
Application Security Consultant Resume


San Antonio, TX

SUMMARY

  • Overall 5+ years of experience as an Information Security Analyst and Application Security Engineer.
  • Experience with patch management, DevAppSec, source code analysis, dynamic analysis, risk assessment, policy compliance, vulnerability management and penetration testing.
  • Experience with tools such as Burp Suite, DirBuster, Nmap, OpenVAS, Rapid7 Nexpose, Qualys, Nessus, HP Fortify, IBM AppScan, Kali Linux, SIEM, Checkmarx, Splunk, Jenkins, Kibana, SoapUI and Postman.
  • Review and advise on existing reports and suggest reports that would solve current business use cases, as well as factor in the relevant metrics to track the Vulnerability Management program.
  • Progressive experience in enterprise vulnerability management, risk assessment, penetration testing, generating reports, SQL injection, XSS and major OWASP Top 10 hacking protection techniques.
  • Expertise with Retail industry and domain knowledge in Banking and Financial Services.
  • Good knowledge of cloud security models and controls in Amazon Web Services (AWS).
  • Knowledge of detecting vulnerabilities in authentication, authorization, input validation, session management, cryptography and encryption.
  • Involved in Security Development Life Cycle (SDLC) to ensure security controls are in place.
  • Experience with the development of written documents and presentations at various levels of the organization.
  • Good experience with SAST and DAST of applications using tools such as Checkmarx, HP Fortify and IBM AppScan.
  • Knowledge of system administration, including installing and configuring system hardware and software, establishing user accounts, upgrading software, and performing backup and recovery tasks.
  • Ability to develop and maintain metrics, reports on vulnerability findings and remediation compliance.
  • Knowledge of Jira, rootkits, IP spoofing, VirtualBox, SELinux and software hardening concepts.
  • Good knowledge of HTTP, HTTPS, web application firewalls, log checking, SSL and TLS.
  • Good knowledge of Oracle and SQL, and programming skills in Java and Groovy.
  • Experience with Windows and Linux environments.
  • Knowledge of network security such as DNS, firewalls, TCP/IP, IDS/IPS, routing, Active Directory and IOS devices.
  • Good team player and ability to learn the concepts effectively and efficiently.
  • Ability to work in large and small teams as well as independently.

TECHNICAL SKILLS

Programming languages: Java, JavaScript, .Net, Python

Source Code Analysis Tools: HP Fortify, IBM AppScan Source, Veracode, Checkmarx

Dynamic Analysis Tools: IBM AppScan, HP WebInspect, Retina, Acunetix, Burp Suite, w3af, AppDetectivePRO

Mobile App Testing Tools: NowSecure, Drozer, Mobile Security Framework (MobSF)

Penetration Testing: Kali Linux

Proxy Tools: Burp Suite, ZAP, Paros

Operating System: Linux, Windows

Webservices testing tools: Postman, SoapUI

Vulnerability management tools: Symantec Endpoint Protection, Rapid7 Nexpose, Qualys

Network security tools: Nmap, Wireshark, Metasploit, Nessus, QualysGuard, SSLDigger, SSLSmart, SSLScan, OpenSSL, SSLyze

PROFESSIONAL EXPERIENCE

Application Security Consultant

Confidential, San Antonio, TX

Responsibilities:

  • Performed Security Control Assessments and independent third-party audits of information systems associated with the Affordable Health Care Act.
  • Performed web application security vulnerability assessments (SAST/DAST) and offered resolution advice.
  • Performed SAST and DAST for Android & iOS apps using proxy tools for OWASP Mobile Top 10.
  • Implemented web application administration and managed incident tickets.
  • Worked on security operations concept in alignment with ISO 27001.
  • Identified web application security vulnerabilities (SAST/DAST) and offered remediation advice.
  • Developed, maintained, and communicated current and future state security architecture strategies and models.
  • Conducted threat modeling and information security reviews on workstations, applications, and platforms.
  • Worked on FedRAMP and FISMA for compliance.
  • Implemented threat modeling and participated in penetration testing.
  • Worked on code reviews, risk assessments, and automated testing to test for security vulnerabilities.
  • Designed and developed security-based tools and applications.
  • Generated technical reports containing security-based findings.
  • Performed NIST Risk Management Framework.
  • Documented secure coding guidelines and executed training programs to assist internal development personnel.
  • Collected application vulnerability metrics and introduced automated security checks into application build processes.
  • Managed the WAF rule set to address application security vulnerabilities where necessary.
  • Performed manual penetration testing to exploit and mitigate security threats such as CSRF, XSS, buffer overflows, SQL injection and DoS attacks.
  • Responsible for the identification, evaluation, and inclusion of third-party Open-Source Intelligence (OSINT) data sources.
  • Defined, developed, and implemented security event monitoring and incident response strategies & methodologies.

SECURITY ENGINEER

Confidential, Bentonville, AR

Responsibilities:

  • Designing and implementing a common end-user computing infrastructure, including desktop and notebook hardware, operating systems and desktop software.
  • Defined and established and managed security risk metrics and tracked effectiveness in the environment.
  • Assisted in the evaluation and implementation of new security technologies.
  • Worked on automated testing to test for security vulnerabilities.
  • Worked with data security from the perspective of SaaS, PaaS, and IaaS.
  • Conducted network vulnerability assessments using Symantec and BeyondTrust tools to evaluate attack vectors, identify system vulnerabilities and develop remediation plans and security procedures; identified web application security vulnerabilities (SAST/DAST) and offered resolution advice.
  • Worked with the SCCM team on patch compliance and the client remediation process for desktops to improve saturation numbers.
  • Worked on the security operations concept in alignment with ISO 27001.
  • Monthly SUVP (Software Update Validation Program) testing and providing feedback to Microsoft.
  • Ensure software is patched and able to protect from threats.
  • Developed a hardened Windows 10 image used by Security Operations to monitor the corporate environment, built with self-created VB scripts/batch files and including pre-configured access to AD/Exchange/PowerShell etc.
  • Gave an hours-long workshop on previously undetected security vulnerabilities that existed within the environment.
  • Conduct routine social engineering tests and clean-desk audits.
  • Manage and maintain Jenkins integration jobs to support application security automation.
  • Performed the NIST Risk Management Framework.
  • Performed DAST test to spot configuration mistakes and errors and identify other specific problems with applications.
  • Perform application penetration tests across public and private networks.
  • Structured external, internal, firewall, IDS, web, SQL, database, mobile and cloud penetration testing; expert in professional reporting.
  • Perform assessments of security awareness training using social engineering.
  • Work with application developers to validate, assess, understand the root cause and mitigate vulnerabilities.
  • Creating a Test environment for new applications and packages to test and provide feedback before deploying.
  • Played a key role as Subject Matter Expert in ensuring the security baseline met Command Cyber criteria for an excellent rating during a security audit. Guided leadership, peers and subordinates in tactics, techniques and procedures.

INFORMATION SECURITY ENGINEER

Confidential

Responsibilities:

  • Worked on security designs for complex, multi-platform systems.
  • Subnetting, DNS, encryption technologies and standards, VPNs, VLANs, VoIP, and other network routing methods.
  • Network and web-related protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols, etc.)
  • Configure and install firewalls and intrusion detection systems.
  • Conducted systems testing to ensure critical vulnerabilities are identified.
  • Experience in protecting systems by defining access privileges, control structures, and resources.
  • Determined security violations and inefficiencies by conducting periodic audits.
  • Implemented security improvements by assessing the current situation; evaluating trends; anticipating requirements.
  • Implemented and maintained security controls.
  • Work on initiatives to propose, design, configure, implement and test strategic security system solutions to address complex technical and business requirements.
  • Advanced Persistent Threats (APT), phishing and social engineering, Network Access Controllers (NAC), gateway anti-malware and enhanced authentication.
  • Served as technical and/or project management lead for large, complex projects using cross-functional teams.
  • Provided Level 2 or Level 3 technical support and after-hours on-call technical support.
  • Installed, configured and maintained backup storage hardware, including physical and virtual tape libraries or drives along with disk storage targets.
  • Worked as a team with infrastructure and end-user systems partners to remediate vulnerabilities.
  • Keeping users informed by preparing performance reports, communicating system status.
  • Maintaining quality service by following organization standards.
  • Performed data extrapolation and validation of reports for analysis and audits.

Network System Administrator

Confidential

Responsibilities:

  • Administration of RHEL 4.x and 5.x, including installation, testing, tuning, upgrading and loading patches, and troubleshooting both physical and virtual server issues.
  • Creating, cloning Linux Virtual Machines, templates using VMware Virtual Client 4.0 and migrating servers between ESX hosts, Xen servers.
  • Installing Red Hat Linux using Kickstart and applying security policies for hardening the server based on company policies.
  • Installing and administering Red Hat using Xen and KVM based hypervisors.
  • RPM and YUM package installations, patching and other server management.
  • Managing routine system backups, scheduling jobs such as disabling and enabling cron jobs, enabling system logging and network logging of servers for maintenance, performance tuning and testing.
  • Worked and performed data-center operations including rack mounting, cabling.
  • Set up user and group login IDs, printing parameters, network configuration and passwords; resolved permissions issues and user and group quotas.
  • Configuring multipath, adding SAN and creating physical volumes, volume groups, logical volumes.
  • Installing and configuring Apache and supporting them on Linux production servers.
  • Troubleshooting Linux network and security related issues and capturing packets using tools such as iptables, firewalls, TCP wrappers and Nmap.
  • Conducted server tests to check the efficiency and accuracy of the servers.
  • Supporting 24x7 production computing environments and providing on-call and weekend support.
