Sr Security Engineer Resume
Austin, TX
SUMMARY
- 8+ years of professional IT experience in security testing, particularly focused on performing technical activities such as source code review, vulnerability analysis, security architecture, penetration testing, IT risk assessments, and tool-based secure application testing.
- Experience in Threat Modeling during Requirement gathering and Design phases.
- Excellent knowledge of OWASP Top 10, SANS 25, and WASC Threat Classification 2.0 methodologies.
- Experience in vulnerability assessment and penetration testing using various tools like Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, Kali Linux, Metasploit, and Acunetix.
- Experience in different web application security testing tools like Metasploit, Burp Suite Pro, IBM AppScan, SQLMAP, OWASP ZAP Proxy, Nessus, Nmap and HP Fortify.
- Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
- Good experience in Secure SDLC and Source Code Analysis (Manual & Tools) on web-based applications.
TECHNICAL SKILLS
Tools: App Detect, App Rador, Cyber Ark, Oracle Identity Manager, Oracle Access Manager, Hijack, Metasploit Pro, Whitehat Sentinel, ZED attack proxy, SQLMAP, WebScarab, Paros, Nmap, BMC Blade Logic, Nessus, Rapid7 Nexpose
Technical Cognizance
Security Tools: Metasploit Pro, ZED attack proxy, SQLMAP, Wireshark, WebScarab, Nmap, Nessus, Rapid7 Nexpose, ArcSight SIEM
DAST and SAST tools: IBM AppScan Enterprise (ASE), Standard & Source editions, HP WebInspect, BurpSuite Pro, Acunetix, SQLMAP, Checkmarx
Languages: Java, Python, C/C++, C#.NET, Perl, UML.
Operating Systems: Oracle Solaris UNIX, Red Hat Linux 4/5, Windows Server 2003/2008.
Web Servers: Apache Tomcat.
Application Servers: Weblogic Server, Microsoft IIS.
Middleware: IBM WebSphere
Databases: Oracle, MS SQL Server
Web Services
PROFESSIONAL EXPERIENCE
Confidential, Austin, TX
Sr Security Engineer
Responsibilities:
- Implement Checkmarx (code analysis tool for web apps) for Static application security testing.
- Reviewed source code (Java/J2EE/Spring/FTL/JavaScript) and developed security filters within Checkmarx for critical applications.
- Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web and mobile applications, including database and middleware systems.
- Conducted weekly meetings with developers to remediate security issues.
- Automated Veracode with Jenkins (CI/CD) to run scans on a daily basis.
- Supporting in preparation of plans to review software components through source code review or application security review.
- Expert level knowledge of OWASP, Kali Linux and other software security best practices and security tool sets.
- Experience with security tools such as - Nmap, Metasploit, Kali Linux, Burp Suite Pro, etc., as well as other various testing tools.
- Perform vulnerability assessment and Penetration Testing on Networks and Applications.
- Automated Checkmarx with Bamboo (CI/CD) to run scans on a daily basis.
- Implemented Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and
- Source code using IBM AppScan Source, triage and resolve the security vulnerabilities.
- Led and performed Infrastructure and Application Vulnerability Assessments, Penetration Testing, C&A, Policy Review, DR/BCP, Risk Assessments, Ethical Penetration Testing.
- Providing fixes & filtering false findings for the vulnerabilities reported in the scan reports.
- Performed Application Security assessments (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV/CAT, DR and PROD environments.
- Performed security assessments to ensure compliance to firm’s security standards (i.e., OWASP Top 10, SANS 25). Specifically, security testing has been performed to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking, CSRF, Session Management/Hijacking, and SQL Injection related attacks within the code.
- Performed automated and manual testing on applications for false positive validation.
- Used Burp Suite for manual penetration testing of internal sites.
- Conducted security assessment to ensure compliance to firm’s security standards (i.e., OWASP Top 10). Specifically, manual testing has been performed to identify Cross-Site Scripting and SQL Injection related attacks during the code review.
Confidential
Information Security Engineer
Responsibilities:
- Performed the review of a newly implemented Security Incident and Event Management (SIEM) system. Reviewed technical specifications for SIEM, logging and proposed recommendations to improve the overall deployment of the solution.
- Used SourceFire/FirePower management console to monitor, validate and remediate attacks/incidents.
- Deployed and monitored Cisco AMP for malware protection.
- Conduct periodic network, system, application, and physical security audits
- Maintain a set of policy documents, security standards, and process and procedure documents for the Technologies Division
- Responsible for monitoring and providing analysis in a 24x7x365 Security Operation Center (SOC) using various SIEM (Splunk) and IDS/IPS software tools.
- Responsible for Data loss prevention (DLP) and service interruptions.
- Exposure to WildFire advanced malware detection using the IPS feature of Palo Alto.
- Monitor critical infrastructure including firewalls, IDS/IPS devices, virtual networks, vulnerability scanners, VPNs, WANs, and disaster recovery sites
- Managed and maintained various network security systems including firewalls, IDS systems, central authentication systems, application proxies, and general support systems
- Engineering, configuring and deploying Enterprise SIEM/SEM solutions.
- Manage Splunk (SIEM) configuration files like inputs, props, transforms, and lookups. Upgrading the Splunk Enterprise and security patching.
- Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, BurpSuite, HP Fortify, White Hat and eliminated false positives.
- Performed penetration testing for external facing web applications. Security areas covering DMZ architecture, threat modeling, secure coding practices (i.e., OWASP standards) and vulnerability analysis were assessed.
- Initiated projects to create disaster recovery plans for identified gaps.
- Established disaster recovery plan testing and auditing cadence.
- Create policies and alerts and configure them using SIEM tools (Splunk).
- Assisted Intelligence Team with indicators associated with different actor groups to combat cyber-attacks; performed identification of connectivity issues through ping and traceroute.
Confidential
Java Developer (Internship)
Responsibilities:
- Implemented MVC architecture to develop a cloud based web application to store, retrieve and to manipulate the data files within the user portal.
- Designed and developed rich user interface using JSP, HTML, JavaScript, CSS and jQuery.
- Performed client-side validations using JavaScript and used CSS to define the view of the web pages.
- Designed Tables, Indexes, Stored Procedures, Joins, Functions and Triggers for the database.
- Deployed the application into the GlassFish application server and configured the required JAR files within the application server.
- Involved in different phases of Software Development Life Cycle (SDLC) such as requirements analysis, design and development