Penetration Tester Resume

Des Moines, IA

SUMMARY

  • 5 years of experience in web application testing, vulnerability assessments and penetration testing across different domains.
  • Penetration testing based on the OWASP Top 10.
  • Analyze the results of penetration tests, design reviews, source code reviews and other security tests.
  • Good knowledge of identifying vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), Insecure Direct Object Reference, Security Misconfiguration and others.
  • Experience using a wide variety of security tools, including Kali Linux, Metasploit, Burp Suite Pro, Wireshark, L0phtCrack, Snort, Nmap, Nmap NSE, Cain and Abel, Nikto, DirBuster, IBM AppScan, HP Fortify, HP WebInspect, Nessus, OpenVAS, w3af, BeEF, Ettercap, Maltego, Wi-Fi security tools, SoapUI, ReadyAPI, FOCA, Havij, Yersinia, Recon-ng and the Aircrack-ng suite.
  • Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, avoiding security by obscurity, keeping security simple and fixing security issues correctly.
  • Strong knowledge of manual and automated security testing for web applications.
  • Experience performing dynamic and static application security testing (DAST & SAST).
  • Good experience in exploiting identified vulnerabilities.
  • Experience in threat modeling during the requirements gathering and design phases.
  • Experience with security risk management for TCP-based networking.
  • Experience with TCP/IP, firewalls and LAN/WAN.
  • Quick learner and committed team player with interpersonal skills; enjoy a challenging environment with scope to improve myself and contribute to the organization.
  • Excellent problem-solving and leadership abilities.
  • Experience in web UI development using HTML 4.0/5, XHTML, DHTML, CSS/CSS3, JavaScript, jQuery, AJAX, JSON and XML.
  • Knowledgeable about the Document Object Model (DOM) and DOM functions, with experience in object-oriented programming concepts and object-oriented JavaScript.
  • Worked on Responsive Web Design (RWD) and implemented basic Twitter Bootstrap and Angular.js.

PROFESSIONAL EXPERIENCE

Confidential, Des Moines, IA

Penetration Tester

Responsibilities:

  • Conducted application penetration testing of 50+ internal and external business applications of PFG.
  • Identified Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and prioritized them by criticality.
  • Followed up with development teams on recent functionality changes, scheduled their security analysis, and coordinated with my team to stay in sync with project changes.
  • Acquainted with various approaches to grey-box and black-box security testing.
  • Performed vulnerability assessments and penetration testing on different applications weekly.
  • Discovered application-level vulnerabilities such as injection flaws (SQL injection, command injection, etc.), Cross-Site Scripting (XSS), CSRF, authentication bypass, improper access controls, authentication flaws, privilege escalation, sensitive information disclosure and more.
  • Defined timelines for each application, conducted the security assessments, and reported the vulnerability findings with the remediation process to the development team.
  • Conducted security assessments on web applications, APIs, thick-client applications and embedded devices, both in-house developed and vendor applications.
  • Identified issues in session management controls such as server-side session state, session termination, session ID randomness, expiration, unique tokens, concurrent logged-in sessions and session fixation prevention.
  • Reviewed application vulnerability reports from vendors.
  • Worked closely with developers and architects to help the team fix issues identified in AVA tests.
  • Used Burp Suite Pro, Nmap & Nmap Scripting Engine (NSE), Gobuster/DirBuster, IBM AppScan, Postman with Burp for API testing, ReadyAPI, ZAP, IronWASP, dnSpy, the Sysinternals suite and SQLMap for web application penetration tests and infrastructure testing.
  • Performed onsite and remote security consulting, including penetration testing, application testing, web application security assessment and onsite internet security assessment.
  • Performed bug triage and worked with developers to fix the High/Critical and Medium issues identified.
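The session-management controls listed above (ID rotation at login, cookie attributes, expiration, uniqueness and randomness of session IDs) are the ones a tester verifies against captured Set-Cookie headers. The following Python script is an added example, not code from this resume or from any employer named on it: it runs those checks over constructed headers and session IDs, and the thresholds it uses (64 bits of estimated entropy, an 8-hour maximum lifetime) are assumptions chosen for the demonstration.

```python
"""Checks for the session-management controls a pentester verifies by hand.

Added example, not code from the resume above. The Set-Cookie headers and
session IDs at the bottom are constructed test data, and the thresholds
(64 bits of estimated entropy, 8-hour maximum lifetime) are assumptions.
"""
import re
from collections import Counter
from math import log2
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into name/value plus lowercase attributes.

    Flag attributes (Secure, HttpOnly) map to an empty string; presence is
    what matters, so callers test with `"secure" in cookie`.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def estimate_entropy_bits(ids: List[str]) -> float:
    """Crude per-character Shannon entropy times average ID length.

    This only measures symbol distribution and cannot prove unpredictability
    (a counter rendered in hex scores well), so pair it with looks_sequential().
    """
    chars = "".join(ids)
    counts = Counter(chars)
    total = len(chars)
    per_char = -sum(c / total * log2(c / total) for c in counts.values())
    return per_char * (total / len(ids))


def looks_sequential(ids: List[str]) -> bool:
    """True when every ID ends in digits that form one consecutive run."""
    tails = [re.search(r"(\d+)$", i) for i in ids]
    if len(ids) < 2 or not all(tails):
        return False
    nums = sorted(int(m.group(1)) for m in tails)
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def check_session_controls(pre_login: str, post_login: str, sampled_ids: List[str],
                           max_age_limit: int = 8 * 3600, min_bits: int = 64) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    before, after = parse_set_cookie(pre_login), parse_set_cookie(post_login)

    # Session fixation: the ID issued before login must not survive login.
    if before["value"] == after["value"]:
        findings.append("session fixation: ID not rotated after authentication")

    # Transport and script-access protections on the authenticated cookie.
    for key, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
        if key not in after:
            findings.append(f"missing {label} attribute")
    if "samesite" not in after:
        findings.append("missing SameSite attribute")

    # Expiration: an explicit lifetime longer than the policy limit is a finding.
    if "max-age" in after:
        try:
            age = int(after["max-age"])
        except ValueError:
            findings.append("unparseable Max-Age")
        else:
            if age > max_age_limit:
                findings.append(f"session lifetime {age}s exceeds {max_age_limit}s")

    # Uniqueness and randomness of issued IDs.
    if len(set(sampled_ids)) != len(sampled_ids):
        findings.append("duplicate session IDs issued")
    if looks_sequential(sampled_ids):
        findings.append("session IDs are sequential (predictable)")
    bits = estimate_entropy_bits(sampled_ids)
    if bits < min_bits:
        findings.append(f"low session ID entropy: ~{bits:.0f} bits (< {min_bits})")
    return findings


# Constructed samples: a weak application and a hardened one (not real captures).
WEAK_PRE = "JSESSIONID=sess1001; Path=/"
WEAK_POST = "JSESSIONID=sess1001; Path=/; Max-Age=604800"
WEAK_IDS = ["sess1001", "sess1002", "sess1003", "sess1004"]

STRONG_IDS = [
    "9f3a7c1e2b8d4e6f0a5c3d7b1e9f2a4c",
    "4d2e8b6a1f9c3e7d5b0a2c4e6f8d1a3b",
    "b7e1d3f5a9c2e4b6d8f0a1c3e5b7d9f2",
    "0c5e9a3d7f1b4e8c2a6d0f3b5e9c1a7d",
]
STRONG_PRE = "sid=3e1f5a7c9b2d4e6f8a0c1d3b5e7f9a2c; Path=/; Secure; HttpOnly; SameSite=Lax"
STRONG_POST = f"sid={STRONG_IDS[0]}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"

if __name__ == "__main__":
    for label, pre, post, ids in (("weak", WEAK_PRE, WEAK_POST, WEAK_IDS),
                                  ("strong", STRONG_PRE, STRONG_POST, STRONG_IDS)):
        print(label, check_session_controls(pre, post, ids) or ["no findings"])
```

The entropy estimate is deliberately crude and is only a screening check: on a real engagement the randomness claim rests on a large sample (thousands of IDs, as Burp Sequencer collects), and the fixation check should be repeated for every authentication path, including password reset and SSO callbacks.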

Environment: IBM AppScan for vulnerability assessments on web applications, followed by manual methods using tools in Kali Linux, Burp Suite, Nmap Scripting Engine, Nikto, ReadyAPI and Postman.

Confidential - Los Angeles, CA

Penetration Tester

Responsibilities:

  • Conducted application penetration testing of internal and external business applications.
  • Security code review and penetration testing for all internal and external applications of Confidential.
  • Followed up with development teams on recent functionality changes, scheduled their security analysis, and coordinated with my team to stay in sync with project changes.
  • Worked on different types of vulnerability assessment reports, both tool-generated and from manual penetration testing, and presented them.
  • Trained the development team on the identified vulnerabilities and the remediation process.
  • Acquainted with various approaches to grey-box and black-box security testing.
  • Discovered application-level vulnerabilities such as injection flaws (SQL injection, command injection, etc.), Cross-Site Scripting (XSS), CSRF, authentication bypass, cryptographic attacks, authentication flaws, etc.
  • Defined timelines for each application, conducted the security assessments, and reported the vulnerability findings with the remediation process to the development team.
  • Conducted security assessments of PKI-enabled applications.
  • Used Burp Suite Pro, Acunetix automated scanner, Nmap & Nmap Scripting Engine (NSE), Havij, DirBuster, IBM AppScan, Nessus and SQLMap for web application penetration tests and infrastructure testing.
  • Performed onsite and remote security consulting, including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment and IDS/IPS hardware deployment.
  • Captured and analyzed network traffic at all layers of the OSI model using Wireshark.
  • Monitored the security of critical systems (e.g. e-mail servers, database servers, web servers, application servers).
  • Managed changes to highly sensitive computer security controls to ensure appropriate system administrative actions; investigated and reported on noted irregularities.
  • Conducted network vulnerability assessments using tools to evaluate attack vectors, identify system vulnerabilities, and develop remediation plans and security procedures.

Security Tools: IBM AppScan for vulnerability assessments on web applications, followed by manual methods using tools in Kali Linux, Burp Suite, HP WebInspect, Nessus, Nmap Scripting Engine, etc.

Confidential - Sunnyvale,CA

Pen Tester

Responsibilities:

  • Analyzed applications for security assessment, both manual and automated.
  • Performed validation and verification; recommended process improvements.
  • Conducted application penetration testing of 15+ business applications of the client.
  • Defined timelines for each application, conducted the security assessments, and reported the vulnerability findings with the remediation process to the development team.
  • Proficient in understanding application-level vulnerabilities such as XSS, SQL injection, CSRF, authentication bypass, weak cryptography, authentication flaws, etc.
  • Skilled in using Burp Suite, Acunetix automated scanner, Nmap, Havij and DirBuster for web application penetration tests.
  • Used Burp Suite, DirBuster and IBM AppScan on a daily basis for vulnerability assessments, followed by manual penetration tests on applications.
  • Generated and presented reports on security vulnerabilities to both internal and external customers.
  • Retested applications for the reported vulnerabilities and provided post-production support.
  • Security assessment of online applications to identify vulnerabilities in categories such as input and data validation, authentication, authorization, and auditing and logging.
  • Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebScarab, YASCA and HP WebInspect.
  • Trained the development team on the most common vulnerabilities and common code review issues, and explained the remediation.
  • Followed up on raised vulnerabilities and ensured 100% closure by revalidating them.
  • Kept up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.

Tools: Acunetix, HP WebInspect and Nessus for scanning web applications, and Burp Suite and other tools to find the vulnerabilities.

Confidential - Chicago, IL

Security Engineer

Responsibilities:

  • Identified Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10.
  • Performed penetration tests on different applications each week.
  • Prepared a security testing checklist for the company.
  • Ensured all security controls are covered in the checklist.
  • Identified vulnerabilities such as file upload, path traversal, SQL injection and more, and helped the development team fix the issues.
  • Updated the checklist on a weekly basis to ensure all test cases are current with the attacks happening in the wild.
  • Provided detailed knowledge transfer to the development team for a better understanding of vulnerabilities.
  • Gathered information on applications using sites such as Shodan, reverse DNS lookups and Hackertarget.com.
  • Used various Firefox add-ons such as Flagfox, Wappalyzer, Live HTTP Headers and Tamper Data to perform the pen tests.
  • Performed network vulnerability assessments using tools to evaluate attack vectors, identify system vulnerabilities, and develop remediation plans and security procedures.
  • Network scanning using tools such as Nmap and Nessus.
  • Used the Metasploit Framework to exploit network-based vulnerabilities.
  • Took the initiative to streamline the access control mechanism of various applications.

Environment: Nmap/Zenmap to scan the network from both internal and external, and some Metasploit modules for scanning. Live HTTP Headers and Tamper Data for the application testing.

Confidential

Security Tester

Responsibilities:

  • Involved in web application vulnerability assessment, threat modeling, gap analysis and secure code review of the applications.
  • Extensive interaction with the onsite coordinator to understand business issues and requirements, perform exhaustive analysis and provide end-to-end solutions.
  • Performed multiple levels of testing before production to ensure a smooth deployment cycle.
  • Helped the lead security engineer write scripts to automate network scans.
  • Security review of all impacted and non-impacted issues.
  • Prepared reports on the findings and action items to fix the identified vulnerabilities.
  • Other ad hoc activities such as monthly and weekly report creation; scheduled meetings with the SVPs of different applications to understand future application pipelines.
  • Assisted customers in understanding the risk and threat level associated with a vulnerability so that they may accept or reject the risk with respect to business criticality.
  • Assisted in reviewing business solution architectures from a security point of view, which helps avoid security-related issues and threats at an early stage of the project.

Environment: Nmap/Zenmap to scan the network from both internal and external, and some Metasploit modules for scanning. Live HTTP Headers and Tamper Data for the application testing.
