Security Analyst Resume

WA

SUMMARY:

  • Experience in implementing security in every phase of the SDLC. Hands-on experience in application security, vulnerability assessments and OWASP, along with different security testing tools.
  • 6+ years of experience in IT industry specialized in Information Security.
  • Experience as an Information Security Analyst, involved in OWASP Top 10 based vulnerability assessment of various internet-facing point-of-sale web applications and web services.
  • Capable of identifying flaws like Injection, XSS, Insecure direct object reference, Security Misconfiguration, Sensitive data exposure, Functional level access control, CSRF, Unvalidated redirects.
  • Experience in different web application security testing tools like Acunetix, Metasploit, Burp Suite, sqlmap, OWASP ZAP Proxy and HP Fortify.
  • Good experience on the AWS platform, cloud and on-premises.
  • As a Security Consultant, involved in enhancing the security posture of the project through initiatives like threat modeling and security awareness sessions.
  • Build, maintain and manage vulnerability scanning and compliance infrastructure.
  • Automate tooling and process to eliminate as much manual work as possible, implementing the latest IT security technology.
  • Compliance and Regulatory Affairs, including Sarbanes-Oxley (SOX), CobIT, SAS-70, SSAE-16, SOC-1, SOC-2, HIPAA, Basel III, Dodd-Frank, CCAR, Swaps, Liquidity, PIPA (APPI), GDPR
  • Collaborate with the company's operations team, and develop IT security standards and advise on best practices.
  • Reporting the identified issues in the industry standard framework.
  • Simulate how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
  • Experience in software Licensing audit.
  • Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
  • Good knowledge of programming and scripting in ASP and Java.
  • Ability to work in large and small teams as well as independently.
  • Used IBM AppScan to enhance web application security.
  • Many web applications that would traditionally be scanned with DAST tools also use a significant amount of client-side code in the form of JavaScript, Flash, Flex and Silverlight. This code must also be analyzed for security vulnerabilities, typically using static analysis.

TECHNICAL SKILLS:

  • OWASP Top 10 and SANS Top 25
  • Vulnerability Assessment
  • IBM AppScan
  • Burp Suite
  • Paros Proxy
  • Wappalyzer
  • Checkmarx
  • Veracode
  • Live HTTP Header
  • Tamper data
  • Flagfox
  • WebScarab
  • SoapUI
  • DirBuster
  • YASCA
  • HP WebInspect
  • sqlmap
  • Nikto
  • Metasploit
  • Kali Linux

WORK EXPERIENCE:

Security Analyst

Confidential, WA

RESPONSIBILITIES:

  • Identifying Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25, and prioritizing them based on criticality.
  • Security assessment of online applications to identify vulnerabilities in different categories like input and data validation, authentication, authorization, auditing and logging.
  • Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebScarab, YASCA and HP WebInspect.
  • Coordinate with the dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
  • Negotiated an audit and compliance agreement between the client and international governing bodies
  • Create firm compliance programs for newly formed registered investment advisers. Draft written supervisory
  • Performed static code analysis for the client using tools such as Veracode and Checkmarx.
  • Good knowledge of BCP (Business Continuity Planning).
  • Good knowledge of DR (Disaster Recovery).
  • Security testing of APIs using SoapUI.
  • Experience in using Kali Linux to do web application assessment with tools like DirBuster, Nikto and Nmap.
  • Configured NAT rules on a Check Point firewall.
  • Provide security code reviews using Veracode and Checkmarx and evaluate results for security vulnerabilities for banking applications.
  • Some vulnerabilities can be found only with SAST testing, others with DAST.
  • Threat modeling of the project by getting involved before development and improving security at the initial phase.
  • STRIDE assessment of the applications during the design phase, identifying the possible threats and providing security requirements.
  • Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
  • Worked on Check Point firewall for creating various firewall rules and NAT rules.
  • Good knowledge of programming and scripting in .NET and Java.
  • Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
  • Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
  • Ensuring the SDLC is a Secure SDLC.

Environment: Java, MySQL, ASP, MSSQL.

Security Analyst

Confidential - San Jose, CA

Responsibilities:

  • Automated scan of 5 different projects on a weekly basis using Acunetix to ensure the changes do not introduce any new vulnerability.
  • Static code analysis using HP Fortify to identify vulnerabilities in the applications.
  • Manual penetration testing of the applications and APIs to identify OWASP Top 10 and SANS 25 vulnerabilities.
  • Access control checks to identify privilege escalation issues across various roles and ensuring closure through overall framework implementation.
  • Responsible for weekly, monthly and quarterly compliance tracking and report generation using Excel and proprietary software.
  • Burp Suite to identify issues like SQL injection, XSS, CSRF, etc.
  • Upgrade of Check Point firewalls and management servers.
  • Troubleshot and worked with security issues related to Confidential ASA/PIX, Check Point, IDS/IPS and Juniper NetScreen firewalls.
  • Produce and maintain compliance-related documents deposit account documents, client files, deceased client
  • Penetration testing of various applications to identify issues in various categories like configuration management, session management and sensitive data handling.
  • Provide the report and explain the issues to the development team
  • Provide remediation steps to the team and follow up
  • Retest the fixed issues and ensure the closure
  • Perform secure code review of the code base.
  • Train the development team on security vulnerabilities in the form of security awareness sessions, explaining the security requirements prior to development.

Environment: Java, .NET, Oracle DBA.

Jr. Security Analyst

Confidential

Responsibilities:

  • In the team, the focus of work was to audit the application prior to moving to production.
  • Explanation of the security requirements to the design team in the initial stages of the SDLC to minimize the effort to rework issues identified during penetration tests.
  • Perform threat modelling of the applications to identify the threats.
  • Identify issues in the web applications in various categories like Cryptography, Exception Management.
  • Verify that the application has implemented basic security mechanisms like job rotation, privilege escalation controls, least privilege and defense in depth.
  • Using various Mozilla add-ons to assess the application, like Wappalyzer, Flagfox, Live HTTP Headers and Tamper Data.
  • Risk assessment on the application by identifying the issues and prioritizing the issues based on risk level.
  • Providing remediation to the developers based on the issues identified.
  • Revalidate the issues to ensure the closure of the vulnerabilities.

Environment: JavaScript, Python, MySQL.