- An Information Security Professional with 10+ years of Application Security, Security Architecture & Design, Cloud Security (AWS & MS Azure), Penetration Testing, CI/CD Pipeline, Network Security, Secure Coding, Mobile Security, Security Information Event Management (SIEM), Database Activity Monitoring (DAM), Security Controls and Validation, IT Risk Assessments, Regulatory Compliance and Secure Software Development Life Cycle (secureSDLC).
- Analyze the results of penetration tests, design reviews, source code reviews and related security tests. Decide on what to remediate and what to risk accept based on security requirements.
- Highly analytical computer security analyst with success both defending and attacking large-scale enterprise networks.
- Experience using a wide variety of security tools including Kali Linux, Metasploit, HP WebInspect, HP Fortify, Burp Suite Pro, Wireshark, L0phtcrack, Snort, Nmap, Nmap-NSE, Cain and Abel, Nikto, Dirbuster, IBM AppScan, OWASP ZAProxy, Nessus, OpenVAS, W3AF, BeEF, Ettercap, Maltego, SOAP UI, FOCA, Havij, Recon-ng and the Aircrack-ng suite.
- Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, avoiding security by obscurity, keeping security simple and fixing security issues correctly.
- Strong knowledge in Manual and Automated Security testing for Web Applications.
- Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA and Sarbanes-Oxley Section 404 (SOX).
- MS Azure and Amazon Web Services (AWS) - Cloud
- SOX Compliance Audit experience on controls like User access management, Change Management, Incident Management.
- Good Experience in exploiting the recognized vulnerabilities.
- Experience in Threat Modeling during Requirement gathering and Design phases.
- Experience with Security Risk Management with TCP-based networking.
- Experience with TCP/IP, Firewalls, LAN/WAN and network protocols.
- Experience in implementing Security Information and Event Management (SIEM) systems using HP ArcSight and Splunk.
- Quick learner and committed team player with strong interpersonal skills who enjoys challenging environments with scope to improve and contribute to the organization.
- Excellent problem-solving and leadership abilities.
Security Tools: HP WebInspect, QualysGuard, Burp Suite Pro, Acunetix, Fortify SCA, SQLMap, Checkmarx (Code Analysis), AppDetective, AppRadar, IBM AppScan Enterprise (ASE), Standard & Source editions, Oracle Identity Manager, Oracle Access Manager, JHijack, Metasploit Pro, Zed Attack Proxy, FireMon, Wireshark, WebScarab, Paros, BlueCoat Proxy, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec Vontu, DbProtect, ArcSight SIEM, e-DMZ Password Auto Repository (PAR), BeyondTrust, Varonis, Amazon Web Services.
Programming Languages: Java, .NET, C#, C, C++
Scripting Languages: Python, Basic shell Scripting
Web Services: RESTFul/SOAP, SOA, UDDI, WSDL
Operating System: Linux/Unix (Red Hat Enterprise Linux, Debian, Ubuntu, Fedora, Santoku, Kali Linux), Windows.
Databases: MySQL, Oracle, MSSQL
Sr. Security Engineer/Consultant
Confidential, Seattle, WA
- Conducted application penetration testing of 56+ business applications.
- Conducted Vulnerability Assessment (DAST and SAST) of Web and Mobile (iOS and Android) applications, including third-party applications. IBM AppScan, ZAProxy and Burp Suite Pro were used for scanning the applications.
- Conducted IT security risk assessments including, threat analysis and threat modeling (STRIDE, DREAD).
- Performed code analysis with CHECKMARX.
- Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web, mobile applications, including database and middleware systems.
- Triaged security vulnerabilities to eliminate false positives and worked with the developers for remediation.
- Acquainted with various approaches to Grey & Black box security testing.
- Hands-on with Database Activity Monitoring (DAM) and vulnerability scanning using Imperva Scuba.
- Developed Security API and deployed to development teams which helps them write lower risk applications in a secure manner.
- Worked with DevSecOps teams to automate security scanning into the build process.
- Worked on security scanning process (DevSecOps) as part of Continuous Integration and Continuous Delivery (CI/CD) of security reports into the build cycle
- Conducted third-party IT security risk assessments. Utilized NIST 800-53 and OpenSAMM frameworks.
- Developed security policies and standards and made sure the business applications are in compliance with the standards.
- Implemented Single Sign-on (SSO) deployments.
- Identifying Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on criticality.
- Implemented API security using Apigee API management and AWS API Gateway services.
- Implementation of API Security projects including OAuth2.0 and SAML.
- Participated in the implementation of data tokenization in various environments to ensure compliance to regulations.
- Developed AWS Security Groups to control traffic to various instances in the Cloud.
- Implemented Multifactor Authentication (MFA) for AWS root accounts, administered password rotation policies and managed Access Keys and Secret Access Keys for new users.
- Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
- Involved in writing security libraries for data encryption and decryption using Java Cryptography Extension (JCE).
- Skilled using Burp Suite Pro, HP Web Inspect, IBM AppScan Standard, Source and Enterprise, NMAP, Dirbuster, Qualysguard, Nessus, SQLMap for web application penetration tests and infrastructure testing.
- Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
- Capturing and analyzing network traffic at all layers of the OSI model.
- Implemented Security Group Policies for Elastic Compute Cloud (EC2) instances within AWS. Developed AWS Service Roles to protect Identity Provider access.
- Participated in the implementation of Virtual Private Cloud (VPC). Implemented multiple layers of security, including security groups, network access control lists, to control access to Amazon EC2 instances in each subnet.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed web ACLs for AWS Web Application Firewall (WAF) and configured the rules and conditions to detect security vulnerabilities in CloudFront.
- Active Directory Federation Services Implementation ( ADFS- SSO) in Windows-Linux client server PKI environment.
- SSL certificate for intranet / internet / web applications using Active Directory Certificate Services (ADCS) in MS Windows Servers and MS Azure.
- Monitor the Security of Critical System (e.g. e-mail servers, database servers, Web Servers, Application Servers, etc.).
- Performed the configuration of security solutions like RSA two factor authentication, Single Sign on (SSO), Symantec DLP and log aggregation and analysis using HP ArcSight SIEM.
- Developed security requirements for applications and infrastructure deployed in the Cloud.
- Configured AWS Simple Storage Service (S3) to securely store the organization’s critical file systems. Implemented Access Control Lists (ACLs) and Bucket Policies for controlling access to the data. Ensured that Cloud security best practices have been followed.
- Validated database security for SQL servers deployed in Azure Cloud environment. Implemented Integrated Windows authentication supported by Azure Active Directory.
- Enabled threat detection for databases in the Azure portal.
- The security alerts generated in the Azure Security Center have been reviewed and remediated.
- Performed network penetration testing and identified security vulnerabilities.
- Automated security scanning operations and established CI/CD pipeline for continuous security monitoring.
- Change Management to highly sensitive Computer Security Controls to ensure appropriate system administrative actions, investigate and report on noted irregularities.
- Conduct network Vulnerability Assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans and Security Procedures.
- This experience has enabled me to find and address security issues effectively, implement new technologies and efficiently resolve security problems. With a strong background in network communications, systems and application security (software), I look forward to implementing, creating, managing and maintaining information security frameworks for large-scale, challenging environments.
Confidential, New York, NY
Sr. Information Security Consultant
- Conducted Vulnerability Assessment for various applications.
- Performed security assessments to ensure compliance with the firm’s security standards (i.e., OWASP Top 10, SANS 25). Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking and SQL Injection related attacks within the code.
- Skilled using BurpSuite, Checkmarx, HP Fortify, NMAP, Havij, DirBuster for web application penetration tests.
- Conducted security assessments of cryptography applications, including apps that use a Hardware Security Module (HSM).
- Performed penetration testing of mobile (Android and iOS) applications, specifically APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.
- Implemented HP ArcSight ESM including, correlation rules, data-monitors, reports, event annotation stages, case customization, active lists, and pattern discovery.
- Performed pen testing of both internal and external networks. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store customer confidential information.
- Participated in Web Application Security Testing covering Mobile, Network and Wi-Fi security.
- Conducted pen testing for the Web Services (SOA).
- Configured users' computers and organizational units using Active Directory domains and users in MS Server Manager.
- Reviewed Azure network security architecture and implemented security controls, specifically for Azure virtual networks, including on-premises connectivity, traffic filtering, secure communication, point-to-site VPN etc.
- Implemented Network Security Groups (NSG) to control network traffic to various Azure network resources.
- Created NSG rules (inbound and outbound) and prioritized the rules based on the requirements.
- Associated NSGs to VMs, NICs, and subnets based on the deployment model.
- Generated and presented reports on Security Vulnerabilities to both internal and external customers.
- Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
- Vulnerability Assessment of various web applications used in the organization using Burp Suite, and Web Scarab, HP Web Inspect.
- Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
- Analyzed correlation rules developed for the Security Information and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring.
- Implemented Azure Key Vault for storing secrets.
- Developed security controls for implementing Azure storage security. RBAC with Azure AD has been implemented for securing the storage account.
- The data transmission between applications and Azure has been secured by client-side encryption, HTTPS, SMB3.0.
- Azure disk encryption has been implemented for encrypting OS and data disks.
- Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
- Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
- Developed security policies, procedures and standards and ensured that the respective teams within the organization comply with it.
- Keep up to date with new attacks and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
Confidential, Chevy Chase, MD
Sr. Security Engineer
- Extensive Interaction with Onsite Coordinator in understanding the business issues, requirements, doing exhaustive analysis and providing end-to-end solutions.
- Conducting Web Application Vulnerability Assessment & Threat Modeling, Gap Analysis, secure code review on the applications.
- Conducted security assessments of firewalls, routers, VPNs, BlueCoat Proxy, IDS/IPS and verified its compliance to internal and external security standards.
- Doing multiple levels of testing before production to ensure a smooth deployment cycle.
- Creation of Generic Scripts for testing and reusability.
- Application Security Review of all the impacted and non-impacted issues.
- Providing guidance to Development team for better understanding of Vulnerabilities.
- Performed database security assessments. Utilized IBM Guardium and Imperva Scuba for scanning the servers.
- Assisting the customer in understanding the risk and threat level associated with a vulnerability so that the customer may or may not accept the risk with respect to business criticality.
- Identifying Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on criticality for remediation.
- Assisting in the review of solution architectures from a security point of view, which helps avoid security-related issues/threats at an early stage of the project.
- Ensuring compliance with legal and regulatory requirements.
- Developed stored procedures, views and triggers using Oracle PL/SQL.
- Design and implementation of RESTful Web services.
- Developed the application presentation layer, which is based on the Spring MVC framework involving JSP, Servlets, HTML and CSS.
- Developed this web application to store all system information in a central location. This was developed using Spring MVC, jQuery, JSP, Servlet, Oracle 10g, HTML and CSS.
- Developed Servlets and utilized jQuery to create a fast and efficient chat server.
- Implemented the Scrum Agile methodology for iterative development of the application.
- Developed server-side business components using Java Servlets, JSPs and Enterprise Java Beans (EJBs).
- Automated code deployment to production environment by creating tasks using ANT, Maven deployment tool.
- Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.
- Used Spring Framework for Dependency injection and integrated with the Hibernate framework for interacting with the Oracle database.
- Analyzed performance issues in the application, related system configuration and developed solutions for improvement.
- Involved in Weblogic and Tomcat application server installation and configuration in production, development and QA environments.
- Conducted training sessions to the rest of the development team on advanced technologies, code reviews and discussion sessions to ensure that coding standards are followed.