Sr. Security Engineer Resume
Houston, Texas
TECHNICAL SKILLS
DAST, SAST, IAST tools: IBM AppScan Enterprise (ASE), Standard & Source editions, Micro Focus WebInspect, QualysGuard, BurpSuite Pro, Contrast Security, Acunetix, Fortify SCA, SQLMAP.
Port/Vulnerability Scanning: Nmap/Nmap Scripting Engine (NSE), Netcat, Nessus.
Network Security Testing: Symantec DLP, Endpoint Protection, Checkpoint, Palo Alto, Cisco, IDS/IPS, Anti-virus, and BMC.
Password Cracking: Hydra, RainbowCrack, BladeLogic, Remedy, Ophcrack, John the Ripper, Pyrit.
Security Tools: AppDetective, AppRadar, Oracle Identity Manager, Oracle Access Manager, JHijack, Metasploit Pro, OWASP ZAP (Zed Attack Proxy), SQLMAP, Wireshark, WebScarab, Paros, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec DLP, DBProtect, ArcSight SIEM, e-DMZ Password Auto Repository (PAR), Varonis, IDA Pro, WinDbg.
Cloud Providers & Security: Amazon Web Services (AWS) and MS Azure, Apigee API Management, Cloud Security Alliance (CSA), Cloud Access Security Broker (CASB), Aqua Container Security, Kubernetes, Terraform.
DevSecOps: AWS CodePipeline, CI/CD, Jenkins, GitHub, IBM AppScan automation.
Middleware: TIBCO EMS, IBM WebSphere MQ, JMS.
Databases: Oracle, MS SQL Server, MySQL, Sybase.
Operating Systems: Oracle Solaris UNIX, Red Hat Linux 4/5, Windows Server 2003/2008.
Application Servers: Weblogic Server, iPlanet, Netscape Application Server and Microsoft IIS.
Programming Languages: Spring Framework, EJBs, Java, J2EE, Python, C/C++, C#.NET, Perl, Struts2, Servlets, JavaServer Pages (JSPs), JMS, Java UML, Mail API, JNDI, LDAP, JDBC, JTS, RMI, AWT, Swing, Socket Programming, IONA Orbix CORBA.
Web Technologies: XML, HTML, HTML5, XHTML, CSS3, JavaScript/ES6.
PROFESSIONAL EXPERIENCE
Confidential, Houston, Texas
Sr. Security Engineer
Responsibilities:
- Automated the security scanning process (DevSecOps) into the build environment with a CI/CD pipeline using Jenkins, Maven, Gradle and GitHub.
- Implemented OAuth 2.0, SAML and Single Sign-On (SSO) for AWS and mobile corporate applications. Working knowledge of OSSTMM, OWASP Top 10 and SANS Top 25.
- Conducted vulnerability assessments (DAST, SAST, IAST) of web and mobile (iOS and Android) applications, including third-party applications. IBM AppScan, ZAProxy, BurpSuite Pro, Checkmarx and HP Fortify were used to scan the applications.
- Conducted security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10, SANS Top 25). Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking and SQL Injection related attacks within the code.
- Reviewed source code (Java/J2EE/Spring/FTL/JavaScript) and developed security filters within IBM AppScan for critical applications.
- Analyzed security incidents originating from various network/application monitoring devices (e.g., Symantec DLP) using Splunk Enterprise Security, and coordinated with engineering teams for tracking and problem escalation, including remediation.
- Administered, maintained and deployed the Imperva web application firewall (WAF).
- Experience with ISO 27001/27002 certification for ISMS and GRC solutions such as Sarbanes-Oxley (SOX) compliance, HIPAA and PCI.
- Participated in developing security policies and security groups for AWS Cloud infrastructure, including EC2, Security Groups, Route 53 and Virtual Private Cloud (VPC).
- Implemented API security using Apigee API management and AWS API Gateway services.
- Installed, configured and deployed CyberArk Enterprise Security Vault to administer privileged passwords and also set up policies for accessing passwords within the acceptable timeframes.
- Conducted security assessments of cryptography applications, including apps that use a Hardware Security Module (HSM).
- Managed a team of analysts and service providers who support the various Identity Access Management (IAM) and Data Loss Prevention (DLP) functions.
- Developed and maintained IAM policies, standards, and practices. Helped to establish a formal review process that promoted strong collaboration among a wide range of policy, standard, and practice leaders and groups.
- Configured SafeNet ProtectDB to enable column level encryption for securing confidential customer data.
- Designed security architecture for web and mobile apps. Reviewed Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
- Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
- Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
- Administered cryptography, certificate management and implemented dual keys to address segregation of duties issue between DBAs and security admins.
- Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Developer plug-ins to various development teams across the business lines.
- Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, BurpSuite, Whitehat Sentinel, HP WebInspect, HP Fortify, Checkmarx and eliminated false positives.
- Generated executive summary reports showing the security assessments results, recommendations (CWE, CVE) and risk mitigation plans and presented them to the respective business sponsors and senior management.
- Deployed AWS landing zones into the AWS organization and provisioned the log archive, security and shared services accounts.
- Performed binary reverse engineering and anti-debugging analysis using IDA Pro, WinDbg and OllyDbg.
- Conducted monthly developer workshops to educate and train developers on secure SDLC, scan source code using IBM AppScan Source, triage and resolve the security vulnerabilities.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed AWS WAF web ACLs and configured rules and conditions to detect security vulnerabilities in CloudFront.
- Implemented Security Group Policies for Elastic Compute Cloud (EC2) instances within AWS. Developed AWS Service Roles to protect Identity Provider access.
- Worked with DevSecOps teams to automate security scanning into the build process.
- Reviewed Android and iOS mobile source code manually and recommended code fixes.
- Participated in the Proof of Concept (POC) in implementing Arxan application protection software for Mobile apps.
- Performed the penetration testing of mobile (Android and iOS) applications, specifically, APK reverse engineering, traffic analysis and manipulation, dynamic runtime analysis.
- Developed secure SDLC policies and standards for Web and Mobile apps.
Confidential, Bellevue, WA
Sr. Security Engineer
Responsibilities:
- Security Information and Event Management (SIEM) using HP ArcSight and Splunk Enterprise Security.
- IAM solutions developed with Azure; managed Enterprise Mobility and Security (EMS).
- Hands-on with Penetration Testing, Source Code Review, DAST, SAST, IAST and manual ethical hacking.
- Configured CyberArk Privileged Session Manager (PSM) to control privileged sessions for UNIX and Windows based applications and DBs. Audit logs were also enabled and used for forensic investigations.
- Participated in the implementation of API security projects, including OAuth 2.0 and SAML.
- Involved in the implementation of RSA Single Sign On (SSO) for the applications deployed in the Cloud and on-premise.
- Configured and created vulnerability reports in Nexpose; performed SIEM log monitoring and user behavior investigations in LogRhythm.
- Designed and implemented endpoint security solutions, including an intrusion protection solution, in an enterprise environment.
- Working experience with identity management solutions, access governance, strong authentication and public key infrastructure (PKI); ensured the PKI enabled encryption and digital signature services for a range of applications.
- Implemented and integrated a complete cloud services framework (IaaS, PaaS, SaaS) and cloud deployment.
- Deployed Azure IaaS virtual machines (VMs) and Cloud services (PaaS role instances) into secure VNets and subnets and designed Network Security Groups (NSGs) to control inbound and outbound access to network interfaces (NICs), VMs and subnets.
- Expertise in using the DAST tools (IBM AppScan and BurpSuite Pro) while the application is running to penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party interfaces.
- Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines and Federal Financial Institutions Examination Council (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA and Sarbanes-Oxley Section 404 (SOX).
- Developed secure SDLC policies and standards for web and mobile apps. Various industry standards were used, such as NIST 800-53, CIS Benchmarks, OpenSAMM and FFIEC.
- Administered, maintained and deployed the Imperva web application firewall, Checkpoint IPS & VPN systems, and a McAfee network-based Data Loss Prevention (DLP) device.
- Developed Security requirements for Data Loss Prevention (DLP) specifically for Data at Endpoint, Data In-transit, and Data at rest.
- Administered cryptography, certificate management and implemented dual keys to address segregation of duties issue between DBAs and security admins.
- Automated the security scanning process (DevSecOps) as part of Continuous Integration and Continuous Delivery (CI/CD), feeding security reports into the build cycle.
- Implemented and managed SIEM using the IBM QRadar suite of products (QRadar SIEM, QRadar Vulnerability Manager (QVM), QRadar Risk Manager (QRM), QRadar Incident Forensics (QIF)) and Splunk.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed web ACLs for AWS Web Application Firewall (WAF) and configured the rules and conditions to detect security vulnerabilities in CloudFront.
- Configured AWS Simple Storage Service (S3) to securely store the organization’s critical file systems. Implemented Access Control Lists (ACLs) and Bucket Policies for controlling access to the data.
- Decided on what to remediate and what to risk accept based on security requirements.
- Reviewed vulnerability reports for applications and databases security, monitored, analyzed and worked extensively with the development teams for the implementation of mitigating controls.
- Implemented IBM AppScan Standard and Source editions, HP WebInspect, Whitehat Sentinel, Nessus and QualysGuard web application scanners. In addition, Metasploit and BurpSuite were used for manual penetration testing.
- Performed security assessments for the client-facing apps. The associated IT infrastructure such as database management systems, middleware systems, web services (SOA) were also included in the security assessments.
- Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web, mobile applications, including database and middleware systems.
- Experience in threat modeling during the requirements gathering and design phases.
- Security risk management for TCP-based networking.
- Experience with TCP/IP, Firewalls, LAN/WAN.