Security Engineer Resume

Seattle, WA

SUMMARY

  • 5 years of experience in the IT industry as a security analyst and penetration tester.
  • Static code analysis during the development phase and penetration testing based on the OWASP Top 10.
  • Worked as an Information Security Test Consultant, involved in recommending security solutions for new applications incorporating a secure SDLC, and in OWASP Top 10 based vulnerability assessment of various Internet-facing point-of-sale web applications.
  • Experience in threat modeling during the requirement gathering and design phases.
  • Hands-on experience in vulnerability assessment and penetration testing using tools such as Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, HP Fortify, YASCA, Nikto, Kali Linux, Metasploit and Acunetix.
  • Capable of identifying flaws such as injection, XSS, SQL injection, insecure direct object reference, security misconfiguration, sensitive data exposure, function-level access control, CSRF and unvalidated redirects.
  • Involved in implementing and validating the security principles of minimizing attack surface area, least privilege, secure defaults, defense in depth, avoiding security by obscurity, keeping security simple and fixing security issues correctly.
  • Experience in using Kali Linux for web application assessment with tools such as DirBuster, Nikto and Nmap.
  • Threat modeling of projects by getting involved before development begins, improving security at the initial phase.
  • STRIDE assessment of applications during the design phase, identifying the possible threats and providing security requirements.
  • Training the development team on the most common vulnerabilities and common code review issues, and explaining the remediations.
  • Expertise in using DAST tools (such as IBM AppScan and Burp Suite Pro) against the running application to probe it in various ways and identify potential vulnerabilities outside the code and in third-party interfaces.
  • Used SAST tools (such as HP Fortify) to test source code and byte code to expose weaknesses in the software before it is deployed.
  • Experienced with DNS/DFS/DHCP/WINS standardization and implementation.
  • Experienced with security risk management for TCP-based networking.
  • Experienced with TCP/IP, firewalls, LAN/WAN, UDP, IPsec and routing protocols.
  • Experienced with HTML, CSS and JavaScript.
  • Experience in performing secure code review (SCR) of various applications using static code analyzers (SCA) such as HP Fortify and YASCA.
  • Validating false positives and reporting the issues.
  • Interpreted least privilege for applications and segregation of duties.
  • Certified Ethical Hacker. A good team player, inquisitive and strong in basic concepts.

TECHNICAL SKILLS

Regulations: OWASP, PCI-DSS, HIPAA, GLBA

Application Security Tools: Paros Proxy, Burp Suite, WebScarab, SQLMap, DirBuster, WebInspect vulnerability assessment tool, HP Fortify, YASCA, Metasploit, Nmap, Nessus, Acunetix, Live HTTP Headers, Tamper Data

Operating Systems: Windows, macOS, Red Hat Linux, Kali Linux.

Programming Languages: HTML5, CSS3, JavaScript, Python, PHP.

PROFESSIONAL EXPERIENCE

Confidential, Seattle WA

Security Engineer

Responsibilities:

  • Working as a Technical Security Consultant in the area of application security, highlighting the security controls needed at the design level.
  • Understanding and implementation of security in the SDLC via application risk assessment, requirements gathering, design review and application vulnerability assessment.
  • Validating input validation, session management, client protocol controls, cryptography, logging and information leakage.
  • Performing thorough penetration testing on web applications.
  • Performing both manual and automated vulnerability assessment using tools such as Burp Suite and SQLMap.
  • Ensuring the issues identified are reported as per the reporting standards.
  • Conducting penetration tests on systems and applications using automated and manual techniques with tools such as Core Impact, HP Fortify, Metasploit, Burp Suite, WebInspect, Kali Linux, CheckMartSparker and many other open source tools as needed. Working with support teams to address findings resulting from the tests.
  • Performing validation of the design of features such as authentication, authorization and accountability.
  • Providing the report and explaining the issues to the development team.
  • Implementing security solutions according to the security policy and practices established by the client.
  • Reviewing projects during the SDLC and making actionable recommendations to the project team, understanding the technology and bringing solutions based on it.
  • Using Burp Suite, DirBuster, HP Fortify and Nmap on a daily basis to complete the assessments.
  • Reviewing the SCA report, removing the false positives and reporting to the application teams with recommended remediations.
  • Managing risk by analyzing the root cause of issues, the impact to technology and the required corrective actions, leveraging advanced analytical skills.

Environment: Java, ASP.NET, MySQL, HP Fortify, YASCA, Kali Linux, Burp Suite, DirBuster, Microsoft Visual Studio, Nmap, Wireshark

Confidential, Minneapolis, MN

Pen Tester

Responsibilities:

  • Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebInspect, etc.
  • Preparation of a security testing checklist for the company.
  • Involved in secure design and solutions for newly proposed applications, incorporating security right from the requirement elicitation and design phases of the SDLC.
  • Identified attacks such as SQLi, XSS, CSRF, RFI/LFI and logical issues.
  • Monthly automated scans of the online applications in production using WebInspect, followed by report presentation.
  • Good knowledge of IBM AppScan to enhance web application security.
  • OWASP Top Ten 2013 vulnerability assessment, online application testing, and CR regression testing, assessment and reporting.
  • Creating documentation for the vulnerabilities identified and reporting it to the application development team. Ensuring timely delivery of reported issues and remediation.
  • Network scanning using tools such as Nmap and Nessus.
  • Secure code review of the applications using open source utilities, identifying flaws in coding practices and encouraging secure coding among the developer community.
  • Grey box testing of the applications.

Environment: Java, PHP, MS SQL, Kali Linux, Burp Suite, DirBuster, IBM AppScan Enterprise, Nmap, Nessus.

Confidential

Security Tester

Responsibilities:

  • Performing pen tests on different applications each week.
  • Preparation of a security testing checklist for the company.
  • Identification of OWASP Top 10 issues such as SQLi, CSRF and XSS.
  • Ensuring all the controls are covered in the checklist.
  • Identified attacks such as SQLi, XSS, CSRF, RFI/LFI and logical issues.
  • Updating the checklist on a weekly basis to ensure all test cases are up to date with the attacks happening in the market.
  • Information gathering on the application using websites such as Shodan, ReverseDNS and Hackertarget.com.
  • Using various Firefox add-ons such as Flagfox, Live HTTP Headers and Tamper Data to perform the pen test.
  • Network scanning using tools such as Nmap and Nessus.
  • Using Metasploit to exploit the systems.
  • Awareness of information security concepts and abiding by them during delivery.

Environment: PHP, ASP, MS SQL, MySQL, Burp Suite, SQLMap, Nikto, OWASP ZAP Proxy, DirBuster, HP Fortify, Nmap, Metasploit.