Information Security Engineer Resume
Florham Park, NJ
SUMMARY:
- Hands-on experience with SAST and DAST using tools like HP Fortify, HP WebInspect, Checkmarx, Veracode and IBM AppScan.
- Participated in a bug bounty program and successfully found SQL injection flaws, Remote Code Execution and Broken Access Control.
- Good experience in Secure SDLC and source code analysis (manual and tool-assisted).
- Experience with compliance frameworks and requirements like PCI and HIPAA.
- Capable of identifying flaws like SQL Injection, XSS, Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Function-Level Access Control, CSRF and Unvalidated Redirects.
- Experience in Mobile and Web Application Security Testing and API Security Testing.
- Strong experience in Dynamic and Static Application Security Testing.
- Experience in penetration testing, vulnerability scanning and assessment, and secure code review.
- Strong experience with the OWASP Top 10, SANS 25 and STIG security guidelines.
- Performed continuous monitoring of IT security threats and vulnerabilities.
- Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, defence in depth, avoiding security by obscurity, keeping security simple and fixing security issues correctly.
- Experience with security monitoring tools and SIEMs such as AlienVault USM (Unified Security Management) and Splunk Enterprise.
- Subject matter expertise (SME) in integrating various security controls, policies and procedures, enforcement of workflow, access permissions, and reverse engineering business processes to facilitate enterprise compliance and efficiencies.
- Experience in analysis of system, firewall and IDS/IPS logs to identify indications of security events.
- Involved in vulnerability assessment, patch management and penetration testing using various tools like QualysGuard, Burp Suite, DirBuster, IBM AppScan, Nmap, Nessus, sqlmap, Acunetix, WebInspect, Wireshark and Netcat.
- Knowledge of FISMA, NIST standards and guidelines, general Information Security and Privacy requirements.
- Inquisitive, good in basic concepts and an excellent team player.
TECHNICAL EXPERTISE:
Vulnerability Assessment: Burp Suite, IBM AppScan, Acunetix, HP Fortify, WebInspect, DirBuster, custom scripts, Veracode, Checkmarx, OWASP ZAP proxy, Metasploit, Charles Proxy, YASCA
Network Auditing/Assessment: Nmap, Nessus, QualysGuard, Nexpose, Wireshark
Other Tools: Havij, sqlmap, Snort, Black Duck, Splunk, AlienVault USM
Operating System: Kali Linux, GNU/Linux, Windows
Programming Languages: C, C++, Java, C#, Python, PHP
Scripting Languages: HTML5, CSS, XML, JavaScript
RDBMS: MySQL, Oracle 10g/11g, PL/SQL.
PROFESSIONAL EXPERIENCE:
Information Security Engineer
Confidential, Florham Park, NJ
Responsibilities:
- Perform security reviews of application designs, source code and deployments as required, covering all types of applications (web applications, web services, mobile applications, SaaS).
- Uncovered high-severity vulnerabilities at the infrastructure level for internet-facing websites.
- Identify Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and SANS 25, and prioritize them by criticality.
- Maintain network performance through network monitoring and analysis, performance tuning and troubleshooting of network problems. Skilled in using Burp Suite, Acunetix automatic scanner, Nmap, DirBuster, HP Fortify, QualysGuard, IBM AppScan, WebInspect, Nessus and sqlmap for web application penetration tests and infrastructure testing.
- Detect the full spectrum of known cyber-attacks (e.g., DDoS, malware, phishing, ransomware and others) along with any security and compliance violations.
- Provide software security support related to Fortify and WebInspect, and remediation guidance to development teams.
- Security assessment of online applications to identify vulnerabilities in categories like input and data validation, authentication, authorization, and auditing and logging.
- Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
- Conducted Static and Dynamic Application Security Testing (SAST and DAST).
- Keep up to date with new attack techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system, by performing vulnerability assessments and pen testing for our clients.
- Experience in using Kali Linux for web application assessment with tools like DirBuster and Nmap.
- Proficient in understanding application-level vulnerabilities like XSS, SQL injection, authentication bypass, authentication flaws, exception management, etc.
- Use various Firefox add-ons like Flagfox and Live HTTP Headers to perform pen tests.
Security Analyst
Confidential, New York, NY
Responsibilities:
- Established vulnerability assessment practice, proactively ensuring safety of client-facing applications and minimizing client audit findings.
- Performed semi-automated and manual web application and network penetration testing utilizing multiple tools, including but not limited to Burp Suite, Netsparker, Tenable Nessus, sqlmap, WebInspect, custom scripts, HP Fortify, Nmap, Netcat and other tools within the Kali Linux toolset.
- Real-time experience in DoS and DDoS protection, SQL injection protection, XSS protection, script injection and other major attack protection techniques.
- Conducted vulnerability assessments and penetration testing using Nessus and WebInspect.
- Performed Static and Dynamic Application Security Testing and reported issues to the concerned application teams.
- Created written reports detailing assessment findings and recommendations.
- Assisted in preparing plans to review software components through source code review or application security review.
- Assisted developers in remediating issues found in security assessments with respect to OWASP standards.
- Performed static code analysis using Veracode and coordinated with application teams and the source code review team to remediate the vulnerabilities.
- Classified Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and prioritized them by criticality.
Graduate Assistant
Confidential, NY
Responsibilities:
- Maintained and analyzed student data profiles for the Confidential (School of Electrical and Computer Science) department.
- Organized admission applications for incoming students and forwarded them to the concerned departments or faculty.
- Processed student course registration for the current and upcoming semester.
- Offered guidance and support to new international students about U.S. culture and life at NYIT.
- Assisted with on-campus events run by central departments and academic schools.
System Engineer
Confidential
Responsibilities:
- Extensive interaction with the customer to understand business issues and requirements, performing exhaustive analysis and providing end-to-end solutions.
- Conducted web application vulnerability assessment, threat modelling, gap analysis and secure code review on applications.
- Acquainted with various approaches to grey-box and black-box security testing.
- Performed multiple levels of testing before production to ensure a smooth deployment cycle.
- Performed vulnerability testing using tools such as Nessus and QualysGuard.
- Maintained network performance through network monitoring and analysis, performance tuning and troubleshooting of network problems. Skilled in using Burp Suite, Acunetix automatic scanner, Nmap, DirBuster, QualysGuard, Nessus and sqlmap for web application penetration tests and infrastructure testing.
- Created custom rules in the WAF and SIEM based on the events logged, which minimized false positives.
- Incorporated information security requirements into other IT processes (change management, quality assurance, SDLC, log and SIEM monitoring etc.).
- Application security review of all impacted and non-impacted issues.
- Assisted the customer in understanding the risk and threat level associated with a vulnerability so that the customer may accept or reject the risk with respect to business criticality.
- Identified Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and SANS 25, and prioritized them by criticality.
- Ensuring compliance with legal and regulatory requirements.
- Security monitoring to identify any possible intrusions.
- Guiding the developers in fixing the issues by simulating the attack.