- A Certified Ethical Hacker with 5+ years of experience in Information Security and Penetration Testing.
- Experience in penetration testing of web/mobile applications in domains such as Healthcare, BFSI, and Telecom.
- Experience with compliance frameworks and requirements such as PCI and HIPAA.
- Hands-on experience with SAST and DAST using tools such as HP Fortify, HP WebInspect, Checkmarx, and IBM AppScan.
- Experience in vulnerability assessment using tools such as Burp Suite, OWASP ZAP Proxy, DirBuster, Kali Linux, Metasploit, and Acunetix.
- Experience in implementing security in rapid software development methodologies (such as Agile).
- Experience with network scanning using tools such as Nmap, Nessus, and Wireshark.
- Experience in threat modelling during the requirements-gathering and design phases.
- Involved in implementing and validating the security principles of minimizing attack surface area, least privilege, secure defaults, defence in depth, avoiding security by obscurity, keeping security simple, and fixing security issues correctly.
- Implemented an enterprise-level Application Security program (DAST and SAST) to identify, report, and remediate security vulnerabilities in applications deployed in DEV, PRE-PROD, and PROD environments.
- Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
- SOX compliance audit experience on controls such as user access management, change management, and incident management.
- Knowledge of security threat and vulnerability management and security analytics.
- Inquisitive, good at fundamental concepts, and an excellent team player.
Tools: HP Fortify, HP WebInspect, IBM AppScan, Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, Kali Linux, Metasploit, Acunetix.
Programming Languages: Python, SQL, PHP, Java
Operating Systems: Kali Linux, GNU/Linux, Windows 7/10
Confidential, Washington, DC
Information Security Engineer
- Perform security assessments on 80+ internal and internet-facing mobile/web applications based on the OWASP Top 10 and CWE/SANS Top 25.
- Perform manual penetration testing of applications using Burp Suite.
- Perform static code scans (SAST) using HP Fortify and dynamic scans (DAST) using WebInspect, and report issues to the concerned application teams.
- Review and analyze vulnerabilities from SCA reports to determine business impact and eliminate false positives.
- Report identified issues to development teams and follow up on the fixes.
- Manage and maintain Jenkins integration jobs to support application security automation.
- Audited applications written in Java/JSP, C#, and C/C++. Utilized the OWASP and Ounce Labs formal methodology to conduct code reviews and risk assessments.
- Provide software security support for Fortify and WebInspect and remediation guidance to development teams.
- As a security focal point, coordinated with multiple teams and reduced vulnerabilities by 90% in the first year of work and maintained a steady decrease.
- Identified issues in session management, input validation, output encoding, exception handling, cookie attributes, and encryption.
- Involved in secure design and solutions for newly proposed applications during the design phase of the SDLC.
- Provide security consultancy on cloud security initiatives and compliance with existing security standards, interfacing with infrastructure and development teams.
- Provided security implementation for authorization through controls such as the principle of least privilege, relinquishing privilege when not in use, non-guessable tokens, and forced-browsing checks.
- Took the initiative to streamline the access control mechanism of various applications.
- Trained the development team on secure coding practices.
Environment: HP Fortify, HP WebInspect, Black Duck, Burp Suite, Charles Proxy, Eclipse, Nessus, Archer, Jenkins, GitHub, Java.

Confidential, Portland, OR
Application Security Engineer
- Pen testing of various applications containing PHI to ensure the company meets compliance requirements.
- Used Burp Suite, DirBuster, and Nmap on a daily basis to complete the assessments.
- Identified issues in session management, input validation, output encoding, logging, cookie attributes, encryption, and privilege escalation.
- Classified vulnerabilities in the applications as Critical, High, Medium, or Low based on the OWASP Top 10 and prioritized them by criticality.
- Performed dynamic scans using IBM AppScan and provided reports of identified issues to development teams.
- Performed IDS/IPS mitigation/response and vulnerability scanning in support of internal and HIPAA requirements.
- Worked with software development teams to review the vulnerabilities reported by IBM AppScan and eliminate false positives.
- Responsible for assessing controls to identify gaps and for designing and analyzing segregation of duties and least privilege for the application.
- Validated session management, input validation, protocol controls, cryptography, logging, and information leakage.
- Provided remediation steps to application teams and retested fixed issues to ensure closure.
- Implemented security into the SDLC via application risk assessment, requirements gathering, design review, and application vulnerability assessment.
- Performed validation of the design of features such as authentication, authorization, and accountability.
- Actively involved in the release management process to ensure all application changes had gone through security assessment.
- Initiated reconciliation of exceptions and minimized the count of exceptions in the projects.
Environment: Burp Suite, DirBuster, IBM AppScan, Nmap, Wireshark, Java, ASP.NET, MySQL, Microsoft Visual Studio.

Confidential, WI
- Identified OWASP Top 10 issues such as SQL injection, XSS, CSRF, information leakage, and broken authentication using OWASP ZAP Proxy.
- Network scanning using tools such as Nmap and Nessus.
- Validated logging controls such as authentication logging, profile modification logging, logged details, log location, and HTTP logging.
- Prepared the risk registry for the client's various projects and ensured all controls were covered in the checklist.
- Performed network traffic analysis with daily review of data from sources including NIDS, proxy servers, ISA firewall, and in-house audit collection.
- Executed and crafted different payloads to attack the system, carrying out XSS and other attacks.
- Ensured accuracy in creating information security documents in compliance with NIST standards.
- Conducted backend testing on the database using SQL queries to ensure the integrity and consistency of the data.
- Verified the existing controls for least privilege, separation of duties, and job rotation.
- Identified malicious or anomalous activity based on event data from firewalls, WAF, IPS, and other sources.
- Updated the checklist weekly to ensure all test cases stayed current with attacks being observed in the field.
- Responsible for writing custom Bash/Perl scripts to automate tasks.
- Coordinated and maintained the development of an application that integrates the mainframe and Java.
- Gray-box testing of the applications.
Environment: OWASP ZAP Proxy, DirBuster, Wireshark, Nessus, Nmap, Metasploit, Java, PHP, MySQL, Apache.

Confidential
- Conducted penetration testing of web applications and networks.
- Performed penetration testing on internal systems using popular penetration testing tools such as Nessus, Wireshark, and Metasploit.
- Handled documentation and metrics reporting.
- Provided oral briefings to leadership and technical staff as necessary.
- Executed daily vulnerability assessment, threat assessment, mitigation, and reporting activities to safeguard information assets and ensure protection was in place on the systems.
- Found common website security issues (XSS, CSRF, session fixation, SQL injection, information leakage, application logic, etc.) across various platforms.
- Analyzed test data to verify results were in accordance with the requirements specification.
- Monitored the Intrusion Detection System for compromised internal networks and followed up with investigation.
- Assisted in vulnerability remediation efforts across various projects by proposing remediation strategies and plans of action.
- Solved security-related issues regarding user profiles and permissions in Active Directory, proxy functions, new systems/applications added to the enterprise network, physical access permissions, and mobile security.
- Researched and analyzed known hacker methodology, system exploits, and vulnerabilities to support Red Team assessment activities.
- Worked collaboratively with engineering teams to drive architectural/design changes to improve security.
Environment: Paros Proxy, DirBuster, Wireshark, Nessus, Nmap, Metasploit, Java, PHP, MySQL, Apache.