
Penetration Tester Resume


Mn

SUMMARY:

  • Overall 7+ years of professional IT experience in Application Security Testing, particularly focused on performing technical activities such as Vulnerability Analysis, Penetration Testing and Secure Application Testing based on the OWASP Top 10.
  • Professional with extensive experience in Information Security, Application Security, Software Security, Enterprise Vulnerability Management, penetration testing and generating reports using tools.
  • Experience as an Information Security Analyst, involved in OWASP Top 10 based Vulnerability Assessment of various internet-facing point-of-sale web applications and web services.
  • Experience in penetration testing, DAST, SAST and manual ethical hacking on various applications in different domains based on OWASP Top 10.
  • Extensive experience in Penetration Testing. Expertise in detecting various vulnerabilities (including the OWASP Top 10) across the authentication, authorization, input validation, session management, server configuration, cryptography and information leakage areas.
  • Experience in vulnerability assessment and penetration testing using various tools like Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, Kali Linux, Metasploit, HP WebInspect and IBM AppScan.
  • Involved in recommending security solutions of new applications incorporating secured SDLC, OWASP Top 10 based Vulnerability Assessment of various Internet facing Point of Sale web applications.
  • Experience in Performing secure code review (SCR) of various applications using static code analyzer (SCA) like HP FORTIFY and CheckMarx.
  • Experience in working with C, .NET, Java, JavaScript, J2EE and XML software teams, helping to resolve errors in order to reduce flaws.
  • Experience with TCP/IP, Firewalls, LAN/WAN and Linux system administration.
  • Experience with Security Risk Management with TCP-based networking.
  • Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
  • Responsible in web application vulnerabilities (OWASP TOP 10, SANS, NIST) to review application source code to find its security vulnerabilities (CSRF, XSS, SQL Injection, Privilege Escalation, etc.) and recommend remediation.
  • Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
  • In-depth knowledge of penetration testing for web and mobile Android applications.
  • Developed remediation plans for various vulnerabilities and assisted development teams across the organization in remediating them. 
  • Knowledge of the SIEM (Security Information and Event Management) solution Splunk; able to perform searches and create reports, alerts and dashboards.
  • Manage the Healthcare PCI (Payment Card Industry) Compliance Program and ensure cardholder data security standards meet PCI DSS (Payment Card Industry Data Security Standards) requirements.
  • Ability to handle multiple tasks and work independently as well as in a team, with an excellent capacity to adapt to new technologies and skills.
  • Possess strong technical aptitude with strong analytical, work ethic, problem-solving and communication skills.

TECHNICAL SKILLS:

Dynamic and Static Analysis Security Testing:  IBM AppScan Enterprise (ASE), Standard & Source editions, HP WebInspect, QualysGuard, Burp Suite Pro, Acunetix, CheckMarx, HP Fortify SCA, SQLMap

Security Penetration Testing Tools:  Paros Proxy, Burp Suite, WebScarab, SQLMap, Wireshark, DirBuster, HP WebInspect, YASCA, Metasploit, Nmap, Nessus, Rapid7 Nexpose, Acunetix, Live HTTP Headers, Tamper Data

Operating Systems:  Windows OS, Mac OS, Red Hat Linux, Kali Linux, Android

Regulations:  OWASP, PCI-DSS, HIPAA, GLBA

Languages:  Java, Python, C/C++, C#.NET, Perl, UML

Databases:  Oracle, MS SQL Server, Sybase

PROFESSIONAL EXPERIENCE:

Confidential, San Jose, CA

Penetration Tester

Responsibilities:

  • Have worked with a team of individuals dedicated to conducting research, detecting attacks and building mitigation techniques for threats posed at the network and application layers.
  • Conducted application penetration testing over various business applications.
  • Understanding & implementation of security into SDLC via application risk assessment, requirements gathering, design review, application vulnerability assessment.
  • Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
  • Performed manual and automated source code reviews using HP Fortify, CheckMarx.
  • Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Developer plug-ins to various development teams across the business lines.
  • Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, BurpSuite, HP WebInspect, HP Fortify and eliminated false positives.
  • Ensure the issues identified are reported as per the reporting standards.
  • Perform validation on design of features like authentication, authorization, accountability.
  • Provide the report and explain the issues to the development team.
  • Performing source code review and running scans using CheckMarx.
  • Updating the checklist on a weekly basis to ensure all the test cases are up to date with the attacks happening in the market.
  • Using Nmap for network scans and port issues, and also using Zenmap (the GUI for Nmap).
  • Actively manage the security activities associated with Secure Software Development to address existing and evolving risks and threats appropriately.
  • Scheduled a Penetration Testing Plan throughout the organization and completed all the tasks in the given time frame.
  • Performed vulnerability scanning using Nessus Security Center and maintained clear documentation for every report that is generated.
  • Identifying the Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and SANS Top 25, and prioritizing them based on their criticality.

Confidential, MN

Application Security Tester / Penetration Tester

Responsibilities:

  • Conducted Vulnerability Assessment on various applications.
  • Acquainted with various approaches to Grey & Black box security testing.
  • Conducted application Penetration testing of 30+ business applications.
  • Skilled in using Burp Suite, Fortify SCA, IBM AppScan, SQLMap, Nmap, Havij and DirBuster for web application penetration tests.
  • Generated and presented reports on Security vulnerabilities to both internal and external customers.
  • Security assessment of online applications to identify vulnerabilities in different categories like Input and Data Validation, Authentication, Authorization, Auditing & Logging.
  • Using HP Fortify to identify vulnerabilities like XSS, CSRF and SQL Injection at the early stages of the Software Development Life Cycle, thereby reducing time and expenses.
  • Explaining to the development team the most common vulnerabilities and common code review issues, and explaining the remediation.
  • Conduct penetration tests on systems and applications using automated and manual techniques with tools such as Core Impact, Fortify, Metasploit, Burp Suite, WebInspect, Kali Linux, CheckMarx, NetSparker and many other open source tools as needed. Work with support teams to address findings resulting from the tests.
  • Monthly automated scans of the online applications in production using WebInspect, followed by report presentation.
  • Reviewed Architecture Design Documents (ADD) and Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
  • Creating documentation for the vulnerabilities identified and reporting it to the application development team. Ensuring timely delivery of issues reported and remediation.
  • Network scanning using tools like Nmap and Nessus.
  • Secure code review of the applications using open source utilities, identifying flaws in coding practices and encouraging secure coding among the developer community.
  • Addressed and integrated security in the SDLC by following techniques like Threat Modeling, Risk Management, Logging, Penetration Testing, etc.

Confidential

IT Security Analyst

Responsibilities:

  • Conducting Software Penetration Testing, Architecture Security Analysis, Secure Software Design, Architecture analysis, Network Security Analysis, Database Security Analysis and Source Code Analysis.
  • Profile an application, identifying threats, and developing test cases to target identified threats.
  • Identifying and exploiting vulnerabilities in applications and networks.
  • Conducting application security vulnerability assessment and penetration testing using tools like Burp suite and IBM Appscan.
  • Performing vulnerability assessments using intercepting proxies, i.e., Burp Proxy, WebScarab Proxy, Paros Proxy, etc.
  • Identifying OWASP Top 10 issues like SQL Injection, CSRF, Insecure Cryptographic Storage, XSS, Unvalidated Redirects and Forwards, etc.
  • Performed Static Application Security Testing using HP Fortify and Veracode, and Dynamic Application Security Testing using Acunetix and IBM AppScan.
  • Managing project timelines, deadlines and expectations which also includes customer interactions.
  • Preparing Network Architecture Reviews and Firewall Rule-base Audits, and writing tools and scripts to automate technical processes and make audits more efficient.
  • Prepare reports documenting identified issues based on internal templates. Research emerging security topics and new attack vectors.
  • Assisting customers in understanding the risk and threat level associated with a vulnerability, so that the customer may or may not accept the risk with respect to business criticality.
  • Assisting in the review of business solution architectures from a security point of view, which helps avoid security-related issues/threats at the early stage of a project.
  • Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
  • Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
  • Keeping up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.

Confidential

System Analyst

Responsibilities:

  • Responsible for configuring, supporting and troubleshooting network devices such as Confidential routers, switches, firewalls, wireless access points and controllers, ACS and ISE.
  • Built site-to-site VPNs for remote locations and partner connections using Confidential Next Generation Firewalls.
  • Responded to network connectivity and regional data center outages; coordinated efforts with the Service Desk, ISP provider, local tech and/or store personnel to restore network services.
  • Provided network support for new application and device deployments; identified new connectivity requirements and developed solutions.
  • Monitored QRadar, a SIEM product, to identify any security violations.
  • Planned, managed, and implemented a WiFi deployment project to upgrade more than 1000 Confidential wireless access points; certified wireless coverage using AirMagnet wireless tool. 
  • Actively involved in new store openings, closings, renovations, relocations, and technology lifecycle initiatives.
  • Analyzed, logged and tracked complex software and hardware matters of significance pertaining to network connectivity, printer, server and application issues to meet business needs.
  • Handled the tasks of designing and planning LAN network expansion of the organization.
  • Responsible for upgrading and configuring Microsoft Window servers.
  • Handled the tasks of monitoring databases, ensuring the security of stored data and monitoring access to stored information in company databases.
  • Installed network routers, firewalls and cabling.
  • Responsible for preparing, loading, documenting and testing desktop and network-developed applications for deployment, staff training and inventory.
  • Managed computer/user accounts in Active Directory.
  • Supported users in multiple branches with computer, network and desktop application software; imaged new PCs for new employees or reimaged current ones; installed printers to user profiles; mapped network drives; assisted with user login and connectivity issues.
