SUMMARY

• Around 10 years of professional IT Experience in Security Testing particularly focused on performing technical activities such as Source Code review, Vulnerability Analysis, Security Architecture, Penetration testing, Network Security, IT Risk Assessments, Secure Application Testing based on tools.
• Experience in Threat Modeling during Requirement gathering and Design phases.
• Excellent knowledge in OWASP Top 10, SANS 25, and WASC Threat Classification 2.0 methodologies.
• Working knowledge of Cloud Security Access Broker (CASB).
• Experience on vulnerability assessment and penetration testing using various tools like BurpSuite, DirBuster, OWASP ZAP Proxy, Nmap, Wireshark, Nessus, Kali Linux, Metasploit, and Accunetix.
• Experience in different web application security testing tools like Metasploit, IBM AppScan, SQLMAP, Nessus, Nexpose, Nmap and HP Fortify SCA, Checkmarx.
• Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
• Interpreted least privilege for applications and segregation of duties.
• Working knowledge of AWS Cloud Security in implementing Web Application Firewalls (WAF).
• Experience as a privacy/security analyst, with applicable knowledge of regulatory compliance procedures related to HIPAA, NIST, FFIEC, SOX 404 and PCI - DSS.
• Proven experience in manual/automated securitytesting, secure code review of web and mobile applications
• Good Experience in exploiting the recognized vulnerabilities.
• Working knowledge of AWS and MS Azure Cloud Security.
• Sound knowledge and industry experience in Vulnerability Assessment andPenetrationTestingon WEB based Applications; Mobile based application and Infrastructurepenetrationtesting.
• Provide consultative support with implementation of remediation steps, standards, and best practices.
• Hands on Experience working with LAN and WAN topologies, TCP/IP protocol, routers, switches, and firewalls in Internet, Intranet and Extranet environments.
• Experienced in Web Application Firewall developing the signatures.
• Having good experience in Secure SDLC and Source Code Analysis (Manual &Tools) on WEB based Applications.
• Excellent team player, enthusiastic initiator, and ability to learn the fundamental concepts effectively and efficiently.

TECHNICAL SKILLS

Tools: CyberArk, BeyondTrust, Oracle Identity Manager, Oracle Access Manager,JHijack, Metasploit Pro, Whitehat Sentinel, ZED attack proxy, SQLMAP, WebScarab, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec DLP, DBProtect, ArcSight SIEM, e-DMZ Password Auto Repository (PAR), Varonis, Palo Alto, Cisco, Amazon Web Services (AWS) Cloud security.

DAST and SAST tools: IBM AppScan Enterprise (ASE), Standard & Source editions, HP WebInspect, QualysGuard, BurpSuite Pro, Acunetix, Fortify SCA, SQLMAP.

Languages: Java, Python, C/C++, C#.NET, Perl, UML.

Web Technologies: AngularJS, XML, XSLT, XPath, XQuery, HTML/JavaScript/JQuery, AJAX.

Platforms: Windows7, Windows Server 2008/2012

Web Server: Apache, IIS 6.0/7.0 Database My SQL 5.0, MS Access, MS SQL 2000

Network Enumeration: Maltego, Google Hacking, DNS, SMB, LDAP.

Port/Vulnerability Scanning: Nmap/Nmap Scripting Engine (NSE), Netcat, Nessus, Openvas

Sniffing/Man-in-the-Middle: Wireshark, Ettercap, Cain

Server/Client-Side Exploitation: Metasploit, Social Engineering Toolkit (SET).

Password Cracking: Hydra, Rainbow Crack, 0phcrack, John the Ripper, Pyrit.

PROFESSIONAL EXPERIENCE

Confidential, Chicago

Lead Security Engineer

Responsibilities:

• Conducted white or gray box penetration testing on the financial systems using Kali Linux, Metasploit for OWASP top 10 Vulnerabilities like XSS, SQL Injection, CSRF, Privilege Escalation and all the test-case of a web application security testing.
• Utilized SAST tools (IBM AppScan Source, HP Fortify, Checkmarx, Whitehat Sentinel) to test source code, byte code to expose weaknesses in the software before it is deployed.
• Test the applications & infrastructure using Kali Linux & other security tools and Brute force assessment to insure strong passwords and encryption.
• Expertise in using the DAST tools (Like IBM AppScan and BurpSuite Pro) while the application is running to penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party interfaces.
• Analyze systems for potential vulnerabilities with the help of Qualys VM that may result from improper system configuration, hardware or software flaws.
• Analyzing the enterprise's information security environment and recommending security measures to safeguard applications and information assets using threat modeling, OWASP, CWE.
• Performed dynamic and static analysis of web and mobile applications (iOS and Android) using IBM AppScan Enterprise, Standard and Source editions.
• Conducted manual source code reviews of the client-facing web and mobile applications, including iOS and Android mobile apps. The key areas of confidential and sensitive data stored on the mobile devices were reviewed and made recommendations to secure customers’ PII and PCI data.
• Enabled File System level encryption using Gemalto ProtectFile product for the data stored on the file servers. Developed encryption and decryption solutions using Java Cryptography Extension (JCP).
• Good understanding of encryption or data security solutions at various OSI layers.
• Extensive experience in creating requirements, functional specifications and design documents for encryption and key management.
• Ability to create use cases and test cases for selection of encryption and key management technologies.
• Worked with Enterprise Information Security Architecture in researching and setting cryptographic standards. Reverse engineering and penetration testing mobile applications (iOS and Android).
• Implemented AWS Cloud security for applications being deployed in the Cloud. Developed WACLS for AWS Web Application Firewalls (WAF) and configured the rules and conditions to detect security vulnerabilities in the Cloud Front.
• Implemented Cloud Security Access Broker (CASB) for Cloud applications in AWS.
• Port scanned servers using NMAP and closed all unnecessary ports to reduce the attack surface.
• Developed threat modeling framework (STRIDE) for critical applications to identify potential threats during the design phase of applications.
• Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
• Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines including HIPAA, FIPS 201 and Sarbanes-Oxley Section404 (SOX).
• Experience with RSA Identity and Access Management (IAM) and Single Sign on (SSO) and created user roles and policies for user access management.
• Particiapted in the implementation of SSO using OAuth2.0 and SAML.
• Performed live packet data capture with Wireshark to examine security flaws.
• Used LDAP injections techniques of exploiting Web applications that use client supplied data.
• Used BlueCoat proxy to protect the company's network from, malware and data theft, as well as prevent users from viewing inappropriate content.
• Participated in the implementation of Gemalto product for encrypting customer credit card (data at rest and data in transit) information using Public Key Infrastructure (PKI).
• Ensure compliance with policies, procedures, and regulations (i.e. PCI DSS)
• Participated in the development of IT risk assessments for enterprise applications. The NIST framework has been utilized for IT risk assessments.
• Providing fixes & filtering false findings for the vulnerabilities reported in the scan reports. Adding new vulnerabilities to the Vulnerability Database for various platforms with proper exploits.
• Performed vulnerability testing using tools such as Nessus and Nexpose.

Sr. Security Engineer

Responsibilities:

• Performed security assessments to ensure compliance to firm’s security standards (i.e., OWASP Top 10, SANS25). Specifically, security testing has been performed to identify XML External Entity (XXE), Cross-Site Scripting and SQL Injection related attacks within the code.
• Used SAST tools (Like HP Fortify and SonarQube) to test source code, byte code to expose weaknesses in the software before it is deployed.
• Expertise in using the DAST tools (Like IBM Appscan and Burpsuite Pro) while the application is running to penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party interfaces.
• Extensive Interaction with Onsite Coordinator in understanding the business issues, requirements, doing exhaustive analysis and providing end-to-end solutions.
• Conducting Web Application Vulnerability Assessment & Threat Modeling, Gap Analysis, secure code review on the applications.
• Performed dynamic and static analysis of web application using IBM AppScan.
• Doing multiple level of testing before production to ensure smooth deployment cycle.
• Performed vulnerability testing using tools such as Nessus and Qualysguard.
• Maintains network performance by performing network monitoring and analysis, and performance tuning, troubleshooting network problems. Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP, Dirbuster, Qualysguard, Nessus, SQLMap for web application penetration tests and infrastructure testing.
• Application Security Review of all the impacted and non-impacted issues.
• Other Adhoc Activities like monthly and weekly report creations. Scheduling meeting with different application teams for understanding future pipelines for applications.
• Assisting customer in understanding risk and threat level associated with vulnerability so that customer may or may not accept risk with respect to business criticality.
• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality.
• Scanned web and mobile applications prior to deployment using AppScan to identify security vulnerabilities and generated reports and fix recommendations.
• Assisting in review of business solution architectures from security point of view which helps avoiding security related issues/threats at the early stage of project
• Providing KT to Development team for better understanding of Vulnerabilities.
• Security monitoring to identify any possible intrusions.

Confidential, New Jersey

Security Engineer

Responsibilities:

• Conducted Vulnerability Assessments for Firewalls, IDS and IPS, OS (Windows, Linux), Database servers.
• Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
• Expertise in using the DAST tools (Like IBM Appscan and Burpsuite Pro) while the application is running to penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party interfaces.
• Application Security Review of all the impacted and non-impacted issues.
• Conducted security assessment of PKI Enabled Applications.
• Skilled using BurpSuite, Acunetix Automatic Scanner, NMAP, Havij, Dirbuster, Qualysguard, Nessus, SQLMap for web application penetration tests and infrastructure testing.
• Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
• Conducted application penetration testing of 50+ business applications
• Capturing and analyzing network traffic at all layers of the OSI model.
• Monitor the Security of Critical System (e.g. e-mail servers, database servers, Web Servers, Application Servers, etc.).
• Acquainted with various approaches to Grey & Black box security testing.
• Change Management to highly sensitive Computer Security Controls to ensure appropriate system administrative actions, investigate and report on noted irregularities.
• Conduct network Vulnerability Assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans and Security Procedures.
• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing they based on the criticality.
• The experience has enabled me to find and address security issues effectively, implement new technologies and efficiently resolve security problems. With having strong Network Communications, Systems & Application Security (software) background looking forward for implementing, creating, managing and maintaining information security frameworks for large scale challenging environments.

Confidential, Portland

Security Engineer

Responsibilities:

• Acquainted with various approaches to Grey & Black box security testing
• Identify issues in the web applications in various categories like Cryptography, Exception Management.
• Performed threat modeling of the applications to identify the threats.
• Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, weak cryptography, authentication flaws etc.
• Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP for web application penetration tests.
• Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during penetration tests.
• Monitor, Analyze and respond to security incidents in the infrastructure. Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.
• Actively search for potential security issues and security gaps that are beyond the ability of detection by any security scanner tool. Initiate and develop new mechanisms to addresses unidentified security holes & challenges.
• Verify if the application has implemented the basic security mechanisms like Job rotation, Privilege escalations, Lease Privilege and Defense in depth.
• Real-time Analysis and defense.
• Configuration and management of Cisco IDS, Checkpoint firewall, Snort.

Confidential

Software Developer

Responsibilities:

• Developed this web application to store all system information in a central location. This was developed using Spring MVC, jQuery, JSP, Servlet, Oracle 10g, HTML and CSS.
• Developed server side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs).
• Automated code deployment to production environment by creating tasks using ANT deployment tool.
• Developed stored procedures, views and triggers using Oracle PL/SQL.
• Design and implementation of RESTful Web services.
• Developed application presentation layer, which is based on Spring MVC framework involving JSP, Servlets and HTML, CSS.
• Designed and developed a suite of applications used by Information Security department, including BPlanner, OATS, and Defect Tracking systems.
• Developed Servlets and JQuery to create a fast and efficient chat server.
• Implemented the Scrum Agile methodology for iterative development of the application.
• Used Spring Framework for Dependency injection and integrated with the Hibernate framework for interacting with the Oracle database.
• Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.