
IT Security Consultant Resume


Atlanta, GA

SUMMARY

  • Over 9 years of experience as an IT professional within Information Security.
  • Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
  • Experience in Threat Modeling during the Requirement Gathering and Design phases.
  • Experience in vulnerability assessment and penetration testing using various tools like Burp Suite, DirBuster, Nmap, Nessus, Kali Linux, Metasploit and Acunetix.
  • Experience with Security Risk Management with TCP-based networking.
  • Experience with TCP/IP, Firewalls, LAN/WAN.
  • Performed static code assessment using Veracode and identified the false positives.
  • Monitor, analyze and respond to security incidents in the infrastructure. Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.
  • Experience in Linux system administration.
  • Performing Rapid7 and Nessus scans against infrastructure like web servers, app servers and DB servers to identify the existing environmental vulnerabilities.
  • Perform vulnerability assessment on all the workstations in the organization to identify whether they are patched and updated.
  • Static Code Analysis during the development phase.
  • Integrated Veracode with the SDLC process to ensure every build is analyzed using static code analysis.
  • A Certified Ethical Hacker.
  • A pen tester with experience of penetration testing on various applications in different domains.
  • Penetration testing based on OWASP Top 10.
  • A good team player, inquisitive, good in basic concepts and an excellent team player.
  • Performed the gap analysis to identify scenarios like privilege escalation.
  • Performed software licensing audit.
  • Interpreted least privilege for applications and segregation of duties.
  • SOX Compliance Audit experience on controls like User Access Management, Change Management and Incident Management.

TECHNICAL SKILLS

Penetration Testing: Backtrack, Kali Linux, Metasploit

Application Security: Burp Suite, OWASP ZAP, IBM AppScan, HP WebInspect, Acunetix

Network Security: Nessus, GFI LanGuard, Nexpose, Metasploit

Endpoint Security: FireAMP, Damballa, Bit9, Sophos

Perimeter Security: FireEye E MPS / M MPS, Sourcefire IPS, Proxy CWS

Malware Analysis: FireEye - MAS, Threat GRID, Virus Total

SIEM: Splunk, Q-Radar

Forensic Investigation: FTK, Maltego

Standards: OWASP, SANS, OSSTMM, SWAT Checklist, S-SDLC, Business Logic Vulnerabilities.

PROFESSIONAL EXPERIENCE

Confidential, Atlanta GA

IT Security Consultant

RESPONSIBILITIES:

  • Ensured all the controls are covered in the checklist. Performed Vulnerability Assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebScarab and IBM AppScan.
  • Implemented OWASP Top Ten 2010 vulnerability assessment. Online application testing and CR regression testing, assessment and reporting.
  • Detected and prioritized vulnerability exposures and coordinated with the team for complete closure.
  • Static and dynamic scanning of various applications using Checkmarx and IBM AppScan; identified false positives and reported them in SSC.
  • Used tools like Nmap, Nessus, Google dorks, Flagfox, DirBuster and Live HTTP Headers to gather more information on the application and perform security assessment.
  • Conducted host-based security assessment using Kali Linux to identify the different ports and services running, and identified vulnerabilities using the Nmap Scripting Engine.
  • Exploited the systems with vulnerabilities using the Metasploit framework.
  • Analyzed the application for vulnerabilities in categories like Input and Data Validation, Authentication, Authorization and Configuration Management.
  • Performed security assessment by creating test scenarios and test cases against categories like Sensitive Data, Session Management, Cryptography, Exception Management, Auditing and Logging.
  • Created documentation for the vulnerabilities identified and reported them to the application development team. Ensured timely delivery of issues reported and remediation.
  • Followed the DREAD approach to provide the risk rating for the vulnerabilities identified. Prepared reports with executive summary, technical details and the remediations.
  • Performed web service testing using SoapUI to analyze the vulnerabilities.
  • Conducted web application user ID access reconciliation and audit of the privileged database and application user IDs on a quarterly basis.
  • Understanding new security technologies for potential utilization in application security testing.
  • Audited the project for SOX compliance by collecting and reviewing the evidence. Made sure all the NCs are closed before the next quarterly audit.
  • Performed User Access Management and Identity Management for the various client applications through automatic disablement of dormant users and audit on a monthly basis.
  • Implemented gap analysis of the present risk assessment methodology and conducted risk assessment and mitigation steps for the client.
  • Identified the latest threats and vulnerabilities and conducted the impact analysis to improve the risk level through continuous risk assessment.
  • Prepared the RMR (Risk Management Report) at account level. Risk assessment done for the account of 8 different projects. Provision of remediations to minimize risk and follow-up to ensure proper implementation as per the control objective.
  • Implemented the Software Security Assurance framework in the whole project by conducting sessions like secure programming practices for all the developers. Involved in the complete Agile process as a security consultant. Trained modules like secure design requirements, threat modelling, secure coding practices and penetration testing.
  • Used the SNAP tool to create tickets and HP QC for defect logging and tracking.

Environment: Windows, ASP, Kali Linux, Nessus, Nmap, Metasploit, IBM AppScan, Checkmarx, SNAP, HP QC, Burp Suite, AWS

Confidential, Seattle WA

Security Analyst

RESPONSIBILITIES:

  • Incident response, detection, and investigations.
  • Perform pen tests on different applications each week.
  • Preparation of a security testing checklist for the company.
  • Ensured all the controls are covered in the checklist.
  • Physical pen testing, which includes social engineering, site reconnaissance, lock picking, security bypass, phishing attacks, etc.
  • Independently conduct security assessments, penetration tests, and report creation to identify security risks, threats and vulnerabilities of networks, systems, applications, and related components.
  • Identified attacks like SQL injection, XSS, CSRF, RFI/LFI and logical issues.
  • Provided security implementation for authorization through controls like the principle of least privilege, relinquishing privilege when not in use, non-guessable tokens, and forced browsing.
  • Performed semi-automated and manual web application and network penetration testing utilizing multiple tools including, but not limited to: Burp Suite, Netsparker, Tenable Nessus, SQLMap, AppDetective, custom scripts, Metasploit, Nmap, Netcat, and other tools within the Kali Linux toolset.
  • Controls on session management like server-side session state, session termination, session ID randomness, expiration, unique tokens, concurrent logged-in sessions, and session fixation prevention.
  • Information gathering on the application using websites like Shodan, reverse DNS, Hackertarget.com and Google dorks.
  • Worked on static code analysis using the automated tool HP Fortify.
  • Worked on protecting against sensitive data exposure.
  • Used various Firefox add-ons like Flagfox, Live HTTP Headers and Tamper Data to perform the pen test.
  • Generated automated reports using HP WebInspect.
  • Performed manual testing based on the automatically generated report.
  • Performed monitoring using security assessment tools.
  • Monitored security events, correlated information, and identified incidents, issues, threats, and vulnerabilities found by agency data sources, including but not limited to vulnerability scanners, baseline configuration management systems, hardware asset management systems, software asset management systems, network contextual analyzer systems, and intrusion detection systems (IDS).
  • Worked on XSS and path traversal attacks manually.
  • Performed security event analysis as a point of escalation in regard to web-based attacks.
  • Worked on URL-based vulnerabilities such as redirects and forwards, and session management cookie data retrieval.
  • Identified CSRF (Cross-Site Request Forgery) by inserting tokens.
  • Worked on unauthenticated data access manually.
  • Worked on sensitive data exposure by analyzing the cryptographic algorithms.
  • Performed crawling of the application to know its behavior.
  • Accessed a web-based collaborative environment to rapidly resolve security issues in software code using HP WebInspect.
  • Diagnosed and troubleshot UNIX and Windows processing problems and applied solutions to increase client security.
  • Performed unit testing for proper functioning of the UI.
  • Regularly performed research to identify potential vulnerabilities in and threats to existing technologies, and provided timely, clear, technically accurate notification to management of the risk potential and options for remediation.

Environment: UNIX, ASP, Kali Linux, Jira, Nessus, Nmap, Metasploit, HP Fortify, HP WebInspect, HP QC

Confidential, San Jose, CA

Security Engineer

RESPONSIBILITIES:

  • Black box pen testing on internet- and intranet-facing applications.
  • OWASP Top 10 issue identification like SQLi, CSRF, XSS.
  • Preparation of a risk registry for the various projects at the client.
  • Training the development team on secure coding practices.
  • Providing details of the issues identified and the remediation plan to the stakeholders.
  • Gray box testing of the applications.
  • Identified hidden files using DirBuster.
  • Worked on DOM-based XSS manually.
  • Worked on directory traversal attacks manually.
  • Implemented Agile methodology to follow the workflow process.
  • Worked on middleware technologies to ensure the application's safety (Tomcat).
  • Verified the existing controls for least privilege, separation of duties and job rotation.
  • Identification of different vulnerabilities in applications by using proxies like Burp Suite to validate the server-side validations.
  • Collaborating on cross-team and cross-product technical issues with a variety of resources, including development, to document software defects and customer suggestions.
  • Worked on billion laughs attacks manually by intercepting with Burp Suite.
  • Functional-level access control is performed to avoid the privilege of misusing the sensitive data.
  • Worked on the Acunetix tool for quick assessment of vulnerabilities.
  • Participated in the documentation and product review process for new product introductions.
  • Contributing to the knowledge base by authoring and editing articles to share current information with team members.
  • Worked on fimap to check for the possibility of vulnerabilities.
  • Worked on DoS and firewall intrusion to ensure security against leakage of code.
  • Performed API testing using SoapUI.
  • Attended meetings on WebEx with a team of Vice Presidents and made valuable contributions.
  • Executed and crafted different payloads to attack the system to execute XSS and other attacks.
  • Identified issues on session management, input validation, output encoding, logging, exceptions, cookie attributes, encryption and privilege escalation.
  • Provided and validated the controls on logging like authentication logging, profile modification logging, logging details, log retention duration, log location, synchronizing time source and HTTP logging.

Environment: Burp Suite, HTTP headers, Acunetix, fimap, DirBuster, SoapUI.

Confidential

Penetration Tester

Responsibilities:

  • Perform application and infrastructure penetration tests along with physical security reviews.
  • Define requirements for information security solutions and perform reviews of application designs and source code.
  • Design, develop and implement penetration tools and tests, and also use existing ones to handle penetration testing activities.
  • Document and discuss security findings with information technology teams.
  • Work on improvements for security services and provide feedback and verification about existing security issues.
  • Perform attack simulations on company systems and web applications to determine and exploit security flaws.
  • Monthly reviews carried out over the vulnerability assessments and penetration testing.
  • Raising issues against any high-severity vulnerabilities in the scan reports.
  • Ensured compliance with legal and regulatory requirements.
  • Exhibited client-facing skills and capability to articulate technical concepts to a variety of technical and non-technical audiences.
  • Assisted in review of business solution architectures from a security point of view, which helped avoid security-related issues/threats at the early stage of the project.
  • Strong Network Communications, Systems & Application Security (software) background, looking forward to implementing, creating, managing and maintaining information security frameworks for large-scale, challenging environments.
  • Performing security analysis and identifying possible vulnerabilities in the key derivation function; creating a Vulnerability Assessment report detailing exposures that were identified, rating the severity of the system, and giving suggestions to mitigate any exposures and testing non-vulnerabilities.

Environment: Nmap, Nessus, Burp Suite, SQLMap, DirBuster.

Confidential

IT Security Analyst

RESPONSIBILITIES:

  • Perform threat modeling of the applications to identify the threats.
  • Identify issues in the web applications in various categories like Cryptography and Exception Management.
  • Risk assessment on the application by identifying the issues and prioritizing them based on risk level.
  • In the team, the main focus of work was to audit the application prior to moving to production.
  • Explanation of the security requirements to the design team in the initial stages of the SDLC to minimize the effort to rework issues identified during penetration tests.
  • Analyzed the XML and HTTP requests to find the vulnerabilities.
  • Performed vulnerability assessments and prevention on the development side by leveraging tools like Nmap, Nessus and IBM AppScan.
  • Providing remediation to the developers based on the issues identified.
  • Worked on DOM XSS by analyzing the JavaScript.
  • Good knowledge of web technologies like HTML, CSS and JavaScript to ensure protection from XSS by reviewing the code.
  • Worked on ng-directives in AngularJS for vulnerability assessments.
  • Ensured to draft the script manually based on the vulnerability.
  • Revalidated the issues to ensure the closure of the vulnerabilities.
  • Verify if the application has implemented the basic security mechanisms like job rotation, privilege escalation, least privilege and defense in depth.
  • Used various add-ons in Mozilla Firefox to assess the application, like Wappalyzer, Flagfox, Live HTTP Headers and Tamper Data.

Environment: Wappalyzer, Flagfox, Live HTTP Headers, IBM AppScan
