Application Security Consultant Resume
San Antonio, TX
SUMMARY
- Overall 5+ years of experience as Information Security Analyst and Application Security Engineer.
- Experience with Patch Management, DevAppSec, source code analysis, dynamic analysis, risk assessment, policy compliance, vulnerability management and Penetration Testing.
- Experience with tools like Burp Suite, DirBuster, Nmap, OpenVAS, Rapid7 Nexpose, Qualys, Nessus, HP Fortify, IBM AppScan, Kali Linux, SIEM, Checkmarx, Splunk, Jenkins, Kibana, SoapUI, Postman.
- Review and advise on existing reports and suggest reports that would solve current business use cases as well as factor the relevant metrics to track Vulnerability Management program.
- Progressive experience in Enterprise vulnerability management, Risk Assessment, penetration testing, generating reports, SQL Injection, XSS and major OWASP Top 10 hacking protection techniques.
- Expertise with Retail industry and domain knowledge in Banking and Financial Services.
- Good knowledge of Cloud security models and controls in Amazon Web Services (AWS).
- Knowledge in detecting vulnerabilities over authentication, authorization, input validation, session management, Cryptography, and Encryption.
- Involved in Security Development Life Cycle (SDLC) to ensure security controls are in place.
- Experience with development of written documents, presentations at various levels of the organization.
- Good experience with SAST and DAST of applications using the tools Checkmarx, HP Fortify and IBM AppScan.
- Knowledge of System administration, including installing and configuring system hardware and software, establishing user accounts, upgrading software, and performing backup and recovery tasks.
- Ability to develop and maintain metrics, reports on vulnerability findings and remediation compliance.
- Knowledge of Jira, rootkits, IP spoofing, VirtualBox, SELinux and software hardening concepts.
- Good knowledge of HTTP, HTTPS, web application firewalls, checking logs, SSL and TLS.
- Good knowledge of Oracle and SQL, and programming skills in Java and Groovy.
- Experience with Windows and Linux environments.
- Knowledge of network security such as DNS, Firewalls, TCP/IP, IDS/IPS, Routing, Active Directory and IOS devices.
- Good team player and ability to learn the concepts effectively and efficiently.
- Ability to work in large and small teams as well as independently.
TECHNICAL SKILLS
Programming languages: Java, JavaScript, .Net, Python
Source Code Analysis Tools: HP Fortify, IBM AppScan Source, Veracode, Checkmarx
Dynamic Analysis Tools: IBM AppScan, HP WebInspect, Retina, Acunetix, Burp Suite, W3af, AppDetectivePro
Mobile App Testing Tools: NowSecure, Drozer, Mobile Security Framework (MobSF)
Penetration Testing: Kali Linux
Proxy Tools: Burp Suite, ZAP, Paros
Operating System: Linux, Windows
Webservices testing tools: Postman, SoapUI
Vulnerability management tools: Symantec Endpoint Protection, Rapid7 Nexpose, Qualys
Network security tools: Nmap, Wireshark, Metasploit, Nessus, QualysGuard, SSLDigger, SSLSmart, SSLScan, OpenSSL, SSLyze
PROFESSIONAL EXPERIENCE
Application Security Consultant
Confidential, San Antonio, TX
Responsibilities:
- Performed Security Control Assessments and independent third-party audits of information systems associated with the Affordable Health Care Act.
- Identified web application security vulnerabilities (SAST/DAST) and offered resolution advice.
- Performed SAST and DAST for Android & iOS apps using proxy tools for OWASP Mobile Top 10.
- Implemented web application administration and managed incident tickets.
- Worked on security operations concept in alignment with ISO 27001.
- Identified web application security vulnerabilities (SAST/DAST) and offered remediation advice.
- Developed, maintained, and communicated current and future state security architecture strategies and models.
- Conducted threat modeling and information security reviews on workstations, applications, and platforms.
- Worked on FedRAMP and FISMA for compliance.
- Implemented threat modeling and participated in penetration testing.
- Worked on code reviews, risk assessments, and automated testing to test for security vulnerabilities.
- Designed and developed security-based tools and applications.
- Generated technical reports containing security-based findings.
- Performed NIST Risk Management Framework.
- Documented secure coding guidelines and executed training programs to assist internal development personnel.
- Collected application vulnerability metrics and introduced automated security checks into application build processes.
- Managed WAF rule set to address application security vulnerabilities, where necessary.
- Performed manual penetration testing to exploit and mitigate security threats such as CSRF, XSS, Buffer Overflows, SQL injections, DoS attacks, etc.
- Responsible for the identification, evaluation, and inclusion of 3rd party Open-source Intelligence (OSINT) data sources.
- Defined, developed, and implemented security event monitoring and incident response strategies & methodologies.
SECURITY ENGINEER
Confidential, Bentonville, AR
Responsibilities:
- Designing and implementing a common end-user computing infrastructure, including desktop and notebook hardware, operating systems and desktop software.
- Defined, established and managed security risk metrics and tracked their effectiveness in the environment.
- Assisted in the evaluation and implementation of new security technologies.
- Worked on automated testing to test for security vulnerabilities.
- Worked with data security from the perspective of SaaS, PaaS, and IaaS.
- Conducted network vulnerability assessments using Symantec and BeyondTrust tools to evaluate attack vectors, identify system vulnerabilities and develop remediation plans and security procedures.
- Identified web application security vulnerabilities (SAST/DAST) and offered resolution advice.
- Worked with the SCCM team on patch compliance and the client remediation process for desktops to improve saturation numbers.
- Worked on the security operations concept in alignment with ISO 27001.
- Monthly SUVP (Software Update Validation Program) testing and providing feedback to Microsoft.
- Ensure software is patched and able to protect from threats.
- Developed a hardened Windows 10 image used by Security Operations to monitor the corporate environment, using self-created VB scripts/batch files and including pre-configured access to AD/Exchange/PowerShell/etc.
- Gave an hours-long workshop on previously undetected security vulnerabilities that existed within the environment.
- Conduct routine social engineering tests and clean-desk audits.
- Manage and maintain Jenkins integration jobs to support application security automation.
- Performed the NIST Risk Management Framework.
- Performed DAST test to spot configuration mistakes and errors and identify other specific problems with applications.
- Perform application penetration tests across public and private networks.
- Structure External, Internal, Firewall, IDS, Web, SQL, Database, Mobile, Cloud Penetration testing and expert in professional reporting.
- Perform assessments of security awareness training using social engineering.
- Work with application developers to validate, assess, understand the root cause and mitigate vulnerabilities.
- Creating a Test environment for new applications and packages to test and provide feedback before deploying.
- Played a key role as Subject Matter Expert in ensuring the security baseline met Command Cyber criteria for an excellent rating during a security audit. Guided leadership, peers and subordinates in tactics, techniques and procedures.
INFORMATION SECURITY ENGINEER
Confidential
Responsibilities:
- Worked on security designs for complex, multi-platform systems.
- Subnetting, DNS, encryption technologies and standards, VPNs, VLANs, VoIP, and other network routing methods.
- Network and web-related protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols, etc.)
- Configure and install firewalls and intrusion detection systems.
- Conducted systems testing to ensure critical vulnerabilities are identified.
- Experience in protecting systems by defining access privileges, control structures, and resources.
- Determined security violations and inefficiencies by conducting periodic audits.
- Implemented security improvements by assessing the current situation; evaluating trends; anticipating requirements.
- Implemented and maintain security controls.
- Work on initiatives to propose, design, configure, implement and test strategic security system solutions to address complex technical and business requirements.
- Advanced Persistent Threats (APT), phishing and social engineering, Network Access Controllers (NAC), gateway anti-malware and enhanced authentication.
- Served as technical and/or project management leadership for large, complex projects using cross-functional teams.
- Provided Level 2 or Level 3 technical support and after-hours on-call technical support.
- Installed, configured and maintained backup storage hardware, including physical and virtual tape libraries or drives along with disk storage targets.
- Worked as a team with infrastructure and end-user systems partners to remediate vulnerabilities.
- Keeping users informed by preparing performance reports, communicating system status.
- Maintaining quality service by following organization standards.
- Performed data extrapolation and validation of reports for analysis and audits.
Network System Administrator
Confidential
Responsibilities:
- Administration of RHEL 4.x and 5.x, which includes installation, testing, tuning, upgrading and loading patches, and troubleshooting both physical and virtual server issues.
- Creating, cloning Linux Virtual Machines, templates using VMware Virtual Client 4.0 and migrating servers between ESX hosts, Xen servers.
- Installing Red Hat Linux using kickstart and applying security policies for hardening the server based on company policies.
- Installing and administering Red Hat using Xen and KVM based hypervisors.
- RPM and YUM package installations, patching and other server management.
- Managing routine system backups, scheduling jobs such as disabling and enabling cron jobs, enabling system logging and network logging of servers for maintenance, performance tuning and testing.
- Worked and performed data-center operations including rack mounting, cabling.
- Set up user and group login IDs, printing parameters, network configuration and passwords, and resolved permissions issues and user and group quotas.
- Configuring multipath, adding SAN and creating physical volumes, volume groups, logical volumes.
- Installing and configuring Apache and supporting them on Linux production servers.
- Troubleshooting Linux network and security related issues and capturing packets using tools such as iptables, firewalls, TCP Wrappers and Nmap.
- Conducted server tests to check the efficiency and accuracy of the servers.
- Supporting 24x7 production computing environments and providing on-call and weekend support.