Sr Application Security Engineer Resume
Deerfield, IL
SUMMARY
- Experience in Vulnerability Assessment and Penetration Testing on web-based applications, mobile-based applications & infrastructure penetration testing.
- Experience in performing black box, grey box and white box testing. Developing secure coding standards based on industry-accepted best practices, such as the OWASP Guide, SANS CWE Top 25, or CERT Secure Coding, to address common coding vulnerabilities.
- Respond and assist in information and cyber security assessment requests. Communicate and coordinate with business area stakeholders.
- Worked on Microsoft Azure SaaS, IaaS & PaaS technologies and tools.
- Experience in manual/automated security testing, secure code review & Dynamic scan analysis of web and mobile applications.
- Strong experience in designing and developing Service Oriented Architecture (SOA) using SOAP and REST Web Services.
- Experience in detecting SQL injection, XSS, session management issues, CSRF attacks, XML injection, PDF exploits, HTTP response splitting attacks and web services vulnerabilities.
- Performing security analysis and identifying possible vulnerabilities in the key derivation function, creating Vulnerability Assessment reports detailing the exposures that were identified, rating the severity of the system & suggesting mitigations for any exposures, and testing known vulnerabilities.
- Experience in Penetration testing - expertise in detecting various vulnerabilities (including OWASP Top 10) across authentication, authorization, input validation, session management, server configuration, cryptography and information leakage areas.
- Have a good understanding of web application based attacks including Denial-of-Service attacks, MITM attacks, Local File Inclusion (LFI), Remote File Inclusion (RFI) and buffer overflow.
- Hands-on experience with the IBM QRadar Security Intelligence Platform to collect, analyze, and archive security event logs, identify security threats and implement solutions.
- Knowledge of security features like AAA (Authentication, Authorization, Auditing), encryption & decryption key mechanisms, digital signatures, Secure Socket Layer (SSL) profiles, Single Sign-On, HTML forms, OAuth & multi-factor authentication.
- Working knowledge of AWS Cloud Security in implementing Web Application Firewalls (WAF).
- Hands-on experience working with LAN and WAN topologies, TCP/IP protocol, routers, switches, and firewalls in Internet, Intranet and Extranet environments.
- OpenSSL, McAfee ePO, Nitro SIEM, Nexpose Rapid7, Vormetric, Wireshark, nmap, OWASP: Nikto, Burp
- Experience in working with Java, JavaScript, J2EE, XML, HTML, C.Net, Linux and Unix platforms.
- Experience in scripting languages such as Python & shell scripting. Automated security tools using shell scripting through Jenkins.
- Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA/HITECH and Sarbanes-Oxley Section 404 (SOX).
- Experience in implementing Security Incident and Event Management System (SIEM) using HP ArcSight.
- Develop threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
- Managed offshore resources leading the onshore projects with clients, providing extensive support throughout the SDLC.
TECHNICAL SKILLS
App Scanner tools: HP WebInspect, HP Fortify, IBM AppScan, Acunetix, SonarQube, tcpdump, Metasploit, SQLmap, Checkmarx, Web Scanner, SQL Injection Tools, QRadar, CSRF Tester, Kali Linux, Veracode, WebGoat SSL implementation, BackTrack 5 RSA implementation.
Proxies/Sniffers Tools: Burp Suite, ZAP Proxy, WebScarab, Wireshark, DirBuster
Operating systems: Windows 98/2000/XP/Vista/Windows 7, Windows Server 2000/2003/2008, Mac OS, Linux, Microsoft Azure
Microsoft Azure Compute: Azure Data Factory/ Azure Data Catalog/ Azure Storage/ Azure Active Directory/ Cosmos DB
Database: MySQL 5.0, Cassandra, Cosmos, Oracle
Packages: MS Office
Network Security Tools: Nmap, Wireshark, Nessus, QualysGuard, Nexpose
Programming Languages: C, C#, Java, Python, JavaScript, Ruby, Obj-C
Middleware Technologies: REST API, SOAP
CI and Build Tools: Jenkins, Bamboo, Chef, Maven, Gradle, Atlassian tools, Sonar
Web/ App Servers: Apache Tomcat, Wildfly
Log Monitor: ELK stack, Dynatrace, App Insight, Splunk
Other Tools: Junit, Putty, POSTMAN, Fiddler and JIRA
Frameworks: NIST SP 800-171, ISO 27001/31000, HIPAA, HITRUST CSF, PCI DSS.
PROFESSIONAL EXPERIENCE
Confidential, Deerfield IL
Sr Application Security Engineer
Responsibilities:
- Performed security assessment on web applications, thick clients, API and web services.
- Walkthrough with application teams to collect the required information about the system, such as database, test accounts, test URLs, application technologies and other information in the checklist, to perform testing.
- Utilized application security proxy tools OWASP ZAP, Burp Suite Professional, Nmap and other open source tools.
- Perform grey box, black box testing of the web applications.
- Experienced in testing Platform Application APIs configured through Postman and Burp Suite.
- Conducted Vulnerability Assessment on various applications using SAST (Veracode) and DAST (AppScan) tools.
- Experience with code reviews of Java, HTML, CSS, ASP, ASP.NET, SQL and other languages and identification of code logic flaws.
- Used automated security tools to find SQL injection, XSS, privilege escalation, session & cookie management issues, error handling and password-related issues, etc.
- Experience in RESTful web service testing using the Rest Assured framework in Java. Validated JSON formatted data and different HTTP status codes like 200, 201, 400, 415, 500, etc.
- Hands-on experience with the QualysGuard vulnerability management tool. Scanned the network and provided the scan reports to operational teams.
- Automated the centralized detection of security vulnerabilities with scripts for vulnerability assessment tools like QualysGuard and Splunk.
- Experience with fast paced environment like Agile Methodology.
- Controls on session management like server-side session state, session termination, session ID randomness, expiration, unique tokens, concurrent logged-in sessions and session fixation prevention.
- Automating the SAST tool SonarQube with Jira and guided developers to run scans for fixing the vulnerabilities.
- Implemented Keycloak, an open-source identity management and access management solution, to allow single sign-on, and integrated it with Azure.
- Troubleshooting authentication and authorization issues if any discrepancies occur regarding access to applications, verifying the access tokens and JWT tokens.
- Worked on Single Sign-On/SAML, OAuth and JWT tokens, troubleshooting the tokens if users have any access issue.
- Using Firefox add-ons like Flagfox, Live HTTP Headers and Tamper Data to perform the security test.
- Used authentication APIs to access the microservices in the Azure environment, including SQL queries to validate data integrity in databases.
- Supporting governance activities established within the enterprise to address compliance with SOX, PCI, HIPAA and internal corporate policy.
- Working with DevSecOps for apps hosted on cloud infrastructure for the assessment of infrastructure; preparing test strategies and test cases for the testing of each application following OWASP Top 10 & SANS 25.
- Analyze security test results, draw conclusions from results and develop targeted testing as deemed necessary
- Work with external vendors to perform penetration tests on operating systems, databases, and Applications as necessary
- Involved in Microsoft adoption across multiple enterprise platforms.
- Involved in the migration of data from Cassandra to Cosmos DB (an Azure feature) in all the lower environments.
- Implemented the Azure Service Bus connector for streaming services, replacing Kafka, and App Insights for security monitoring in the cloud.
- Deploying the fixed code into various environments through Jenkins CI/CD pipelines in various sprint cycles.
- Worked on automation of APIs, performing Veracode scans and source code reviews, and tracking them for remediation within SLA.
- Requesting application teams for the documents such as SSP (System Security Plan), latest vulnerability scans, Source code scans and Network scans as a part of application testing.
- Coordinate with red team and request for penetration testing reports to incorporate those results in final security assessments report
Confidential
Sr Application Security Engineer
Responsibilities:
- Working as Security Analyst at Confidential &T, involved in performing Dynamic and Static Application Security Testing (SAST & DAST).
- Static code scans on Java and .NET applications using the HP Fortify tool, and analyzing vulnerabilities to identify false positives, providing remediations to the app teams.
- Performing dynamic scans using HP WebInspect for finding security vulnerabilities (configured WebInspect scans for vulnerabilities and manual pen tests).
- Performing manual penetration tests (light) for the applications which are Internet facing, PCI and SPI, using Burp Proxy.
- Automated the Fortify tool with the Jenkins plugin on Linux machines to perform static scans by the app team developers as many times as they need, to make sure they are fixing the code while they are developing and that the app is vulnerability-free.
- Conducting light manual pen tests including injection attacks, broken authentication and session management, finding security misconfigurations and checking for any sensitive data exposure.
- Performing manual pen tests for gaining unauthorized access to the systems to steal confidential data like client information, business logic, and server versions.
- Documented findings, observations, provide remediation recommendations and draft a comprehensive written Pen test report for end clients.
- Working with CSO Teams and App teams for the vulnerabilities which we can’t fix and recorded as Known Vulnerabilities and filing TSS Exceptions.
- Remediated security vulnerabilities which are reported by Fortify like Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), broken authentication and session management, SQL injection, session timeout and header manipulation.
- Have worked with a team of individuals dedicated to conducting research, attack detection and building mitigation techniques for threats posed in network and application layers.
- Performed peer reviews of Security Assessment Reports and was involved in requirement gathering and outlining.
- Compiler warnings are triaged and fixed prior to code check-in for each development phase.
- Database auditing encompasses Oracle, MS SQL, MySQL and LDAP. Web server configurations include IIS and Apache. Developed custom-built tools for auditing using Perl, C and shell scripting.
- Utilized Identity Access Management ("IAM") software for audit reports, user requests for adding/removing access.
- Involved in testing the applications for the Functionality and Database Testing with manual testing and performed black box testing such as Functional, Integration, UAT and Regression.
- Reviewed the latest patch releases to identify the risks of delaying patch application and to identify possible alternative mitigations.
- Assisted developers in remediating issues from security assessments with respect to OWASP standards and as per Fortify recommendations.
- Performed security reviews of application designs, source code and deployments as required, covering all types of applications (web applications, web services, mobile applications), and performed vulnerability assessments using QualysGuard and Nessus scanners.
- Report deliverables and security signoff on time to the Project teams before going into the Deployment.
- Providing vulnerability metrics to each application team by severity (Critical, High, Medium, Low), where the application security test is based on categorization into SEV1, SEV2, SEV3, SEV4 and SEV5.
- Communicated technical application security concepts to application teams once the Fortify scan reports were generated.
- Regularly performed research to identify potential vulnerabilities in and threats to existing technologies, and provided timely, clear, technically accurate notification to management of the risk potential and options for remediation.
Confidential, Milwaukee, WI
Application Security Engineer
Responsibilities:
- Performed application and infrastructure penetration tests, as well as physical security review and social engineering tests for our global clients.
- Reviewed and defined requirements for information security solutions and performed vulnerability scans with the Qualys vulnerability scanner.
- Skilled in using Burp Suite, Nmap and WebInspect for web application penetration tests.
- Nmap is used to test open and closed ports, and to enquire with developers about which ports have been opened and for what reasons.
- Used IBM AppScan to test websites for vulnerabilities and reviewed source code and developed security filters within AppScan for critical applications.
- Utilized the Checkmarx tool for source code reviews of Java, .NET and PHP applications.
- Using Checkmarx, tested the critical applications which contain PCI and PII sensitive information.
- Administered software applications by identification of security malfunctions using SQLmap, Burp Suite and other tools.
- Scanned web and mobile applications prior to deployment using AppScan to identify security vulnerabilities, and generated reports and fix recommendations.
- Produced an associated cloud risk assessment framework utilizing industry best practices and open-source tools from the Cloud Security Alliance, Microsoft and others. The framework allows control category comparisons, gap analyses and asset-value-based compensating controls.
- Performed peer reviews of Security Assessment Reports and was involved in requirement gathering and outlining.
- Worked closely with software developers and DevOps to debug software and system problems.
- Researches and stays abreast of tools, techniques, countermeasures, and trends in computer network vulnerability assessments.
- Conduct network vulnerability assessments using tools to evaluate attack vectors, identify system vulnerabilities and develop remediation plans and security procedures.
- Vulnerability scanning for offenses, incorporating network behavior anomaly detection with QRadar, and generating reports from QRadar that list the magnitude of offenses and tracking them to mitigate vulnerabilities.
- Use QRadar to map out the entire network to collect configuration data across several devices, as well as to see what devices are connected to the network at any given time. Configure QRadar to set rules manually or dynamically, as well as trigger scans to detect further vulnerabilities.
- Produce vulnerability management reports based on current patch levels, vulnerability severity, PCI compliance standards, and malware risk levels using Qualys.
- Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
- DLP Profile deployment report for detecting servers and Update DLP policies - Incident Analysis
- Perform security reviews of application designs, source code and deployments as required, covering all types of applications (web application, web services, mobile applications, thick client applications, SaaS).
- Work on improvements for provided security services, including the continuous enhancement of existing methodology material and supporting assets.
- Responsible for performing static code analysis of application source code and ensure all the controls are covered in the checklist.
- Having review meetings on a daily, weekly & monthly basis for software development, i.e. relying on the agile scrum development model.
- Generated and presented reports on Security Vulnerabilities to both internal and external customers.
- Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging and providing fixes & filtering false findings for the vulnerabilities reported in the scan reports.
- Scan Networks, Servers, and other resources to validate compliance and security issues using numerous tools and conducted onsite penetration tests from an insider threat perspective
- Worked with the Data Analysis team, which is responsible for proactive monitoring of the STBs running on the RDK 2.X stack, to find out the root cause of the defects identified with a possible fix.
- To address and integrate Security in SDLC by following techniques like Threat Modeling, Risk Management, Logging, Penetration Testing, etc.
- Regularly performed research to identify potential vulnerabilities in and threats to existing technologies, and provided timely, clear, technically accurate notification to management of the risk potential and options for remediation.
Confidential
System Engineer
Responsibilities:
- Troubleshooting L2 network issues and making sure the network traffic is stable 24/7, in coordination with various teams across all client locations.
- Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during Network Scans.
- Utilized Identity Access Management ("IAM") software for audit reports, user requests for adding/removing access.
- Created Functional Requirements and Use Cases for Identity management and Access Control projects in the Financial Services industry.
- Worked on troubleshooting LDAP and SiteMinder issues with support teams for newer initiatives at organization level.
- Performed peer reviews of Security Assessment Reports and was involved in requirement gathering and outlining.
- Works with engineers and application developers' groups to implement solutions for the company's LDAP services.
- Experienced with facilitating RSA Authentication Manager and RSA SecurID token-based authentication systems.
- Performed quarterly and ad-hoc (risk assessment) internal, external and web site scans using the Rapid7 toolset: Nexpose, AppSpider.
- Using various Mozilla Firefox add-ons to assess the application, like Wappalyzer, Flagfox, Live HTTP Headers, Cookie Manager and Tamper Data.
- Involved in a major merger activity of the company and provided insights in separation of different client data and securing PII.
- Troubleshooting the network with packet capturing in Wireshark and resolving the issue using TCP/IP filtering of the packet capture.
- Conducted an analytical analysis of client business processes and identified areas of risk to develop and implement comprehensive preventative strategies.
- Good knowledge of failing over firewalls in Active/Standby mode while configuring the firewall versions.
- SQLMap to dump the database data to the local folder
- Developed ontological and heuristic behavior frameworks for incident investigation and response. Many of my findings were implemented into a leading security platform.
- Updating of the checklist on weekly basis to ensure all the test cases are up to date as per the attacks happening in the market
- Creation of secure virtualized lab for exploit creation, malware distribution analysis and security product testing.
Confidential
System Analyst
Responsibilities:
- Analyze, log, track and complex software and hardware matters of significance pertaining to networking connectivity issues, printer, server, and application to meet business needs.
- Provide network support for new application and device deployment; identify new connectivity requirements and develop solution.
- Build site to site VPN for remote locations and partner connections using Cisco Next Generation Firewalls.
- Actively involved in new store openings, closings, renovations, relocations, and technology lifecycle initiatives.
- Helped design and document troubleshooting techniques for Kerberos with the QA department.
- Planned, managed, and implemented a Wi-Fi deployment project to upgrade more than 1000 Cisco wireless access points; certified wireless coverage using Air Magnet wireless tool.
- Led the implementation of RSA SecurID for two factor authentication, as well as the deployment and support of Windows 2007 computers.
- Respond to network connectivity and regional data center outages; coordinate efforts with Service Desk, ISP provider; local tech and/or store personnel to restore network services.
- Configure/Deploy/Maintain Symantec DLP. Worked with Symantec DLP upgrades and patches.
- Handled the tasks of designing and planning LAN network expansion of the organization.
- Responsible for upgrading and configuring Microsoft Windows servers.
- Monitor QRadar, a SIEM product, to identify any security violations.
- Handled the tasks of monitoring databases, ensuring the security of stored data and monitoring access to stored information in company databases.
- Managed computer/user accounts in Active Directory.
- Installed network routers, firewall and cabling.
- Responsible for preparing, loading, documenting and testing desktop and network developed applications for deployment, staff training, and inventory
- Supported users in multiple branches with computer, network and desktop application software; image new PCs for new employees or reimage current; install printers to user profiles; map network drives; assist in user login and connectivity issues.