Security Test Engineer Resume
Charlotte, NC
SUMMARY:
- Accomplished IT Security professional with 5+ years of work experience assisting organizations in successfully completing enterprise-wide security projects. Experienced in performing risk assessments, penetration testing and network/application vulnerability assessments.
- Domain expertise in Telecom, Banking and Financial Services, Health Care.
- Experience in vulnerability assessment and penetration testing using various tools like Metasploit, Burp Suite, DirBuster, OWASP ZAP proxy, Nmap, OpenVAS, Nessus, HP Fortify, IBM AppScan Enterprise and Kali Linux.
- Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
- Good knowledge of programming and scripting in ASP and Java.
- Simulate how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
- Proven track record of streamlining security processes and designing and implementing efficient security solutions. Involved in implementing and validating the security principles of minimum attack surface area, least privilege and secure defaults, avoiding security by obscurity, keeping security simple and fixing security issues correctly.
- Experience in Threat Modeling during Requirements gathering and Design phases. Performed software Licensing audit.
- Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
- Reporting the identified issues in an industry-standard framework.
- Sound knowledge and industry experience in Vulnerability Assessment and Penetration Testing of web-based applications, mobile applications and infrastructure.
- Ability to work in large and small teams as well as independently.
- Experience with Security Risk Management for TCP-based networking. Experience with TCP/IP, Firewalls and LAN/WAN. Static Code Analysis during the development phase. Quick learner and committed team player with interpersonal skills who enjoys a challenging environment with scope to improve myself and contribute to the cause of the organization.
- Experience in establishing a process for periodic reviews of privileged user groups at the AD, database and application level.
- Implementation and review of security controls across the SDLC.
TECHNICAL SKILLS:
Standards & Framework: OWASP, OSSTMM, PCI DSS
Application Scanners: IBM AppScan, HP WebInspect
Network Security Tools: Nessus, OpenVAS, NMap
Proxies/Sniffers/Tools: Burp Suite, WebScarab, Wireshark, DirBuster, Veracode
Operating Systems: Windows, RHEL, Kali Linux
Databases: MySQL, MS SQL, Oracle
Penetration Testing: Wireshark, Metasploit Framework
Programming Languages: C, C#, Java, Python, JavaScript, Swift, Obj-C, .NET
PROFESSIONAL EXPERIENCE:
Confidential, Charlotte, NC
SECURITY TEST ENGINEER
RESPONSIBILITIES:
- Performing web application security testing for bank-owned internal and external applications manually, with the help of proxy tools like Burp Suite, SSLyze and SoapUI.
- Verifying the security posture of the applications with respect to OWASP TOP 10 vulnerabilities.
- Understanding the functionalities of the application to perform business logic tests and verifying that all sensitive information is properly protected.
- Identified high-severity issues like SQL Injection, XSS, CSRF, Missing Functional Level Access Control, SSL/TLS related issues, etc.
- Reporting the identified vulnerabilities with a detailed description of the issues, steps to reproduce them and their countermeasures.
- Scheduling report-out calls with application managers and helping them understand the reported issues.
- Helping the application team fix the issues using the technology-specific built-in security features, if any.
- Interacting with the team and helping them if they come across any challenges during the assessment.
- Helping the application team understand the importance of implementing a secure SDLC to avoid any disturbances during release.
Confidential
PENETRATION TESTER
RESPONSIBILITIES:
- Conducted security assessment of PKI Enabled Applications.
- Skilled in using Burp Suite, Acunetix Automatic Scanner and Nmap for web and mobile application penetration tests.
- Acquainted with various approaches to Grey box and Black box security testing.
- Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, weak cryptography, authentication flaws etc.
- Actively search for potential security issues and security gaps that are beyond the detection ability of any security scanner tool.
- Initiate and develop new mechanisms to address unidentified security holes and challenges.
- Performed Network scanning using tools Nessus, OpenVAS and NMap.
- Metasploit, Burp Suite and Nmap were used as part of the penetration testing on a daily basis to complete the assessments.
- Automated scanning and analysis of the networks and applications on a daily basis.
- Uncovered critical vulnerabilities at the infrastructure level for enterprise networks.
- Real-time Analysis and defense.
- Vulnerability assessment (VA), Security policy, and network and security audit.
- Configuration and management of Cisco IDS, Checkpoint firewall.
- Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.
- Monitor, analyze and respond to security incidents in the infrastructure. Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.
- Ensure the mobile applications follow the OWASP Mobile Application Security Verification Standard (MASVS).
- Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
- Good knowledge of programming and scripting in .NET and Java.
- Ensuring the SDLC is a Secure SDLC.
Confidential - San Jose, CA
PENETRATION TESTER
RESPONSIBILITIES:
- Black box penetration testing of internet- and intranet-facing applications.
- Training the development team on the secure coding practices.
- OWASP Top 10 issue identification, such as SQLi, CSRF and XSS.
- Preparation of the risk register for the client's various projects.
- Providing details of the issues identified and the remediation plan to the stakeholders.
- Grey Box testing of the applications.
- Verified the existing controls for least privilege, separation of duties and job rotation.
- Penetration testing of the applications and APIs to identify the OWASP Top 10 and SANS 25 vulnerabilities.
- Documented information security guidance in step-by-step operational procedures.
- Performed threat analysis on the new requirements and features.
- Assisting in the preparation of plans to review software components through source code review or application security review.
- STRIDE assessment of the applications during the design phase, identifying the threats possible and providing security requirements.
- Involved in a major merger activity of the company and provided insights in separation of different client data and securing PII.
- Identification of different vulnerabilities in applications by using proxies like Burp Suite to validate the server-side validations.
- Identified issues in session management, input validation, output encoding, logging, exceptions, cookie attributes, encryption and privilege escalation.
- Executed and crafted different payloads to attack the system, executing XSS and other attacks.
- Review and Validate the User Access Compliance on a quarterly basis.
- Review the requirements for privileged access on an everyday basis and provide recommendations.
- Used SQLmap to dump the database data to a local folder.
- Environment: Nmap, Nessus, Burp Suite, DirBuster and HP Fortify
Confidential, India
SECURITY TEST ENGINEER
RESPONSIBILITIES:
- Perform threat modelling of the applications to identify the threats.
- Identify issues in the web applications in various categories like Cryptography, Exception Management.
- Worked on installation, configuration, administration and troubleshooting of LAN/WAN infrastructure.
- Risk assessment of the application by identifying the issues and prioritizing them based on risk level.
- Collaborate with team members to audit the application prior to moving to production.
- Provided detailed reports based on the findings obtained from the manual and automated testing methodologies, and provided the necessary remediation for individual findings.
- Attended meetings with Risk assessment team to discuss the previously submitted reports on the findings to ensure that the fixes are made to those applications.
- Provide an explanation of the security requirements to the design team in the initial stages of the SDLC to minimize the effort of reworking issues identified during penetration tests.
- Providing remediation to the developers based on the issues identified.
- Revalidate the issues to ensure the closure of the vulnerabilities.
- Verify whether the application has implemented the basic security mechanisms like Job Rotation, Privilege Escalation controls, Least Privilege and Defense in Depth.
- Using various Mozilla Firefox add-ons to assess the application, like Wappalyzer, Flagfox, Live HTTP Headers and Tamper Data.