Application Security Analyst Resume
SUMMARY:
- IT security professional with 7 years of experience in security architecture, vulnerability assessment and penetration testing for web services and cloud platforms.
- Expertise in manual exploitation and mitigation of security findings, including but not limited to the OWASP Top 10 and SANS Top 25.
- Experienced in black-box and white-box penetration tests, threat modelling, security architecture, vulnerability detection and remediation.
- Utilized dynamic and static analysis techniques to assess internal and third-party applications for security vulnerabilities.
- Ran vulnerability scans using WebInspect, IBM AppScan, QualysGuard, Retina, Nessus, Burp Suite and Metasploit auxiliary modules.
- Performed industry-standard vulnerability severity and risk ranking using CWE and CVSS.
- Performed intrusion prevention and detection using Snort and Suricata.
- Reverse engineered third-party applications and developed proof-of-concept exploits; assisted developers in remediation efforts.
- Threat modelled new features and designed controls to ensure web applications are secure.
- Provide security expertise in authentication, authorization, auditing, secure storage, encryption, input validation and secure database communication.
- Review application architecture and make recommendations to improve the enterprise security posture; integrate assessments with SDLC and project management cycles.
- Experienced in implementing security automation and in working with the global security community.
- Excellent communication and presentation skills and a proven ability to communicate threats and facilitate progress toward long-term remediation.
- Experienced at mentoring, communicating goals and other corporate initiatives, and driving to results.
TECHNICAL SKILLS:
Operating Systems: - Linux and Windows.
Programming Languages: - C++, C#, Java, ASP.NET, Python, Scala
Threat Modeling: - Microsoft Threat Modeling Tool (TMT), OWASP Threat Dragon
Static Analysis Tools: - HP Fortify, IBM AppScan Source, Veracode, Checkmarx.
Dynamic Analysis Tools: - IBM AppScan, WebInspect, Retina, Acunetix, Netsparker, QualysGuard
Network Security Testing Tools: - Nmap, Nessus
Proxy Tools: - Burp Suite, ZAP, Paros
Other Tools: - SSLDigger, SSLSmart, SSLScan, Snort, Suricata
PROFESSIONAL EXPERIENCE:
Application Security Analyst
Confidential
Responsibilities:
- Worked under the direction of the FedRAMP implementation team lead to implement static and dynamic code analysis of product software using scanning tools.
- Responsible for reviewing scanning tool results, identifying false-positive findings, and configuring and tuning the scanning tools to improve report accuracy.
- Worked with security team members and software developers to run code analysis tools, analyze tool reports, remove inaccuracies and iteratively modify tool configurations to achieve more accurate scan results going forward.
- Worked with IT to implement software scanning tools for each required product environment.
- Worked with cross-functional teams and developers to integrate the Checkmarx and Rapid7 application scanning tools into Jenkins, so that scans run iteratively and results are examined, cleaned up and reported to the appropriate software development engineers.
- Responsible for ongoing configuration improvements to the Checkmarx static code analysis tool.
- Responsible for ongoing configuration improvements to the Rapid7 InsightAppSec dynamic analysis tool.
- Responsible for identifying security defects in code for development engineers to remediate.
Application Security Consultant
Confidential - Louisville, KY
Responsibilities:
- Performed manual penetration attack simulations to identify and exploit security flaws.
- Integrated threat modelling (STRIDE/DREAD) into the SDLC process.
- Assessed AWS components, including APIs and middleware microservices, to establish security confidence.
- Integrated AWS applications with a Jenkins CI/CD pipeline and performed automated security tests.
- Performed manual and automated static code analysis using Fortify and Checkmarx.
- Performed mobile application security assessments on Android and iOS platforms.
- Performed detailed and thorough static and dynamic analysis on Android and iOS platforms.
- Used Android Studio to create Android emulators and performed penetration testing using Burp Suite.
- Performed reverse engineering of mobile applications (Android).
- Designed security test suites for in-scope web-based applications.
- Performed interception attacks using web proxies such as Burp Suite, ZAP and Paros.
- Experienced in Agile/Scrum methodology.
- Performed intrusion detection using Snort and Suricata.
- Experienced in detecting malware on cloud platforms using signature- and dictionary-based methods.
- Performed dynamic vulnerability assessments using QualysGuard, WebInspect and IBM AppScan.
- Leveraged automated security analysis integrated within the development workflow and worked to improve the accuracy and coverage of these tools.
- Worked with engineers and project managers on systems programming teams to include security in their workflows.
- Provided security recommendations as a subject matter expert for development teams during all phases of development (code reviews, architecture reviews).
- Developed test plans for security verification and assisted development teams with security testing methodologies and tools (penetration testing).
- Monitored platform security and assisted the team in making continuous improvements.
- Engaged hands-on with cross-functional application teams to improve and extend the security frameworks.
- Worked on improving the security posture of applications by working closely with product teams and developers from each Amplify division.
- Defined business requirements, architectural standards and risk assessments, and reported them back to stakeholders (risk vs. severity).
- Responsible for completing static, dynamic and penetration testing (SAST, DAST, pen test) across all environments of Android platforms and Google in-house devices.
- Responsible for analyzing automation reports and documenting the respective errors and the reason for each failure.
Application Security Engineer
Confidential - Santa Clara, CA
Responsibilities:
- Performing black-box, grey-box and white-box testing.
- Threat modelling new features and designing controls to ensure mobile applications are secure.
- Performing static source code analysis with HP Fortify, IBM AppScan Source and Veracode.
- Collaborating with the development team to remediate vulnerabilities identified in web-based applications.
- Designing robust and secure application architectures.
- Performing network penetration testing using Nessus and QualysGuard.
- Performing port scans and SSL/TLS version scans using Nmap and SSLScan respectively.
- Communicating identified vulnerability findings to clients and recommending mitigations.
- Preparing the test setup, security test area coverage definition, test plan and test cases for new features or implementations.
- Evaluating how the application protects data in use, in transit and at rest.
- Performing manual penetration testing to exploit and mitigate security threats such as CSRF, XSS and SQL injection.
- Assessing and risk-classifying identified vulnerabilities based on security impact, likelihood and business risk.
- Developed tools and internal frameworks for web/mobile application security based on the OWASP Top 10; created threat models as part of the SDLC for 100+ web applications.
- Developed system architecture for cloud-based (AWS/Azure) deployments of commercial-grade applications.
- Developed infrastructure automation tools for continuous patch deployment on routers and switches; conducted penetration testing exercises on cyber-physical systems (SCADA) with a hit rate of 88%.
