RDS and Route53.
- Participated in the implementation of Cloud Access Security Broker (CASB) for applications being deployed in the Cloud. Developed WACLs and configured rules and conditions to detect security vulnerabilities in CloudFront.
- Participated in the development of IT security risk assessments for enterprise applications. The NIST framework was utilized for IT risk assessments. This included leading the data discovery meetings, identifying existing controls and validating them against the expected controls. The control gaps or non-compliance with security policies were presented to the stakeholders for remediation.
- Working knowledge of Splunk in developing search queries, including knowledge objects such as Event Types, Tags, Database Queries, etc.
- Good configuration knowledge of SSO, Fortify, Checkmarx, AppScan and Cenzic for Web and Mobile Applications and remediation of issues.
- Strong knowledge of web application security and web-related protocols (HTTP, HTTP/2, SSL, WebSockets, etc.).
- Implemented authentication for applications using web application vulnerability scanning tools (IBM AppScan, IBM AppScan Source, HP Fortify, HP WebInspect, BurpSuite, ZAP, Kali Linux, etc.).
- Acquainted with various approaches to Grey & Black box security testing.
- Hands-on with database security / Vulnerability scanner using Imperva Scuba and IBM Guardium.
- Implemented Secure Software Development Life Cycle processes; developed secure coding practices for web, mobile applications, including database and middleware systems.
- Developed Security API and deployed to development teams which helps them write lower risk applications in a secure manner.
- Worked on LDAP with IBM Tivoli on large scale infrastructures as a Senior LDAP (IBM Tivoli/Security Directory Server v6.x)
- Participated in the implementation of Public Key Infrastructure (PKI) for securing data at rest and data in transit. Involved in the implementation of encryption and decryption of confidential data and supported the key life cycle.
- Developed security policies and standards and made sure the business applications are in compliance with the standards.
- Conducted architectural reviews of OAuth2.0, SAML and Single Sign-on (SSO) for corporate applications.
- Implemented IAM for various applications deployed in the AWS Cloud. Developed IAM policies and roles to control user access. Created AWS bucket policies. Also participated in CyberArk PAM.
- Detailed knowledge of international regulations and best practices covering ITIL, COBIT, ISO 27000, SOX, PCI, HIPAA, NIST 800, FedRAMP, FISMA.
- Performed the API security testing of web services including SOAP, REST, and JSON/XML.
- Administered cryptography, public and private key management and implemented dual keys to address segregation of duties issue between DBAs and security admins.
- Analyzed security incidents originated from various network/application monitoring devices (e.g., Symantec Vontu DLP) and coordinated with Engineering teams for tracking and problem escalation, root cause analysis, including remediation.
- Worked with DevOps teams to automate security scanning into the build process.
- Identifying the Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality.
- Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, Clickjacking, CSRF, authentication bypass, cryptographic attacks, authentication flaws, etc.
- Conducted security assessment of PKI Enabled Applications
- Skilled using Burp Suite Pro, HP WebInspect, IBM AppScan Standard, Source and Enterprise, Nmap, Dirbuster, QualysGuard, Nessus, SQLMap, RSA Archer, FireEye Retina, Onapsis for web application penetration tests and infrastructure testing. Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
- Capturing and analyzing network traffic at all layers of the OSI model.
- Monitored the security of critical systems (e.g. e-mail servers, database servers, web servers, application servers, etc.).
- Performed pen testing of both internal and external networks. The pen testing scope included O/S SQL, Oracle Database.
- Performed the configuration of security solutions like RSA two-factor authentication, Single Sign-On (SSO), Symantec DLP and log aggregation and analysis using HP ArcSight SIEM.
- Change Management to highly sensitive Computer Security Controls to ensure appropriate system administrative actions, investigate and report on noted irregularities.
- Conducted network vulnerability assessments using tools to evaluate attack vectors, identify system vulnerabilities and develop remediation plans, including security policies, standards and procedures.
- The experience has enabled me to find and address security issues effectively, implement new technologies and efficiently resolve security problems. With a strong Network Communications, Systems & Application Security (software) background, I look forward to implementing, creating, managing and maintaining information security frameworks for large-scale, challenging environments.
Confidential, Charlotte, NC
Sr. Security Engineer
Responsibilities:
- Conducted Vulnerability Assessment for various applications.
- Managed security assessments to ensure compliance to firm’s security standards (i.e., OWASP Top 10, SANS25). Specifically, security testing has been performed to identify XML External Entity (XXE), Cross-Site Scripting and SQL Injection related attacks within the code.
- Conducted security assessment of cryptography applications, including the apps that use a Hardware Security Module (HSM).
- Installed and configured ArcSight ESM console. Developed search filters, rules and lists.
- Configuration and troubleshooting of build tools such as CruiseControl, Jenkins, Ant, Maven.
- Created Active Channels and Field Sets.
- Generated ad-hoc reports as well as scheduled on the calendars for automatic generation.
- Administered ArcSight users and groups.
- Configured ArcSight Smart and Flex Connectors and new data feed ingestion.
- Performed the maintenance, monitoring, troubleshooting and restoration of the ArcSight platform.
- Performed pen testing of both internal and external networks as per PCI-DSS standards. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store credit card information.
- Implemented IBM AppScan standard, source editions, HP WebInspect and QualysGuard web application scanners. In addition, the security tools Metasploit and BurpSuite were utilized for manual penetration testing.
- Performed security assessments for the client-facing apps. The associated IT infrastructure such as database management systems, middleware systems, web services (SOA) were also included in the security assessments.
- Participated in the implementation of SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
- Developed correlation rules for Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring.
- Performed the penetration testing of mobile (Android and iOS) applications, specifically APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.
- Implemented HP ArcSight ESM, including correlation rules, data monitors, reports, event annotation stages, case customization, active lists, and pattern discovery.
- Performed pen testing of both internal and external networks. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store customer confidential information.
- Participated in Web Application Security Testing, including the areas covering mobile, network, security and Wi-Fi.
- Conducted pen testing for the Web Services (SOA) used by various travel agency partners to connect to Wyndham for booking and reservations.
- Skilled using Burp Suite, Checkmarx, HP Fortify, SecureAssist, WAS, NMAP, Havij, DirBuster for web application penetration tests.
- Generated and presented reports on Security Vulnerabilities to both internal and external customers.
- Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
- Vulnerability Assessment of various web applications used in the organization using Burp Suite, WebScarab and HP WebInspect.
- Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
- Analyzed correlation rules developed for Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring. the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
- Followed up and ensured the closure of the raised vulnerabilities by revalidating and ensuring 100% closure.
- Stayed up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
Confidential, Chicago, IL
Security Engineer
Responsibilities:
- Extensive Interaction with Onsite Coordinator in understanding the business issues, requirements, doing exhaustive analysis and providing end-to-end solutions.
- Conducting Web Application Vulnerability Assessment & Threat Modeling, Gap Analysis, secure code review on the applications.
- Conducted security assessments of firewalls, routers, VPNs, BlueCoat Proxy, IDS/IPS and verified its compliance to internal and external security standards.
- Experienced with ISO 27001/27002 for ISMS and Sarbanes-Oxley (SOX) compliance.
- Performed multiple levels of testing before production to ensure a smooth deployment cycle.
- Created generic scripts for testing and reusability.
- Performed security hardening for Linux, Windows, web servers, app servers and database servers in accordance with both internal and external standards (CIS benchmarks, PCI-DSS, NIST, FFIEC, etc.).
- Conducted security assessments for various applications supporting various businesses. The web application infrastructure such as IBM WebSphere, Apache Tomcat, and IIS web/application servers were reviewed for compliance to firm’s security baselines.
- Managed security assessments for various types of Operating Systems (O/S) used by the firm. The security audits of RedHat Linux, SharePoint, Oracle Solaris, Windows (including Active Directory) and IBM AIX were conducted. Several control enhancements, specifically, on the patch management process, were recommended.
- Executed database management system assessments across all business lines and entities in the North America hub. Database servers such as Oracle, SQL Server and Sybase were reviewed for compliance with global and local security standards.
- Participated in the integrated security design reviews. Mainly responsible for the review of input/output security, data completeness and accuracy of data reconciliations and timely processing of security batch jobs.
- Proficient in excellent communication, relationship building & interfacing skills, systematic approach and ability to work effectively with stakeholders in fast paced environments.
- Application Security Review of all the impacted and non-impacted issues.
- Providing guidance to Development team for better understanding of Vulnerabilities.
- Assisting the customer in understanding the risk and threat level associated with a vulnerability so that the customer may or may not accept the risk with respect to business criticality.
- Identifying the Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality for remediation.
- Assisting in the review of solution architectures from a security point of view, which helps avoid security-related issues/threats at the early stage of a project.
- Ensuring compliance with legal and regulatory requirements.
Confidential
Java Developer
Responsibilities:
- Designed and developed a suite of applications used by the internal cyber security operations group.
- Design and implementation of SOAP, RESTful Web services.
- Developed the application presentation layer, which is based on the Spring MVC framework involving JSP, Servlets, RESTful Web Services, HTML and CSS.
- Developed this web application to store all system information in a central location. This was developed using Spring MVC, Struts, jQuery, JSP, Servlet, Oracle 10g, HTML and CSS.
- Developed Servlets and utilized jQuery to create a fast and efficient chat server.
- Implemented the Scrum Agile methodology for iterative development of the application.
- Developed server side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs)
- Designed and developed a suite of applications used by the internal audit department, including BPlanner, OATS, and Time tracking systems.
- Developed stored procedures, views and triggers using Oracle PL/SQL.
- Automated code deployment to production environment by creating tasks using ANT, Maven deployment tools.
- Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.
- Used Spring Framework for Dependency injection and integrated with the Hibernate framework for interacting with the Oracle database.
- Analyzed performance issues in the application, related system configuration and developed solutions for improvement.
- Involved in WebLogic and Tomcat application server installation and configuration in production, development and QA environments.
- Conducted sessions to the rest of the development team on advanced technologies, code reviews and discussion sessions to ensure that coding standards are followed.