- Information Security Analyst/Engineer with over 5 years of experience in the Risk Management Framework (RMF), security control implementation and categorization in accordance with FIPS/NIST guidelines, Assessment and Authorization (A&A), System Security Plans (SSP), Configuration Management Plans (CMP), Information System Contingency Plans (ISCP), Incident Response Plans (IRP), Business Impact Analysis (BIA), e-Authentication Risk Assessment, Plans of Action and Milestones (POA&M), Security Assessment Plans (SAP), Security Assessment Reports (SAR), and privacy artifacts in accordance with FedRAMP, NIST and applicable federal regulations, guidelines and best practices for a variety of information systems.
- POA&M, FedRAMP, OMB, ST&E, FISMA, Risk Management Framework, SSP, Risk Assessment, FIPS 199, IT Security Controls, DISA compliance, Contingency Planning, Change Management, Security Gap Analysis, Configuration Management, STIGs, HIPAA, SDLC, System Monitoring & Regulatory Compliance, Sarbanes-Oxley Act, PCI-DSS, SSAE, ISO and COSO Frameworks.
- Involved in vulnerability assessment, patch management and penetration testing using tools such as Veracode, Burp Suite, OWASP ZAP, Nmap, sqlmap, SANS SIFT, IBM AppScan Enterprise and Kali Linux.
- Working knowledge of Windows and Linux (Kali Linux) operating system configuration, utilities and programming.
- Experienced in developing cryptographic and hashing algorithms.
- Proven experience with the SDLC and its methodologies, and with data quality management techniques including data profiling, cleaning, integrity, mining, reference data and security.
- Experience in Security, Risk and Compliance Management and Risk Management methodologies.
- Strong Experience in Security Health Check, Patch and Vulnerability management for Open Systems and Middleware applications.
- Proficient with Security Information Event Management (SIEM) tools.
- Can conduct both internal and external tests based on the client's specifications. Good experience using security tools including Kali Linux, IBM AppScan, Nessus and Snort.
- Experience with web application security testing tools such as Burp Suite, Nmap, HP Fortify and OWASP ZAP Proxy.
- Good experience exploiting identified vulnerabilities, and in forensics.
- Utilized Intrusion Detection and Prevention (IDS/IPS) and incident response capabilities to maintain security.
- Analyzed the results of penetration tests, design reviews, source code reviews and other security tests.
- Thorough knowledge of IS design and development, information security auditing and risk management, and IS controls, with proficiency in keeping abreast of new technologies, methods and techniques to understand how they might be applied to the client's environment.
- Performed risk assessments; developed, updated and reviewed System Security Plans.
- Updated IT security policies, procedures, standards and guidelines according to department and federal requirements, reducing client exposure to security breaches while minimizing risk.
- Experienced in analyzing penetration test results to identify the risks that need to be addressed immediately.
- Excellent understanding of network and security technologies such as firewalls, routing and switching, IP subnetting, routing protocols, proxy services, encryption, encoding, hashing and SSL. Well versed in technical report writing and social engineering.
- Prepared reports to document processes, outcomes and findings. Provided basic security analysis and risk recommendations to decision makers and customers, and supported FISMA compliance.
- Exceptional communication skills employed to collaborate effectively with peer engineers and customers. Comfortable working both independently and in team environments. Highly motivated and can adapt to work in any new environment.
- Familiarity with Agile/Scrum methodologies.
Operating Systems: Linux and Windows
Programming Languages: SQL, R, Python, Java
Business Intelligence Tools: SQL Server Integration Services (SSIS), SQL Server Reporting Services (SSRS), SQL Server Analysis Services (SSAS), Visio, Power BI, Tableau Desktop
Security Architecture/Threat Modeling: Microsoft Threat Modeling Tool (TMT), Poirot
Source Code Analysis Tools: HP Fortify, IBM AppScan Source, Veracode, Checkmarx
Dynamic Analysis Tools: IBM AppScan, HP WebInspect, Retina, Acunetix
Network Security Testing Tools: Nmap, Metasploit, Nessus, QualysGuard, SSLDigger, SSLSmart, SSLScan, Snort, Suricata, SANS SIFT, Forensic Toolkit (FTK), Splunk, Wireshark
Proxy Tools: Burp Suite, ZAP, Paros
QualysGuard: Vulnerability Management, Web Application Scanning, Threat Protect, Policy Compliance, Cloud Agents, Asset Management, Governance, Risk Management and Compliance, Contingency Planning, Continuity of Operations Plans
Confidential, Ashburn, VA
Sr. Security Engineer
- Uncovered high-severity vulnerabilities at the infrastructure level for internet-facing websites.
- Performed security assessments of online applications to identify vulnerabilities in categories such as input and data validation, integration, authentication, authorization, and auditing and logging.
- Conducted Veracode static and dynamic application security testing (SAST and DAST).
- Kept up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in existing systems, by performing vulnerability assessments and pen testing for our clients.
- Performed manual code review to find logic flaws that are not identified by automated tools.
- Experience using Kali Linux for web application assessment with tools such as DirBuster and Nmap.
- Used Firefox add-ons such as Flagfox and Live HTTP Headers to perform pen tests.
- Trained the development team on vulnerabilities, reviewed issues, and explained ease of exploitation, impact, security requirements and remedies for individual issues.
- Provided details of the issues identified and the remediation plan to stakeholders.
- Communicated and coordinated day-to-day project activities within the project team and ensured that priorities were developed and known.
- Created vulnerability assessment reports detailing the exposures identified, rating the severity of each system, and suggesting mitigations for those exposures; tested for known vulnerabilities.
- Conducted security control assessments to assess the adequacy of the management, operational, privacy and technical security controls implemented. A Security Assessment Report (SAR) was developed detailing the results of the assessment along with a Plan of Action and Milestones (POA&M).
- Contingency Plans (CP), Incident Response Plans (IRP), and other tasks and specific security documentation in accordance with NIST SP rev 1 and rev 4 and
- Reviewed the security categorization of systems using FIPS 199 and NIST SP Vol 2 Rev 1. Updated technical, operational and management control families and controls with guidance from NIST Rev 4 and FIPS 200.
Confidential, Reston, VA
Application Security Consultant
- Performed vulnerability assessments of various web applications used in the organization using Burp Suite and HP WebInspect.
- Identified, documented and communicated vulnerabilities to the appropriate members of the management team, prioritizing remediation requirements and increasing focus on secure coding processes and configurations. Used security tools such as Nessus and Nmap to identify malicious code.
- Monitored security logs from intrusion detection system (IDS) software that monitored the network, and reviewed IDS logs (ISS, Dragon and Snort).
- Verified event analysis from event log data, and reviewed firewall and proxy logs, for incident response purposes.
- Acted as a point of escalation for other engineers (SIEM engineers) and provided guidance and mentoring.
- Responsible for performing application scans using penetration testing tools and methodologies such as the OWASP Top 10.
- Responsible for providing remedies for security vulnerabilities reported by Fortify, such as Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL injection, header manipulation and session timeout.
- Conducted security assessments by creating test cases and test scenarios against session management, cryptography, sensitive data, and auditing and logging.
- Performed manual and automated testing, provided detailed reports to the development team and provided the necessary remediation for individual findings.
- Contingency planning to help organizations respond effectively to future events or situations that may or may not occur, using NIST SP as a guideline.
- Performed risk assessments; developed and reviewed System Security Plans (SSP), Plans of Action and Milestones (POA&M), Security Control Assessments and Configuration Management Plans (CMP).
- Coordinated with the development team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of each issue.
- Updated the checklist on a weekly basis to ensure all test cases are up to date with the attacks occurring in the wild.
- Collaborated with clients and company teams to define requirements for security and operations programs, including vulnerability management, patch management, disaster recovery and access control.
- Wrote and updated security plans to meet NIST SP 800-53 standards as a team.
- Performed scoping engagements, vulnerability assessments, web application penetration testing, network penetration testing and phishing campaigns to test security controls and policies.
- Performed security health checks and patch management on the assets of State Street Corporation on a regular basis for open systems and middleware.
- Conducted web application vulnerability assessments, threat modeling and secure code reviews on the applications.
- Captured and analyzed network traffic at all layers of the OSI model. Monitored the security of critical systems (e.g. email servers, database servers, web servers, application servers).
- Conducted network vulnerability assessments using tools to evaluate attack vectors, identified system vulnerabilities, and developed remediation plans and security procedures.
- Performed access control checks to identify privilege escalation issues across various roles and ensured closure through overall framework implementation.
- Handled tasks of defining and reviewing technology implementations, information security policy and guidelines for business operations.
- Assisted in daily security alert monitoring and reporting, security information and event management, annual risk assessment assistance, quarterly logical access reviews, audit response assistance, and security policy maintenance.
Application Security Consultant
- Performed black-box, grey-box and white-box testing.
- Worked with clients to review policies and recommend adjustments.
- Reviewed 700+ third-party component updates, analyzing threats in the context of various products, bug analysis, security impacts and remediation.
- Prepared security test area coverage definitions, test plans and test cases for new features and implementations.
- Experienced in using penetration testing tools and methodologies such as the OWASP Top 10, Veracode, HP WebInspect, IBM AppScan, Fortify, Nessus, Acunetix, Burp Suite, the Firefox add-ons XSS Me and SQL Inject Me, SoapUI and others, to determine the security of web applications developed on platforms such as Microsoft .NET, Java, J2EE, AJAX and PHP.
- Mentored and guided new team members.
- Worked to enhance the Software Development Life Cycle (SDLC) by adding security to remove vulnerabilities and protect business logic. Established a security program for the SDLC, captured the current application architecture, led the overall application review process, identified application vulnerabilities, proposed architectural changes, and designed, coordinated and implemented these changes at the procedural and technological levels.
- Performed detailed Quality Assurance (QA) reviews of web-based applications, identified and validated application vulnerabilities, and performed actual remediation at the architectural and source code levels.
- Completed draft and final reports and other deliverables as specified in planning documentation.
- Ensured project documentation is complete and archived appropriately.
- Collaborated with the engagement team to plan the engagement and develop work programs, timelines, and planning documentation. Worked with the team to document the business processes dependent on IT. Ensured high-quality client service by directing the daily progress of fieldwork, informed supervisors of engagement status, and managed staff performance.
- Demonstrated and applied a thorough understanding of complex enterprise systems.
- Using knowledge of the current IT environment and industry trends to identify engagement and client service issues.
- Communicated appropriately with the engagement team and client management through written correspondence and verbal presentations.
Application Security Consultant
- Performed manual exploitation and mitigation of OWASP Top 10 security threats in web applications.
- Designed software security architecture and implemented SABSA.
- Trained application developers in secure coding techniques and helped integrate security into the ASDLC.
- Possessed an in-depth understanding of emerging technologies and their commercial applications.
- Prepared Test setup and Test Infrastructure for test execution.
- Performed End to End penetration testing and reported defects to the developers.
- Developed proof-of-concept exploits.
- Determined whether vulnerabilities exist in web applications or at the network level using various manual testing techniques and licensed automated tools.
- Assessed and rated the risk those vulnerabilities pose to operations or the business based on CVSS scores.
- Reported assessment findings clearly to ensure that remediation requirements and the risk posed are understood.
- Performed programming in Java, .NET, HTML5 and Python for internal projects.
- Ensured quality in carrying out regular application security assessments.