Penetration Tester Resume

MO

SUMMARY:

  • Over 4 years of professional IT experience in Application Security Testing, particularly focused on performing technical activities such as code review, vulnerability analysis, penetration testing and secure application testing based on OWASP, and well versed in the NIST 800 series of Special Publications.
  • Conducted vulnerability scans using Tenable Nessus, eEye Retina, NMAP, WebInspect, McAfee and IBM AppScan; reviewed scan results based on CVE (XSS, CSRF, SQL Injection, DDoS, DoS) and CWE, following OWASP.
  • Provide network metric recommendations for detection and response to security events.
  • Information system hardening; possess a very good understanding of networking, TCP/IP, encryption, SSL and communication protection.
  • Threat analysis and Insider Threat Program; advised numerous clients on new technology, threats and vulnerabilities.
  • Security risk assessment methodology application to system development, including threat model development, vulnerability assessments, validation & verification, and resulting security risk analysis.
  • System penetration via selected security scan tools and ethical hacking to identify the potential for exploitation.
  • Broad knowledge of hardware, software, and networking technologies to provide a powerful combination of analysis, implementation, and support.
  • Excellent understanding of MMIS (Medicaid Management Information System).
  • Experience with firewalls, LAN/WAN, UDP, IPsec and routing protocols.
  • Strong practical knowledge of the OWASP Top 10 and SANS Top 25 vulnerabilities, their exploitation and the mitigation of the associated risk.
  • Experienced in security assessment tools: Nessus, Burp Suite, Nmap, Netcat, Cain & Abel, John the Ripper, Wireshark, etc.
  • Experience in collaborating with various product management and development teams to ensure alignment between security and development practices.
  • Experience in technical operations to mitigate vulnerability incidents and implement security measures without missing Service Level Agreements.
  • Have strong conceptual and practical understanding of IT Infrastructure designs, technologies, products, and services which include knowledge of networking protocols, firewalls, host and network intrusion detection/prevention systems, operating systems, scripting, databases, encryption, load balancing, and other security related technologies.
  • Experience in organizing various security awareness events and sessions to raise employees' security awareness and to promote secure practices for accessing endpoints.
  • Strong ability to document processes, procedures and security designs clearly and accurately for distribution to internal teams and customers.
  • Excellent communication skills on both technical and non-technical issues.

TECHNICAL SKILLS:

Application Security: Wireshark, IBM Rational AppScan, Burp Suite, w3af, Paros, HP WebInspect, SQLmap, Nikto, Metasploit, HTTrack, Acunetix

Network Tools: Tenable Nessus, NMAP, Qualys Guard

Databases: Oracle, MySQL

Programming Languages: C, C++, HTML, PL/SQL, Python, Java

Scripting languages: JavaScript, Shell Scripting, XML

Protocols: Cisco Protocols; TCP/IP, HTTP, FTP, SMTP, DNS, SSH, SSL, Telnet, TFTP, ARP, SNMP, ICMP, SMB, NAT

Operating Systems: Windows 95/98/2000/XP Professional/2010, Windows 7, 8 and 10; Linux / Kali Linux

Cloud Technologies: AWS (Amazon Web Services)

PROFESSIONAL EXPERIENCE:

Confidential, MO

Penetration Tester

Responsibilities:

  • Identifying Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and SANS Top 25, and prioritizing them based on criticality.
  • Security assessment of online applications to identify vulnerabilities in categories such as input and data validation, authentication, authorization, and auditing and logging.
  • Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, FOCA, the Metasploit framework, Kali Linux, WebScarab and Nessus.
  • Security testing of APIs using SOAP UI.
  • Experience in using Kali Linux for web application assessment with tools such as DirBuster, Nikto, Nmap, the OpenVAS scanner, w3af and WebScanner.
  • Keep up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in existing systems, by performing vulnerability assessments and pen testing for our clients.
  • Perform security reviews of application designs, source code and deployments as required, covering all types of applications (web applications, web services, mobile applications).
  • Played a vital role in the Vulnerability Management / Security position.
  • Threat modeling of the project by getting involved before development and improving security at the initial phase.
  • Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
  • Follow up on and ensure the closure of raised vulnerabilities by revalidating them and ensuring 100% closure.
  • Collaborate with business units to determine continuity requirements.
  • Conduct business impact analysis for vital functions; document recovery priorities for key processes, applications and data.
  • Establish disaster recovery testing methodology.
  • Plan and coordinate the testing of recovery support and business resumption procedures, ensuring the recovery and restoration of key IT resources and data and the resumption of critical systems within the desired timeframe.
  • Regularly performed research to identify potential vulnerabilities in and threats to existing technologies, and provided timely, clear, technically accurate notification to management of the risk potential and options for remediation.
  • Developed, implemented, and documented formal security programs and policies.
  • Involved in report writing using a standardized method (the CVSS calculator) for rating IT vulnerabilities and determining the urgency of response.

Confidential, MN

Security Engineer

Responsibilities:

  • Support and provide Security Architecture and Security Engineering guidance and expertise to the Cabinet for Health and Family Services (CHFS) Medicaid program under MMIS system architecture and follow-on implementation of Medicaid Enterprise Management System (MEMS).
  • Conduct manual and/or automated security code review to identify security related flaws in the application source code.
  • Work with network architecture staff, application development staff and end users to review, document and monitor the information security architecture throughout the application development process for MEMS.
  • Providing security architecture analysis and consulting for the MEMS project and other related shared services.
  • Act as the liaison between the business units, application development and the COT Enterprise Security Services compliance branch for the purposes of the upcoming releases of the MMIS system.
  • Write, coordinate and update Privacy Impact Assessments (PIAs) for CHFS applications with CHFS senior management and developers.
  • Facilitate requirement review processes; attend CCB boards for the MMIS and Partner Portal applications and provide application security guidance and recommendations.
  • Work with Enterprise Security Services to create and maintain the System Security Plan for all MEMS information systems and related shared services.
  • Strong security project analysis skills and experience overseeing security architecture and implementation through the requirements definition, application development and upgrade processes.
  • Utilized firewall and proxy logs, geolocation of assets, VirusTotal, etc. for data gathering and deep-dive analysis of malicious network activity on AutoZone's networks.
  • Analyzed feeds from firewalls, IDS/IPS, web appliances, syslogs, etc., and performed investigations and incident management tasks.
  • Experienced in identifying and investigating incidents using networking protocols and the applications associated with them, such as TCP/IP, DNS, HTTP, HTTPS, Telnet, SSH, SSL, FTP, SMTP, etc.

Confidential

Security Engineer

Responsibilities:

  • Performed manual security testing on critical client applications.
  • Uncovered high-severity vulnerabilities at the infrastructure level for internet-facing websites.
  • Prioritizing the issues found, considering factors such as impact and likelihood.
  • Strong hands-on experience in web application penetration testing and network infrastructure penetration testing.
  • Brute-force assessment to ensure strong passwords and encryption.
  • Involved in Firewall implementation, firewall management, network management and troubleshooting connectivity, routing, and configuration issues with routers, switches, firewalls.
  • Performed as an Information Security Analyst and was involved in OWASP Top 10 vulnerability assessment of various internet-facing point-of-sale web applications and web services.
  • Conducted Static and Dynamic Application Security Testing (SAST & DAST).
  • Provide remediation validation for clients in compliance with the PCI Data Security Standard to achieve a passing vulnerability scan.
  • Acquainted with various approaches to grey-box and black-box security testing.
  • Keep up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
  • Experience in using Kali Linux for web application assessment with tools such as DirBuster and NMAP.
  • Using various Firefox add-ons such as Flagfox, Live HTTP Headers and Tamper Data to perform pen tests.
  • Perform threat modelling of the applications to identify the threats.
  • Execute and craft different payloads against the system to find vulnerabilities with respect to input validation, authorization checks, etc.
  • Training the development team on vulnerabilities, review issues, ease of exploitation, impact, security requirements and remedies for individual issues.
  • Providing details of the issues identified and the remediation plan to the stakeholders.
  • Communicating and coordinating day-to-day project activities within the project team and ensuring that priorities are developed and known.
  • Create vulnerability assessment reports detailing the exposures that were identified, rating the severity for the system, and suggesting mitigations for any exposures, as well as testing for known vulnerabilities.

Confidential

Jr Security Engineer

Responsibilities:

  • Manual penetration testing of applications and APIs to identify OWASP Top 10 and SANS Top 25 vulnerabilities.
  • Black-box pen testing on internet- and intranet-facing applications.
  • Identification of OWASP Top 10 issues such as SQLi, CSRF and XSS.
  • Providing details of the issues identified and the remediation plan to the stakeholders.
  • Identification of different application vulnerabilities by using proxies such as Burp Suite to validate server-side validations.
  • Identified issues in session management, input validation, output encoding, logging, exceptions, cookie attributes, encryption and privilege escalation.
  • Execute and craft different payloads against the system to execute XSS and other attacks, and used SQLmap to dump database data to a local folder.
  • Identify issues in web applications in various categories such as cryptography and exception management.
  • Explanation of the security requirements to the design team in the initial stages of the SDLC to minimize the effort of reworking issues identified during penetration tests.
  • Risk assessment of the application by identifying issues and prioritizing them based on risk level.