
Lead Security Engineer Resume


Glen Allen, VA

SUMMARY

  • 9+ years of Information Security, design and development experience in information security architecture, cryptography, security assurance, threat modeling, IT risk assessments, SSO, and risk remediation activities.
  • Hands-on with penetration testing, DAST, SAST and manual ethical hacking.
  • Expertise in Application Security and identifying and fixing OWASP Top 10 and SANS 25 security vulnerabilities.
  • Strong foundation and In-depth technical knowledge of security engineering, computer and network security, authentication and security protocols.
  • Experience in conducting IT Security Risk Assessments in accordance with the NIST and FFIEC frameworks.
  • Worked with global security teams performing application and IT infrastructure security assessments.
  • In-depth knowledge of penetration testing for web and mobile (iOS and Android) applications.
  • Performed security design and architecture reviews for web and mobile applications.
  • Working knowledge of the OWASP Top 10 and SANS Top 25 software guidelines and Federal Financial Institutions Examination Council (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA and Sarbanes-Oxley Section 404 (SOX).
  • Hands-on experience in developing threat models, security controls, threat analysis, creation of risk control matrices and risk mitigation strategies.
  • Working knowledge of Imperva and AWS Cloud Security in implementing Web Application Firewalls (WAF).
  • Experience in implementing Security Incident and Event Management System (SIEM) using HP ArcSight, Splunk.
  • Ability to handle multiple tasks and work independently as well as in a team.
  • An efficient team player in challenging and creative environments, with an excellent capacity to adopt new technologies and skills.
  • Strong technical aptitude combined with strong analytical, problem-solving and communication skills and a solid work ethic.
  • Proficiency with scripting languages such as Python, Perl, JavaScript and PowerShell.

TECHNICAL SKILLS

Information Security Tools: Paros, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec Vontu, BeyondTrust PAM, DBProtect, e-DMZ Password Auto Repository (PAR), Varonis, AppDetect, AppRador, JHijack, Metasploit Pro, OWASP Zed Attack Proxy (ZAP), SQLMAP, Wireshark, WebScarab, Amazon Web Services (AWS) Cloud security.

DAST and SAST tools: Fortify SCA, IBM AppScan Enterprise (ASE), Standard & Source editions, HP WebInspect, QualysGuard, BurpSuite Pro, SQLMAP

Operating Systems: Oracle Solaris UNIX, RedHat Linux 4/5, Windows Server 2003/2008.

Java & J2EE Technology: Spring Framework, EJBs, Struts2, Servlets, JavaServerPages (JSPs), JMS, Java Mail API, JNDI, LDAP, JDBC, JTS, RMI, AWT, Swing, Socket Programming, IONA Orbix CORBA.

SIEM: HP ArcSight ESM, Logger, SmartConnectors, Express, Splunk

Networking: Symantec Vontu DLP, Check Point, Palo Alto, Cisco, IDS/IPS, Anti-virus, Cisco IronPort, BMC BladeLogic, Remedy.

Application Servers: Weblogic Server, iPlanet, Netscape Application Server and Microsoft IIS.

Languages: Java, Python, C/C++, C#.NET, Perl, UML.

Scripting Languages: AngularJS, XML, XSLT, XPath, XQuery, HTML/JavaScript/JQuery, AJAX.

Middleware: TIBCO EMS, IBM WebSphere MQ, JMS

Databases: Oracle, MS SQL Server, Sybase.

Web Services: RESTFul/SOAP, SOA, UDDI, WSDL.

Web Servers: Apache Tomcat, Netscape Enterprise Server 3.5, JBoss and JRun.

PROFESSIONAL EXPERIENCE

Confidential, Glen Allen VA

Lead Security Engineer

Responsibilities:

  • Developed security requirements for both infrastructure and applications (web and mobile) and worked with the infrastructure engineering, application development, DBA and SysAdmin teams to make sure the requirements were incorporated into the systems during the design and architecture phase of the delivery life cycle.
  • Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source and Developer plug-ins to various development teams across the business lines.
  • Performed security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10, SANS 25). Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting, ClickJacking, Session Management/Hijacking and SQL Injection related attacks within the code.
  • Implemented Cloud Access Security Broker (CASB) for enterprise application infrastructure.
  • Installed, configured and administered IBM AppScan Enterprise, including scan agent configuration, scan scheduling, troubleshooting of failed scans, user administration.
  • Implemented authentication solutions for various types of applications using OAuth2.0, SAML and OpenID.
  • Good understanding of web application attacks including SQLi, XSS, ClickJacking, CSRF, and other common security issues beyond the OWASP Top 10.
  • Implemented security controls for AWS Virtual Private Clouds (VPCs), EC2 instances, RDS and Route53.
  • Designed security architecture for web and mobile apps. Reviewed Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
  • Developed a threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
  • Worked extensively with software development teams to review the source code, triage the security vulnerabilities reported by IBM AppScan, BurpSuite, Imperva WAF, HP WebInspect and HP Fortify, and eliminate false positives.
  • Good configuration knowledge of SSO, Fortify, Checkmarx and AppScan for web and mobile applications, and remediation of issues.
  • Strong knowledge of web application security and web-related protocols (HTTP, HTTP/2, SSL, WebSockets, etc.).
  • Administered cryptography, public and private key management (PKI) and implemented dual keys to address segregation of duties issue between DBAs and security admins.
  • Generated executive audit summary reports showing the security assessment results, recommendations and risk mitigation plans, and presented them to the respective business sponsors and senior management.
  • Worked with DevOps teams to automate security scanning into the build process.
  • Participated in the development of IT security risk assessments for enterprise applications. The NIST and FFIEC frameworks were utilized for IT risk assessments. This included leading the data discovery meetings, identifying existing controls and validating them against the expected controls. The control gaps or non-compliance with security policies were presented to the stakeholders for remediation.
  • Working knowledge of Splunk in developing search queries, including knowledge objects such as Event Types, Tags, Database Queries, etc.
  • Configured SafeNet/Gemalto ProtectDB to enable column level encryption for securing confidential customer data.
  • Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
  • Rolled out BeyondTrust Privileged Access Management (PAM) solutions for controlling privileged accounts and users.
  • Performed the API security testing of web services including SOAP, REST, and JSON/XML.
  • Performed penetration testing for mobile applications.
  • Implemented authentication for applications using web application vulnerability scanning tools (IBM AppScan, IBM AppScan Source, HP Fortify, HP WebInspect, BurpSuite Pro, ZAP, Kali Linux, etc.).
  • Implemented SSO for Azure AD and mobile applications.
  • Participated in the implementation of Imperva SecureSphere, Database Activity Monitoring (DAM) and AWS Cloud security for applications being deployed in the Cloud. Developed Web ACLs (WACLs) and configured rules and conditions to detect security vulnerabilities in CloudFront.
  • Developed security best practices for the applications and infrastructure deployed in AWS.
  • Analyzed security incidents originated from various network/application monitoring devices (e.g., HP ArcSight, Symantec Vontu DLP) and coordinated with Engineering teams for tracking and problem escalation, root cause analysis, including remediation.
  • Performed the penetration testing of mobile (Android and iOS) applications, specifically APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.

Confidential, Atlanta GA

Sr. Security Engineer

Responsibilities:

  • Performed pen testing of both internal and external networks as per PCI-DSS standards. The pen testing scope included O/S (Windows and Linux) and external-facing web apps and database servers that store credit card information.
  • Reviewed security vulnerability reports for applications and databases, analyzed them and worked extensively with the development teams on the implementation of mitigating controls.
  • Implemented IBM AppScan Standard and Source editions, HP WebInspect and QualysGuard web application scanners. In addition, the security tools Metasploit and BurpSuite were utilized for manual penetration testing.
  • Performed security assessments for the client-facing apps. The associated IT infrastructure such as database management systems, middleware systems and web services (SOA) was also included in the security assessments.
  • Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web, mobile applications, including database and middleware systems.
  • Reviewed Architecture Design Documents (ADDs) and Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
  • Reported security findings and recommendations and presented them to the business users, executive committee and Compliance departments.
  • Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
  • Performed Static and Dynamic Application Security Testing (SAST and DAST) for various applications as per the firm's security standards (i.e., OWASP, SANS 25).
  • Conducted workshops and user awareness training on security policies, procedures and baselines.
  • Worked with software development teams, DB/Unix administrators and solution architects as a subject matter expert related to security compliance with PCI DSS and industry standards.
  • Worked with the Internet Engineering team in the design and configuration of the BlueCoat Internet proxy. Implemented the WebFilter database for URL content filtering.
  • Developed security policies and baselines for mobile and web applications. Performed compliance audits to ensure security policies and baselines have been adequately implemented.
  • Participated in the implementation of the SafeNet/Gemalto product for encrypting customer credit card information using Public Key Infrastructure (PKI).
  • Implemented HP ArcSight ESM, including correlation rules, data monitors, reports, event annotation stages, case customization, active lists and pattern discovery.
  • Conducted manual source code audits of the client-facing Wyndham brand web and mobile applications, including iOS and Android mobile apps. The key areas of confidential and sensitive data stored on the mobile devices were reviewed, and recommendations were made to secure customers' PII and PCI data.
  • Conducted pen testing for the Web Services (SOA).
  • Developed correlation rules for the Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for "log forwarding" from various network devices to HP ArcSight central logging for alerting and security monitoring.
  • Performed a PCI pre-assessment audit for the entire network as well as the related applications in preparation for the annual external PCI compliance audit.

Confidential, NY

Security Engineer

Responsibilities:

  • Performed the review of a newly implemented Security Incident and Event Management (SIEM) system. Reviewed technical specifications for SIEM and logging, and proposed recommendations to improve the overall deployment of the solution.
  • Developed security audit programs for IT infrastructure supporting the Corporate and Investment Banking (CIB) department to facilitate end-to-end compliance with Global as well as Federal Financial Institutions Examination Council (FFIEC) guidelines and controls.
  • Performed penetration testing for external-facing web applications. Security areas covering DMZ architecture, threat modeling, secure coding practices (i.e., OWASP standards) and vulnerability analysis were assessed.
  • Conducted security assessments for various applications supporting the Corporate & Investment Banking, Loan, Treasury, Equities and FI businesses. The web application infrastructure such as IBM WebSphere, Apache Tomcat and IIS web/application servers was reviewed for compliance with the firm's security baselines.
  • Managed security assessments for various types of Operating Systems (O/S) used by the firm. Security audits of RedHat Linux, Oracle Solaris, Windows (including Active Directory) and IBM AIX were conducted. Several control enhancements, specifically on the patch management process, were recommended.
  • Executed database management system security audits across all business lines and entities in the North America hub. Database servers such as Oracle, SQL Server and Sybase were reviewed for compliance with global and local security baselines.
  • Participated in the integrated security audits. Mainly responsible for the review of input/output processing and data security.

Confidential

Programmer/Analyst (Java, J2EE, Oracle)

Responsibilities:

  • Designed and developed a suite of applications used by the security operations department.
  • Developed server-side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs).
  • Automated code deployment to production environment by creating tasks using ANT deployment tool.
  • Developed stored procedures, views and triggers using Oracle PL/SQL.
  • Design and implementation of RESTful Web services.
  • Developed the application presentation layer, based on the Spring MVC framework and involving JSP, Servlets, HTML and CSS.
  • Developed a web application to store all system information in a central location, using Spring MVC, jQuery, JSP, Servlets, Oracle 10g, HTML and CSS.
  • Developed Servlets and Utilized Node.js to create a fast and efficient chat server.
  • Implemented the Scrum Agile methodology for iterative development of the application.
  • Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.
  • Used the Spring Framework for dependency injection and integrated it with the Hibernate framework for interacting with the Oracle database.
  • Analyzed performance issues in the application and related system configuration, and developed solutions for improvement.
  • Involved in WebLogic and Tomcat application server installation and configuration in production, development and QA environments.
