
Mobile Application Tester Resume


MI

SUMMARY:

  • An accomplished “IT Security Engineer” with 6 years of experience, specialized in managing security projects from concepts to completion with remarkable deadline sensitivity; Skilled in penetration testing and securing network security systems
  • Comprehensive knowledge in executing Network penetration tests (Internal and External Networks), Application Security tests (Black box, Grey box) including Mobile applications and thick clients, API testing, Wireless Penetration Test, Citrix Breakout and Configuration Audit
  • Skilled in performing grey box and black box testing of the web applications.
  • Proficient in performing Static and Dynamic Analysis and Security Testing (SAST and DAST) for applications as per industry standards.
  • Hands on experience in the usage of pentest tools like Burp Suite professional, sqlmap, SWF scanner, Cenzic Hailstorm, Echo Mirage, ITR, Qualys, Nessus, nmap, nikto, Kali Linux, Metasploit, password cracking using JTR, mimikatz and psexec
  • Adept in the testing and analysis of benchmarking the application against industry standards such as PCI DSS, OWASP and SANS
  • Supported the development team in addressing and integrating Security in the SDLC by following techniques like Threat Modeling, Risk Management, Penetration Testing, etc.
  • Strong problem solving and analytical skills combined with experience in network security
  • Dedicated, hardworking individual with the intercommunication skills to work at all levels of the organization
  • Outstanding motivator and builder of teams; Work well in both team environments and individual assignments
  • Performed Application Penetration Tests for 150+ web applications in the areas of core - banking, finance, healthcare, e-commerce, marketing and stock trading systems
  • Performed numerous Network Penetration Tests and Server Configuration Audits
  • Conducted penetration testing for 15+ Thick Client applications, which include banking, HRMS, CRM, Online Exam portal and document management Systems
  • Handled pre-sales support, scoping, resourcing, effort estimation and other aspects of business development
  • Successfully managed multiple engagements offshore and at client's premises
  • Delivered various projects for clients across the globe by acting as a single point of contact for different security projects
  • Prepared comprehensive reports of the issues identified including impact, proof of concept and recommendations.
  • Discussed the issues and their impact with the client & developers by giving presentations and guided them in resolving the issues successfully.
  • Captured the flags in CTFs hosted internally at 7Safe
  • Documented testing methodology and checklists for new services as step-by-step operational procedures
  • Provided training to new employees on the process and latest technology relevant to information security
  • Created threat profile and test plan by checking the resilience of the application against identified threats
  • Generated reports of the issues identified including impact, proof of concept and recommendations
  • Studied the firewall policies and performed rule base analysis
  • Analyzed the network diagram and provided recommendations in hardening the devices from network point of view

FUNCTIONAL SKILLS:

  • Web Application Security Testing
  • Infrastructure Testing
  • Citrix XenApp Testing
  • Configuration Audit
  • Web service Testing
  • Team Management
  • Mobile Application Testing
  • Secure Network Architecture
  • Wireless Penetration Testing

GLOBAL EXPOSURE:

Gained international working experience by working at client premises in Malaysia and UK and executed various projects for clients across the globe including USA and UAE

TECHNICAL SKILLS:

Programming Skills: Basic C/C++ and Shell Scripting, JavaScript, HTML, Python

Web Application testing tools: Burp Professional, Paros, HP SWF Scanner, Cenzic Hailstorm, ZAP Proxy, WebScarab, OWASP CSRF Tester, Clickjacking Tool, XSS Me (Firefox Add-On), sqlmap (Python Script), Nikto/Wikto, Tamper Data, Echo Mirage, w3af, Fortify, IBM AppScan

Network-Level Scanners/Tools: Nessus Professional, Qualys, Nmap, OpenSSL, SSLScan, Firewalk, DirBuster, Wireshark, PuTTY, ntpq, Getif, ike-scan, Cadaver, Cain & Abel, ZAP Proxy, Hydra

Thick Client tools: Echo Mirage, ITR

Web service testing tools: SOAPUI, REST Client and POSTMAN (browser add-ons)

Debugging Tools: Immunity Debugger, WinDbg, IDA Pro

Operating Systems: Microsoft Windows Server 2008/2003, Windows XP/Vista/7

Unix/Linux-Based: BackTrack 5, Red Hat Linux, Kali, Ubuntu

PROFESSIONAL EXPERIENCE:

Mobile Application Tester

Confidential, MI

Responsibilities:

  • Understood the working of the application and prepared a threat profile
  • Performed automated scanning on the application using Confidential tool
  • Verified the vulnerabilities identified by the tool by performing manual testing on the mobile application
  • Tested for Content provider leakage and use of Implicit Intents
  • Prepared report about the findings and action items to fix the identified vulnerabilities
  • Volunteered and helped in the courses delivered by NotSoSecure
  • Participated in the bug bounty programs hosted by HackerOne and Bugcrowd
  • Captured the Flags on the Vulnerable machines hosted online like Vulnhub, Pentestit
  • Self-trained on Buffer overflow attacks and their variations like Egg hunting and Structured Exception Handler (SEH) bypass.

Confidential

Lead Security Analyst

Responsibilities:

  • Responsibly divided and assigned the tasks to the team
  • Provided project updates, report delivery and solved the technical issues faced during the project
  • Performed automated scanning and manual penetration tests for various internet facing and internal servers
  • Performed Port Scanning and Network assessment using Nmap and Tenable Nessus and a variety of tools in Kali Linux.
  • Tested and verified the possibility to break out of the Citrix lock-down environment and launched other applications like PowerShell and Command Prompt
  • Used tools like ike-scan and IKEcrack to test the security of the IPsec protocol
  • Delivered security related consultancy to help the customer with their current Citrix security set-up
  • Involved in the grey box testing of the applications in scope against OWASP top 10 testing methodology
  • Prepared report about the findings and action items to fix the identified vulnerabilities
  • Discussed the findings and the defense mechanism with the client.

Confidential

API and Web Application Tester

Responsibilities:

  • Involved in the internet footprinting and reconnaissance on the web applications
  • Tested the applications against OWASP top 10 testing methodology
  • Exploited the vulnerabilities to gain maximum privilege on the system
  • Performed automated and manual testing on the SOAP web services using SOAPUI and Burp extensions
  • In-depth testing of the XML requests and responses and the XML parser against multiple XML attacks like XML Injection and XML External Entity (XXE) attacks
  • Tested the security implementation of the REST API calls
  • Created detailed risk assessment reports which explained the identified security weaknesses, potential business risks, prioritized recommendations, and estimated costs and effort levels for remediation

Confidential

Application Tester

Responsibilities:

  • Understood the thick client functionality and its request-response mechanism using Burp, Echo Mirage and Charles Proxy
  • Tested the application for OWASP top 10 vulnerabilities like XSS, SQL Injection, CSRF, Privilege Escalation and all the other generic test-cases of web application security testing
  • Performed extensive testing of the thick-client against most of the application related attacks and Buffer overflow vulnerabilities
  • Tested the thick-client against Insecure data storage
  • Attempted to decompile and reverse engineer the binary to extract the source code and also looked for hardcoded and encrypted keys, if any
  • Created consolidated report on all the issues identified during the test

Confidential

Penetration Tester

Responsibilities:

  • Delivered configuration audit for servers used by the bank like Linux, Windows, Solaris and other servers
  • Tested the database configuration files to ensure that they follow security best practices
  • Studied various modules used by the bank, including the thick client and mobile applications.
  • Prepared a Threat Profile and Test Plan and checked the resilience of the application against identified threats.
  • Actively tested Android and iPhone applications
  • Performed penetration testing of mobile (Android and iOS) applications, including APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.
  • Examined the network diagram and recommended solutions to harden the devices as per the requirements from the network point of view
  • Studied the firewall policies and performed rule base analysis
  • Reviewed and validated the User Access Compliance on a quarterly basis.
  • Provided comprehensive report on findings and action items to fix the identified vulnerabilities.
  • Guided the developers in secure coding practices for web, mobile applications, including database and middleware systems.

PCI Auditor

Confidential

Responsibilities:

  • Studied various modules which interact with database and with web services
  • Arranged a Project Plan and requested the prerequisites
  • Tested the resilience of the application against identified threats
  • Performed tests to identify issues regarding session management, input validations, output encoding, Logging, Exceptions, Cookie attributes, Encryption, Privilege escalations and business logic
  • Assessed the security level of the payment gateway by connecting to the IVR
  • Executed generic and business logic test cases
  • Provided comprehensive report on findings and action items to fix the identified vulnerabilities
  • Tested the application for the Payment Card Industry (PCI) Compliance Program and ensured cardholder data security meets PCI DSS (Payment Card Industry Data Security Standard) requirements.
  • Verified the identified vulnerabilities with a Qualified Security Assessor
