Security Engineer Resume
Bellevue, WA
SUMMARY
- A CCNA, ISTQB and CEH Professional.
- Experience in implementing security in every phase of SDLC.
- Hands-on experience in application security, penetration testing, vulnerability assessments and OWASP Top 10, along with different security testing tools.
- 9+ years of experience in IT industry specialized in Information Security.
- Experience as an Information Security Analyst involved in OWASP Top 10 based Vulnerability Assessment of various internet facing point of sale web applications and Web services.
- Capable of identifying flaws like Injection, XSS, Insecure direct object, Security Misconfiguration, Sensitive data exposure, Functional level access control, CSRF, Unvalidated redirects etc.
- Experience in multiple web application security testing tools like Confidential AppScan, Fortify, WebInspect, Burp Suite, sqlmap, Nmap, Checkmarx, Veracode and OWASP ZAP Proxy.
- Experience in mobile security testing using MobSF and ZAP for iOS and Android.
- Involved in REST API and SOAP Web Services testing.
- As a Security Consultant involved in enhancing the security stature of the projects by initiatives like PSB Gap Analysis, Threat Modeling, Secure Coding practices and Security awareness sessions.
- Reporting the identified issues to the POCs.
- Simulate how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
- Performed Manual Security Assessments (DAST) of API and Web Applications using Burp Suite and Web Inspect.
- Assisting teams to perform SAST scans using Fortify and assisting them with remediating the issues.
- Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
- Experience in Triaging the bugs, Bug chasing and creating Metric reports.
- Experience in filing 3PP bugs reported by tools such as Snyk and Sonatype.
- Excellent team player, enthusiastic initiator, and able to learn fundamental concepts effectively and efficiently.
- Created videos and small skits to educate the organization on the importance of security.
- Experience in creating virtual boxes and VMs for the security needs.
- Hands-on knowledge of programming and scripting in Core Java and JavaScript, and knowledge of Python.
- Performed threat modelling of applications and suggested improvements for the same.
- Led the team of security engineers and mentored the team members.
- Participated in boot camp sessions, Security conferences and Hackathon challenges.
PROFESSIONAL EXPERIENCE
Confidential, Bellevue, WA
Security Engineer
Responsibilities:
- Team member of Security Advocacy Quality Control Team (SAQC)
- Triaging bugs; triaged more than 1,000 bugs.
- Assigning the bugs to the right teams and bringing them to closure.
- Chasing the bug owners across the organization for the Over SLA and Over Half-life bugs.
- Assisting the bug owners in filing the GRC extension/exception if the bug is anticipated to cross Over SLA.
- Auditing the Security assessments.
- Helping teams across the business unit increase their productivity.
- Improving the security posture in the organization by creating new processes or improving existing ones.
- Filing bugs on Commerce Cloud and assisting the team with improving the process.
- Following up on the SAs which are stuck in the same status and bringing them to closure.
- Filing Critical and High 3PP bugs which are reported on Snyk and Sonatype, and assigning them to the right resources for quick closure.
- Triaging the Security Assessments.
- Manual risk scoring of Security Assessments.
- Weekly reports on Metrics across the Security organization for the Leadership team’s visibility.
Confidential, Bellevue, WA
Application Security Engineer
Responsibilities:
- Gathering all requirements from application owners to perform Security Assessments. Performing web application, REST/SOAP API and mobile application Security Assessments.
- Performing manual Security Assessments on web applications and REST/SOAP API endpoints using Burp Suite and Fortify WebInspect.
- Performing SAST scans (source code scans) with Fortify through the CI/CD pipeline, and assisting teams in configuring and running the Checkmarx plugin in Eclipse.
- Testing Android and iOS applications using MobSF and Burp Suite.
- Conducted testing over the applications every quarter to comply with PCI Standards.
- Identifying vulnerabilities, creating reports according to industry standards and sharing them with the application owners.
- Following up with the application owners on the remediation efforts on the vulnerabilities found.
- Analyzing the issues and remediation efforts taken by our vendors in Veracode.
- Perform application penetration tests across public and private networks.
- Evaluate, deploy, and manage application security tools (DAST & SAST).
- Performed vulnerability scanning using Burp Suite and maintained clear documentation for every report that is generated.
- Communicate technical vulnerabilities and remediation steps to developers and management.
- Work on improvements for security services, including the continuous enhancement of existing methodology material and supporting assets.
- Work with application developers to validate, assess, understand root cause and mitigate vulnerabilities.
- Identifying Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25, and prioritizing them by criticality.
- Scheduled a penetration testing plan throughout the organization and completed all the tasks in the given time frame.
- Proactively conducted research, analyzed and reported on trends in certain activities, vulnerabilities, reported attack methods and known exploits that could impact network and information assets.
- Creating the virtual box and VMs for the security needs.
- Working continuously on the improvement of security processes.
- Instrumental in creating a Wiki page for all security-related material in the organization.
- Also created a process for tracking our efforts in Jira.
Confidential, Framingham
Senior Security Consultant / Penetration Tester
Responsibilities:
- Working in collaboration with both networking and security teams.
- Scheduled a penetration testing plan throughout the organization and completed all the tasks in the given time frame.
- Performed pen tests over different business applications of the organization.
- Created a detailed written report on the assessment findings and recommendations.
- Conduct penetration tests on systems and applications using automated and manual techniques with tools such as Core Impact, Metasploit, Burp Suite, Kali Linux, Checkmarx, NetStumbler and many other open source tools as needed.
- Performed vulnerability scanning using Nessus Security Center and maintained clear documentation for every report that is generated.
- Performed vulnerability analysis over wired and wireless networks.
- Identifying Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and prioritizing them by criticality.
- Kept up to date with new hacks and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
- Promoted a new and cost-effective plan against phishing attacks and successfully reduced the volume of phishing mails by up to 60%.
- Proactively conducted research, analyzed and reported on trends in certain activities, vulnerabilities, reported attack methods and known exploits that could impact network and information assets.
- Conducted attack analysis on the IDS reports to detect the attacks and reported the analysis.
- Conducted security assessment of PKI Enabled Applications.
- Performed penetration testing over the enterprise systems to audit the standards to comply with ISO Standards.
- Conducted Pre-IAM Assessments and created detailed reports displaying prioritized findings, demonstration of exploits, explanation of compromise impacts, and recommendations for mitigation.
- Executed live packet data capture using Wireshark to examine security flaws in the network devices.
- Gave presentations to the client on their security issues and potential solutions for those problems.
- Used CVSS scores to create reports demonstrating the severity of the existing vulnerabilities, which helped prioritize the course of implementation depending on the severity of the vulnerabilities.
- Documented a Closure Document detailing my findings and recommendations for security improvement and patch management.
Confidential, San Jose, CA
Senior Penetration Test Engineer
Responsibilities:
- Worked with a team of individuals dedicated to conducting research, detecting attacks and building mitigation techniques for threats posed at the network and application layers.
- Conducted application penetration testing over various business applications.
- Responsible for assessing the controls to identify gaps and to design and analyze segregation of duties, least privilege for that application.
- Performed functional testing of security solutions like RSA two factor authentication, single sign on, DLP, etc.
- Performed password cracking tests over the administrator and user accounts to evaluate the strength of the passwords used.
- Used John the Ripper, RainbowCrack, Hydra and Ophcrack for password cracking tests.
- Conducted testing over the applications to comply with PCI DSS Standards.
- Capturing and analyzing network traffic at all layers of the OSI model.
- Built a Management Evaluation Environment utilized to address the business requirements and risks involved to mitigate or decrease the intensity of threat exploitation.
- Monitored and analyzed the security logs and application data logs from NIDS and the application firewall using Splunk.
- Logging security incidents and conducting Root Cause Analysis.
- Performed Vulnerability Assessments using Paros Proxy, Burp Suite, Confidential AppScan and HP Fortify WebInspect.
- Created videos to educate the organization on the importance of security.
- Evaluated the requirements using various scanning tools at both on-site and remote locations.
- Assisting in the review of business solution architectures from a security point of view, which helps avoid security-related issues/threats at an early stage of the project.
- Effectively communicated the security issues with the security engineers and non-technical personnel from different domains.
- Re-evaluated the issues to ensure the closure of vulnerabilities addressed during analysis phase.
- Conducted analysis using Kali Linux environment and effectively neutralized DoS, DDoS, XSS and SQL Injection Attacks.
- Involved in security testing and analyzed vulnerability scan reports generated by Confidential AppScan and HP Fortify WebInspect.
- Active member of Cisco CSTG White Hats, Confidential.
- Performed threat modelling of the applications and suggested improvements on their approach.
Confidential
Penetration Tester
Responsibilities:
- Was part of the team that designed and configured the security infrastructure.
- Performed pen testing on the internet-facing and intranet-facing applications and on the network infrastructure of the client.
- Executed different crafted-payload attacks, built using Nmap, to infiltrate the network infrastructure and application layer.
- Identification of different vulnerabilities of applications by using proxies like Burp Suite to validate the server-side validations.
- Created basic rules in Snort to identify the activities going on in the network.
- Configured server, network devices and security systems according to NIST Standard Best Practices.
- Conducted basic penetration testing on the security systems to evaluate the security policies implemented.
- Verified the existing access-control lists for least privilege, separation of duties and job rotation.
- Identified issues in session management, input validation, output encoding, logging, exceptions, cookie attributes, encryption and privilege escalation.
- Responsible for giving the Security.
- Gave several presentations to the end client about the progress of work on a regular basis.
- Maintained documentation and prepared reports on issues raised, vulnerabilities, evaluations and recommendations.