
Security Engineer Resume


Stamford, CT

SUMMARY:

  • Enthusiastic Security Engineer with 5+ years of experience in IT Security, seeking to benefit an IT Security department with complex technical knowledge. Skilled at building rapport with diverse individuals while handling complex security issues.
  • Hands on Experience in Identifying security and performance issues at multiple layers of deployment from hardware, operating environment, network and application perspective.
  • Execute risk assessments based on NIST SP 800-53 Revision 4 standards.
  • Assist Security Project Manager in scheduling and coordinating FISMA compliance and the NIST Risk Management Framework (RMF).
  • Good Knowledge on Cryptography principles.
  • Applied methodologies such as OWASP, NIST and SANS when testing web applications to identify critical bugs affecting the organization.
  • Proficient in understanding application-level vulnerabilities like XSS, SQL injection, CSRF, authentication bypass, weak cryptography, authorization flaws, etc.
  • Penetration testing (both white box and black box) based on the OWASP Top 10.
  • Good experience in Secure SDLC and source code analysis (manual and tool-assisted) of web-based applications.
  • Define timelines for a given application, conduct the security assessments, and report vulnerability findings with remediation steps to the development team.
  • Extensive experience working with QualysGuard and Nessus to conduct Network Security assessments.
  • Hands on experience in working with DAST & SAST tools.
  • Having knowledge on Vulnerability Assessment Testing (VAT), Vulnerability Exploitation Testing (VET) and reporting to management along with all associated components on a monthly basis.
  • Experience in observing network vulnerabilities and remediating findings, securely migrating files from legacy systems to new enterprise system.
  • Good knowledge of threat modeling methodologies like STRIDE, PASTA and VAST, etc.
  • Write tools in scripting languages like Python, Perl and shell to save testing time.
  • Good at implementing policies for SOX, PCI and HIPAA compliance.
  • Knowledge in Windows/Linux operating system configuration, utilities and programming.
  • Prepare, validate, and maintain security documentation including system security plan (SSP), risk assessment (RA), contingency plan (CP), privacy impact assessment (PIA).
  • Sound knowledge and hands-on experience with Mainframe RACF, Active Directory services, Identity and Access Management and the access control process.
  • Proven Knowledge on Agile, Scrum, and other software development methodologies.
  • Hands on Experience working with LAN and WAN topologies, TCP/IP protocol, routers, switches, and firewalls in Internet, Intranet and Extranet environments.
  • Broad knowledge of hardware, software, and networking technologies to provide a powerful combination of analysis, implementation, and support.
  • Experience in troubleshooting network related issues, and work with various departments on resolving issues.
  • Expertise in Microsoft Office Suite specifically Word, Excel, PowerPoint, Visio, and SharePoint.
  • Strong written and oral communication skills with the ability to explain technical ideas to non-technical individuals at any level.

TECHNICAL SKILLS:

Languages: C, C++, PHP, Python, Ruby, ColdFusion, JavaScript, .NET, SQL, Perl, Shell

Web technologies: HTML, HTML5, XML.

Operating system: Kali Linux, Windows, Ubuntu, iOS, Mac OS X.

Testing Tools: SoapUI and SOAtest.

Servers and databases: MSSQL, MySQL, MongoDB, Oracle

Web Application tools:

DAST Tools: Metasploit, ZAP, IBM AppScan, Acunetix, Burp Suite Pro, Rapid7.

SAST Tools: Checkmarx, HP Fortify, HP WebInspect.

Network Auditing/ ITGRC Assessment: Nessus, QualysGuard, tcpdump, Wireshark, Fiddler.

PROFESSIONAL EXPERIENCE:

Confidential, Stamford, CT

Security Engineer

Responsibilities:

  • Perform pen tests on different applications each week.
  • Prepare a security testing checklist for the company.
  • Provide development of bug fixes and patch sets for existing web applications.
  • Identify vulnerabilities like SQL Injection, XSS, CSRF, XXE, relating to session management, privilege escalation and other logical issues.
  • Perform semi-automated and manual web application and network penetration testing utilizing multiple tools including, but not limited to: Burp Suite, Netsparker, Tenable Nessus, SQLMap, AppDetective, custom scripts, Metasploit, Nmap, Netcat, and other tools within the Kali Linux toolset.
  • Extensively used HP Fortify, Nmap, Burp Suite and DirBuster on a daily basis to complete assessments.
  • Used QualysGuard to assess and mitigate security risks to infrastructure components and cloud-based systems.
  • Performed live packet capture with Wireshark to examine security flaws.
  • Used IBM AppScan to identify security vulnerabilities and generate reports.
  • Identify deficiencies and provide remediation.
  • Maintain all LDAP services and administration; perform LDAP directory upgrades, enhancements and revisions.
  • Developed the Risk Management Process (NIST SP 800-30), Decommission Process, Cybersecurity Software Whitelisting Process, and provided input for the development of the Risk Assessment Methodology Process (NIST SP 800-30), POA&M process (NIST SP 800-37), and SA&A (C&A) project schedule (NIST SP 800-37 & NIST SP 800-53A Rev.4), and the Bureaus’ SSP template for individual systems and subsystems.
  • Prepare a security testing checklist for the company and ensure all controls are covered in the checklist.
  • Performed Vulnerability Assessment Testing (VAT) scan support for multiple locations resulting in security compliance reporting of networked devices on an enterprise WAN.
  • Provide security implementation for authorization through controls like the principle of least privilege, relinquishing privileges when not in use, non-guessable tokens, and forced browsing.
  • Controls on session management such as server-side session state, session termination, session ID randomness, expiration, unique tokens, concurrent logged-in sessions, and session fixation prevention.
  • Use various Firefox add-ons like Flagfox, Live HTTP Headers and Tamper Data to perform the pen test.
  • Network scanning using tools like Nmap and Nessus.
  • Troubleshot and diagnosed Windows and UNIX processing problems and applied solutions to enhance client security.
  • Monitor SIEM and IDS/IPS feeds to identify possible enterprise threats. Investigate threats to determine nature of incident.
  • Conducted monthly vulnerability scanning activities and analysis reports to the ISSO.
  • Collaborate with other ISSOs and Command Information Systems Security Manager (CISSM) to develop strategies on regular intervals to identify, assess, and mitigate risks associated with information systems (IS).
  • Provide details of the issues identified and the remediation plan to the stakeholders.
  • Regularly perform research to identify potential vulnerabilities in and threats to existing technologies, and provided timely, clear, technically accurate notification to management of the risk potential and options for remediation.
  • Participate in testing of GUIs built on technologies like CSS, JavaScript and jQuery.
  • Perform secure code review of the application to quickly verify that the approach is implemented safely.
  • Test to verify that direct object references are handled safely.
  • Use a safe API that avoids the use of an interpreter entirely or provides a parameterized interface to prevent injection.
  • Recommended and implemented "white list" input validation using OWASP's ESAPI, which has an extensible library of white-list input validation routines.
  • Communicate findings and recommendations to client’s senior management, business stakeholders, security team members, and IT resources.
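Worked example of the two injection controls listed above (a parameterized query interface and "white list" input validation). This is an added illustration, not code from the resume or from any employer named on it; the table, user rows and username pattern are constructed for the example, and OWASP ESAPI is replaced by a plain regular expression so the block runs with only the Python standard library.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the original page).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable lookup: the value is spliced into the statement text,
    so the SQL interpreter parses attacker-controlled syntax."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized interface: the value is bound to a placeholder and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Positive ("white list") pattern for the example: lowercase, 3-32 chars,
# starts with a letter. Anything else is rejected before it reaches the DB.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Accept only input matching the expected shape; reject everything else."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username does not match the allowed pattern")
    return value


def lookup_hardened(conn, username):
    """Defense in depth: allowlist validation first, then a bound parameter."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))          # returns every row
    print("parameterized:", lookup_parameterized(db, payload))  # returns []
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("hardened:", exc)
```

The classic tautology payload dumps the whole table through `lookup_unsafe`, returns nothing through the bound-parameter version, and never reaches the database in the hardened version. Allowlist validation on its own is not a substitute for parameterization: it shrinks the attack surface, but the bound parameter is what makes the query safe for any value.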

Confidential, Bridgewater, New Jersey

Security Engineer

Responsibilities:

  • Black box and gray box pen testing of internet- and intranet-facing applications.
  • Prepare the risk register for the various projects at the client.
  • Conduct analyses of existing solutions to incorporate requested enhancements.
  • Provide detailed documentation of the issues identified and the remediation plan to the stakeholders.
  • Develop and update system’s security documentation according to technical writing requirements and in compliance to NIST and/or OMB, such as the SSP (NIST SP 800-18), system categorization - FIPS 199 (FIPS 200 & NIST SP 800-60 Vol 1 & II, Rev.1), E-Authentication.
  • Developed the Risk Management Process (NIST SP 800-30), Decommission Process, Cybersecurity Software Whitelisting Process, and provided input for the development of the Risk Assessment Methodology Process
  • Review and analyze user activity data and review, approve, and audit Privileged User Access (PUA), regular user access request forms and Rules of Behavior (ROB) forms to ensure compliance with User Audit requirements (NIST SP 800-92) and NIST AC control guidelines.
  • Identify different vulnerabilities in applications using proxies like Burp Suite to validate server-side validation.
  • Craft and execute different payloads to test the system for XSS and XXE.
  • Used OWASP’s CSRF Tester tool to generate test cases and demonstrate the dangers of CSRF flaws.
  • Collaborating on cross-team and cross product technical issues with a variety of resources including development to document software defects and customer suggestions.
  • Participate in documentation and product review process for new product introductions.
  • Contributing to the knowledge base by authoring and editing articles to share current information with team members.
  • Used SQLMap to dump database data to a local folder.
  • Used Metasploit to exploit the systems.
  • Performed continuous inputs to the ISSO to improve long term IS security business methodologies.
  • Identified issues in session management, input validation, output encoding, logging, exception handling, cookie attributes, encryption, and privilege escalation.
  • Implementing the CAPTCHA to prevent CSRF.
  • Providing consulting services to the client through a frequent gap analysis of the RMF and NIST guidelines which involved LOE, project plan, task listing, etc.
  • Provided and validated controls on logging such as authentication logging, profile modification logging, logged details, log retention duration, log location, synchronized time source, and HTTP logging.
  • Retest the application to check whether the vulnerabilities have been fixed.
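Worked example of the session management and cookie attribute controls referred to in the two positions above (server-side session state, random session IDs, idle expiration, session fixation prevention, and HttpOnly/Secure/SameSite cookie flags). This is an added illustration, not code from the resume or from any employer on it; the cookie name `SESSIONID`, the 15-minute idle timeout and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed idle timeout in seconds


class SessionStore:
    """Server-side session state keyed by an unguessable session ID.

    The client only ever holds the opaque ID; all user data stays here."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested offline

    def create(self):
        # 32 bytes from the OS CSPRNG, URL-safe base64: unique and non-guessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return session data, or None if the ID is unknown or has idled out."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._clock() - data["last_seen"] > IDLE_TIMEOUT:
            self.terminate(sid)  # expiration is enforced server-side
            return None
        data["last_seen"] = self._clock()
        return data

    def login(self, sid, user):
        """Authenticate the session and rotate its ID.

        Fixation prevention: the pre-authentication ID (possibly planted by an
        attacker) is discarded and a fresh one is bound to the user."""
        had_session = self.get(sid) is not None
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        if had_session:
            self.terminate(sid)
        return new_sid

    def terminate(self, sid):
        """Logout / server-side termination: the ID is no longer valid anywhere."""
        self._sessions.pop(sid, None)

    def active_count(self):
        return len(self._sessions)


def set_cookie_header(sid):
    """Cookie attributes: HttpOnly keeps it from script, Secure keeps it off
    plaintext HTTP, SameSite=Lax blocks most cross-site sends; no Expires, so
    the browser drops it when closed and the server timeout governs lifetime."""
    return "Set-Cookie: SESSIONID=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("pre-login ID still valid?", store.get(anon) is not None)  # False
    print(set_cookie_header(authed))
```

Two things this shows that a checklist line does not: the old ID must be invalidated server-side, not merely replaced in the cookie, or a fixated ID remains usable; and idle expiry has to be checked on every access rather than trusted to the cookie's own lifetime.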

Confidential

Jr. Security Engineer

Responsibilities:

  • Explain security requirements to the design team in the initial stages of the SDLC to minimize rework on issues identified during penetration tests.
  • Perform vulnerability assessments on web applications to identify issues and prioritize them based on risk level.
  • Hands-on security evaluations and penetration testing of applications based on OWASP top 10 like XSS, SQL injection, CSRF etc.
  • Identify issues in the web applications in various categories like Cryptography, Exception Management.
  • Verify whether the application has implemented basic security mechanisms such as protection against privilege escalation, least privilege and defense in depth.
  • Risk assessment on the application by identifying the issues and prioritizing the issues based on risk level.
  • Revalidate the issues to ensure the closure of the vulnerabilities.
  • Providing remediation to the developers based on the issues identified.
