Security Engineer Resume
Seattle, WA
SUMMARY:
- Accomplished IT Security professional with 8 years of work experience assisting organizations in successfully completing enterprise-wide security projects.
- Proven track record of streamlining security processes, designing and implementing efficient security solutions, and leading and assisting multi-disciplined, multi-national teams in achieving security efficiency.
- Experienced in performing risk assessments, penetration testing, and network/application vulnerability assessments.
- Experience in vulnerability assessment and penetration testing using various tools like Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, Kali Linux, and Metasploit.
- Interpreted least privilege for applications and segregation of duties.
- Simulate how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
- Broad knowledge of hardware, software, and networking technologies to provide a powerful combination of analysis, implementation, and support.
- Worked successfully on projects both in a team and individually.
- Inquisitive, strong in basic concepts, and an excellent team player.
- Performed software Licensing audit.
- Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, Web Scarab, YASCA, HP WebInspect, Nikto, DirBuster, Flagfox, Wappalyzer, and Live HTTP Headers.
- Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
- Capable of identifying flaws like Injection, XSS, Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Function-Level Access Control issues, CSRF, and Unvalidated Redirects.
TECHNICAL SKILLS:
Tools: IBM AppScan Standard Edition, HP WebInspect, Acunetix, Burp Proxy, Paros Proxy, Wireshark, OWASP, Web Scarab, Nmap, Metasploit, Burp Suite, SQLmap, OWASP ZAP Proxy, HP Fortify, DirBuster, Acunetix Web Scanner, SQL injection tools, Havij, CSRFTester, Kali Linux, Fortify, Veracode, WebGoat; SSL implementation, RSA implementation, PKI (Public Key Infrastructure), encryption algorithms
Web Technologies: HTML, JavaScript
Platforms: Windows 98/2000/XP/Vista/Windows 7, Windows Server 2000/2003
Database: MySQL 5.0
Packages: MS Office
Network Tools: Nmap, Wireshark, Nessus
PROFESSIONAL EXPERIENCE:
Confidential, Seattle, WA
Security Engineer
Responsibilities:
- Conducted security assessment of PKI Enabled Applications.
- Skilled in using Burp Suite, Acunetix Automatic Scanner, and Nmap for web application penetration tests.
- Conducted application penetration testing of 90+ business applications
- Conducted Compliance Audits
- Acquainted with various approaches to Grey & Black box security testing
- Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, weak cryptography, authentication flaws, etc.
- Actively search for potential security issues and security gaps that are beyond the ability of any security scanner tool to detect. Initiate and develop new mechanisms to address unidentified security holes and challenges.
- Real-time Analysis and defense.
- Vulnerability assessment (VA), Security policy, and network and security audit.
- Configuration and management of Cisco IDS, Checkpoint firewall, Snort.
- Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.
- Monitor, analyze, and respond to security incidents in the infrastructure. Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.
Confidential, MD
Security Engineer
Responsibilities:
- Manual penetration testing of the applications and APIs to identify the OWASP Top 10 vulnerabilities and SANS 25.
- Training the development team on the secure coding practices.
- Black box pen testing on internet and intranet facing applications.
- OWASP Top 10 Issues identifications like SQLi, CSRF, and XSS.
- Preparation of risk registry for the various projects in the client.
- Providing details of the issues identified and the remediation plan to the stakeholders.
- Grey Box testing of the applications.
- Verified the existing controls for least privilege, separation of duties and job rotation.
- Involved in a major merger activity of the company and provided insights in separation of different client data and securing PII.
- Identification of different vulnerabilities of applications by using proxies like Burp suite to validate the server side validations.
- Identified issues on sessions management, Input validations, output encoding, Logging, Exceptions, Cookie attributes, encryption, Privilege escalations.
- Execute and craft different payloads to attack the system to execute XSS and other attacks.
- Used SQLmap to dump the database data to the local folder.
Confidential, Columbia, MD
Security Engineer
Responsibilities:
- Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, Web Scarab, YASCA, and HP WebInspect.
- Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
- Security testing of APIs using SOAP UI.
- Identifying Critical, High, Medium, and Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on criticality.
- Security assessment of online applications to identify vulnerabilities in different categories like input and data validation, authentication, authorization, and auditing and logging.
- Experience in using Kali Linux to do web application assessment with tools like DirBuster, Nikto, and NMap.
- User ID reconciliation on quarterly basis.
- Keep up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
- Threat modeling of the project by getting involved before development and improving security in the initial phase.
- Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% closure.
- Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
- Ensuring SDLC to be a Secure SDLC.
- STRIDE assessment of the applications during the design phase, identifying the threats possible and providing security requirements.
- Training the development team on the most common vulnerabilities and common code review issues and explaining the remediations.
- Good knowledge of programming and scripting in .NET and Java.
Confidential
Jr. Security Engineer
Responsibilities:
- In the team, the main focus of work was to audit the application prior to moving to production.
- Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during penetration tests.
- Perform threat modelling of the applications to identify the threats.
- Identify issues in the web applications in various categories like Cryptography, Exception Management.
- Risk assessment on the application by identifying the issues and prioritizing the issues based on risk level.
- Providing remediation to the developers based on the issues identified.
- Revalidate the issues to ensure the closure of the vulnerabilities.
- Verify if the application has implemented the basic security mechanisms like job rotation, privilege escalation controls, least privilege, and defense in depth.
- Using various add-ons in Mozilla to assess the application, like Wappalyzer, Flagfox, Live HTTP Headers, and Tamper Data.
