Information Security Analyst Resume

Washington D.C.

SUMMARY

  • Professional with more than 10 years of progressive experience in IT, with extensive experience in Information Security, Application Security, Network Security and Penetration Testing.
  • Experience in application security, vulnerability assessments and OWASP, along with security testing tools such as Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, Kali Linux, Metasploit, HP WebInspect and IBM AppScan.
  • Experience as an Information Security Consultant, involved in OWASP Top 10 based Vulnerability Assessment of various internet-facing point-of-sale web applications and web services.
  • Interpreted least privilege for applications and segregation of duties across the organization.
  • Simulated how an attacker would exploit the vulnerabilities identified during dynamic analysis.
  • Experience with Dynamic Analysis (DAST) and practical knowledge of Static Analysis (SAST).
  • Good experience in Secure SDLC and Source Code Analysis (manual and tool-based) on web-based applications.
  • Hands-on experience in SQL Injection protection, XSS protection, script injection and other major hacking protection techniques.
  • Involved in web application development with UI technologies such as CSS, HTML and JavaScript.
  • Hands-on experience in reviewing and defining requirements for information security solutions.
  • Performed application security and penetration testing using Rational AppScan.
  • Performed host, network, and web application penetration tests.
  • Performed application and infrastructure penetration tests along with physical security reviews.
  • Worked on improvements for security services and provided feedback and verification about existing security issues.
  • Knowledge of User Acceptance Testing concepts. Knowledge of protocols such as TCP/IP, UDP, IPSec, HTTP, HTTPS and routing protocols, and of operating systems such as Windows/Linux, databases, application security and secure remote access.
  • Ability to develop and maintain metrics and reports on vulnerability findings and remediation compliance.
  • Knowledge of DISA STIG, CIS, CVSS, HIPAA and proactive vulnerability detection.
  • Good knowledge of cloud security models and controls in Amazon Web Services (AWS).
  • Proficiency in scripting, Unix operating systems and Windows.
  • Good knowledge of gathering requirements from stakeholders.
  • Constructing RFP/RFQs, devising and planning, with a strong technical understanding of vulnerabilities and how attackers can exploit them to compromise systems.
  • Ability to exploit recognized vulnerabilities.
  • Good team player with excellent analytical, interpersonal, communication and written skills, and problem-solving and troubleshooting capabilities.
  • Highly motivated and able to adapt to work in any new environment.

TECHNICAL SKILLS

Tools: Burp Suite, DirBuster, SQLMap, Kali Linux, OpenVAS, HP WebInspect, IBM AppScan, Acunetix, HP Fortify, Checkmarx, OWASP, SANS Top 25, ZAP

Network Tools: Nmap, Tenable Nessus, Rapid7 Nexpose, InsightVM, Qualys

Policy and standards: NIST, PCI DSS, CIS, HIPAA, FDCC

Risk Assessment Tools: Digital Manager 360 (Modulo), RSA Archer

Language: C, C++, Java

Web Technologies: HTML, CSS, JavaScript

Platforms: Windows XP, 10, Linux

Web Server: Apache, IIS 6.0/7.0/8/10.0

Database: MS SQL, Oracle, MySQL

Packages: MS-Office (Word, Excel, Pivot Tables), MS Visio

PROFESSIONAL EXPERIENCE

Confidential, Washington D.C.

Information Security Analyst

Responsibilities:

  • Performing manual and automated security testing and validation testing on a wide range of web, host, database and mobile-based applications hosted in multiple environments.
  • Using Nessus and Burp Suite, among other tools, to perform vulnerability scanning of applications and operating systems with a combination of automated and manual techniques.
  • Configuring automated scans using tools such as Tenable Nessus, AppDetective, Scuba, Burp Suite Pro, Acunetix, DBVisualizer, Nmap and others.
  • Used SoapUI and Burp Suite for web service and API testing.
  • Conducting manual code review for .NET and JavaScript.
  • Conducting security assessments in accordance with the National Institute of Standards and Technology (NIST) framework, Revision 5.
  • Performing security tests and carrying out vulnerability and risk analysis in accordance with JISF's repeatable methodology.
  • Conducting host and application security testing, with test cases derived from controls described in the technical families of JISF (Judiciary Information Security Framework), from guidance published by the Center for Internet Security (CIS) for host testing, and from the Open Web Application Security Project (OWASP Top 10) for application testing.
  • Conducting network penetration vulnerability assessments on the internal network to identify vulnerabilities in the existing network and communicating the correct mitigation for each to the client.
  • Experience working in the FedRAMP cloud environment and understanding IaaS, PaaS and SaaS with regard to cloud service provider (AWS) security control responsibilities.
  • Understanding of security practices related to Cisco network infrastructure.
  • Reviewing the vulnerabilities identified and mapping them to the appropriate security controls.
  • Performing risk analysis of all identified vulnerabilities and assigning risk ratings based on the Common Vulnerability Scoring System (CVSS) version 3.1.
  • Tracking reported vulnerabilities to ensure closure by performing validation tests.
  • Reporting the identified vulnerabilities in CSAM.

Confidential, Plano, TX

Sr. Information Security Analyst

Responsibilities:

  • Performed manual and automated dynamic security testing and remediation testing on a wide range of web and native mobile-based applications hosted in multiple pre-prod environments using tools such as IBM AppScan Standard, Burp Suite and Checkmarx.
  • Conducted security assessments by creating test cases and test scenarios against session management, cryptography, sensitive data, and auditing and logging.
  • Conducted manual application testing with tools such as Burp Suite Pro, using guidance published by the Open Web Application Security Project (OWASP Top 10) and the National Institute of Standards and Technology (NIST) framework, currently on revision 4.
  • Conducted manual verification of vulnerabilities reported by automated scanning to identify false positives.
  • Used Nessus and Burp Suite, among other tools, to perform vulnerability scanning of applications and operating systems with a combination of automated and manual techniques.
  • Configured automated scans using tools such as Tenable Nessus, AppDetective, Burp Suite Pro, IBM AppScan Standard, DBVisualizer, Core Impact, Nmap, Metasploit, and other tools found in the Kali Linux web testing distribution.
  • Used Kali Linux and the Nessus scanner to conduct host-based security testing for host discovery and identification of ports open on the host.
  • Performed extensive risk analysis of all identified vulnerabilities and assigned risk ratings based on the Common Vulnerability Scoring System (CVSS) version 3.
  • Used tools such as SoapUI, Burp Suite and Postman for web service and API testing.
  • Used Firefox add-ons such as Live HTTP Headers, Tamper Data and FlagFox for enumeration and exploitation of security vulnerabilities.
  • Tracked reported vulnerabilities to ensure closure by performing revalidation tests.

Confidential, Chicago, IL

Sr. Application Security Analyst

Responsibilities:

  • Worked as Application Security Analyst, maintaining the security controls required at the design level.
  • Worked with the software development team to review source code, triage vulnerabilities reported by HP Fortify, IBM AppScan and HP WebInspect, and eliminate false positives.
  • Used static code analysis tools such as HP Fortify for security code review of .NET and Java code.
  • Documented reports based on network and application vulnerability scan alerts and assisted development teams in remediating vulnerabilities by prioritizing them by severity.
  • Used OWASP Top 10 and SANS Top 25 for identifying vulnerabilities and prioritizing them based on severity.
  • Performed penetration testing on applications and systems using manual and automated testing with tools such as Kali Linux and Burp Suite.
  • Explained security requirements to the design team in the initial stages of the Software Development Life Cycle to minimize the issues identified during penetration testing.
  • Experience with web development technologies such as HTML, CSS, HTTP and database connectivity.
  • Responsible for identifying how an attacker could exploit vulnerabilities during the dynamic analysis phase.
  • Performed thorough penetration testing on web applications.
  • Performed SAST and DAST security testing on production applications.
  • Used Nmap and Nessus to perform network scanning.

Confidential, Warren, NJ

Security Engineer

Responsibilities:

  • Established a vulnerability assessment practice, proactively ensuring the safety of client-facing applications and minimizing client audit findings.
  • Performed security analysis and identified possible vulnerabilities in the key derivation function; created a Vulnerability Assessment report detailing the exposures identified, rating the severity of the system, suggesting mitigations for each exposure, and testing known vulnerabilities.
  • Real-time experience in DoS, DDoS, SQL Injection protection, XSS protection, script injection and other major hacking protection techniques.
  • Supported the integration of security into the SDLC through techniques such as threat modeling, risk management, logging and penetration testing.
  • Provided fixes and filtered false findings for the vulnerabilities reported in scan reports.
  • Added new vulnerabilities to the Vulnerability Database for various platforms with the corresponding exploits.
  • Scanned networks, servers and other resources to validate compliance and identify security issues using numerous tools.
  • Assisted in preparing plans to review software components through source code review or application security review.
  • Assisted developers in remediating issues found in security assessments with respect to OWASP standards.

Confidential

Penetration Tester

Responsibilities:

  • Experience with manual penetration testing on web applications.
  • Good understanding of and experience in testing vulnerabilities based on the OWASP Top 10.
  • Experience with Intrusion Detection Systems (IDS), which automate the process of intrusion detection, and Intrusion Prevention Systems (IPS), which aim to detect and block intrusions.
  • Capable of identifying flaws such as SQL Injection, XSS, Insecure Direct Object Reference, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, CSRF and Unvalidated Redirects.
  • Familiar with Burp Suite for identifying vulnerabilities manually.
  • Performed Dynamic Application Security Testing (DAST) using tools such as HP Fortify and IBM AppScan.
  • Prepared comprehensive security reports detailing the vulnerabilities identified, risk descriptions and recommendations.
  • Coordinated with team members to provide guidance related to requirements.
  • Experience with tools such as the Tenable Nessus vulnerability scanner.
  • Provided comprehensive reports on vulnerabilities and action plans to mitigate them.
  • Utilized various logs, rules and indicators of compromise to correlate events for exploit prevention and incident response.
  • Researched, identified and implemented security best practices for all system and service deployments.