
Security Engineer Resume


Columbus, IN

SUMMARY:

  • Overall 5 years of experience as a Security Engineer in domains such as web application security testing, vulnerability assessment, penetration testing and generating reports using tools.
  • Background in and understanding of the software development lifecycle.
  • Experience in penetration testing with Kali Linux: Nmap, Nessus, Nexpose, Wireshark, proxychains, enum4linux, password cracking, tcpdump, pwdump, fgdump, Metasploit.
  • Proficient in Linux operating system configuration, utilities and programming.
  • Broad knowledge of hardware, software and networking technologies, providing a powerful combination of analysis, implementation and support.
  • Application security analysis for some major clients using HP Fortify and Confidential AppScan.
  • Managed the project continuity cycle, reviewed the technical work of the team and ensured the quality of service deliverables.
  • Experience using a framework to evaluate and analyze mobile devices, applications, mobile environments and supporting infrastructure, and to identify design weaknesses and vulnerabilities.
  • Proficient in understanding application-level vulnerabilities such as XSS, SQL injection, CSRF, authentication bypass, weak cryptography, authentication flaws, etc.
  • Good experience with system vulnerability detection and mitigation.
  • Experience using a wide variety of security tools including Kali Linux, Wireshark, L0phtCrack, Snort, Cain & Abel, Nikto, DirBuster, Confidential AppScan, Nessus, OpenVAS, w3af, BeEF, Ettercap and Maltego.
  • Experience with web application security testing tools such as Acunetix, Metasploit, Burp Suite, sqlmap, OWASP ZAP, Nessus, Nmap and HP Fortify.
  • Sound knowledge and industry experience in vulnerability assessment and penetration testing of web-based applications, mobile applications and infrastructure.
  • Extensive experience working with QualysGuard to conduct network security assessments.
  • Good experience in exploiting the identified vulnerabilities.
  • Experience in threat modeling during the requirements-gathering and design phases.
  • Worked as a key member in streamlining security processes and designing and implementing efficient security solutions.
  • Excellent team player, enthusiastic initiator, able to learn fundamental concepts effectively and efficiently.
  • Conducted presentations to clients on the security services offered by the firm.
  • Good experience in secure SDLC and source code analysis (manual and tool-based) of web-based applications.

TECHNICAL SKILLS:

Vulnerability Testing: Tenable Nessus, Nmap, OpenVAS, QualysGuard

Application Security: Websense, Confidential Rational AppScan, Burp Suite, Paros, HP WebInspect, HP Fortify, sqlmap, Nikto, Metasploit, Kali Linux

SIEM Tools: TSIEM, ArcSight

Penetration Testing: Wireshark, Metasploit Framework

Languages & Databases: HTML, JavaScript, PHP, SQL, Python

PROFESSIONAL EXPERIENCE:

Confidential, Columbus, IN

Security Engineer

Responsibilities:

  • Conducted vulnerability assessments using Confidential AppScan to evaluate attack vectors, identify system vulnerabilities and develop remediation plans and security procedures.
  • Conducting web application vulnerability assessment, threat modeling, gap analysis and secure code review on the applications.
  • Identifying Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and SANS Top 25 and prioritizing them based on criticality.
  • Utilize and implement OWASP Top Ten issues, WASC and CWEs in security testing efforts.
  • Work with different application teams to help them understand the listed vulnerabilities and provide recommendations to fix them.
  • Perform manual assessment of the AppScan results to eliminate false positives and report the High, Medium and Low issues.
  • Organize kick-off meetings with the application teams to understand the application security requirements, application flow, functionality, architecture and technology.
  • Scoring the vulnerabilities based on the CWE / CVSS scoring system.
  • Hands-on experience in conducting web application security scans using Confidential AppScan, HP WebInspect and Acunetix.
  • Assist developers in remediating issues found in security assessments with respect to OWASP standards.
  • Analyzing the enterprise's information security environment and recommending security measures to safeguard applications and information assets using threat modeling, OWASP and CWE.
  • Assisting in the review of business solution architectures from a security point of view, which helps avoid security issues/threats at an early stage of the project.
  • Expertise in using DAST tools (such as Confidential AppScan and Burp Suite Pro) against the running application to probe it in various ways and identify potential vulnerabilities outside the code and in third-party interfaces.
  • Performing source code analysis to find vulnerabilities at the code level and providing mitigation techniques to the developers.
  • Used SAST tools (such as HP Fortify and SonarQube) to test source code and bytecode to expose weaknesses in the software before it is deployed.
  • Providing KT (knowledge transfer) to the development team for a better understanding of vulnerabilities.
  • Other ad hoc activities such as monthly and weekly report creation. Scheduling meetings with different application teams to understand future application pipelines.

Confidential, Tampa, FL

Security Engineer

Responsibilities:

  • Conducted network vulnerability assessments using tools to evaluate attack vectors, identify system vulnerabilities and develop remediation plans and security procedures.
  • Uncovered high-severity vulnerabilities at the infrastructure level for internet-facing web sites.
  • Conducted vulnerability scanning on both internal and external IPs using OpenVAS and reported the findings.
  • Network scanning using tools such as Nmap and Nessus; DirBuster, Nmap and OpenVAS were used as part of penetration testing on a daily basis to complete the assessments.
  • Performing onsite and remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering and wireless assessment.
  • Performed vulnerability testing using tools such as Nessus and OpenVAS.
  • Execute and craft different payloads to attack the system to find vulnerabilities with respect to input validation, authorization checks, etc.
  • Performing source code analysis to find vulnerabilities at the code level and providing mitigation techniques to the developers.
  • Worked closely with the risk assessment team to provide them with proof of the exploited vulnerabilities for the final report.
  • Used SAST tools (such as HP Fortify and SonarQube) to test source code and bytecode to expose weaknesses in the software before it is deployed.
  • Providing fixes and filtering false findings for the vulnerabilities reported in the scan reports. Adding new vulnerabilities to the vulnerability database for various platforms with proper exploits.
  • Using network monitoring tools to ensure network connectivity and protocol analysis tools to assess and
  • Generated and presented reports on security vulnerabilities to both internal and external customers.
  • Experience in using Kali Linux for vulnerability assessment with tools such as DirBuster, Nessus and Nmap.
  • Responsible for exploiting the critical threats reported during the scanning phase.
  • Reported the final findings, including the successful exploits and the recommendations to rectify them so as to make the network secure.
  • Keep up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
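The payload-crafting and input-validation work described in the bullets above, as an added example that is not the resume author's code. It uses a constructed in-memory SQLite users table and two classic injection payloads against a login query built by string formatting, then runs the same payloads against the query with bound parameters, which is the remediation a developer would be handed alongside the finding. The table contents, payloads and function names are this example's own.

```python
"""Crafted payload versus server-side input handling (added example, not the
resume author's code). A constructed in-memory SQLite users table is queried
the vulnerable way (SQL built by string formatting) and the hardened way
(bound parameters) with the same crafted logins, to show what a finding in
the input-validation category looks like and what the fix is."""
import sqlite3


def make_db():
    """Constructed sample data. Passwords are plaintext placeholders only;
    a real application stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately flawed: user input is spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately,
    so quotes and comment markers in them can never change the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two payloads of the kind crafted during an assessment (constructed here):
# the first closes the quoted literal and comments out the password check,
# the second turns the WHERE clause into a tautology.
COMMENT_PAYLOAD = "alice' --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Run both payloads against both implementations; returns the user each
    login call resolved to (None means access denied)."""
    conn = make_db()
    return {
        "vulnerable_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "safe_comment": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
        "safe_tautology": login_safe(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print("%-22s -> %s" % (case, user or "denied"))
```

The proof-of-exploit for a report is the first two results: the vulnerable query returns a valid user for a wrong password. Note that the tautology payload has to be supplied in both fields here because the `AND` binds tighter than the `OR`; a payload that works in one field of one query will not necessarily work elsewhere, which is why testing is done per parameter.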

Confidential

Security Engineer

Responsibilities:

  • Extensive interaction with the onsite coordinator to understand the business issues and requirements, perform exhaustive analysis and provide end-to-end solutions.
  • Conducting web application vulnerability assessment, threat modeling, gap analysis and secure code review on the applications.
  • Utilize and implement OWASP Top Ten issues, WASC and CWEs in security testing efforts.
  • Analyzing the enterprise's information security environment and recommending security measures to safeguard applications and information assets using threat modeling, OWASP and CWE.
  • Responsible for providing application security consulting and SME support to developers.
  • Utilize QualysGuard as the primary tool to monitor tickets and vulnerabilities.
  • Used SAST tools (such as HP Fortify and SonarQube) to test source code and bytecode to expose weaknesses in the software before it is deployed.
  • Created and defined Nexpose vulnerability scanning rules for assessing security posture and compliance.
  • Perform vulnerability scans using QualysGuard, report findings and create remediation plans.
  • Identification of different application vulnerabilities by using proxies such as Burp Suite to validate the server-side validations.
  • Performed vulnerability assessments using Paros Proxy, Burp Suite, WebScarab, YASCA and Maltego.
  • Expertise in using DAST tools (such as Confidential AppScan, HP WebInspect, Acunetix and Burp Suite Pro) against the running application to probe it in various ways and identify potential vulnerabilities outside the code and in third-party interfaces.
  • Hands-on experience in conducting web application security scans; Confidential AppScan, Burp Suite, DirBuster, HP Fortify and Nmap were used as part of penetration testing on a daily basis to complete the assessments.
  • Providing KT (knowledge transfer) to the development team for a better understanding of vulnerabilities.
  • Other ad hoc activities such as monthly and weekly report creation. Scheduling meetings with different application teams to understand future application pipelines.
  • Assisting the customer in understanding the risk and threat level associated with a vulnerability so that the customer may accept or reject the risk with respect to business criticality.
  • Identifying Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and SANS Top 25 and prioritizing them based on criticality.
  • Assisting in the review of business solution architectures from a security point of view, which helps avoid security issues/threats at an early stage of the project.

Confidential, St Louis, MO

Security Engineer

Responsibilities:

  • Established a vulnerability assessment practice, proactively ensuring the safety of client-facing applications and minimizing client audit findings.
  • Scoring the vulnerabilities based on the CWE / CVSS scoring system.
  • Implemented, configured and managed multiple vulnerability assessment tools such as Nexpose and Nessus.
  • Performing security analysis and identifying possible vulnerabilities in the key derivation function; creating vulnerability assessment reports detailing the exposures identified, rating the severity of the system, suggesting mitigations for any exposures and testing known vulnerabilities.
  • Expertise in using DAST tools (such as Confidential AppScan and Burp Suite Pro) against the running application to probe it in various ways and identify potential vulnerabilities outside the code and in third-party interfaces.
  • Preparation of a risk register for the client's various projects by performing risk assessment using the NIST framework and a quantitative approach.
  • Burp Suite, DirBuster, HP Fortify and Nmap were used as part of penetration testing on a daily basis to complete the assessments.
  • Identification of different application vulnerabilities by using proxies such as Burp Suite to validate the server-side validations.
  • Perform vulnerability scans using QualysGuard, report findings and create remediation plans.
  • Analyzing the enterprise's information security environment and recommending security measures to safeguard applications and information assets using threat modeling, OWASP and CWE.
  • Using network monitoring tools to ensure network connectivity and protocol analysis tools to assess and
  • Hands-on experience in conducting web application security scans using Confidential AppScan, HP WebInspect and Acunetix.
  • Used SAST tools (such as HP Fortify and SonarQube) to test source code and bytecode to expose weaknesses in the software before it is deployed.
  • Providing fixes and filtering false findings for the vulnerabilities reported in the scan reports. Adding new vulnerabilities to the vulnerability database for various platforms with proper exploits.
  • Assisting in the preparation of plans to review software components through source code review or application security review.
  • Assist developers in remediating issues found in security assessments with respect to OWASP standards.

Confidential

Jr.Security Engineer

Responsibilities:

  • Perform threat modeling of the applications to identify threats.
  • Identify issues in the web applications in categories such as cryptography and exception management.
  • Worked on installation, configuration, administration and troubleshooting of LAN/WAN infrastructure.
  • Risk assessment of the application by identifying issues and prioritizing them based on risk level.
  • Within the team, the main focus of work was auditing the application prior to moving it to production.
  • Explaining the security requirements to the design team in the initial stages of the SDLC to minimize the effort of reworking issues identified during penetration tests.
  • Providing remediation guidance to the developers based on the issues identified.
  • Revalidate the issues to ensure closure of the vulnerabilities.
  • Verify that the application has implemented basic security mechanisms such as job rotation, privilege escalation, least privilege and defense in depth.
  • Using various Mozilla Firefox add-ons to assess the application, such as Wappalyzer, Flagfox, Live HTTP Headers and Tamper Data.
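Reading response headers in Live HTTP Headers or a proxy, as in the last bullet above, can be turned into a repeatable check. The following is an added example and not the resume author's code or any add-on's: it parses a raw HTTP response and flags the hardening gaps an assessor typically notes (HSTS lifetime, nosniff, CSP and framing protection, cookie flags, version disclosure). Both responses are constructed, the header names are real but the server and language strings in them are made up, and the thresholds and finding wording are this example's choices rather than any standard's.

```python
"""Automated review of the response headers one would otherwise read in
Live HTTP Headers or a proxy (added example, not the resume author's code).
The two raw responses are constructed for illustration; the checks and
thresholds are this example's choices, not a standard."""
import re

# Constructed weak response: leaks software versions, short HSTS lifetime,
# no framing or CSP protection, and a session cookie without cookie flags.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: ExampleHTTPd/1.2.3\r\n"
    b"X-Powered-By: ExampleLang/7.2\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    b"Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Constructed hardened response: the same page with the findings fixed.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

ONE_YEAR = 31536000  # minimum HSTS max-age this example accepts, in seconds


def parse_response(raw):
    """Return (status_code, headers) for raw HTTP/1.x response bytes. Header
    names are lower-cased; repeated headers such as Set-Cookie are kept as a list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status), headers


def check_headers(headers, is_https=True):
    """Return a list of finding strings for the parsed headers (empty list = clean)."""
    findings = []
    hsts = headers.get("strict-transport-security", [None])[0]
    if is_https:  # HSTS and the Secure flag only make sense on an HTTPS origin
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            m = re.search(r"max-age=(\d+)", hsts)
            if m is None or int(m.group(1)) < ONE_YEAR:
                findings.append("Strict-Transport-Security max-age below one year")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = headers.get("content-security-policy", [None])[0]
    if csp is None:
        findings.append("missing Content-Security-Policy")
    if "x-frame-options" not in headers and not (csp and "frame-ancestors" in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("cookie %s set without HttpOnly" % name)
        if is_https and "secure" not in attrs:
            findings.append("cookie %s set without Secure" % name)
    for leak in ("server", "x-powered-by"):
        # Only a version number counts as disclosure; a bare product name does not.
        if leak in headers and re.search(r"\d", headers[leak][0]):
            findings.append("version disclosure in %s: %s" % (leak, headers[leak][0]))
    return findings


def audit(raw, is_https=True):
    """Parse a raw response and return its findings."""
    _status, headers = parse_response(raw)
    return check_headers(headers, is_https)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label + ":", audit(raw) or ["no findings"])
```

Running the checker over the weak response yields seven findings and over the hardened one none. Each finding string maps directly to a remediation line for the developer, which is what the revalidation bullet above needs: re-run the same check after the fix and confirm the list is empty.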
