
Application Security Engineer Resume


Reston, VA

SUMMARY:

  • 6 years of experience in the IT industry as a web application security professional. Specialized in information technology assurance, web application security, application security controls and validation, regulatory compliance and the Secure Software Development Life Cycle (Secure SDLC).
  • Experience in developing and implementing information security policies and guidelines per OWASP (Open Web Application Security Project) and SANS secure coding guidelines.
  • Hands-on experience in vulnerability assessment and penetration testing using tools such as Burp Suite, Fiddler, ZAP Proxy, sqlmap, HP WebInspect, IBM AppScan, Checkmarx and HP Fortify.
  • Experience in identifying SQL injection, script injection, XSS, phishing and CSRF attacks.
  • Involved in the Secure Software Development Life Cycle (Secure SDLC) process.
  • Substantial understanding of and experience with the SSDLC, effectively applied across a number of consulting engagements.
  • Hands-on with DAST, SAST and manual ethical hacking.
  • Create detailed assessment reports with remediation recommendations, present findings to clients and re-test the security issues.
  • Vulnerability assessment includes analysis of bugs in N-tier applications across various domains using both manual and automated tools.
  • Excellent oral and written communication, interpersonal, negotiation, judgment, decision-making, analysis and problem-solving skills.

TECHNICAL SKILLS:

Web Application: Acunetix Web Vulnerability Scanner, IBM AppScan, ZAP, HP WebInspect, Paros, Fiddler2, Burp Suite, FortyDB

Servers and Databases: MSSQL, Oracle

Web Services Testing: SoapUI and SOAtest tools for web services security

Tracking tools: Bugzilla, QC Trac, Team Forge

Network Auditing: Nessus, GFI LANguard, Nmap

Web Technologies: HTML, Web services, XML

Languages: C, C++, Java, Python, SQL, x86, VBA, JavaScript

PROFESSIONAL EXPERIENCE:

Confidential, Reston, VA

Application Security Engineer

Responsibilities:
  • Performed web application security/penetration testing in accordance with OWASP standards using manual techniques and automated tools.
  • Recommended best practices for securing the application.
  • Communicated and coordinated day-to-day project activities within the project team and ensured that priorities were developed and known.
  • Provided assistance to IT staff, provided security specifications for all vendor products and evaluated all requests for security architecture.
  • Assessed risk and evaluated the impact of technology changes in processes; maintained knowledge of all security systems and deployed all required infrastructure.
  • Managed repeated threats to all systems and performed vulnerability tests.
  • Evaluated all systems, recommended application patches, suggested appropriate security products, performed regular audits on systems and ensured compliance with all standards and policies.
  • Vulnerability assessment using Nessus and other monitoring tools.
  • Built enterprise risk dashboards and generated reports as needed for the organization.

Environment: WebInspect, Burp Suite, Nmap, Nessus, GRC tools, Archer, Windows, Linux

Confidential, Blue Bell, PA

Application Security Engineer

Responsibilities:
  • Conducted application penetration testing of 20+ business applications.
  • Conducted vulnerability assessments of web applications.
  • Responsible for leading the research, mitigation and coordination of actions designed to reduce information security risk across the internet-facing presence.
  • Coordinated with the dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of each issue.
  • Security assessment of online mobile applications to identify vulnerabilities in categories such as input and data validation, authentication, authorization, auditing and logging.
  • Kept up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
  • Created clear communication and collaboration with internal and external teams.
  • Performed onsite and remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment and IDS/IPS hardware deployment.
  • Responsible for performing application penetration testing on web, thick client and other types of applications to identify significant vulnerabilities that threaten the confidentiality, integrity and availability of customer systems.
  • Change management of highly sensitive computer security controls to ensure appropriate system administrative actions; investigated and reported on noted irregularities.
  • Conducted network vulnerability assessments using tools to evaluate attack vectors, identified system vulnerabilities and developed remediation plans and security procedures.
  • Identified Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and SANS 25 and prioritized them by criticality.

Environment: ASP, Kali Linux, Nessus, Nmap, Metasploit, HP Fortify, HP WebInspect

Confidential

Application Penetration Testing

Responsibilities:
  • Established a vulnerability assessment practice, proactively ensuring the safety of client-facing applications and minimizing client audit findings.
  • Performed security analysis and identified possible vulnerabilities in the key derivation function; created vulnerability assessment reports detailing the exposures identified, rating the severity of the system, suggesting mitigations for any exposures and testing known vulnerabilities.
  • Real-time experience in SQL injection protection, XSS protection, script injection and major hacking protection techniques.
  • Addressed and integrated security in the SDLC using techniques such as threat modeling, risk management, logging and penetration testing.
  • Provided fixes and filtered false findings for the vulnerabilities reported in scan reports.
  • Added new vulnerabilities to the vulnerability database for various platforms with proper exploits.
  • Scanned networks, servers and other resources to validate compliance and security issues using numerous tools.
  • Assisted in preparing plans to review software components through source code review or application security review.
  • Assisted developers in remediating issues from security assessments with respect to OWASP standards.

Confidential

Web Application Security Engineer

Responsibilities:
  • Identification of OWASP Top 10 issues such as SQLi, CSRF and XSS.
  • Prepared the risk registry for the client's various projects.
  • Trained the development team on secure coding practices.
  • Conducted research, mitigation and coordination of actions designed to reduce information security risk across the internet-facing presence.
  • Provided details of the identified issues and the remediation plan to stakeholders.
  • Verified the existing controls for least privilege, separation of duties and job rotation.
  • Involved in a major company merger and provided insights on separating different clients' data and securing PII.
  • Identified application vulnerabilities using proxies such as Burp Suite to validate server-side validation.
  • Executed and crafted different payloads against the system to carry out XSS and other attacks.
  • Used sqlmap to dump database data to a local folder.
  • Identified issues in session management, input validation, output encoding, logging, exception handling, cookie attributes, encryption and privilege escalation.
