
Application Security Analyst Resume

Owings Mills, MD

SUMMARY:

  • Experienced IT professional with 6+ years of experience in Information Security/Risk Analysis and penetration testing.
  • Experience in penetration testing of web/mobile applications in different domains like Healthcare, PCI and Telecom.
  • Good experience in Secure SDLC and Source Code Analysis (Manual & Tools).
  • Experience with compliance frameworks and requirements like PCI and HIPAA.
  • Experience in vulnerability assessment and penetration testing using various tools like Burp Suite Pro, OWASP ZAP Proxy, NMap, Nessus, Metasploit, IBM AppScan and HP WebInspect.
  • Monitor compliance with and ensure enforcement of all PCI DSS, ISO and NIST requirements as applicable to the organization, and implement Privileged Access Controls.
  • Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, defence in depth, avoiding security by obscurity, keeping security simple and fixing security issues correctly.
  • Working knowledge of the BDD-Security framework and the OWASP DevSecOps Studio project.
  • Prepared various documentation on BDD security testing and OWASP covering various security test scenarios.
  • Prepared documents on functional and non-functional security validations.
  • Experience with Security Risk Management with TCP-based networking. Good knowledge of firewalls and LAN/WAN.
  • Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
  • Involved in vulnerability assessment, patch management and penetration testing using various tools like QualysGuard, Burp Suite, DirBuster, IBM AppScan, NMAP, Nessus, SQLMap, Acunetix, WebInspect, Wireshark.
  • Implemented Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments.
  • Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
  • Subject matter expertise (SME) in integrating various security controls, policies & procedures, enforcement of workflow, access permissions, and reverse engineering business processes to facilitate enterprise compliance and efficiencies.
  • Experience with security monitoring tools and SIEMs such as AlienVault USM (Unified Security Management) and Splunk Enterprise.
  • Knowledge of FISMA, NIST standards and guidelines, and general Information Security and Privacy requirements.
  • Experience in analysis of system, firewall and IDS/IPS logs to identify indications of security events.
  • Inquisitive, good in basic concepts and an excellent team player.

TECHNICAL SKILLS:

Tools: HP Fortify, HP WebInspect, IBM AppScan, Checkmarx, Veracode, Black Duck, YASCA, Burp Suite, DirBuster, Splunk, SQLMap, AlienVault USM, OWASP ZAP Proxy, NMap, Nessus, Kali Linux, Nexpose, AppSpider, Metasploit, Acunetix, Wireshark, Snort.

Programming Languages: Shell, Python, SQL, PHP, JAVA

Web Technologies: HTML, CSS, XML, JavaScript

Operating Systems: Kali Linux, GNU/Linux, Windows 7/10

PROFESSIONAL EXPERIENCE:

Confidential, Owings Mills, MD

Application Security Analyst

RESPONSIBILITIES:

  • Perform security reviews of application designs, source code and deployments as required, covering all types of applications (web applications, web services, mobile applications, SaaS).
  • Uncovered high vulnerabilities at the infrastructure level for internet-facing websites.
  • Identifying Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and SANS 25 and prioritizing them based on criticality.
  • Maintain network performance by performing network monitoring and analysis, performance tuning and troubleshooting of network problems. Skilled in using Burp Suite, Acunetix Automatic Scanner, NMAP, DirBuster, HP Fortify, QualysGuard, IBM AppScan, WebInspect, Nessus and SQLMap for web application penetration tests and infrastructure testing.
  • Manage and maintain Jenkins integration jobs to support application security automation.
  • Detect the full spectrum of known cyber-attacks (e.g., DDoS, malware, phishing, ransomware and others) along with any security and compliance violations.
  • Provide software security support related to Fortify and WebInspect, and remediation guidance to dev teams.
  • Security assessment of online applications to identify vulnerabilities in different categories like input and data validation, authentication, authorization, auditing and logging.
  • Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
  • Conducted Static and Dynamic Application Security Testing (SAST and DAST).
  • Onboard new log sources with log analysis and parsing to enable SIEM correlation. Analyzed large datasets to identify metrics, drivers, performance gaps and opportunities for improvement.
  • Work with internal resources to develop SOPs for different levels of SIEM reporting.
  • Stay up to date with new attacks and the latest vulnerabilities to ensure no such loopholes are present in the existing system by performing vulnerability assessment and pen testing for our clients.
  • Experience in using Kali Linux to do web application assessment with tools like DirBuster and NMAP.
  • Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, authentication bypass, authentication flaws and exception management etc.
  • Using various Firefox add-ons like Flagfox and Live HTTP Headers to perform the pen test.

Environment: AppScan Source, Burp Suite, SQLMap, Splunk, Nessus, Nmap, AppSpider, AccuRev, Jenkins, JAVA.

Confidential, Warren, NJ

Application Security Analyst

RESPONSIBILITIES:

  • Regularly performed research to identify potential vulnerabilities in and threats to existing technologies, and provided timely, clear, technically accurate notification to management of the risk potential and options for remediation.
  • Conduct application security vulnerability assessment and penetration testing using IBM AppScan Standard and Enterprise versions.
  • Conducting Web Application Vulnerability Assessment, Threat Modelling and secure code review on the applications with the respective guidelines.
  • Worked extensively with software development teams to review the security vulnerabilities generated by IBM AppScan, Burp Suite, HP WebInspect and HP Fortify, and eliminated false positives.
  • Conducted secure code reviews using automated tools and manual techniques.
  • Worked on preparing the risk registry for various projects at the client and verified it against a checklist.
  • Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
  • Identifying Critical, High, Medium and Low vulnerabilities in the web applications based on the OWASP Top 10 and prioritizing them based on their criticality.
  • Planning, conducting and reporting vulnerability and risk assessments of applications. Explained the risk associated with each vulnerability to the project team for better understanding and guided the project team towards its closure/remediation.
  • Performed vulnerability testing, application security, database security and penetration testing against various technologies like Ajax, Flash and web services.
  • Identification of injection, business logic, authentication, session management and related flaws in applications, and describing attack scenarios and the associated risk to the business.

Environment: HP Fortify, HP WebInspect, Black Duck, Burp Suite, Charles Proxy, Eclipse, Nessus, Archer, Jenkins, GitHub, JAVA.

Confidential, Auburn Hills, MI

Information Security Engineer

RESPONSIBILITIES:

  • Conducting Web Application Vulnerability Assessment, Threat Modeling and secure code review on the applications with the respective guidelines.
  • Experience using Burp Suite, DirBuster and NMap on a daily basis to complete the assessments.
  • Identified issues in session management, input validation, output encoding, logging, cookie attributes, encryption and privilege escalation.
  • Classify Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and prioritize them based on criticality.
  • Perform dynamic scans using IBM AppScan and provide the report of identified issues to development teams.
  • Performed IDS/IPS mitigation/response and vulnerability scanning in support of internal and PCI requirements.
  • Respond to alerts from various monitoring systems and platforms to address potentially malicious events in a timely manner.
  • Worked with software development teams to review the vulnerabilities generated by IBM AppScan and eliminated false positives.
  • Perform static code analysis using Veracode and coordinate with application teams and the source code review team to remediate the vulnerabilities.
  • Responsible for assessing the controls to identify gaps, and for designing and analyzing segregation of duties and least privilege for the application.
  • Validate session management, input validation, protocol controls, cryptography, logging and information leakage.
  • Provide remediation steps to application teams and retest the fixed issues to ensure closure.
  • Implementation of security into the SDLC via application risk assessment, requirements gathering, design review and application vulnerability assessment.
  • Perform validation on the design of features like authentication, authorization and accountability.
  • Involved actively in the release management process to ensure all changes to the application had gone through security assessment.
  • Initiated reconciliation of exceptions and minimized the count of exceptions in the projects.

Environment: Burp Suite Pro, DirBuster, Veracode, IBM AppScan, Acunetix, NMap, Wireshark, JAVA, ASP.NET, MySQL, Microsoft Visual Studio, Snort.

Confidential, Dallas, TX

Application Security Engineer

RESPONSIBILITIES:

  • Established a vulnerability assessment practice, proactively ensuring the safety of client-facing applications and minimizing client audit findings.
  • Classify Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and prioritize them based on criticality.
  • Conducted vulnerability assessments and penetration testing using Nessus and WebInspect.
  • Perform responsibilities of installing, configuring and monitoring the network security system of the organization.
  • Validated the controls on authentication logging, profile modification logging, logging details, log location and HTTP logging.
  • Performed semi-automated and manual web application and network penetration testing utilizing multiple tools, including but not limited to Burp Suite, Netsparker, Tenable Nessus, SQLMap, WebInspect, custom scripts, HP Fortify, NMAP and other tools within the Kali Linux toolset.
  • Real-time experience with DoS, DDoS, SQL injection protection, XSS protection, script injection and major hacking protection techniques.
  • Implement security awareness training and spot-check compliance via phishing and USB drops.
  • Perform static and dynamic application security testing and report issues to the concerned application teams.
  • Researched and analysed known hacker methodology, system exploits and vulnerabilities to support Red Team assessment activities.
  • Responsible for setting up Web Application Firewalls (WAF) for SQL injection and HTTP conversations.
  • Created written reports detailing assessment findings and recommendations.
  • Assisting in preparation of plans to review software components through source code review or application security review.
  • Assist developers in remediating issues from security assessments with respect to OWASP standards.
  • Plan, coordinate and implement network security measures to protect data, software and hardware, such as Palo Alto and Check Point firewalls.
  • Web application firewall (WAF) rule development and implementation.
  • Troubleshoot systemic patch deployment problems and remediate identified problems.
  • Responsible for evaluating and developing approaches to provide solutions in areas of network security issues.
  • Identify malicious or anomalous activity based on event data from firewalls, WAF, IPS and other sources.
  • Perform privileged access reviews, compliance reporting, access control processes and other tasks associated with Privileged User Management.
  • Craft and execute different payloads against the system to carry out XSS and other attacks.
  • Verified the existing controls for least privilege, separation of duties and job rotation.
  • Ensured accuracy in creating information security documents in compliance with NIST standards.
  • Perform static code analysis using Veracode and coordinate with application teams and the source code review team to remediate the vulnerabilities.

Environment: HP Fortify, Black Duck, Burp Suite, SQLMap, Nessus, Nmap, Nexpose, AppSpider, Jenkins, JAVA.

Confidential

Systems Engineer/Penetration Tester

RESPONSIBILITIES:

  • Conducting Web Application Vulnerability Assessment & Threat Modelling, Gap Analysis and secure code review on applications.
  • Acquainted with various approaches to Grey & Black box security testing.
  • Doing multiple levels of testing before production to ensure a smooth deployment cycle.
  • Performed vulnerability testing using tools such as Nessus and QualysGuard.
  • Maintain network performance by performing network monitoring and analysis, performance tuning and troubleshooting of network problems.
  • Experience using Burp Suite, Acunetix Automatic Scanner, NMAP, DirBuster, QualysGuard, Nessus and SQLMap for web application penetration tests and infrastructure testing.
  • Created custom rules in the WAF and SIEM based on the events logged, to minimize false positives.
  • Extensive interaction with the customer in understanding the business issues and requirements, doing exhaustive analysis and providing end-to-end solutions.
  • Configured, managed, monitored and analyzed IDS/IPS signature attacks, firewall logs, system, application and security event logs for comprehensive security monitoring and vulnerability management.
  • Incorporated information security requirements into other IT processes (change management, quality assurance, SDLC, log and SIEM monitoring etc.).
  • Application security review of all the impacted and non-impacted issues.
  • Assisting the customer in understanding the risk and threat level associated with a vulnerability so that the customer may or may not accept the risk with respect to business criticality.
  • Identifying Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and SANS 25 and prioritizing them based on criticality.
  • Ensuring compliance with legal and regulatory requirements.
  • Security monitoring to identify any possible intrusions.
  • Guiding the developers in fixing the issues by simulating the attack.
  • Conducting penetration testing of web applications and networks.
  • Performing penetration testing on internal systems with the use of popular penetration testing tools like Nessus, Wireshark and Metasploit.
  • Handled documentation and metrics reporting.
  • Executed daily vulnerability assessment, threat assessment, mitigation and reporting activities in order to safeguard information assets and ensure protection has been put in place on the systems.
  • Assist in vulnerability remediation efforts across various projects by proposing remediation strategies and Plans of Action.
  • Found common web site security issues (XSS, CSRF, session fixation, SQL injection, information leakage, application logic etc.) across various platforms.
  • Provided oral briefings to leadership and technical staff as necessary.

Environment: Burp Suite Proxy, DirBuster, Wireshark, Nessus, NMap, Metasploit, Kali Linux, SQLMap, JAVA, PHP, MySQL, Apache.
