Information Technology Security Consultant
Gaurav Kumar, CISSP, has over 7 years of diverse experience in the Information Security field. He has performed IT risk assessments (security code reviews, threat modeling, penetration testing, etc.) for various large and complex IT systems while employed as a Security Consultant with Microsoft and as a Senior Security Engineer with Honeywell Labs. He is an innovator at heart and loves to solve complex problems with innovative approaches. Most recently, he has been providing security consulting services to a large multinational bank in New York City.
- Finding security bugs such as SQL Injection, XSS, CSRF, etc.
- Black box security testing - penetration testing, reverse engineering, fuzzing, threat modeling/design review
- White box review - code review in C/C++/C# (.NET)/PHP
- Well versed with tools such as interceptor proxies - Paros, Burp, Spike and Fiddler
- Commercial tools such as Watchfire's AppScan and SPI Dynamics' WebInspect, etc.
- Network security tools such as Nessus, nmap, iptables, Metasploit, netcat, OpenSSH, OpenSSL, sqlmap, tcpdump, Cain, etc.
- ModSecurity web application firewall - writing custom rules, tuning regular expressions for performance, custom logging, etc.
- Well versed with various vulnerabilities and attacks at the application level - OWASP Top 10, SQL Injection, XSS, CSS, LDAP injection, XPath injection, etc.
- IT Security Project management
Chief Security Consultant, June 2010 - Current
- Provide security consulting services to a large multinational bank in New York
- Extensively evaluate various types of enterprise security products (such as vulnerability scanning, wireless IDS, compliance monitoring, etc.)
- Design and architect security solutions end-to-end
- Update senior management on critical security issues
Confidential, Nov 2008 - May 2010
IT Audit Manager
- Supervise the execution of audit procedures to meet project objectives
- Plan and manage audits in accordance with risk assessment plan
- Conduct reviews of data centers, extranets, telecommunications, and intranets to assess controls and ensure availability, accuracy, and security under all conditions.
- Identify and evaluate IT related risks during review and analysis of System Development Life Cycle (SDLC), including design, testing/QA, and implementation of systems and upgrades.
- Assist management in understanding various IT risks and issues uncovered during IT audits
Confidential, Dec 2006 - Nov 2008
Security Consultant (full-time employee)
- Develop detailed threat models for complex mission critical applications, providing design/architecture guidance
- Conduct security code review for business critical applications
- Help formulate security best practices and processes
- Contribute to the design and implementation of the methodology, tools, techniques and code libraries used by Microsoft teams and their customers to secure the next generation of applications
- Work closely with the US-based security team, client teams and partners to help clients derive maximum value from building secure solutions using Microsoft technologies and platforms
Confidential, October 2004 - December 2006
Senior Security Engineer
- Develop in-house software tools (e.g. fuzzers) and use source code reviews to find vulnerabilities
- Provide consultancy to various development teams to ensure secure software development using the Six Sigma approach
- Integrate a security framework into the existing software development process
- Technical evaluation of tools (such as the Fortify source code scanner, WebInspect, AppScan, etc.) for improving application security
- Train development teams and conduct knowledge sharing sessions
Independent Network Security Consultant, Dec 2003 - October 2004
- Configure and optimize firewall rule set (iptables)
- Perform network penetration testing using manual as well as automated tools (e.g. Nessus)
- Create custom Snort IDS rules for the vulnerabilities identified in penetration testing
- Use Ethereal (now called Wireshark) to debug network traffic and perform protocol analysis
Awards and Recognition
- Services Rock Star award at Microsoft
- Honeywell certified Green Belt in implementing Six Sigma processes
- Technical Excellence and Team Excellence awards at Honeywell
- Security+ certification
- CISSP certification
- Trainer at OWASP New Delhi Chapter
- Co-author of a patent related to Wireless Intrusion Detection and Prevention System
Professional Training and Certifications
CISSP - Certified Information Systems Security Professional