Team Lead Resume

SUMMARY

  • Good in Myappsecurity Threat Modeler and MS SDL tool for SSDLC threat modeling.
  • Worked with OWASP Top 10 Vulnerability standards.
  • Hands on Experience in conducting all different phases of Penetration testing.
  • Strong in different security testing Methodologies like automation & manual.
  • Strong in techniques like SQL Injection, Cross Site Scripting (XSS), CSRF, Session Fixation, Session Hijack & RFI.
  • Good in finding Vulnerabilities in Source Code & Exploiting threats in Design Reviews.
  • Good in Different Hacking Tools like Cenzic Hailstorm, Confidential Web - Inspect, IBM App-Scan, Paros, WebScarab and Various Proxy tools.
  • Having good experience in Web Services Testing using the SoapUI tool for security issues.
  • Having good experience in Mobile Security Testing methodologies and good experience on Android Application Mobile Security.
  • Ability to intercept Object Oriented Programming concept and technologies including, but not limited to: HTML, Java, JavaScript and XML
  • Ability to do manual review on Core Java, JSP, .NET, PHP, JSON, Groovy & Grails, Ruby, Node JS, Angular JS, XML, HTML, SQL, MySQL, ORACLE codebases etc.
  • Strong knowledge of writing SQL Queries, Procedures, Function, Packages and Triggers in SQL Server.
  • Worked on Different Operating Systems LINUX and Windows NT/98/2000/XP/2008 R2 Server.
  • Having experience with Firefox Add-ons like Live Http Headers, Hack bar etc.
  • Prior to Web Application Security, I have good experience in .NET Development Programming and PHP scripting.
  • I have been supporting on weekend on call. I was leading the offshore team.
  • I have trained 15 freshers in my project.
  • Have conducted trainings on Application Security for my WiSSA team across the nation in offshore and in onsite which involved over 15 members.
  • Fair knowledge and experience in Application Security
  • Understanding of Onsite-offshore
  • Self-starter with very good logical skills suitable for process design, data modelling and development.

TECHNICAL SKILLS

Security Code Review: (Checkmarx, Fortify 360, IBM Appscan)

Security Design Review Threat modeling: (Myappsecurity ThreatModeler, MS SDL Threat Modeler, Visio tools)

Penetration Testing: (IBM Appscan, Confidential Web Inspect, Paros, Burp Suite, Wireshark etc.)

Web-Services Testing: (Soap UI tool)

Manual review on: Core Java, JSP, .NET, PHP, JSON, Groovy & Grails, Ruby, Node JS, Angular JS, XML, HTML, SQL, MySQL, ORACLE codebases etc.

PROFESSIONAL EXPERIENCE

Confidential

Team Lead

Responsibilities:

  • Evaluating all my Offshore Team members’ deliverables as per project plan and with good quality.
  • Maintaining Share Point Issue Tracker, Projects Tracker, Trending Analysis for projects, JiRA issue status etc.
  • Follow up with Development teams to get recent functionality changes, their security analysis scheduling and coordinating with Offshore to sync with the account project changes.
  • Working on all internal & external applications of BestBuy containing Web, Web-Services & Flash applications.
  • Evaluating the business requirements, Application Functionality with the Project teams to do assessment.
  • Analyze the application for Security Assessment both manual & automation.
  • Perform validation and verification. Recommend process improvements.
  • Define the timelines to the given application & Conduct the security assessments and Report out the vulnerability findings with remediation process to the development team.
  • Retesting the application for the found vulnerabilities & Post production support.
  • Conducting security trainings to new hires & required development teams.

Confidential

DEVELOPER - L3 / Senior Software Engineer

Responsibilities:

  • Responsible for development, support, maintenance and implementation of small to medium non-complex components of a project module.
  • Worked on AMI Controller and RCS Web applications. And involved in providing end-to-end Application Security.
  • Captured the security requirements from the client; analyzed the design threats in the application; did both manual and automated security code review; performed both manual and automated web application security assessment.
  • Evaluating the business requirements, Application Functionality with the Project teams to do assessment.
  • Analyze the both AMIC and RCS applications for Security Source Code Review.
  • Analyze the both AMIC and RCS applications for Security Assessment both manual & automation.
  • Define the timelines to the given application & Conduct the security assessments and Report out the vulnerability findings with remediation process to the development team.
  • Retesting the application for the found vulnerabilities & Post production support.
  • Conducting security trainings to new hires & required development teams

Environment: Cenzic Hailstorm, Checkmarx, Paros, BurpSuite, TamperIE, Live HTTP Headers etc.

Confidential

Senior Associate

Responsibilities:

  • Worked on all internal & external applications of Ingram containing Web, Web-Services & Flash applications.
  • Evaluating the business requirements, Application Functionality with the Project teams to do assessment.
  • Analyze the application for Security Assessment both manual & automation.

Environment: Internal & External Applications of the Client as per Confidential Security Standards

Confidential

Senior Associate

Responsibilities:

  • Worked on both web and non-web applications of GE Capital, GE Health Care, GE Energy etc.
  • Designing & Evaluating of Test Plans & Test Cases
  • Analyze the application, whether it is a web or non-web application.
  • Perform validation and verification. Recommend process improvements.
  • Prepare the Test Strategy and Conduct the security assessments and Report out the vulnerability findings with remediation process to the development team.
  • Prepare security documents like SOX, Test Strategy & SVAT Report for the applications.
  • Conducting security trainings to new hires & required development teams.

Environment: Proxy tools like Paros, Burp Suite, WebScarab, Live HTTP Headers

Confidential

Application Security Tester

Responsibilities:

  • Worked on Confidential Rack & Power applications like Fish stick Software (Confidential Power Manager 4.2.10), Copperfield (Confidential UPS Module Management 2.1.3), and Brookline PDU (Power Distribution Unit 1.0 & 1.1) of Confidential.
  • Worked on different Server Applications of Confidential Mainly including HPSIM 5.4 & Confidential SMH and all of their Plug-ins
  • Designing & Evaluating of Test Plans & Test Cases
  • Analyze defect data and test results. Create and maintain tests and test records.
  • Develop qualification test procedures, system requirements and test plans.
  • Establish and execute test procedures.

Environment: Confidential Web-Inspect, Paros, Spike Proxy, Wireshark, Agent Ransack, Live HTTP Headers, Grendel-Scan etc.

Confidential

Application Security Tester

Responsibilities:

  • Worked on Internal and External Applications used by the client.
  • Worked on different Applications of client’s including OPS portal, WBDocs, EnCorr and all of their Plug-ins.
  • Designing & Evaluating of Test Plans & Test Cases
  • Analyze defect data and test results.
  • Create and maintain tests and test records.
  • Develop qualification test procedures, system requirements, and test plans.
  • Conduct the security assessments and Report out the vulnerability findings with remediation process to the development team.
  • Conducting security trainings to new hires & required development teams.

Environment: IBM Appscan Enterprise Edition, Paros, Live HTTP Headers, WebScarab, Wireshark, Agent Ransack etc.

Confidential

Security Tester

Responsibilities:

  • Worked on different Applications of client’s including Confidential inbound and outbound web services and all of their Plug-ins.
  • Involved mainly in NMS (Number Management System) and VDC (Validation Data Control) modules testing.
  • Designing & Evaluating of Test Plans & Test Cases and Analyze defect data and test results.
  • Develop qualification test procedures, system requirements, and test plans.
  • Conduct the security assessments and Report out the vulnerability findings with remediation process to the development team.
  • Conducting security trainings to new hires & required development teams.

Environment: Paros, WebScarab, TamperIE, SoapUI, IBM Appscan, Wireshark, Agent Ransack etc.
