
Lead Security Engineer Resume

Scottsdale, AZ

SUMMARY

  • 10+ years of experience in application security, mobile and data security, cloud security (AWS and MS Azure), vulnerability assessments, cryptography, secure coding, security architecture and design, security automation (DevSecOps) and software development in diverse industries, including financial services and high-tech.
  • Application/Software Security, Security Architecture, API Security, Vulnerability/Risk Management, Third Party/Vendor Security, Threat Modeling, Source Code Review, Secure Software Development Life Cycle (secure SDLC), Penetration Testing, Mobile Security (iOS and Android), Security Monitoring, Threat Intelligence, AWS/Azure Cloud Security, Single Sign-On (OAuth 2.0, SAML 2.0), Security Audits, Security Operations Center (SOC) and Incident Response.
  • In-depth knowledge of mobile application security, application security controls and validation, IT risk assessments, regulatory compliance and Secure Software Development Life Cycle (secure SDLC).
  • Automation of security scanning processes, including DevSecOps and Continuous Integration (CI)/Continuous Delivery (CD) of security operations.
  • Hands-on with penetration testing, DAST, SAST, IAST and manual ethical hacking.
  • Experience in conducting IT security risk assessments in accordance with the NIST, HIPAA and FFIEC frameworks.
  • Worked with global security teams performing application and IT infrastructure security assessments.
  • In-depth knowledge of penetration testing for web and mobile applications.
  • Performed security design and architecture reviews for web and mobile (iOS and Android) applications.
  • Hands-on experience in developing threat models, security controls and threat analyses, and in creating risk control matrices and risk mitigation strategies.
  • Working knowledge of cloud security engineering and administration for SaaS, PaaS and IaaS (including AWS and Azure).
  • Working knowledge of AWS and MS Azure cloud security controls.
  • Working knowledge of the OWASP Top 10 and SANS Top 25 software guidelines.
  • Federal Financial Institutions Examination Council (FFIEC) regulations, BSIMM, ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS).
  • Experience in implementing a Security Information and Event Management (SIEM) system using HP ArcSight.
  • Ability to handle multiple tasks and work independently as well as in a team.

TECHNICAL SKILLS

Security Tools: IBM AppScan Enterprise (ASE)/Standard/Source editions, HP WebInspect, QualysGuard, Burp Suite Pro, Acunetix, Fortify SCA, SQLMap, Checkmarx (code analysis), AppDetect, Apprador, SafeNet/Gemalto, Oracle Identity Manager, Oracle Access Manager, JHijack, Metasploit Pro, Zed Attack Proxy (ZAP), FireMon, Wireshark, WebScarab, Paros, Blue Coat Proxy, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec DLP, DbProtect, ArcSight SIEM, Splunk Enterprise Security, e-DMZ Password Auto Repository (PAR), Varonis

Programming Languages: Java, .NET, C#, C, C++

Scripting Languages: Python, PowerShell, Shell scripting

Cloud Technologies: Amazon Web Services (AWS), MS Azure

Web Technologies: HTML 4.0/5, XHTML, DHTML, CSS2/CSS3, JavaScript, jQuery, Ajax, JSON, XML

Web Services: RESTful, SOAP, SOA, UDDI, WSDL

Operating Systems: Linux/Unix (Red Hat Enterprise Linux, Debian, Ubuntu, Fedora, Santoku, Kali Linux), Windows

Databases: PL/SQL, MySQL, Oracle, MS SQL Server, Sybase

Other Skills: C#.NET, AJAX, Apache, C++, Cisco, compliance audits, encryption, cryptography, database management, EJB, event management, XML, firewalls, IBM WebSphere, investment banking, Java, JMS, Java Server Pages, JavaScript, JBoss, JDBC, jQuery, Linux, logging, middleware, Perl, Python, Red Hat Linux 4, risk assessment, software development, Solaris, SQL, Struts/Struts 2, Symantec, system architecture, Tomcat, triage, UML, UNIX, user interface validation, web applications, web servers, WebLogic, Windows Server

PROFESSIONAL EXPERIENCE

Confidential, Scottsdale, AZ

Lead Security Engineer

Responsibilities:

  • Developed an Application Security program (DAST, SAST, IAST) at the enterprise level to identify, report and remediate security vulnerabilities in applications deployed in DEV, PRE-PROD and PROD environments.
  • Administered PKI, cryptography and certificate management, and implemented dual keys to address segregation-of-duties issues between DBAs and security admins.
  • Completed a proof-of-concept thin-client web framework for enterprise intelligence applications with a web developer under an extreme deadline.
  • Conducted penetration testing of infrastructure using the Kali Linux toolset.
  • Configured AWS Simple Storage Service (S3) to securely store the organization's critical file systems.
  • Implemented Access Control Lists (ACLs) and bucket policies to control access to the data, and ensured that cloud security best practices were followed.
  • Designed, documented and executed maintenance procedures, including system upgrades, patch management and system backups.
  • Developed AWS Security Groups to control traffic to the various instances in the cloud.
  • Developed security requirements for applications and infrastructure deployed in the cloud.
  • Developed a threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase.
  • Developed web ACLs for AWS Web Application Firewall (WAF) and configured the rules and conditions to detect attacks against applications served through CloudFront.
  • Enabled threat detection for databases in AWS and on-premises, and reviewed and remediated the security alerts generated.
  • Implemented file system security by applying hashing techniques to protect data stored in files on the file servers.
  • Participated in the implementation of an enterprise password vault using CyberArk Enterprise Password Vault.
  • Implemented Network Security Groups (NSGs) to control network traffic to the various Azure network resources.
  • Created NSG rules (inbound and outbound) and prioritized the rules based on the requirements.
  • Associated NSGs with VMs, NICs and subnets based on the deployment model.
  • Implemented Multi-Factor Authentication (MFA) for AWS root accounts and administered password rotation policies.
  • Managed access keys and secret access keys for new users.
  • Participated in the development of IT risk assessments for enterprise applications.
  • Participated in the implementation of AWS cloud security for applications being deployed in the cloud.
  • Participated in the implementation of data tokenization in various environments to ensure compliance with regulations.
  • Reviewed the AWS network security architecture and implemented security controls, specifically for virtual networks, including on-premises connectivity, traffic filtering, secure communication and point-to-site VPN.
  • Reviewed source code (Java/J2EE/C#/.NET/Spring/FTL/JavaScript) and identified security vulnerabilities; specifically, performed security testing to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking and SQL Injection vulnerabilities within the code.
  • Set up access keys and secret access keys for newly created users.

Confidential, Webster, NY

Sr. Security Engineer

Responsibilities:

  • Analyzed security incidents originating from various network/application monitoring devices (e.g., Symantec DLP, IDS, IPS, WAF) and coordinated with engineering teams on tracking, problem escalation and remediation.
  • Conducted monthly developer workshops to educate and train developers on secure SDLC, scanning source code with IBM AppScan Source, and triaging and resolving the resulting security vulnerabilities.
  • Conducted security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10, SANS 25).
  • Configured Gemalto ProtectDB to enable column-level encryption for securing confidential customer data. Designed the security architecture for web and mobile apps.
  • Designed and developed ArcSight architecture components and related upgrades.
  • Developed an Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities in applications deployed in DEV, PRE-PROD and PROD environments.
  • Developed secure SDLC policies and standards for applications.
  • Developed a threat modeling framework (STRIDE and DREAD) for critical applications to identify potential threats during the design phase.
  • Implemented file system security by applying hashing techniques to protect data stored in files on the file servers.
  • Documented executive summary reports presenting security assessment results, recommendations, risk and impact.
  • Instrumental in architecting, implementing and administering a Security Information and Event Management (SIEM) solution (QRadar) to automate the correlation of events from i-Series, Windows and network devices. Utilized QRadar for internal and external IDS, in addition to Cisco IPS.
  • Performed the configuration of security solutions such as RSA two-factor authentication, Single Sign-On (SSO) and Symantec Vontu DLP, and log aggregation and analysis using HP ArcSight SIEM.
  • Analyzed correlation rules developed for the Security Information and Event Management (SIEM) system.
  • Reviewed the solution implemented for log forwarding from various network devices to HP ArcSight central logging for alerting and security monitoring.
  • Performed multiple levels of testing before production to ensure a smooth deployment cycle.
  • Expertise in using DAST tools (such as IBM AppScan and Burp Suite Pro) against the running application to exercise it in various ways and identify potential vulnerabilities outside the code and in third-party interfaces.
  • Participated in the development of IT risk assessments for enterprise applications.
  • Performed real-time, proactive security monitoring and reporting on various security enforcement systems: anti-virus, Internet content filtering, IDS and IPS, web security, anti-spam reporting, malware prevention, firewalls, etc.
  • Configured AWS Simple Storage Service (S3) to securely store the organization's critical file systems.
  • Implemented Access Control Lists (ACLs) and bucket policies to control access to the data, and ensured that cloud security best practices were followed.
  • Implemented multiple layers of security, including security groups and network access control lists, to control access to Amazon EC2 instances in each subnet.
  • Developed AWS service roles to protect identity provider access.
  • Participated in the implementation of AWS cloud security for applications being deployed in the cloud.
  • Performed penetration testing of mobile (Android and iOS) applications, including APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.
  • Performed security testing to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking and SQL Injection vulnerabilities within the code.
  • Performed vulnerability testing using tools such as Nessus and QualysGuard.
  • Prepared system plans and executed ArcSight architecture modifications.
  • Proficient in understanding application-level vulnerabilities such as XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks and authentication flaws.
  • Provided oversight of all changes to corporate firewalls, including pre-implementation analysis and approval and post-implementation auditing. Identified and remediated threats and vulnerabilities as part of security monitoring (SOC), triage and escalation to Tier 2.
  • Researched, analyzed and understood log sources from security and networking devices such as firewalls, routers, anti-virus products and operating systems, as well as web, mobile and cloud systems.
  • Developed IAM solutions with Azure and managed Enterprise Mobility and Security (EMS).
  • Managed a team of analysts and service providers who supported the various Identity and Access Management (IAM) and Data Loss Prevention (DLP) functions.
  • Developed and maintained IAM policies, standards and practices. Helped to establish a formal review process that promoted strong collaboration among a wide range of policy, standard and practice leaders and groups.
  • Implemented an enterprise-wide IAM solution.
  • Reviewed Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
  • Reviewed source code (Java/J2EE/Spring/FTL/JavaScript/jQuery).
  • Rolled out IBM AppScan products (AppScan Enterprise (ASE), Standard, Source and developer plug-ins) and Checkmarx to various development teams across the business lines.
  • Skilled in using Burp Suite, Acunetix automatic scanner, Nmap, DirBuster, QualysGuard, Nessus and SQLMap for web application and infrastructure penetration testing.
  • Utilized the NIST framework for IT risk assessments.
  • Troubleshot and resolved web application security issues escalated from customer support and other departments with a 100% success rate.

Confidential, Memphis, TN

Sr. Security Engineer

Responsibilities:

  • Created and documented reports, rules, trends and dashboards. Analyzed ArcSight and related tools and resolved IT security failures.
  • Used Data Leakage Prevention (DLP), forensics, sniffer and malware analysis tools.
  • Designed security policies, alarm response protocols and access card guidelines.
  • Developed and updated security procedures, security system drawings and related documentation.
  • Developed correlation rules for the Security Information and Event Management (SIEM) system.
  • Developed procedures for the emergency response and crisis management, physical security, information protection, incident management and investigation units.
  • Experience with network Intrusion Detection/Intrusion Prevention Systems and firewalls.
  • Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
  • Good knowledge of and experience in the installation, configuration and administration of Windows Server 2000/2003, Active Directory, FTP, DNS, DHCP, TFTP and Linux in LAN and WAN environments.
  • Implemented HP ArcSight ESM, including correlation rules, data monitors, reports, event annotation stages, case customization, active lists and pattern discovery.
  • Implemented the IBM AppScan Standard and Source editions, HP WebInspect, Nessus and QualysGuard web application scanners.
  • Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web and mobile applications, including database and middleware systems.
  • Reviewed the Azure network security architecture and implemented security controls, specifically for Azure virtual networks, including on-premises connectivity, traffic filtering, secure communication and point-to-site VPN.
  • Implemented Network Security Groups (NSGs) to control network traffic to the various Azure network resources.
  • Created NSG rules (inbound and outbound) and prioritized the rules based on the requirements.
  • Associated NSGs with VMs, NICs and subnets based on the deployment model.
  • Validated database security for SQL Servers deployed in the Azure cloud environment. Implemented Integrated Windows Authentication backed by Azure Active Directory.
  • Enabled threat detection for databases in the Azure portal, and reviewed and remediated the security alerts generated in Azure Security Center.
  • Implemented Azure Key Vault for storing secrets.
  • Developed security controls for implementing Azure storage security, and implemented RBAC with Azure AD to secure the storage account.
  • Implemented a web filter database for URL content filtering.
  • Participated in the implementation of a SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
  • Performed Static and Dynamic Application Security Testing (SAST and DAST) for various applications as per the firm's security standards (i.e., OWASP, SANS 25).
  • Conducted workshops and user awareness training on security policies, procedures and baselines.
  • Provided guidance for equipment checks and supported processing of security requests.
  • Reported security findings and recommendations and presented them to the business users, executive committee and Compliance departments.
  • Reviewed architecture designs and Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
  • Reviewed security vulnerability reports for applications and databases, analyzed them and worked extensively with the development teams on the implementation of mitigating controls.
  • The associated IT infrastructure, such as database management systems, middleware systems and web services (SOA), was also included in the security assessments.
  • Reviewed the key areas where confidential and sensitive data is stored on mobile devices and made recommendations to secure customers' PII and PCI data.
  • The pen testing scope included operating systems (Windows and Linux), external-facing web apps and database servers that store credit card information.
  • Utilized Security Information and Event Management (SIEM) and Intrusion Detection and Prevention (IDS/IPS) for threat hunting and incident response (IR).
  • Worked directly with outside vendors to implement and troubleshoot all SAML integrations for Multi-Factor Authentication (MFA).
  • Worked with the Internet Engineering team on the design and configuration of the Blue Coat Internet proxy.
  • Worked with software development teams, DB/Unix administrators and solution architects as a subject matter expert on security compliance with PCI DSS 3.2 and industry standards.

Confidential

Java/J2EE Developer

Responsibilities:

  • Agile/Scrum was used as the project management methodology, with JIRA and Confluence as the tracking tools.
  • Designed and developed an end-to-end customer self-service module using annotation-based Spring MVC and Hibernate.
  • Used Git version control to track and maintain the different versions of the project.
  • Developed the user interface using JSP/HTML and used CSS for styling the web pages.
  • Front-end development using HTML, CSS and JSP, with client-side validation performed using JavaScript.
  • Implemented bean classes and configured them in the Spring configuration file for dependency injection.
  • Developed controller classes using the Spring MVC, Spring AOP, Spring Boot and Spring Batch modules, and handled security using Spring Security.
  • Implemented the complete Maven build life cycle to achieve an organized application structure and conflict-free dependencies in the pom.xml file.
  • Implemented functionality such as searching, filtering, sorting and validating using AngularJS and JavaScript.
  • Created mappings among the relations and wrote named HQL queries using Hibernate.
  • Integrated REST APIs with Spring, consuming resources using Spring RestTemplate, and developed a RESTful web services interface to the Java-based runtime engine and accounts.
  • Involved in all stages of the Software Development Life Cycle (SDLC) of the project under an agile methodology.
  • Involved in writing the Spring configuration XML file that contains the bean declarations and their dependent object declarations.
  • Participated in daily Scrum meetings, sprint grooming/review and demos with management and other teams.
  • Used SQL statements and procedures to fetch data from the database. Created new views and added new columns to existing views in the database using SQL.
  • Worked directly with outside vendors to implement and troubleshoot all SAML integrations.
  • Wrote SQL commands and stored procedures to retrieve data from the SQL Server database.

Environment: Core Java, Java, J2EE, HTML5, CSS3, JavaScript, AngularJS, Spring, Spring MVC, Hibernate, Spring Boot, RESTful Web Services, Git, Agile, SQL.
