- An accomplished Security Engineer with 5+ years of experience specializing in Web Application Security, Information Security, Penetration Testing, Secure Coding, Application Security Controls and Validation, Risk Assessments, Regulatory Compliance, the Secure Software Development Life Cycle (Secure SDLC), and Continuous Integration (CI)/Continuous Delivery (CD) security scanning.
- Hands-on with Penetration Testing, DAST, SAST and manual ethical hacking.
- Worked with global security teams performing application and IT infrastructure security assessments.
- Determined, action-oriented and result-focused consultant. Driven by new challenges and a desire to be successful in all endeavors.
- Good experience in performance tuning of SQL queries and identifying the root cause of blocking queries on tables with a large number of records.
- Hands-on experience in developing security controls, creation of risk control matrices and risk mitigation strategies.
- Working knowledge of the OWASP Top 10 and SANS Top 25 software security guidelines, as well as PCI DSS, Sarbanes-Oxley Section 404 (SOX) and NIST SP 800-53.
- Ability to handle multiple tasks and work independently as well as in a team.
- An efficient team player in challenging and creative environments, with an excellent capacity to adapt to new technologies and skills.
- Possess strong technical aptitude, a strong work ethic, and strong analytical, problem-solving and communication skills.
- Worked on Security Engineering Assessments to address gaps and major findings, and helped application teams mitigate them.
Security Tools: Metasploit Pro, OWASP ZAP (Zed Attack Proxy), sqlmap, Wireshark, Nmap, Symantec Endpoint Protection, DBProtect, Splunk SIEM, Palo Alto Traps, Tanium, Amazon Web Services (AWS) cloud security, VPN.
DAST and SAST tools: IBM AppScan Enterprise (ASE), Standard and Source editions, HP WebInspect, QualysGuard, Burp Suite Pro, Acunetix, sqlmap.
Operating Systems: Oracle Solaris UNIX, Red Hat Linux 4/5, Windows Server 2003/2008, Kali Linux.
Java & J2EE Technology: Servlets, JavaServer Pages (JSPs), JMS, JavaMail API, JNDI, LDAP, JDBC, Swing, Socket Programming.
Application Servers: WebLogic Server, iPlanet, Netscape Application Server and Microsoft IIS.
Languages: Java, PowerShell, C/C++.
Databases: Oracle, MS SQL Server.
Web Services: RESTful/SOAP, SOA.
Web Servers: Apache Tomcat, Netscape Enterprise Server 3.5, JBoss and JRun.
Confidential, Middletown, NJ
IT Security Consultant
- Managed security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10). Specifically, performed manual testing to identify Cross-Site Scripting and SQL Injection-related weaknesses within the code.
- Ran the Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities in applications deployed in DEV, PRE-PROD and PROD environments.
- Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source and Developer plug-ins to various development teams across the business lines.
- Worked extensively with software development teams to review source code, triage the security vulnerabilities reported by IBM AppScan, Burp Suite and HP WebInspect, and eliminate false positives.
- Generated executive summary reports showing security assessment results, recommendations and risk mitigation plans, and presented them to the respective business sponsors and senior management.
- Participated in monthly developer workshops to educate and train developers on the Secure SDLC, scanning source code with IBM AppScan Source, and triaging and resolving security vulnerabilities.
- Participated in the implementation of AWS cloud security for applications being deployed in the cloud.
- Created comprehensive security write-ups on the Pulse Secure VPN tool, articulating security issues, analysis and remediation techniques.
- Worked with DevOps teams to automate security scanning in the build process.
- Worked with build teams to automate endpoint security tools on non-persistent VDI.
- Performed security control assessments for applications and suggested mitigation plans to reduce risk.
Confidential, Newark, Delaware
Application Security Engineer
- Conducted vulnerability assessments of web applications using Nessus.
- Performed functional testing of security solutions such as RSA two-factor authentication, Novell single sign-on, DLP and SIEM.
- Conducted security assessments of C, C++ and Python web applications.
- Worked on various business development activities such as drafting responses to RFPs and preparing SOW documents.
- Managed and maintained firewall systems and IPS along with VPN access controls.
- Supported the detection, understanding and resolution of information security incidents and their remediation.
- Performed risk analyses to identify points of vulnerability and recommended disaster recovery strategies and business continuity plans.
- Managed and maintained an Active Directory forest infrastructure.
- Troubleshot common Windows and Active Directory issues.
- Located and assimilated new information to provide context for security events.
- Experience using IBM IAM software.
- Identified and evaluated new marketing opportunities to increase website traffic and online production.
- Evaluated, deployed and managed information security system solutions such as strong authentication, key management, IPS, SIEM, anti-malware, vulnerability scanners, MDM and others.
- Proficient in understanding application-level vulnerabilities such as XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws, etc.
- Developed and delivered IT Service Management (ITSM) solutions based on ITIL best practices, focused on the people, process and technology perspectives of providing business solutions.
- Skilled in using Burp Suite, IBM AppScan, Acunetix automatic scanner, Nmap, Havij, DirBuster, QualysGuard, Nessus and sqlmap for web application penetration tests and infrastructure testing.
- Performed onsite and remote security consulting, including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment and IDS/IPS hardware deployment.
- Conducted network monitoring and intrusion detection analysis using various Computer Network Defense (CND) tools, such as Intrusion Detection/Prevention Systems (IDS/IPS), firewalls, Host Based Security System (HBSS), etc.
- Captured and analyzed network traffic at all layers of the OSI model.
- Monitored the security of critical systems (e.g., e-mail servers, database servers, web servers, application servers, etc.).
- Performed change management for highly sensitive computer security controls to ensure appropriate system administrative actions; investigated and reported on noted irregularities.
- Conducted network vulnerability assessments using tools to evaluate attack vectors, identified system vulnerabilities, and developed remediation plans and security procedures.
- Identified Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and SANS Top 25, and prioritized them by criticality.
- This experience has enabled me to find and address security issues effectively, implement new technologies and efficiently resolve security problems. With a strong background in network communications, systems and application security (software), I look forward to implementing, creating, managing and maintaining information security frameworks for large-scale, challenging environments.
- Developed server-side business components using Java Servlets, JSPs and Enterprise Java Beans (EJBs).
- Developed the application presentation layer based on the Spring MVC framework, involving JSP, Servlets, HTML and CSS.
- Developed a web application to store all system information in a central location, using Spring MVC, jQuery, JSP, Servlets, Oracle 10g, HTML and CSS.
- Developed servlets and utilized Node.js to create a fast and efficient chat server.
- Analyzed performance issues in the application and related system configuration, and developed solutions for improvement.
- Worked with development teams to run vulnerability scans for their applications.
- Performed static and dynamic analysis of web applications for internal teams.
- Generated reports with the team containing findings and remediation suggestions.
- Identified new and current vulnerabilities that could impact resources by checking vulnerability sites and feeds daily.