
Penetration Tester/Security Analyst Resume


Milpitas, CA

SUMMARY

  • Professional with 7+ years of progressive experience in Information Technology with extensive experience in Information Security, Application Security, Software Security, Enterprise Vulnerability Management, penetration testing and generating reports using tools.
  • Domain expertise in Insurance, Banking and Financial Services, Health Care.
  • Expertise in performing application security risk assessments throughout the SDLC, including application security design, review, testing and remediation.
  • Experience in vulnerability assessment and penetration testing using tools such as Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, HP Fortify, IBM AppScan Enterprise, Kali Linux and Metasploit.
  • Experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
  • Good knowledge of programming and scripting in ASP and Java.
  • Simulate how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
  • Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
  • Reporting the identified issues in the industry standard framework.
  • Sound knowledge and industry experience in vulnerability assessment and penetration testing of web-based applications, mobile applications and infrastructure.
  • Broad knowledge of hardware, software, and networking technologies to provide a powerful combination of analysis, implementation, and support.
  • Proven experience in manual/automated security testing, secure code review of web and mobile applications
  • Security assessment based on OSSTMM methodology and OWASP framework.
  • Experience in establishing process for periodic reviews of privilege user groups at AD, database and application level.
  • Implementation and review of security controls across SDLC.
  • Ability to work in large and small teams as well as independently.
  • As an ethical hacker, use port scanning tools like Nmap and Nessus to scan one's own systems and find open ports, so that the vulnerabilities associated with each port can be studied and remedial measures taken.
  • Examine patch installations and make sure that they cannot be exploited.
  • Ethically engage in social engineering techniques such as 'dumpster diving', rummaging through trash bins for passwords, charts or sticky notes with crucial information that could be used to mount an attack.
  • Employ other social engineering techniques such as 'shoulder surfing' to gain access to crucial information, or play the 'kindness card' to trick employees into parting with their passwords.
  • As an ethical hacker, test whether IDS (intrusion detection systems), IPS (intrusion prevention systems), honeypots and firewalls can be evaded.
  • Employ other strategies such as sniffing networks, bypassing and cracking wireless encryption, and hijacking web servers and web applications, all within an authorized, ethical engagement.

TECHNICAL SKILLS

Languages/Scripts: Java, C, C++, JavaScript, HTML, XML, CSS and VBScript.

Web/App Servers: IBM WebSphere 8.5, WebLogic 8.1/7.0, Tomcat, Apache 1.3/2.0, Oracle Application Server, JBoss Application Server.

RDBMS: Oracle 11g/10g/9i/8i/7.x, MS SQL Server 7.0, DB2 and MySQL.

Operating Systems: Windows 9x/NT/2000/XP/Vista/7, UNIX, Linux.

Network Tools: Nmap, Wireshark, Nessus.

Tools/Frameworks: IBM AppScan Standard Edition, HP WebInspect, Acunetix Web Scanner, Burp Suite, Paros Proxy, Wireshark, OWASP WebScarab, Nmap, Metasploit, SQLmap, OWASP ZAP Proxy, HP Fortify, DirBuster, SQL injection tools, Havij, CSRFTester, Kali Linux, Veracode, WebGoat.

Security Concepts: SSL implementation, RSA implementation, PKI (Public Key Infrastructure), encryption algorithms.

Development Tools: RSA 7.0, RAD 8.5, WSAD, Eclipse 3.1, JBuilder.

PROFESSIONAL EXPERIENCE

Confidential, Milpitas, CA

Penetration Tester/Security Analyst

Responsibilities:

  • Manage and perform Nessus and Nmap scans before all production releases, analyze the vulnerabilities found and report to all stakeholders.
  • Acquainted with various approaches to Grey & Black box security testing
  • Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
  • Skilled in using Burp Suite, Nmap, DirBuster, Nessus and SQLmap for web application penetration tests and infrastructure testing.
  • Monitor the Security of Critical System (e.g. e-mail servers, database servers, Web Servers, Application Servers, etc.).
  • Manage changes to highly sensitive computer security controls to ensure appropriate system administrative actions, and investigate and report on noted irregularities.
  • Conduct network Vulnerability Assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans and Security Procedures.
  • Identifying critical, high, medium and low vulnerabilities in the applications based on the OWASP Top 10 and prioritizing them by criticality.

Confidential, Alexandria, VA

Penetration Tester/Security Analyst

Responsibilities:

  • Performed grey box testing of the web applications.
  • Execute and craft different payloads to attack the system for finding vulnerabilities with respect to input validation, authorization checks, etc.
  • Review and Validate the User Access Compliance on a quarterly basis.
  • Review the requirements for privileged access on an everyday basis and provide recommendations.
  • Review and validate the privileged users and groups at Active Directory, Databases and application on a periodic basis.
  • Documented information security guidance in step by step operational procedures.
  • Performed static code reviews with the help of automation tools.
  • Performed a threat analysis on the new requirements and features.
  • Used Burp Suite, DirBuster, HP Fortify and Nmap on a daily basis as part of penetration testing to complete the assessments.
  • Establishing and improving the processes for privileged user access request.
  • Review of firewall rules and web proxy policies.
  • Highlight user access and privileged user access risks to the organization and provide the remediation plan.

Confidential, Ramsey, NJ

Penetration Tester/Security Analyst

Responsibilities:

  • Participated in the business requirements meetings and provided inputs.
  • Conducted security assessment of PKI Enabled Applications.
  • Skilled in using Burp Suite, Acunetix automatic scanner and Nmap for web application penetration tests.
  • Conducted application penetration testing of 90+ business applications
  • Conducted Compliance Audits
  • Acquainted with various approaches to Grey & Black box security testing
  • Proficient in understanding application-level vulnerabilities like XSS, SQL injection, CSRF, authentication bypass, weak cryptography, authentication flaws etc.
  • Actively search for potential security issues and gaps that are beyond the detection ability of any security scanner tool. Initiate and develop new mechanisms to address unidentified security holes and challenges.
  • Real-time Analysis and defence.
  • Vulnerability assessment (VA), Security policy, and network and security audit.
  • Configuration and management of Confidential IDS, Check Point firewall and Snort.
  • Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.
  • Monitor, Analyse and respond to security incidents in the infrastructure. Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.

Confidential, Indianapolis, IN

Penetration Tester/Security Analyst

Responsibilities:

  • Worked with business analysts to gather business requirements.
  • Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality.
  • Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
  • Security testing of APIs using SoapUI.
  • Experience in using Kali Linux for web application assessment with tools like DirBuster, Nessus and Nmap.
  • Performed static analysis with HP Fortify and dynamic analysis with NowSecure Labs.
  • User ID reconciliation on quarterly basis.
  • Keep up to date with new attack techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing systems.
  • Threat modeling of projects, getting involved before development starts to improve security at the initial phase.
  • STRIDE assessment of the applications during the design phase, identifying the threats possible and providing security requirements.
  • Training the development team on the most common vulnerabilities and common code review issues and explaining the remediations.
  • Good knowledge of programming and scripting in .NET and Java.
  • Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
  • Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
  • Ensuring SDLC to be a Secure SDLC.

Confidential

Security Engineer / Application Security Analyst

Responsibilities:

  • Review and implement security architecture controls for changes in various applications.
  • Perform threat modeling for changes made in different categories like HRMS, workflow management, finance.
  • Perform security code review of Java, .NET and PHP code using static code analysis tools such as HP Fortify and IBM AppScan. Help teams remediate security issues with sample code.
  • Automated black box review using dynamic analysis tools for various web applications.
  • Perform manual assessment of web applications using a proxy and browser add-ons (SQL Inject Me, XSS Me, Session Manager, Cookie Manager, Firebug, User Agent Switcher, REST Client, Postman, Tamper Data, Live HTTP Headers etc.).
  • Guide development teams to close the reported application security vulnerability in static, dynamic or manual security assessment and provide sample code snippets if required.
  • Approve security review of the web applications based on final reports and closure comments.
  • Implemented two-way (mutual) SSL on Apache 2.
