
IT Security Consultant Resume


Atlanta, GA

SUMMARY

  • Over 9 years of experience as an IT professional within Information Security.
  • Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
  • Experience in threat modeling during the requirement gathering and design phases.
  • Experience in vulnerability assessment and penetration testing using tools such as Burp Suite, DirBuster, Nmap, Nessus, Kali Linux, Metasploit and Acunetix.
  • Experience with security risk management for TCP-based networking.
  • Experience with TCP/IP, firewalls, LAN/WAN.
  • Performed static code assessment using Veracode and identified the false positives.
  • Monitor, analyze and respond to security incidents in the infrastructure.
  • Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.
  • Experience in Linux system administration.
  • Performed Rapid7 and Nessus scans against infrastructure such as web servers, app servers and DB servers to identify the existing environmental vulnerabilities.
  • Performed vulnerability assessment on all the workstations in the organization to identify whether they are patched and updated.
  • Static code analysis during the development phase.
  • Integrated Veracode with the SDLC process to ensure every build is analyzed using static code analysis.
  • A Certified Ethical Hacker.
  • A pen tester with experience of penetration testing on various applications in different domains.
  • Penetration testing based on the OWASP Top 10.
  • A good team player, inquisitive, and strong in basic concepts.
  • Performed gap analysis to identify scenarios such as privilege escalation.
  • Performed software licensing audits.
  • Interpreted least privilege for applications and segregation of duties.
  • SOX compliance audit experience on controls such as user access management, change management and incident management.

TECHNICAL SKILLS

Penetration Testing: BackTrack, Kali Linux, Metasploit

Application Security: Burp Suite, OWASP ZAP, IBM AppScan, HP WebInspect, HP Fortify, Checkmarx, Veracode, Acunetix

Network Security: Nessus, GFI LanGuard, Nexpose, Metasploit

Endpoint Security: FireAMP, Damballa, Bit9, Sophos

Perimeter Security: FireEye E MPS / M MPS, Sourcefire IPS, Proxy CWS

Malware Analysis: FireEye MAS, ThreatGRID, VirusTotal

SIEM: Splunk, QRadar

Forensic Investigation: FTK, Maltego

Standards: OWASP, SANS, OSSTMM, SWAT Checklist, S-SDLC, business logic vulnerabilities.

PROFESSIONAL EXPERIENCE

Confidential, Atlanta GA

IT Security Consultant

RESPONSIBILITIES:

  • Implemented OWASP Top Ten 2010 vulnerability assessment. Online application testing and CR regression testing, assessment and reporting.
  • Detected and prioritized vulnerability exposures and coordinated with the team for complete closure.
  • Static and dynamic scanning of various applications using Checkmarx and IBM AppScan; identified false positives and reported in SSC.
  • Used tools such as Nmap, Nessus, Google dorks, Flagfox, DirBuster and Live HTTP Headers to gather more information on the application and perform security assessment.
  • Conducted host-based security assessment using Kali Linux to identify the ports and services running and to identify vulnerabilities using the Nmap Scripting Engine.
  • Exploited the systems with vulnerabilities using the Metasploit framework.
  • Analyzed the application for vulnerabilities in categories such as input and data validation, authentication, authorization and configuration management.
  • Created documentation for the vulnerabilities identified and reported it to the application development team, ensuring timely delivery of issues reported and remediation.
  • Followed the DREAD approach to provide the risk rating for the vulnerabilities identified. Prepared reports with an executive summary, technical details and remediations.
  • Performed web service testing using SoapUI to analyze the vulnerabilities.
  • Conducted web application user ID access reconciliation and audit of the privileged database and application user IDs on a quarterly basis.
  • Understanding new security technologies for potential utilization in application security testing.
  • Audited the project for SOX compliance by collecting and reviewing the evidence, making sure all NCs are closed before the next quarterly audit.
  • Performed user access management and identity management for the various client applications through automatic disablement of dormant users and a monthly audit.
  • Implemented gap analysis of the present risk assessment methodology and conducted risk assessment and mitigation steps for the client.
  • Identified the latest threats and vulnerabilities and conducted impact analysis to improve the risk level through continuous risk assessment.
  • Prepared the RMR (Risk Management Report) at account level. Risk assessment done for the account of 8 different projects.
  • Provided remediations to minimize risk and followed up to ensure proper implementation as per the control objective.
  • Implemented a Software Security Assurance framework across the whole project by conducting sessions such as secure programming practices for all the developers.
  • Involved in the complete Agile process as a security consultant. Trained modules such as secure design requirements, threat modeling, secure coding practices and penetration testing.
  • Used the SNAP tool to create tickets and HP QC for defect logging and tracking.
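
The Nmap and Nessus scanning bullets above describe turning scanner output into findings for the development team. The script below is an added illustration of that step and is not the candidate's own code: it parses Nmap's -oX XML format (the sample document is constructed here following that schema, not a real scan) and reports only open ports with their service banners and NSE script output, flagging any script whose output mentions a risky or vulnerable condition. The marker words used for flagging are an assumption made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes with -oX (not real scan output):
# one host, three TCP ports, with NSE script results attached to two of them.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=default -oX scan.xml 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
        <script id="ssh-hostkey" output="2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
        <script id="http-server-header" output="Apache/2.4.6 (CentOS)"/>
        <script id="http-methods" output="Potentially risky methods: TRACE"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed heuristic for this example: NSE output containing these words gets a flag.
RISKY_SCRIPT_MARKERS = ("risky", "vulnerable", "VULNERABLE")


def parse_nmap_xml(xml_text: str) -> list:
    """Return one record per open port: host, port, service banner, NSE output, flag."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not reportable attack surface
            svc = port.find("service")
            if svc is not None:
                banner = " ".join(filter(None, (svc.get("name"), svc.get("product"), svc.get("version"))))
            else:
                banner = "unknown"
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": banner,
                "scripts": scripts,
                "flagged": any(m in out for out in scripts.values() for m in RISKY_SCRIPT_MARKERS),
            })
    return findings


def render_report(findings: list) -> str:
    """Plain-text summary suitable for pasting into a ticket: '!' marks flagged ports."""
    lines = []
    for f in findings:
        flag = "!" if f["flagged"] else " "
        lines.append(f"{flag} {f['host']}:{f['port']}/{f['proto']}  {f['service']}")
        for sid, out in f["scripts"].items():
            lines.append(f"      [{sid}] {out}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

The same parser works on real `nmap -oX` output; the filtered MySQL port is dropped and only the HTTP port, whose http-methods output mentions a risky method, is flagged for follow-up.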

Environment: Windows, ASP, Kali Linux, Nessus, Nmap, Metasploit, IBM AppScan, Checkmarx, SNAP, HP QC, Burp Suite, AWS

Confidential, Seattle WA

Security Analyst

RESPONSIBILITIES:

  • Incident response, detection and investigations.
  • Performed pen tests on different applications each week.
  • Prepared a security testing checklist for the company.
  • Ensured all the controls are covered in the checklist.
  • Physical pen testing including social engineering, site reconnaissance, lock picking, security bypass, phishing attacks, etc.
  • Identified attacks such as SQL injection, XSS, CSRF, RFI/LFI and logical issues.
  • Provided security implementation for authorization through controls such as the principle of least privilege, relinquishing privilege when not in use, non-guessable tokens and forced browsing.
  • Information gathering on the application using sites such as Shodan, reverse DNS, Hackertarget.com and Google dorks.
  • Worked on static code analysis using the automated tool HP Fortify.
  • Worked on protecting against sensitive data exposure.
  • Used various Firefox add-ons such as Flagfox, Live HTTP Headers and Tamper Data to perform the pen test.
  • Generated automated reports using HP WebInspect.
  • Performed manual testing based on the automatically generated report.
  • Performed monitoring using security assessment tools.
  • Worked on XSS and path traversal attacks manually.
  • Performed security event analysis as a point of escalation with regard to web-based attacks.
  • Worked on URL-based vulnerabilities such as unvalidated redirects and forwards, and session management cookie data retrieval.
  • Identified CSRF (Cross-Site Request Forgery) by inserting tokens.
  • Worked on unauthenticated data access manually.
  • Worked on sensitive data exposure by analyzing the cryptographic algorithms.
  • Performed crawling of the application to learn its behavior.
  • Accessed a web-based collaborative environment to rapidly resolve security issues in software code using HP WebInspect.
  • Diagnosed and troubleshot UNIX and Windows processing problems and applied solutions to increase client security.
  • Performed unit testing for proper functioning of the UI.
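
The bullets above list path traversal among the attacks tested manually. As an added example, not part of the résumé, the code below shows the vulnerable file-path resolution a tester is looking for next to a hardened version, run against a constructed list of traversal payloads (plain, URL-encoded, double-encoded, absolute and null-byte). The document root is a hypothetical value and no files are opened; only the resolved paths are compared.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for this example; nothing is read from disk.
DOC_ROOT = "/srv/app/public"

# Constructed traversal payloads of the kind sent through an intercepting proxy,
# with a legitimate request first for comparison.
PAYLOADS = [
    "reports/q1.pdf",                   # legitimate
    "../../etc/passwd",                 # classic dot-dot-slash
    "..%2f..%2fetc%2fpasswd",           # URL-encoded slashes
    "%2e%2e/%2e%2e/etc/passwd",         # URL-encoded dots
    "reports/../../../etc/passwd",      # traversal after a valid prefix
    "/etc/passwd",                      # absolute path
    "..%252f..%252fetc/passwd",         # double-encoded: one decode leaves a literal filename
    "reports/q1.pdf%00.txt",            # null byte, historically used to defeat suffix checks
]


def vulnerable_resolve(user_path: str) -> str:
    """Naive join as found in many download handlers: an absolute input makes
    posixpath.join discard DOC_ROOT, and '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, unquote(user_path)))


def hardened_resolve(user_path: str):
    """Decode once, reject null bytes, strip leading slashes, normalise, then check
    that the result still lies under DOC_ROOT. Returns None for anything that escapes."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(DOC_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare with a trailing separator so a sibling such as /srv/app/public_old
    # cannot pass a plain prefix check.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def escapes_root(user_path: str) -> bool:
    """True when the naive resolver would serve a file outside DOC_ROOT."""
    resolved = vulnerable_resolve(user_path)
    return resolved != DOC_ROOT and not resolved.startswith(DOC_ROOT + "/")


def traversal_matrix() -> list:
    """One row per payload: (payload, naive result, hardened result or None)."""
    return [(p, vulnerable_resolve(p), hardened_resolve(p)) for p in PAYLOADS]


if __name__ == "__main__":
    for payload, naive, hardened in traversal_matrix():
        verdict = "ESCAPES" if escapes_root(payload) else "inside "
        print(f"{verdict}  {payload!r:34} naive={naive!r:40} hardened={hardened!r}")
```

The absolute-path payload is the one that surprises most developers: `posixpath.join(DOC_ROOT, "/etc/passwd")` returns `/etc/passwd` outright, which is why the hardened version strips leading slashes before joining and then re-checks containment after normalisation rather than trusting the join.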

Environment: UNIX, ASP, Kali Linux, Jira, Nessus, Nmap, Metasploit, HP Fortify, HP WebInspect, HP QC

Confidential, San Jose, CA

Security Engineer

RESPONSIBILITIES:

  • Black box pen testing on internet- and intranet-facing applications.
  • OWASP Top 10 issue identification such as SQLi, CSRF and XSS.
  • Preparation of the risk registry for the various projects at the client.
  • Trained the development team on secure coding practices.
  • Provided details of the issues identified and the remediation plan to the stakeholders.
  • Gray box testing of the applications.
  • Identified hidden files using DirBuster.
  • Worked on DOM-based XSS manually.
  • Worked on directory traversal attacks manually.
  • Implemented Agile methodology to follow the workflow process.
  • Worked on middleware technologies (Tomcat) to ensure application safety.
  • Verified the existing controls for least privilege, separation of duties and job rotation.
  • Identified vulnerabilities in applications using proxies such as Burp Suite to validate the server-side validations.
  • Worked on Billion Laughs attacks manually by intercepting with Burp Suite.
  • Performed function-level access control checks to prevent misuse of sensitive data privileges.
  • Worked on the Acunetix tool for quick assessment of vulnerabilities.
  • Participated in the documentation and product review process for new product introductions.
  • Contributed to the knowledge base by authoring and editing articles to share current information with team members.
  • Worked on fimap to check for the possibility of vulnerabilities.
  • Worked on DoS and firewall intrusion to ensure security against leakage of code.
  • Performed API testing using SoapUI.
  • Attended WebEx meetings with a team of vice presidents and made valuable contributions.
  • Executed and crafted different payloads to attack the system to execute XSS and other attacks.
  • Identified issues in session management, input validation, output encoding, logging, exceptions, cookie attributes, encryption and privilege escalation.
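
The Billion Laughs bullet above refers to the XML entity-expansion denial of service found by intercepting requests in Burp Suite. The code below is an added example, not the candidate's work: it builds a constructed payload with a small fan-out so it finishes instantly, measures how Python's default xml.etree parser expands it, and contrasts a parser that refuses any DTD entity declaration before it can be referenced (the same approach the defusedxml library takes, written here directly on the standard-library expat bindings).

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed Billion Laughs payload with a small fan-out (3 levels x 3 references =
# 27 copies of the 3-byte base entity, 81 bytes of text) so it runs instantly;
# a real payload uses about 10 levels x 10 and expands to gigabytes.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
"""

# Constructed benign document the hardened parser must still accept.
BENIGN = '<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'


class EntityDeclarationRefused(ValueError):
    """Raised when untrusted XML tries to declare an entity."""


def naive_text(xml_text: str) -> str:
    """Default parser: every internal entity is expanded, so output grows geometrically."""
    return ET.fromstring(xml_text).text


def expansion_factor(xml_text: str) -> float:
    """Bytes of text produced per byte of input: the amplification an attacker gets."""
    return len(naive_text(xml_text)) / len(xml_text)


def hardened_parse(xml_text: str) -> list:
    """Parse with expat but abort on the first entity declaration, which blocks
    Billion Laughs and external-entity (XXE) tricks alike. Returns (tag, text) pairs."""
    parser = xml.parsers.expat.ParserCreate()
    events = []
    current = [None]

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the DTD, internal or external, before any
        # reference to it is expanded; raising here unwinds out of Parse().
        raise EntityDeclarationRefused("refusing DTD entity %r" % name)

    def on_start(tag, attrs):
        current[0] = [tag, ""]
        events.append(current[0])

    def on_chars(data):
        if current[0] is not None:
            current[0][1] += data  # expat may split text into several chunks

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_text, True)
    return [tuple(e) for e in events]


def refuses(xml_text: str) -> bool:
    """True when the hardened parser rejects the document for declaring entities."""
    try:
        hardened_parse(xml_text)
    except EntityDeclarationRefused:
        return True
    return False


if __name__ == "__main__":
    print("naive expansion: %d bytes of text, factor %.2f"
          % (len(naive_text(BILLION_LAUGHS)), expansion_factor(BILLION_LAUGHS)))
    print("hardened refuses payload:", refuses(BILLION_LAUGHS))
    print("hardened parses benign  :", hardened_parse(BENIGN))
```

Recent libexpat builds cap amplification only after several megabytes of output, so a payload this small still expands silently; refusing entity declarations outright is the check that does not depend on the parser version.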

Environment: Burp Suite, Nexpose, HTTP headers, Acunetix, fimap, DirBuster, SoapUI.

Confidential

Penetration Tester

RESPONSIBILITIES:

  • Perform application and infrastructure penetration tests along with physical security reviews.
  • Define requirements for information security solutions and perform reviews of application designs and source code.
  • Design, develop and implement penetration tools and tests, and also use existing ones to handle penetration testing activities.
  • Document and discuss security findings with information technology teams.
  • Work on improvements for security services and provide feedback and verification about existing security issues.
  • Perform attack simulations on company systems and web applications to determine and exploit security flaws.
  • Monthly reviews carried out over the vulnerability assessments and penetration testing.
  • Raised issues against any high-severity vulnerabilities in the scan reports.
  • Ensured compliance with legal and regulatory requirements.
  • Exhibited client-facing skills and the capability to articulate technical concepts to a variety of technical and non-technical audiences.
  • Assisted in review of business solution architectures from a security point of view, which helped avoid security-related issues/threats at an early stage of the project.

Environment: Nmap, Nessus, Burp Suite, Sqlmap, DirBuster.

Confidential

IT Security Analyst

RESPONSIBILITIES:

  • Performed threat modeling of the applications to identify threats.
  • Identified issues in web applications in categories such as cryptography and exception management.
  • Risk assessment of the application by identifying issues and prioritizing them based on risk level.
  • Within the team, the main focus of work was to audit the application prior to moving to production.
  • Explained the security requirements to the design team in the initial stages of the SDLC to minimize the effort of reworking issues identified during penetration tests.
  • Analyzed XML and HTTP requests to find vulnerabilities.
  • Performed vulnerability assessments and prevention on the development side by leveraging tools such as Nmap, Nessus and IBM AppScan.
  • Provided remediation to the developers based on the issues identified.
  • Worked on DOM XSS by analyzing the JavaScript.
  • Good knowledge of web technologies such as HTML, CSS and JavaScript to ensure protection from XSS by reviewing the code.
  • Worked on ng-directives in AngularJS for vulnerability assessments.
  • Ensured scripts were drafted manually based on the vulnerability.
  • Revalidated the issues to ensure closure of the vulnerabilities.
  • Verified whether the application has implemented basic security mechanisms such as job rotation, privilege escalation controls, least privilege and defense in depth.
  • Used various add-ons in Mozilla Firefox such as Wappalyzer, Flagfox, Live HTTP Headers and Tamper Data to assess the application.

Environment: Wappalyzer, Flagfox, Nexpose, Live HTTP Headers, IBM AppScan
