SUMMARY:

• Having 7 years of experience in Information Technology with Performing penetration tests and vulnerability scans, respond to security incidents, investigate security issues, assist in development and implementation of Security policies, Install, Configure, Maintain and Support Security Tools and recommend security solutions.
• Expertise in performing Application Security risk assessments throughout the SDLC cycle of analyzing, designing, implementing and testing.
• Experienced in both manual and tool - assisted vulnerability assessment, Secure code reviews and penetration testing on Java, .Net applications using various tools like Burp Suite, DirBuster, Qradar, NMap, Nessus, IBM AppScan enterprise, Kali Linux, SQLMAP, Wireshark.
• Simulate how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
• Assessed IT Systems for compliance against DoD 8500, NIST SP 800-53, HIPAA, and PCI-DSS requirements.
• Good working knowledge on SDLC, AWS, Jenkins CI/CD Pipeline and Automation.
• Responsible for monitoring and protecting company’s infrastructure by leveraging threat intelligence and existing security solutions.
• Performed Static and Dynamic Analysis and Security Testing (SAST and DAST) for various applications as per firm's security standards (i.e., OWASP, SANS 25).
• Extensive knowledge of Network Services, Operating Systems, Databases, Web Technologies.
• Ability to work in large and small teams as well as independently.
• Conducting security reviews, technical research, and provided reporting to increase application security defense mechanisms.
• EDUCATION/Certifications Excellent communicational skills with strong interpersonal and analytical skills. Strong time management skills, fast learner, self - motivated, and prioritizing multiple projects, initiative and Meeting Deadlines.

TECHNICAL SKILLS:

PROFESSIONAL EXPERIENCE:

Confidential, Portland, OR

Security Analyst

Responsibilities:

• Performing application security reviews which include data classification and valuation, threat modeling, vulnerability assessment, control assessment and determination of residual risk. The application risk assessment factored external inputs such as network assessment results, audit findings as well as compliance results.
• Perform security code review of JAVA, .Net, PHP code using static code analysis tools e.g. HP Fortify and IBM AppScan. Help team to remediate security issues with sample code.
• Identified OWASP top 10 vulnerabilities such XSS, SQL injection, CSRF, Session management.
• Identification of different vulnerabilities in applications by using Nessus and proxies like Burp suite pro to validated the server side validations.
• Build appropriate test environments to enable effective security testing.
• Manual penetration testing of the applications and APIs to identify the OWASP Top 10 vulnerabilities and SANS 25.
• Security Testing of API’s using SOAP UI.
• Operated the QRadar SIEM in a 24/7 SOC environment to investigate alarms, and mitigate incidents and events.
• Performed the risk analysis and write-ups for the critical and high vulnerabilities related to Network and web applications.
• Conducted numerous Risk assessments and Information security reviews against corporate standards, industry standards (NIST 800-53, PCI).
• Performed Application architecture reviews to identify sensitive data (and applicable security requirements) and to validate security controls (e.g. related to access management, input validation, session management, cryptography, etc) included in the design.
• Penetration testing of various applications to identify issues in various categories likes Configuration Management, Session Management, Sensitive data handling.
• Developed, implemented and monitor compliance of security policies, standards, guidelines and procedures.
• Responsible for maintaining awareness of Corporate Security policies regarding system assets, business critical data, client data, and PII.
• Worked with development teams to review findings and ensure provided remediation advice is interpreted correctly in order to avoid erroneous implementations.
• Compiled security metrics to evidence the work completed and provide transparency to Sr. Management.

Confidential, Austin, TX

Sr. Security Engineer

• Performed security analyses and risk/vulnerability, network and application security assessments.
• Perform pen tests on different application a week.
• Penetration testing of various applications to identify issues in various categories likes Configuration Management, Session Management, Sensitive data handling.
• Evaluation of information assurance technologies for application to the projects and systems.
• Worked extensively with software development teams to review the source code, find the vulnerabilities generated by ChekMarx, Whitehat, Burp suite, Metasploit, Qradar and eliminate false positives.
• Develop the Queries in Qradar Log Manager Tool to check the integrity of event and flow logs to determine if the logs were modified.
• Verified if the application has implemented the basic security mechanisms like Job rotation, Privilege escalations, Lease Privilege and Defense in depth.
• Used various add on in Mozilla to assess the application like Wappalyzer, Flag fox, Live HTTP Header, Tamper data.
• Identified issues on sessions management, Input validations, output encoding, Logging, Exceptions, Cookie attributes, encryption, Privilege escalations.
• Execute and craft different payloads to attack he system to execute XSS and different attacks.
• SQLMAP to dump the database data to the local folder.
• Implementing, monitoring, and maintaining IDS (SNORT)
• Utilizing ArcSight, SCCM, SCOM, HBSS to secure systems.
• Identifying issues on sessions management, Input validations, output encoding, Logging, Exceptions, Cookie attributes, encryption, Privilege escalations.
• Forming documentation of penetration testing and vulnerability testing results and make recommendations to software architects, developers, and system administrators on remediation.
• Implemented Grey & Black box pen testing on internet and intranet facing applications
• Scheduled a Penetration Testing Plan throughout the organization and completed all the tasks in the given time frame.
• HIPAA Control Assessments.
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing system.
• Performed Static application security testing (SAST) and Dynamic application security testing (DAST) on production applications.
• Performed vulnerability testing using tools such as Nessus and QualysGuard.
• Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during penetration tests.
• Identified issues in the web applications in various categories like Cryptography, Exception Management.
• Ensuring compliance of applicable systems through vulnerability scanning.
• Review and maintenance of certification plans and accreditation documentation.

Confidential

Security Engineer

• Performing manual penetration testing to exploit and mitigate security threats such as XSS, CSRF, SQL Injection, Buffer Overflows and DOS Attacks.
• Burp Suite, DirBuster, Hp Fortify, Acunetix, NMap, Kali Linux, Mozilla Add-On tools were used as part of the penetration testing, on daily basis to complete the assessments.
• Spear headed the collaboration with the client to configure Nessus security center to execute continuous monitoring for the entire organization.
• Performed Penetration Testing standard based methodology testing, with prescribed PCI-DSS requirements.
• Completed all penetration tests reports, and maintained progress report during all pentesting phases.
• Provided proof of concepts for vulnerability assessments, and assistance on the remediation efforts.
• Works closely with Application Developers, coordinates and reviews Application security Controlled Penetration Tests (CPT) and Dynamic Scanning for Application vulnerability identification and resolution.
• Developed maintained, reviewed and coordinates the implementation of all application-related security plans, policies and procedures throughout the organization's network.
• Developed a new security program and framework using the PCI-DSS and NIST Risk Management Framework.
• Review and validate the privileged users and groups at Active Directory, Databases and application on a periodic basis.
• Used ArcSight Express for SIEM/Correlation functionality and ArcSight Logger for Log Management.
• Providing senior management with technical reports detailing penetration testing engagement results.
• Working knowledge of Network OSI Model and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.
• Performed QRadar Incident Forensics. This helps to search, verify that an incident occurred, determine the severity, reconstruct the event, review it, determine the root cause, and take corrective and preventative action.
• Wrote reports in multiple formats for both adhoc and monthly assessments for vulnerabilities identified during security assessments to include word, xml, pdf, csv, and excel.
• Conducted security reviews, technical research, and provided reporting to increase application security defense mechanisms.

Confidential

C# Developer

• Analyzing the System requirements.
• Designed different components using C#.NET and extensively used Object Oriented Programming techniques.
• Used N-tier architecture for presentation layer, Business and Data Access Layers using C#.NET.
• Developed UI using JavaScript, HTML and CSS.
• Developed Stored Procedures, Triggers, and Views in SQL Server for accessing the database.
• Written Unit tests and Integration tests for all the Service, Business and Data layer methods.
• Extensively worked with LINQ.
• Used Ajax Control Tool kit to run client side script; enhance rich web UI and data validation.
• Having good working knowledge on IIS deployment.