Lead Information Security Engineer Resume
New York, NY
SUMMARY:
- Lead Security Engineer with around 9 years of experience. Responsible for the overall security posture of the organization including Application Security, Security Architecture & Design, Cloud Security, Security Investigation, Third Party Vendor Assessments, Network Security, Penetration Testing and Secure Coding.
- In-depth knowledge of Mobile Application Security, Application Security Controls and Validation, IT Risk Assessments, Continuous Integration (CI) and Continuous Delivery (CD) and Automation of Vulnerability Scanning (DevSecOps), Incident Response (IR), Regulatory Compliance (NIST, PCI-DSS, CIS, FFIEC, HIPAA, SOX) and Secure Software Development Life Cycle (secureSDLC).
TECHNICAL SKILLS:
Checkmarx, Contrast Security, BurpSuite Pro, WebScarab, Nexpose, ZAP proxy, Microfocus Fortify, Microfocus WebInspect, IBM AppScan, Veracode, DBprotect, AppDetective, Splunk Enterprise Security, Nessus, Nmap, Symantec DLP, EnCase Endpoint Security, Wireshark, Imperva SecureSphere, Scuba, tcpDump, Metasploit, Kali Linux, Gemalto ProtectDB, ProtectFile.
Java, J2EE/JEE, C/C++, C#.NET, Python, CGI/Perl, SQL, ASP.net, Shell Scripting
Linux, UNIX (Solaris, AIX), Windows Active Directory (AD), iOS, Android.
HTTP, HTTPS, SSL/TLS, SSH, SMTP, IPSec, Secure FTP, DNS, TCP/IP, PKI, VPN, Digital Certificates, Cryptography, Firewalls, ModSecurity, AppSensor
Amazon Web Services (AWS) Cloud Security
Apache Tomcat, IIS, Nginx, iPlanet, JBoss, WebLogic, WebSphere, MFA, HTML, SSO, SAML, OAuth 2.0, OpenID, JavaScript, AJAX, XML, jQuery, JSON, CSS, ANT, Maven, SVN, Git, RCS, Eclipse, Visual Studio, REST, SOAP, WSDL, MVC, Spring, SOA, Struts, Hibernate, SharePoint.
PROFESSIONAL EXPERIENCE:
Lead Information Security Engineer
Confidential, New York, NY
Roles and Responsibilities:
- Conducted security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10). Specifically, security testing has been performed to identify XML External Entity (XXE), DOM-based Cross-Site Scripting (XSS), Clickjacking, and SQL Injection related attacks within the code.
- Developed Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments.
- Implemented Security Group Policies for Elastic Compute Cloud (EC2) instances within AWS. Developed AWS Service Roles to protect Identity Provider access.
- Participated in the implementation of Virtual Private Cloud (VPC). Implemented multiple layers of security, including security groups and network access control lists (NACLs), to control access to Amazon EC2 instances in each subnet.
- Participated in the implementation of data tokenization in various environments to ensure compliance with regulations.
- Developed AWS Security Groups to control traffic to various instances in the Cloud.
- Developed authentication and authorization policies for S3 buckets in AWS. Also, encrypted data stored in S3 buckets using AWS KMS.
- Performed the penetration testing of mobile (Android and iOS) applications, specifically, APK reverse engineering, traffic analysis and manipulation, dynamic runtime analysis.
- Expertise in full-scale Ethical Hacking/Penetration Testing practice. Participated in Pen Testing and Ethical Hacking activities on identified tasks.
- Automated the security scanning process (DevSecOps) in the build environment with a CI/CD pipeline using Jenkins, Maven, Gradle and GitHub tools.
- Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, Microfocus Fortify and Checkmarx and eliminated false positives.
- Conducted monthly developer workshops to educate and train developers on secureSDLC.
- Implemented Multifactor Authentication (MFA) for AWS root accounts, including password rotation policies. Set up Access Keys and Secret Access Keys for newly created users.
- Developed security requirements for applications and infrastructure deployed in the Cloud. Ensured that Cloud security best practices have been followed.
- Actively collaborated with other security team members, product teams, and other stakeholders to help create and maintain software-based security controls in line with industry best practices and specific business requirements.
- Extensively worked with stakeholders including enterprise security leadership to track open issues and follow up to resolution, and ensured that security-hardened tech stacks were used for development and production.
- Performed dynamic and static analysis of web and mobile applications (iOS and Android) using IBM AppScan Enterprise, Standard and Source editions.
- Worked with DevOps teams to automate security scanning into the build process.
- Developed secure standard control libraries for use by development teams across the organization using Java and .NET, and provided software solutions to help mitigate front-end security vulnerabilities.
- Reviewed source code and identified security vulnerabilities manually as well as with scanning tools. The code written in Java/J2EE/Spring/JSP/JavaScript has been reviewed.
- Implemented column level encryption for securing confidential customer data. Utilized SafeNet ProtectDB for encryption and decryption of the data.
- Designed security architecture for web and mobile apps. Reviewed architecture flow diagrams to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
- Developed threat modeling framework for critical applications to identify potential threats during the design phase of applications. The STRIDE methodology has been utilized for identifying the threats.
- Administered cryptography, certificate management and maintained key rotation.
- Participated in the development of IT risk assessments for enterprise applications. The NIST framework has been utilized for IT risk assessments.
- Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Checkmarx, Developer plug-ins to various development teams across the business lines.
- Generated executive summary reports showing the security assessments results, recommendations (CWE, CVE) and risk mitigation plans and presented them to the respective business sponsors and senior management.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Implemented security for IaaS, PaaS and SaaS and made sure the security best practices have been applied.
- Reviewed Android and iOS mobile source code manually and recommended code fixes.
- Analyzed security incidents originating from various network/application monitoring devices (e.g., Symantec DLP) using Splunk and coordinated with Engineering teams for tracking and problem escalation, incident response (IR), including remediation.
- Performed security incident analysis and investigations using EnCase Endpoint Security, Investigator tools and Splunk Enterprise Security. The Incident Response (IR) procedures have been documented and published to the respective teams.
- Developed secureSDLC policies and standards for Web and Mobile apps. Various industry standards have been utilized such as NIST, CIS Benchmarks, OpenSAMM, and FFIEC.
Sr. Security Engineer
Confidential, Charlotte, NC
Roles and Responsibilities:
- Performed pen testing of both internal and external networks as per PCI-DSS standards. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store credit card information.
- Conducted Web Application Vulnerability Assessment & Threat Modelling, Gap Analysis, and secure code review on the applications.
- Hands-on with Secure Coding, Penetration Testing, DAST, SAST and manual ethical hacking.
- Reviewed security vulnerability reports for applications and databases, analyzed and worked extensively with the development teams for the implementation of mitigating controls.
- Implemented IBM AppScan standard, source editions, HP WebInspect, Nessus, and QualysGuard web application scanners. In addition, the security tools Metasploit and BurpSuite were utilized for manual penetration testing.
- Performed security assessments for the client-facing apps. The associated IT infrastructure such as database management systems, middleware systems, web services (SOA) were also included in the security assessments.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed Web ACLs for AWS Web Application Firewall (WAF) and configured the rules and conditions to detect security vulnerabilities in CloudFront.
- Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web, mobile applications, including database and middleware systems.
- Performed architecture design reviews and solution overview reviews to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
- Extensively worked with stakeholders including enterprise security leadership to track open issues and follow up.
- Implemented Splunk Enterprise Security including correlation rules, forwarders, dashboard reports, notable events, glass tables, and pattern discovery.
- Conducted manual source code reviews of external facing applications, including iOS and Android mobile apps. Reviewed the key areas of confidential and sensitive data stored on the mobile devices and made recommendations to secure customers' PII and PCI data.
- Conducted pen testing for the Web Services (SOA), applications and networks.
- Reported security findings, recommendations and presented to the business users, executive committee and Compliance departments.
- Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
- Performed Static and Dynamic Analysis and Security Testing (SAST and DAST) for various applications as per firm’s security standards (i.e., OWASP, SANS 25).
- Developed threat models for the applications and IT infrastructure.
- Worked with software development teams, DB/Unix administrators and solution architects as a subject matter expert related to security compliance with PCI DSS 3.2 and industry standards.
- Worked with the Internet Engineering team in the design and configuration of the BlueCoat Internet proxy. Implemented the WebFilter database for URL content filtering.
- Developed security policies and baselines for mobile and web applications. Performed compliance audits to ensure security policies and baselines have been adequately implemented.
- Participated in the implementation of SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
- Developed correlation rules for Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring. Experience with Splunk in investigating various logger events related to security incidents.
- Performed PCI pre-assessment audit for the entire network as well as the related applications in preparation for the annual external PCI compliance audit.
Security Engineer
Confidential, Durham, NC
Roles and Responsibilities:
- Performed the tasks of designing Advanced Security & Management Solutions for the organization.
- Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
- Performed dynamic and static analysis of web application using IBM AppScan
- Well versed in various vulnerabilities and attacks at the application level: OWASP Top 10, SQL Injection, XSS, CSS, LDAP injection, XPath injection, etc.
- Conducted regular reviews of global security incidents and reports, and communicated updates to the internal teams.
- Deployed and configured Symantec Data Loss Prevention (DLP) for both data in transit and data at rest.
- Crafted and executed different payloads against the system to test for XSS and other attacks.
- Identified database security vulnerabilities using the sqlmap pen testing tool.
- Performed IT Risk Assessment services and provided solutions to mitigate the risks identified and reported.
- Conducted security assessments for various applications supporting Corporate & Investment Banking, Loan, Treasury, Equities and FI businesses. The web application infrastructure such as IBM WebSphere, Apache Tomcat, and IIS web/application servers were reviewed for compliance to firm’s security baselines.
- Developed correlation rules for Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring.
- Ensured that the operation, design, and management of information systems are in accordance with the standards of the organization.
- Established and maintained a framework to ensure that information security policies, technologies and processes are aligned with the business regulations of the organization.
- Identified and applied innovative security practices to enhance the global operations of the organization.
- Performed risk assessments and defined strategies to address the identified risks.
- Ensured that risk identification, mitigation controls and analysis are integrated into application life cycle and change management processes.
- Performed PCI-DSS (3.2, 3.1) pre-assessment audit for the entire network as well as the related applications in preparation for the annual external PCI compliance audit.
Application Developer
Confidential
Roles and Responsibilities:
- Implemented MVC architecture by making use of Java Struts, Spring frameworks.
- Implemented the Struts framework (Action & Controller classes) for dispatching requests to the appropriate classes.
- Used simple Struts Validation for validation of user input as per the business logic and initial data loading.
- Developed Java Server Pages (JSPs) and Servlets in the web tier and EJBs in the business tier.
- Client side validation was done using JavaScript and CSS was used to define the view of the pages.
- Implemented business logic using Session Beans.
- Implemented data access objects using Entity Beans.
- Created RESTful web services for pushing data to downstream systems.
- Used JMS/TIBCO for synchronous/asynchronous communication and sending updates to various other applications.
- Developed the user interface using JSPs, HTML, JavaScript, and CSS stylesheets.
- Designed Tables, Indexes, Stored Procedures, Functions and Triggers for the database.
- Involved in different phases of Software Development Lifecycle (Agile methodology) such as Requirement Analysis, Design and Development.
- Developed the application using JBoss.
- Coded Ant build scripts to build and deploy the application on JBoss on Unix.