
Lead Security Engineer Resume


Detroit, MI

SUMMARY:

  • Over 10 years of experience in application security, mobile & data security, cloud security (AWS and MS Azure), vulnerability assessments, cryptography, secure coding, security architecture and design, and software development in diverse industries, including financial, healthcare and high-tech.
  • Application/Software Security, Security Architecture, API Security, Vulnerability/Risk Management, Third Party/Vendor Security, Threat Modeling, Source Code Review, Secure Software Development Life Cycle (secure SDLC), Penetration Testing, Mobile Security (iOS and Android), Security Monitoring, Threat Intelligence, AWS/Azure Cloud Security, Single Sign On (OAuth 2.0, SAML 2.0), Security Audits, Security Operations Center (SOC) and Incident Response.
  • In-depth knowledge of Mobile Application Security, Application Security Controls and Validation, IT Risk Assessments, Regulatory Compliance and Secure Software Development Life Cycle (secure SDLC).
  • Automation of security processes including DevSecOps, Continuous Integration (CI) and Continuous Delivery (CD) of security operations.
  • Hands-on with Penetration Testing, DAST, SAST, IAST and manual ethical hacking.
  • Experience in conducting IT Security Risk Assessments in accordance with the NIST, HIPAA and FFIEC frameworks.
  • Worked with global security teams performing application and IT infrastructure security assessments.
  • In-depth knowledge of penetration testing for web and mobile applications.
  • Performed security design and architecture reviews for web and mobile (iOS and Android) applications.
  • Hands-on experience in developing threat models, security controls, threat analysis, creation of risk control matrices and risk mitigation strategies.
  • Working knowledge of cloud security engineering and administration for SaaS, PaaS, and IaaS (including AWS and Azure).
  • Working knowledge of AWS and MS Azure Cloud Security controls.
  • Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS).
  • Experience in implementing Security Incident and Event Management System (SIEM) using HP ArcSight.
  • Ability to handle multiple tasks and work independently as well as in a team.
  • In-depth knowledge of Mobile Application Security, Application Security Controls and Validation, IT Risk Assessments, Regulatory Compliance and Secure Software Development Life Cycle (secure SDLC), and Continuous Integration (CI) and Continuous Delivery (CD) of security scanning.
  • Hands-on with Penetration Testing, DAST, SAST and manual ethical hacking.

TECHNICAL SKILLS:

Security Tools: IBM AppScan Enterprise (ASE), Standard & Source editions, HP WebInspect, QualysGuard, Burp Suite Pro, Acunetix, Fortify SCA, SQLMap, Checkmarx (Code Analysis), AppDetect, AppRador, SafeNet/Gemalto, Oracle Identity Manager, Oracle Access Manager, JHijack, Metasploit Pro, Zed Attack Proxy, FireMon, Wireshark, WebScarab, Paros, BlueCoat Proxy, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec Vontu, DBProtect, ArcSight SIEM, e-DMZ Password Auto Repository (PAR), Varonis.

Programming Languages: Java, .NET, C#, C, C++

Scripting Languages: Python, PowerShell, Shell Scripting

Cloud Technologies: Amazon Web Services (AWS), MS Azure

Web Technologies: HTML 4.0/5, XHTML, DHTML, CSS2/CSS3, JavaScript, jQuery, Ajax, JSON and XML

Web Services: RESTful/SOAP, SOA, UDDI, WSDL

Operating System: Linux/Unix (Red Hat Enterprise Linux, Debian, Ubuntu, Fedora, Santoku, Kali Linux), Windows.

Databases: MySQL, Oracle, MSSQL

PROFESSIONAL EXPERIENCE:

Confidential, Detroit, MI

Lead Security Engineer

Responsibilities:

  • Participated in the implementation of data tokenization in various environments to ensure compliance with regulations.
  • Developed AWS Security Groups to control traffic to various instances in the Cloud.
  • Implemented Multifactor Authentication (MFA) for AWS root accounts and administered password rotation policies. Managed Access Keys and Secret Access Keys for new users.
  • Completed proof-of-concept thin-client web framework for enterprise intelligence applications with web developer under extreme deadline.
  • Developed Application Security program (DAST, SAST, IAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments.
  • Conducted penetration testing for infrastructure using the Kali Linux toolset.
  • Designed, documented and executed maintenance procedures, including system upgrades, patch management and system backups.
  • Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking, and SQL Injection related attacks within the code.
  • Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
  • Developed Web ACLs for AWS Web Application Firewall (WAF) and configured the rules and conditions to detect security vulnerabilities in CloudFront.
  • Developed security requirements for applications and infrastructure deployed in the Cloud.
  • Configured AWS Simple Storage Service (S3) to securely store the organization's critical file systems. Implemented Access Control Lists (ACLs) and Bucket Policies for controlling access to the data. Ensured that Cloud security best practices were followed.
  • Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
  • Implemented Multifactor Authentication (MFA) for AWS root accounts, including password rotation policies.
  • Set up Access Keys and Secret Access Keys for newly created users.
  • Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud.
  • Administered PKI and cryptography management, and implemented dual keys to address the segregation of duties issue between DBAs and security admins.
  • Participated in the development of IT risk assessments for enterprise applications.
  • Reviewed source code (Java/J2EE/C#/.NET/Spring/FTL/JavaScript) and identified security vulnerabilities.
  • Reviewed Azure network security architecture and implemented security controls, specifically for Azure virtual networks, including on-premise connectivity, traffic filtering, secure communication and point-to-site VPN.
  • Implemented Network Security Groups (NSG) to control network traffic to various Azure network resources. Created NSG rules (inbound and outbound) and prioritized the rules based on the requirements. Associated NSGs to VMs, NICs, and subnets based on the deployment model.
  • Enabled threat detection for databases in the Azure portal. The security alerts generated in Azure Security Center were reviewed and remediated.

Confidential, Columbus, OH

Lead Security Engineer

Responsibilities:

  • Developed Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments.
  • Performed security testing to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking, and SQL Injection related attacks within the code.
  • Developed threat modeling framework (STRIDE and DREAD) for critical applications to identify potential threats during the design phase of applications. Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
  • Administered cryptography management and implemented dual keys to address the segregation of duties issue between DBAs and security admins.
  • Participated in the development of IT risk assessments for enterprise applications.
  • Reviewed source code (Java/J2EE/Spring/FTL/JavaScript/jQuery).
  • Troubleshot and resolved web application security issues escalated from customer support and other departments with a 100% success rate.
  • Configured Gemalto ProtectDB to enable column level encryption for securing confidential customer data. Designed security architecture for web and mobile apps.
  • Reviewed Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
  • Conducted security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10, SANS 25).
  • The NIST framework was utilized for IT risk assessments.
  • Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Checkmarx, and developer plug-ins to various development teams across the business lines. Installed and supported over 30.
  • Documented executive summary reports showing the security assessment results, recommendations, risk and impact.
  • Conducted monthly developer workshops to educate and train developers on secure SDLC, scanning source code using IBM AppScan Source, and triaging and resolving the security vulnerabilities.
  • Performed multiple levels of testing before production to ensure a smooth deployment cycle.
  • Performed vulnerability testing using tools such as Nessus and QualysGuard.
  • Maintained network performance by performing network monitoring and analysis, performance tuning, and troubleshooting of network problems.
  • Skilled using Burp Suite, Acunetix Automatic Scanner, Nmap, DirBuster, QualysGuard, Nessus, SQLMap for web application and infrastructure penetration testing.
  • Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
  • Expertise in using DAST tools (like IBM AppScan and Burp Suite Pro) while the application is running to penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party interfaces.
  • Analyzed security incidents originating from various network/application monitoring devices (e.g., Symantec DLP, IDS, IPS, WAF) and coordinated with Engineering teams for tracking and problem escalation, including remediation.
  • Performed penetration testing of mobile (Android and iOS) applications, specifically APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.
  • Developed secure SDLC policies and standards for applications.
  • Researched, analyzed and understood log sources from security and networking devices such as firewalls, routers, anti-virus products, and operating Web, Mobile and Cloud systems.
  • Performed real-time proactive security monitoring and reporting on various security enforcement systems: anti-virus, Internet content filtering, IDS & IPS, web security, anti-spam reporting, malware code prevention, firewalls, etc.
  • Provided oversight of all changes to corporate firewalls, including pre-implementation analysis and approval, and post-implementation auditing. Identified and remediated threats and vulnerabilities as part of Security Monitoring (SOC), triage and escalation to T2.
  • Designed and developed ArcSight architecture components and related upgrades.
  • Prepared system plans and executed ArcSight architecture modifications.

Confidential, Austin, TX

Sr. Security Engineer

Responsibilities:

  • The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store credit card information.
  • Reviewed security vulnerability reports for applications and databases, analyzed and worked extensively with the development teams for the implementation of mitigating controls.
  • Implemented HP ArcSight ESM including correlation rules, data monitors, reports, event annotation stages, case customization, active lists, and pattern discovery.
  • Designed security policies, alarm response protocols and access card guidelines.
  • Reviewed the key areas of confidential and sensitive data stored on the mobile devices and made recommendations to secure customers' PII and PCI data.
  • Reported security findings and recommendations and presented them to the business users, executive committee and Compliance departments.
  • Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
  • Implemented IBM AppScan Standard and Source editions, HP WebInspect, Nessus, and QualysGuard web application scanners.
  • Developed and updated security procedures, security system drawings and related documentation.
  • Worked directly with outside vendors to implement/troubleshoot all SAML integrations for multi-factor authentication (MFA).
  • The associated IT infrastructure such as database management systems, middleware systems and web services (SOA) were also included in the security assessments.
  • Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web and mobile applications, including database and middleware systems.
  • Reviewed Architecture Designs and Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
  • Performed Static and Dynamic Analysis and Security Testing (SAST and DAST) for various applications as per the firm's security standards (i.e., OWASP, SANS 25).
  • Conducted workshops and user awareness on security policies, procedures and baselines.
  • Worked with software development teams, DB/Unix administrators and solution architects as a subject matter expert related to security compliance with PCI DSS 3.2 and industry standards.
  • Worked with the Internet Engineering team in the design and configuration of the BlueCoat Internet proxy.
  • Implemented WebFilter database for URL content filtering.
  • Developed procedures for the emergency response and crisis management, physical security, information protection, incident management and investigation units.
  • Participated in the implementation of the SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
  • Created and documented reports, rules, trends and dashboards. Analyzed ArcSight and related tools and resolved IT security failures.
  • Provided guidance for equipment checks and supported processing of security requests.
  • Experience in Network Intrusion Detection/Intrusion Prevention Systems and Firewalls.
  • Utilized Security Information and Event Management (SIEM), Intrusion Detection & Prevention (IDS/IPS), Data Leakage Prevention (DLP), forensics, sniffers and malware analysis tools.
  • Security incident handling, SIEM (ESM) using RSA enVision/ArcSight products.
  • Good knowledge and experience in installation, configuration and administration of Windows Server 2000/2003, Active Directory, FTP, DNS, DHCP, TFTP, and Linux OS in LAN and WAN environments.
  • Implementation of name resolution using WINS & DNS in a TCP/IP environment.
  • Developed correlation rules for the Security Incident and Event Management (SIEM) system.

Confidential

Software Developer

Responsibilities:

  • Involved in all stages of the Software Development Life Cycle (SDLC) of the project in agile methodology.
  • Participated in daily Scrum meetings, sprint grooming/review and demos with management and other teams.
  • Implemented functionality like searching, filtering, sorting and validating using AngularJS and JavaScript.
  • Front-end development using HTML, CSS, JSP, with client-side validations performed using JavaScript.
  • Developed the User Interface using JSP/HTML and used CSS for styling of the web pages.
  • Designed and developed an end-to-end customer self-service module using annotation-based Spring MVC and Hibernate.
  • Worked directly with outside vendors to implement/troubleshoot all SAML integrations.
  • Implemented Bean classes and configured them in the Spring configuration file for Dependency Injection; developed Controller classes using Spring MVC, Spring AOP, Spring Boot and Spring Batch modules; handled security using Spring Security.
  • Initiated mappings among the relations and wrote named HQL queries using Hibernate.
  • Involved in writing the Spring Configuration XML file that contains bean declarations and other dependent object declarations.
  • Integrated REST API with Spring for consuming resources using Spring RestTemplate and developed RESTful web services interface to Java-based runtime engine and accounts.
  • Used SQL statements and procedures to fetch the data from the database. Created new views and added new columns to the existing views in the database using SQL.
  • Wrote SQL commands and Stored Procedures to retrieve data from the SQL Server database.
  • Agile/SCRUM was used as the project management methodology and JIRA & Confluence were the tools used to keep things in check.
  • Implemented complete Maven build life cycle to achieve organized application structure and conflict-free dependencies in the pom.xml file.
  • Developed Git controls to track and maintain the different versions of the project.

Environment: Core Java, Java, J2EE, HTML5, CSS3, JavaScript, AngularJS, Spring, Hibernate, Spring MVC, Spring Boot, RESTful Web Services, Git, Agile, SQL
