SUMMARY

• Over 10+ years of experience in Web Application Security, Security Architecture & Design, Penetration Testing and Secure Coding.
• In - depth knowledge of Mobile Application Security, Application Security Controls and Validation, IT Risk Assessments, Regulatory Compliance and Secure Software Development Life Cycle (secureSDLC) and Continuous Integration (CI) and Continuous Delivery (CD) of security scanning.
• Hands-on with Penetration Testing, DAST, SAST and manual ethical hacking.
• Experience in conducting IT Security Risk Assessments in accordance to NIST and FFIEC framework.
• Working knowledge of AWS and MS Azure Cloud Security.
• Worked with global security teams performing application and IT infrastructure security assessments.
• In-depth knowledge of penetration testing for web and mobile (iOS and Android) applications.
• Performed security design and architecture reviews for web and mobile application.
• Hands-on experience in developing threat models, security controls, threat analysis, creation of risk control matrices and risk mitigation strategies.
• Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS 3.2), HIPAA, HITRUST and Sarbanes-Oxley Section404 (SOX).
• Experience in implementing Cyber Security Incident and Event Management System (SIEM) using HP ArcSight.
• Ability to handle multiple tasks and work independently as well as in a team.
• An efficient team player in challenging and creative environment with excellent capacity to adapt new technologies and skills.
• Possess strong technical aptitude with strong analytical, work ethic, problem solving and communication skills.

TECHNICAL SKILLS

Security Tools: ZED attack proxy, Oracle Identity Manager, Oracle Access Manager,JHijack, Metasploit Pro,, SQLMAP, Wireshark, WebScarab, Paros, Nmap, BMC BladeLogic, AppDetect, AppRador, Nessus, Rapid7 Nexpose, Tripwire, Symantec Vontu, DBProtect, ArcSight SIEM, e-DMZ Password Auto Repository (PAR), Varonis, Amazon Web Services (AWS) Cloud security.

Identity & Data Protection Tools: ProtectDB, ProtectFile, RSA Single Sign-On (SSO), Two-Factor (2F) autantication, SafeNet eToken 5110, SafeNet KeySecure.

Networking: Symantc Vontu DLP, Checkpoint, Palo Alto, Check Point, Cisco, IDS/IPS, Anti-virus, BMC BladeLogic, Remedy.

DAST and SAST tools: IBM AppScan Enterprise (ASE), Standard & Source editions, HP WebInspect, QualysGuard, BurpSuite Pro, Acunetix, Fortify SCA, SQLMAP.

Cloud Security: Amazon Web Services (AWS), MS Azure

Operating Systems: Oracle Solaris UNIX, RedHat LINUX 4/5, Windows Server2003/2008.

Java & J2EE Technology: Spring Framework, EJBs, Struts2, Servlets, JavaServerPages (JSPs), JMS, Java Mail API, JNDI, LDAP, JDBC, JTS, RMI, AWT, Swing, Socket Programming, IONA Orbix CORBA.

Application Servers: Weblogic Server, iPlanet, Netscape Application Server and Microsoft IIS.

Languages: Java, Python, C/C++, C#.NET, Perl, UML.

Scripting Languages: AngularJS, XML, XSLT, XPath, XQuery, HTML/JavaScript/JQuery, AJAX.

Middleware: TIBCO EMS, IBM WebSphere MQ, JMS

Databases: Oracle, MS SQL Server, Sybase.

Web Services: RESTFul/SOAP, SOA, UDDI, WSDL.

Web Servers: Apache Tomcat, Netscape Enterprise Server3.5, Jboss and JRun.

PROFESSIONAL EXPERIENCE

Confidential, Charlotte, NC

Sr. Security Engineer

Responsibilities:

• Conducted security assessments to ensure compliance to firm’s security standards (i.e., OWASP Top 10, SANS25). Specifically, security testing has been performed to identify XML External Entity (XXE), Cross-Site Scripting, ClickJacking, and SQL Injection related attacks within teh code.
• Developed Application Security program (DAST and SAST) at teh enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments.
• Reviewed source code (Java/J2EE/.NET/C#/Spring/FTL/JavaScript) and developed security filters within IBM AppScan for critical applications.
• Configured SafeNet ProtectDB to enable column level encryption for securing confidential customer data.
• Designed security architecture for web and mobile apps. Reviewed Solution overview Documents (SODs) to identify security anomalies in teh system architecture and design, and provided recommendations to address data security and privacy concerns.
• Developed threat modeling framework (STRIDE) for critical applications to identify potential threats during teh design phase of applications.
• Implemented file system security by applying hashing techniques for protecting data stored in files on teh file servers.
• Administered cryptography, certificate management and implemented dual keys to address segregation of duties issue between DBAs and security admins.
• Participated in teh development of IT risk assessments for enterprise applications. Teh NIST framework has been utilized for IT risk assessments.
• Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Checkmarx, Developer plug-ins to various development teams across teh business lines.
• Generated executive summary reports showing teh security assessments results, recommendations (CWE, CVE) and risk mitigation plans and presented them to teh respective business sponsors and senior management.
• Conducted monthly developer workshops to educate and train developers on secureSDLC, scan source code using IBM AppScan Source, triage and resolve teh Cyber security vulnerabilities.
• Participated in teh implementation of AWS Cloud security for applications being deployed in teh Cloud. Developed WACLS and configured to rules and conditions to detect security vulnerabilities in teh Cloud Front.
• Implemented security controls for AWS Virtual Private Clouds (VPCs), EC2 instances, RDS and Route53.
• Experienced with SaaS applications in configuring and deploying to teh cloud platform.
• Worked with DevOps teams to automate security scanning into teh build process.
• Worked extensively with software development teams to review teh source code, triage teh security vulnerabilities generated by IBM AppScan, BurpSuite, HP WebInspect, HP Fortify, Checkmarx and eliminated false positives.
• Reviewed Android and iOS mobile source code manually and recommended code fixes.
• Participated in teh Proof of Concept (POC) in implementing Arxan application protection software for Mobile apps.
• Analyzed security incidents originated from various network/application monitoring devices (e.g., Symantec Vontu DLP) and coordinated with Engineering teams for tracking and problem escalation, including remediation.
• Performed teh penetration testing of mobile (Android and iOS) applications, specifically, APK reverse engineering, traffic analysis and manipulation, dynamic runtime analysis.
• Developed secureSDLC policies and standards for Web and Mobile apps.
• Working knowledge of SSO implementation for teh applications deployed in MS Azure cloud platform.
• Developed, implemented and migrated applications based on NIST Framework. Developed information assurance (IA) designs to meet specific operational needs and environmental factors

Confidential, New York, NY

Sr. Security Engineer

Responsibilities:

• Performed pen testing of both internal and external networks as per PCI-DSS standards. Teh pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store credit card information.
• Reviewed security vulnerability reports for applications and databases, analyzed and worked extensively with teh development teams for teh implementation of mitigating controls.
• Implemented IBM AppScan standard, source editions, HP WebInspect, Nessus, and QualysGuard web application scanners. In addition, teh security tools Metasploit and BurpSuite were utilized for manual penetration testing.
• Performed security assessments for teh client-facing apps. Teh associated IT infrastructure such as database management systems, middleware systems, web services (SOA) were also included in teh security assessments.
• Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web, mobile applications, including database and middleware systems.
• Reviewed Architecture Design Documents (ADD) and Solution overview Documents (SODs) to identify security anomalies in teh system architecture and design, and provided recommendations to address data security and privacy concerns.
• Implemented HP ArcSight ESM including, correlation rules, data-monitors, reports, event annotation stages, case customization, active lists, and pattern discovery.
• Conducted manual source code reviews of teh client-facing web and mobile applications, including iOS and Android mobile apps. Teh key areas of confidential and sensitive data stored on teh mobile devices were reviewed and made recommendations to secure customers’ PII and PCI data.
• Participated in teh implementation of AWS Cloud security for applications being deployed in teh Cloud. Developed WACLS for AWS Web Application Firewalls (WAF) and configured teh rules and conditions to detect security vulnerabilities in teh Cloud Front.
• Reported security findings, recommendations and presented to teh business users, executive committee and Compliance departments.
• Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
• Performed Static and Dynamic Analysis and Security Testing (SAST and DAST) for various applications as per firm’s security standards (i.e., OWASP, SANS 25).
• Conducted workshops and user awareness training on security policies, procedures and baselines.
• Worked with software development teams, DB/Unix administrators and solution architects as a subject matter expert related to security compliance with PCI DSS 3.2 and industry standards.
• Worked with Internet Engineering team in teh design and configuration of BlueCoat Internet proxy. Implemented WebFilter database for URL content Filtering.
• Developed security policies and baselines for mobile and web applications. Performed compliance audits to ensure security policies and baselines have been adequately implemented.
• Participated in teh implementation of SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
• Developed correlation rules for Security Incident and Event Management (SIEM) system. Reviewed teh solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring. Experience with Splunk in investigating various logger events related to security incidents.
• Performed PCI pre-assessment audit for teh entire network as well as teh related applications in preparation for teh annual external PCI compliance audit.

Confidential, New York, NY

Security Engineer

Responsibilities:

• Performed teh tasks of designing Advanced Security & Management Solutions for teh organization.
• Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
• Well versed with various vulnerabilities and attacks at application - OWASP top 10, SQL Injection, XSS, CSS, LDAP injection, XPath injection etc.
• Conducts regularly review of Global Security Incidents as well as reports and update teh same to teh internal teams.
• Execute and craft different payloads to attack he system to execute XSS and different attacks
• Worked with Internet Engineering team in teh design and configuration of BlueCoat Internet proxy. Implemented WebFilter database for URL content Filtering.
• SQLMap to dump teh database data to teh local folder
• Performed IT Risk Assessment Services and provides Solutions to mitigate Risks identified and reported.
• Conducted security assessments for various applications supporting Corporate & Investment Banking, Loan, Treasury, Equities and FI businesses. Teh web application infrastructure such as IBM WebSphere, Apache Tomcat, and IIS web/application servers were reviewed for compliance to firm’s security baselines.
• Developed correlation rules for Security Incident and Event Management (SIEM) system. Reviewed teh solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring.
• Ensured that teh operation, design, and management of information systems are in according to teh standards of teh organization.
• Established and maintained a framework to ensure that information security policies, technologies and processes are aligned with teh business regulations of teh organization.
• Identifies as well as applies innovative practice in security to enhance teh global operations of teh organizations.
• Performed risk assessments and defines strategies to address teh identified risks.
• Ensured that risk identification, mitigation controls and analysis are integrated into application life cycle and change management processes.
• Performed PCI-DSS (3.2, 3.1) pre-assessment audit for teh entire network as well as teh related applications in preparation for teh annual external PCI compliance audit.

Confidential

Java Developer

Responsibilities:

• Implemented MVC architecture by making use of Java Struts, Spring framework.
• Developed Java Server Pages(JSPs) and Servlets in teh web-tier and EJB's in teh business tier
• Client side validation was done using JavaScript and CSS was used to define teh view of teh pages.
• Implemented business logic using Session Beans.
• Implemented data access objects using Entity Beans.
• Used JMS/TIBCO for synchronous/asynchronous communication and sending updates to various other applications.
• Developed user interface using JSPs and HTML, JavaScript, CSS, Stylesheets.
• Designed Tables, Indexes, Stored Procedures, Functions and Triggers for teh database.
• Involved in different phases of Software Development Lifecycle (Agile methodology) such as Requirement Analysis, Design and Development.
• Developed teh application using JBoss.
• Coded Ant build scripts to build and deploy teh application on JBoss on Unix.