Penetration Tester/Information Security Analyst Resume
Frisco, TX
SUMMARY:
- Over 5 years of professional IT experience in application security testing, focused on technical activities such as penetration testing, code review, secure application testing and OWASP-based vulnerability analysis.
- Delivered training programs on "Tool Based Solutions for Quality Deliverables" giving demos on various tools for Application Static Analysis, Quality Analysis, Security Analysis, and Automation Build & Continuous Integration.
- Skilled in tools including Burp Suite, SQLMap, Acunetix, Metasploit, QualysGuard, Nexpose, Nessus, Nmap, OWASP ZAP Proxy and HP Fortify.
- Experience with the OWASP (Open Web Application Security Project) Top 10 and WASC Threat Classification 2.0 methodologies.
- Worked on application security analysis for major clients using IBM AppScan and HP Fortify.
- Hands-on experience with protection against SQL injection, script injection, XSS and other common attack techniques.
- Vulnerability assessment of N-tier applications across various domains using both manual and automated tools.
- Programming skills in JavaScript, Ruby and Python scripting.
- Expertise in working on Patch Management, Penetration Testing and Vulnerability Scanners.
- Good knowledge of gathering requirements from stakeholders, planning engagements and constructing RFPs/RFQs; strong technical understanding of vulnerabilities and how attackers exploit them to compromise systems.
- Proficient in Windows, Linux and UNIX operating system configuration, utilities and programming.
- Strong knowledge of software, hardware and networking technologies, providing a combination of analysis, implementation and support.
- Industry experience in vulnerability assessment and penetration testing of web-based applications, infrastructure and mobile applications.
- Good experience in Secure SDLC and source code analysis (manual and tool-based) of web-based applications.
- Security assessments based on the OWASP framework, with identified issues reported in an industry-standard format. Exploited the identified vulnerabilities to confirm them and performed software licensing audits.
- Experience in Threat Modeling during Requirement gathering and Design phases.
- Strong analytical, problem solving and communication skills.
- Experience with security risk management for TCP/IP-based networks.
- Ability to work in large and small teams as well as independently.
- Ability to successfully manage multiple deadlines and multiple projects.
WORK EXPERIENCE:
Confidential, Frisco, TX
Penetration Tester/Information Security Analyst
Responsibilities:
- Conducted onsite penetration tests from an insider threat perspective.
- Analyzed malware behavior, network infection patterns and security incidents.
- Analyzed classified network security intelligence reports on a daily basis.
- Produced advisory reports regarding 0-day exploits, Confidential vulnerabilities, current network.
- Performed host, network and web application penetration tests using Burp Suite.
- Performed network security analysis and risk management for designated systems.
- Performed source code security analysis using the Fortify and AppScan tools.
- Proposed strategies for remediating system vulnerabilities.
- Developed Security Assessment Plan, Security Assessment Report, Security Assessment Questionnaire, Rules of Engagement, Kick-off Brief and Exit Brief templates.
- Performed static source code review with the Fortify source code analyzer and dynamic testing through manual testing.
- Created OWASP web application test cases and mapped them to the associated NIST (Rev. 4) security controls. Familiar with SOX, ISO 2700x and NIST.
- Performed peer reviews of Security Assessment Reports (SAR).
- Researched and analyzed known hacker methodology, system exploits and vulnerabilities to support Red Team Assessment activities.
- Created written reports, detailing assessment findings and recommendations.
- Provided oral briefings to leadership and technical staff, as necessary.
- Provided assistance with the development and maintenance of internal Red Team methodology, to include training program.
- Performed risk assessments to ensure corporate compliance.
- Developed agenda for quarterly audit program.
- Conducted security event monitoring for corporate wide in-scope applications. Performed application security and penetration testing using Rational AppScan.
Environment: Burp Suite, AppScan, Fortify source code analysis, Brakeman, IDA Pro, SoapUI, Nessus, SIEM tools, Kali Linux, VirusTotal, Cuckoo, Nmap, Zenmap, Wireshark, Acunetix, Aircrack, John the Ripper, Metasploit, OWASP ZAP (Zed Attack Proxy), Cain & Abel, SQLmap, SQLNinja, BeEF, Nikto, NVD, Linux/Unix, IDS/IPS, firewalls
Confidential, Austin, TX
Security Tester
Responsibilities:
- Performed Vulnerability Assessment of Web Applications.
- Conducted application penetration testing of 50+ business applications.
- Supported business development activities such as preparing SOW documents and drafting responses to RFPs.
- Skilled in using Burp Suite, DirBuster, Acunetix automated scanner, AppScan, Nessus, Nexpose, Nmap and SQLmap for web application penetration tests and infrastructure testing.
- Familiar with various approaches to grey-box and black-box security testing.
- Well versed in application-level vulnerabilities such as SQL injection, XSS, CSRF, authentication bypass, authentication flaws and cryptographic attacks.
- Reviewed source code and developed security filters within AppScan for critical applications.
- Experience with onsite & remote security consulting including penetration testing, web application security assessment, application testing, and onsite internet security assessment.
- Worked extensively with software development teams to review source code, triage the security findings generated by IBM AppScan, Burp Suite and HP WebInspect, and eliminate false positives.
- Monitored the security of critical systems (e.g. e-mail servers, application servers, database servers and web servers).
- Utilized QualysGuard as the primary tool to track vulnerabilities and remediation tickets.
- Performed network vulnerability assessments to evaluate attack vectors, identify system vulnerabilities, review security procedures and develop remediation plans.
- Captured Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and SANS Top 25 and prioritized them by severity.
- This experience has allowed me to find and address security issues effectively, implement new technologies and efficiently resolve security problems. With a strong background in application security (software), network communications and systems, I look forward to implementing, creating, managing and maintaining information security frameworks for large-scale, challenging environments.
Environment: Burp Suite, OWASP Top 10, SANS Top 25, Kali Linux, AppScan, Wireshark, Metasploit, HP QC/ALM, anti-phishing planning, John the Ripper, Nmap, Nessus Security Center, QualysGuard, network and security.
Confidential
Security Engineer
Responsibilities:
- Worked with a team dedicated to research, attack detection and building mitigation techniques for threats at the network and application layers.
- Conducted application penetration testing over various business applications.
- Assessed controls to identify gaps, and designed and analyzed segregation of duties and least privilege for the application.
- Performed functional testing of security solutions like RSA 2-factor Authentication, Novell Single Sign-on, Data Loss Prevention (DLP), etc.
- Performed password cracking tests against administrator and user accounts to evaluate the strength of the passwords in use.
- Used John the Ripper, RainbowCrack, Hydra, Ophcrack for Password cracking tests.
- Tested applications for compliance with the PCI DSS standard.
- Captured and analyzed network traffic at all layers of the OSI model.
- Built a management evaluation environment used to assess business requirements and associated risks in order to mitigate or reduce the impact of threat exploitation.
- Monitored and analyzed security logs and application data logs from the NIDS and application firewall using Splunk.
- Logged security incidents and conducted root cause analysis.
- Performed Vulnerability Assessments using Paros Proxy, Burp Suite, WebScarab, Yasca, Maltego.
- Evaluated requirements using various scanning tools, both on-site and remotely.
- Assisted in reviewing business solution architectures from a security point of view, helping to avoid security issues and threats at an early stage of the project.
- Effectively communicated the security issues with the security engineers and non-technical personnel from different domains.
- Re-evaluated the issues to ensure the closure of vulnerabilities addressed during analysis phase.
- Conducted analysis in a Kali Linux environment and effectively mitigated DoS, DDoS, XSS and SQL injection attacks.
Environment: RSA two-factor authentication, Novell Single Sign-on, Data Loss Prevention (DLP), John the Ripper, RainbowCrack, Hydra, Ophcrack, network traffic analysis at all layers of the OSI model, NIDS, application firewall, Splunk, Paros Proxy, Burp Suite, WebScarab, Yasca, Maltego and Kali Linux.