Seasoned Lead Information Security Engineer/Consultant with 9+ years of experience in Penetration Testing, Cloud Security, API Security (OAuth 2.0 & SAML), Secure Coding, Web & Mobile Application Security, Database Activity Monitoring (DAM), SIEM, Security Controls and Validation, IT Security Risk Assessments & Regulatory Compliance. Forward-looking professional, mindful of IT risk and growth factors, providing effective and viable approaches to problems that exceed expectations.
Languages: Java, J2EE/JEE, C/C++, C#.NET, Python, CGI/Perl, SQL, ASP.net, Shell Scripting
Operating Systems: Linux, UNIX (Solaris, AIX), Windows Active Directory (AD), iOS, Android.
Security Tools: IBM AppScan, BurpSuite Pro, WebScarab, ZAP proxy, HP Fortify, HP WebInspect, Veracode, DBprotect, App Detective, Checkmarx, Nessus, Nexpose, Nmap, Wireshark, Imperva SecureSphere, Scuba, tcpDump, Metasploit, Kali Linux, SafeNet/Gemalto ProtectDB, ProtectFile.
Database Servers: Oracle, MySQL, SQL Server
Protocols: HTTP, HTTPS, SSL/TLS, SSH, SMTP, IPSec, Secure FTP, DNS, TCP/IP, PKI, VPN, Digital Certificates, Cryptography, Firewalls, ModSecurity, AppSensor
Web Servers and Development:
Lead Information Security Engineer/Consultant
Confidential, Arlington, VA
- Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, BurpSuite, HP WebInspect, and HP Fortify and eliminated false positives.
- Conducted security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10, SANS Top 25). Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking, and SQL Injection related attacks within the code.
- Implemented OAuth 2.0, SAML and Single Sign-On (SSO) for Azure AD and mobile applications used by corporate applications.
- Working knowledge of OSSTMM, OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA and Sarbanes-Oxley Section 404 (SOX).
- Performed the penetration testing of mobile (Android and iOS) applications, specifically, APK reverse engineering, traffic analysis and manipulation, dynamic runtime analysis.
- Worked with Security Operations (SOC) and Incident Response (IR) teams to identify security incidents and followed the process through to resolution. Monitored the security alerts originating from IDS/IPS and DLP.
- Performed security assessments for various types of Operating Systems (O/S) used by the firm. Security audits of RedHat Linux, Unix, SharePoint, Oracle Solaris, SunOne, AD, Ping LDAP, Windows (including Active Directory) and IBM AIX were conducted. Several security control enhancements were recommended.
- Developed Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments.
- Configured SafeNet/Gemalto ProtectDB to enable column level encryption for securing confidential customer data. Installed, configured and deployed SafeNet/Gemalto ProtectFile for securing file shares that contain confidential data.
- Identity and access management (IAM) and network security within SaaS, IaaS, PaaS, IDaaS and other cloud environments.
- Performed code analysis with Checkmarx; strong knowledge of IBM Security Privileged Identity Manager (ISPIM).
- Working knowledge of Splunk in developing search queries, including knowledge objects such as Event Types, Tags, Database Queries, etc.
- Implemented Tripwire to detect unauthorized access to confidential data files in the production environment. Installed and configured Splunk, set up search filters and tags, and helped security teams in investigating security incidents.
- Participated in the development of IT risk assessments for enterprise applications. The NIST Risk Management Framework (RMF) and FISMA were utilized for IT risk assessments.
- Federal Information Security Management Act (FISMA) and Federal Risk and Authorization Management Program (FedRAMP) related engagements for commercial clients.
- Analyzed and designed implementation strategies for PKI encryption technologies and products.
- Assisted in the collection of requirements and contributed Subject Matter Expert (SME) advice in the areas of cloud security architectures, designs, policies, and control standards, with special emphasis on Amazon Web Services (AWS). Proactively engaged staff throughout the client organization to communicate cloud security standards, guidelines and strategies.
- Participated in the implementation of API Security projects.
- Gathered requirements, developed API use cases and scenarios, and worked on application onboarding, API integration and troubleshooting.
- Designed security architecture for web and mobile applications. Reviewed Solution overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
- Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
- Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
- Conducted security audits of web and mobile applications and recommended secure coding practices to the developers. Played the role of an SME for secure coding guidelines for enterprise applications across the business lines.
- Administered cryptography and certificate management, and implemented dual keys to address the segregation-of-duties issue between DBAs and security admins.
- Participated in the development of IT risk assessments for enterprise applications. The NIST framework has been utilized for IT risk assessments and risk analysis.
- Rolled out IBM products such as AppScan Enterprise (ASE), Standard, Source, Developer plug-ins to various development teams across the business lines.
- Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, BurpSuite, Nessus, HP WebInspect, HP Fortify, Checkmarx and eliminated false positives.
- Generated executive summary reports showing the security assessments results, recommendations (CWE, CVE) and risk mitigation plans and presented them to the respective business sponsors and senior management.
- Conducted monthly developer workshops to educate and train developers on secure SDLC, scanning source code using IBM AppScan Source, and triaging and resolving security vulnerabilities.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed Web ACLs (WACLs) for AWS Web Application Firewall (WAF) and configured the rules and conditions to detect security vulnerabilities in CloudFront.
- Worked with DevOps teams to automate security scanning into the build process.
- Reviewed Android and iOS mobile source code manually and recommended code fixes.
- Participated in the Proof of Concept (POC) in implementing Arxan application protection software for Mobile apps.
- Analyzed security incidents originated from various network/application monitoring devices (e.g., Symantec Vontu DLP) and coordinated with engineering teams for tracking and problem escalation, including remediation.
- Developed secure SDLC policies and standards for Web and Mobile apps.
Sr. Security Engineer
Confidential, Madison, WI
- Performed security assessments (asset inventory, scanning, manual code reviews, penetration tests) of applications using HP Fortify, IBM AppScan, Nessus, HP WebInspect and ZAP proxy to verify compliance with policies, standards and best practices, and worked with developers on vulnerability mitigation.
- Participated in the implementation of SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
- Implemented Database Activity Monitoring (DAM) for critical database servers using Imperva Scuba vulnerability scanner.
- Developed Security API and deployed to development teams which helps them write lower risk applications in a secure manner.
- Performed code analysis with Checkmarx; strong knowledge of IBM Security Privileged Identity Manager (ISPIM).
- Worked with Security Operations (SOC) and Incident Response (IR) teams to identify security incidents and followed the process through to resolution.
- Developed correlation rules for Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network security devices to HP ArcSight central logging for alerting and security monitoring.
- Collaborated with global Network, Platform, Engineering, and Dev teams around architecture design and review.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed Web ACLs (WACLs) for AWS Web Application Firewall (WAF) and configured the rules and conditions to detect security vulnerabilities in CloudFront.
- Reviewed security incidents of malicious code and performed root cause analysis to determine the risk and impact of the affected systems.
- Implemented application and database security program and provided subject matter expertise on code reviews, threat intelligence, third party/vendor security, compliance to security standards, and training.
- Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
- Participated in developing project plans and road maps for enterprise wide security projects.
- Identified missing security patches in the infrastructure and provided recommendations for their resolution.
- Prepared technical documentation which included vulnerability reports, checklists, metrics, enrollment forms, DAST & SAST play books and user guides.
- Worked with the Internet Engineering team in the design and configuration of the BlueCoat Internet proxy. Implemented the WebFilter database for URL content filtering.
- Researched, initiated and drove the evaluation of tools, technologies, processes, policies, controls, standards to maintain and enhance the security of applications.
- Participated in the deployment of HP ArcSight Security Incident and Event Management (SIEM) system. Reviewed technical specifications for SIEM, logging and proposed recommendations to improve the overall deployment of the solution.
- Developed a “Database Security and Compliance Life Cycle” program at the enterprise level. This program includes database server discovery, assessment of DB security vulnerabilities, and auditing and monitoring of database activity.
- Developed security compliance programs for IT infrastructure supporting various business lines to facilitate end-to-end compliance with internal and external security standards/regulations.
- Conducted security compliance audits covering Disaster Recovery (DR) simulations and their adherence to security policies and standards (SOX, FFIEC, SysTrust, SSAE 16).
- Performed penetration testing for external facing web applications. Security areas covering DMZ architecture, threat modeling, secure coding practices (i.e., OWASP standards) and vulnerability analysis were assessed.
- Conducted security assessments for various applications supporting various businesses. Web application infrastructure such as IBM WebSphere, Apache Tomcat, and IIS web/application servers was reviewed for compliance with the firm's security baselines.
- Performed security assessments for various types of Operating Systems (O/S) used by the firm. The security audits of RedHat Linux, SharePoint, Oracle Solaris, Windows (including Active Directory) and IBM AIX were conducted. Several security control enhancements were recommended.
- Executed database management system security assessments across all business lines and entities. Database servers such as Oracle, SQL Server and Sybase were reviewed for compliance with global and local security standards.
- Participated in the integrated security design reviews. Reviewed authentication, authorization, security monitoring controls and identified security gaps.
- Implemented MVC architecture by making use of Java Struts, Spring framework.
- Developed complete front & back end using JSPs & Servlets.
- Developed server side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs).
- Automated code deployment to production environment by creating tasks using ANT, Maven deployment tool.
- Developed stored procedures, views and triggers using Oracle PL/SQL.
- Design and implementation of RESTful Web services.
- Developed application presentation layer, which is based on Spring MVC framework involving JSP, Servlets and HTML, CSS.
- Developed this web application to store all system information in a central location. This was developed using Spring MVC, jQuery, JSP, Servlet, Oracle 10g, HTML and CSS.
- Developed Servlets and jQuery to create a fast and efficient chat server.
- Implemented the Scrum Agile methodology for iterative development of the application.
- Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.
- Used the Spring Framework for dependency injection and integrated it with the Hibernate framework for interacting with the Oracle database.