
Cyber Security Engineer Resume


Dallas, TX

PROFESSIONAL SUMMARY:

  • Overall 6 years of progressive experience as a Security Engineer/Penetration Tester in Penetration Testing, Vulnerability Assessment, Policy Compliance and Risk Assessment.
  • Experience with VM identification, analysis, metrics, as well as processes enabling proper governance, risk and compliance (GRC) and have knowledge on vendor management.
  • Experience on manual penetration testing, application security, patch and vulnerability management.
  • Responsible for managing all aspects of the vulnerability risk management program including vulnerability identification, analysis, and remediation coordination and reporting.
  • Progressive experience in penetration testing, generating reports, SQL Injection, XSS and major OWASP Top 10, and patch management, vulnerability management, compliance, risk management.
  • Capable of identifying flaws like Security Misconfiguration, Insecure direct object, Sensitive data
  • Have experience in Nexpose, InsightVM, Compliance, Risk Assessment (GRC Modulo), Active Directory.
  • Experience with Windows/Linux OS, Database Policy Compliance and configuration with CIS.
  • Experience with IT Governance (GRC) risk assessment tool Digital Manager 360 (Modulo) and RSA Archer.
  • Experience with various tools like BurpSuite, DirBuster, NMap, Nexpose, Nessus, HP Fortify, HP WebInspect, IBM AppScan, Kali Linux, SIEM, Splunk, Checkmarx, Jira and OWASP ZAP.
  • Experience with Retail services and domain knowledge in Banking, Financial services.
  • Experience with Identity and access management (IAM) enables the individuals to access the resources at the
  • Experience with the PowerShell command line, which includes a graphical user interface (GUI) and a scripting language.
  • Experience with sandbox security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading.
  • Experience in crafting automated software installation solutions via PowerShell scripting.
  • Good knowledge of Cloud security models and controls Amazon Web Services (AWS).
  • Security information and event management (SIEM) capabilities of gathering, analyzing and presenting information from network and security devices, vulnerability management and policy-compliance, operating-system, database and application logs, external threat data.
  • Experience with white box, grey box and black box testing.
  • Involved in Security Development Life Cycle (SDLC) to ensure security controls are in place.
  • Experience with development of written documents and presentations at various levels of the organization.
  • Having good experience with SAST and DAST of applications using different tools, HP Fortify and IBM AppScan.
  • Ability to develop and maintain metrics and reports on vulnerability findings and remediation compliance.
  • Knowledge of DISA STIG, CIS, CVSS, CVE and proactive vulnerability detection.
  • Have Knowledge on Jira, Root Kit, IP Spoofing, Virtual Box, Kali Linux, Software Hardening concepts.
  • Good Knowledge on HTTP, HTTPS, Web application firewalls, checking logs, SSL and TLS.
  • Good knowledge on SQL and programming skills in Java. Experience with Windows and Linux environments.
  • Knowledge on network security such as DNS, TCP/IP, IDS/IPS, Active Directory and IOS devices.
  • Good team player and ability to learn the concepts effectively and efficiently.

TECHNICAL SKILLS:

Tools: BurpSuite, DirBuster, SQLMap, Kali Linux, HP WebInspect, HP Fortify, SCA, IBM AppScan, Jira, Splunk

Network Tools: NMap, Tenable Nessus, Rapid7 Nexpose, InsightVM

Policy and standards: NIST, PCI DSS, CIS, SOC, SOX

Risk Assessment Tools: SAI Digital Manager 360 (Modulo), RSA Archer

Language: C, C++, Java, C#

Web Technologies: HTML, CSS, JavaScript, Powershell

Platforms: Windows, Linux

Database: SQL, Oracle, MySQL

Packages: MS Office (Word, Excel, Pivot Tables), MS Visio

PROFESSIONAL EXPERIENCE:

Confidential, Dallas, TX

Cyber Security Engineer

Responsibilities:

  • Experience with tools such as Rapid7 Nexpose vulnerability scanner and InsightVM.
  • Generate the reports on daily basis and executing the daily tasks. Managing and adapting the scan schedule.
  • Performed authenticated and unauthenticated vulnerability infrastructure scanning.
  • Assist teams with tracking remediation approaches within InsightVM or Excel.
  • Experience with vulnerability management metrics as per organization standards.
  • Experience with Firewall Rule Requests (Ports, Protocols and Services)
  • Handled Baseline Configurations, vulnerability exceptions and Compliance exceptions.
  • Update, create and adjust custom policies based on CIS Benchmark, templates, standards and procedures for SQL Server 2008, 2012, 2016, Oracle DB 11g, 12c, Windows, Linux systems, workstations, desktops, network devices and Apache servers.
  • Assist compliance and audit functions for Windows (XP, 7, 10), Linux (RHEL 6 & 7, SUSE 11 & 12, CentOS, Ubuntu) systems, network devices (primary routers, switches, access points).
  • Perform vulnerability, configuration, and compliance scan with Nexpose to detect deficiencies and validate compliance of information systems configuration with organization's policies and standards such as Center for Internet Security (CIS) Benchmarks
  • Prepared SQL customized queries to generate reports in Nexpose based on requirement.
  • Worked with Powershell scripting language to design for system administration and automation.
  • Worked with Windows Powershell, for purposes of task automation and configuration management.
  • Experience with policy documentation, risk assessment documentation of findings in the systems.
  • Analyze vulnerabilities to determine remediation measures and rule out false positive using resources such as National Vulnerability Database (NVD), US-CERT and CIS
  • Develop Vulnerability Assessment Report (VAR) to document findings and recommend remediation measures.
  • Experience with SAI Digital Manager 360 (Modulo) to do the risk assessment of systems and applications.
  • Performed risk assessments based on NIST (SP ) standards for Active Directory domain controllers, Windows, Linux systems and network devices.
  • Assist in the implementation of Risk Management Framework (RMF), through the required government policy and participate fully in documentation process.
  • Performed security analyses to validate established risk on systems and applications.
  • Develop Authorization to Operate (ATO) document to amend the deficiency in system operation as required
  • Document assessment results and authorized technical activities and coordinate system security plan (SSP)
  • Periodically conduct a complete review of each system audits and monitor for corrective action

Confidential, Bellevue, WA

Penetration Tester

Responsibilities:

  • Performed Manual Penetration Testing and Vulnerability Assessment on web applications.
  • Good understanding of and experience in testing vulnerabilities based on OWASP Top 10.
  • Experience with Intrusion detection system (IDS) system that performs the process of intrusion detection
  • Performed Intrusion prevention system (IPS) system that has an ambition to detect intrusions.
  • Experience with SQL Injection, XSS, Insecure direct object, Security Misconfiguration, Sensitive data exposure, Functional level access control, CSRF, Unvalidated redirects.
  • Familiar with BurpSuite, SQLMap to dump the database data to the local folder.
  • Identified issues on sessions management, Input validations, output encoding, Logging, Exceptions, Cookie attributes, encryption, Privilege escalations.
  • Executed Network Penetration vulnerability assessment using Nessus on internal network to check out for the various vulnerabilities in the existing network and ensured to communicate the correct mitigation for the existing vulnerabilities to the client.
  • Scan Networks, Servers to validate compliance and security issues using numerous tools NMap and Nessus.
  • Experience with gray box testing to distinguish and find defects and bugs with incomplete information of the software product’s inner code structure or programming rationale.
  • Experience with black box Testing approach to verify internal coding structure or rationale to test a product application for recognizing and finding bugs.
  • Used SIEM as software, as appliances, as managed services; used to log security data and generate reports for compliance purposes.
  • Experience with Security information and event management (SIEM) systems work to gather security-related events from end-user devices, servers, network equipment, firewalls, and antivirus or intrusion prevention systems.
  • Performed Static Application Security Testing (SAST) with automation tool HP Fortify to identify the vulnerabilities in Java, C# source code.
  • Performed software validation analysis using static code analysis tool HP Fortify to identify security concerns caused by issues such as faulty input validation and generally poor coding practices.
  • Created a report extraction utility to filter HP Fortify XML reports and output those results into an MS Excel spreadsheet format. Provided deep analysis of source code using HP Fortify.
  • Utilizing various logs, rules, and indicators of compromise to correlate events for the purposes of exploit prevention and incident response.
  • Suggested the security requirements to the development team in various stages of SDLC to minimize the effort to rework issues identified during penetration tests.
  • Managed the tracking and remediation of vulnerabilities by leveraging agreed-upon action plans and timelines with responsible technology teams.

Environment: Source code review, penetration testing, Burp Suite, OWASP Top 10, HP Fortify

Confidential

Security Engineer

Responsibilities:

  • Performed Manual Penetration Testing on projects in web applications.
  • Conducted Vulnerability Assessment on various infrastructure applications.
  • Experience in different web application security OWASP Top 10 testing tools like Burp Suite, Nessus.
  • Performed web application penetration tests and infrastructure testing using Burp Suite pro.
  • Performed the manual code review to remove the False Positives.
  • Performed Dynamic Application Security Testing (DAST) using tools such as IBM AppScan.
  • Assist infrastructure security teams with SIEM integration, network pen tests.
  • Experience with white box testing techniques concentrates on testing a software product for defects and bugs with finish information of the product’s programming code.
  • Worked with external security audit on applications and network penetration testing.
  • Performed manual and automated dynamic grey-box security testing and remediation testing on a wide range of web applications hosted in environments using tools like IBM AppScan Standard.
  • Responsible for giving remedies for security vulnerabilities reported by IBM AppScan, like Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL Injection, Header Manipulation and Session Timeout.
  • Supported access control security policies by using Security-Enhanced Linux (SELinux).
  • SELinux cluster research and reporting and SELinux multilevel security policy modules and associated OS configuration.
  • Worked on Software Hardening Reducing attacks which include changing default passwords, the removal of unnecessary software, unnecessary usernames and passwords.
  • Conducted Web Application Vulnerability Assessment, secure code review on the applications.
  • Conduct re-assessment after mitigating the vulnerabilities found in the assessment phase.
  • Security test planning and security test execution on Web platform projects.
  • Scan Networks, Servers, and other resources to validate compliance and security issues using numerous tools
  • Assist developers in remediating issues with Security Assessments with respect to OWASP standards.

Environment: SQL Injection, XSS, Application Security review, Security Assessments, Manual Pen Testing, OWASP Top 10
