SUMMARY

• Dynamic InfoSec professional with 5+ years of work experience and Master’s degree in Information Assurance.
• Strong experience of Web - application Security - web application vulnerability assessments, penetration testing.
• Ability to conduct penetration testing for well-known technologies and known security flaw concepts (SQL injection, XML injection, XSS, CSRF, IDOR, Path Traversal, etc.)
• Experienced in Testing Client Server applications and Web based application using both Manual and Automated testing tools.
• Experience in information security policies, network security design and implementation.
• Experienced in Black box, White box, responsive design, and exploratory testing, PKI Encryption algorithms.
• Experienced on vulnerability assessment and penetration testing using various tools like Burp Suite, OWASP ZAP Proxy, NMap, Nessus, Qualysguard, OpenVAS, Nexpose, Wireshark, DirBuster, w3af, Havij, Maltego, Foca, Colasoft, Nikto web scanner, HTTrack, WebScarab, sqlmap, etc.
• Strong experience in using VAPT tools on Kali Linux platforms, like Metasploit Framework, & Armitage.
• Strong experience on assessing and mitigating OWASP top 10 critical risks.
• Good understanding of Vulnerability scanning, Patching techniques, O/S Hardening, NIST, CIS benchmark creation.
• Experienced working on Simulators and emulators, cross browser testing like Fire Fox, Google Chrome, Safari and internet explorer using proxy management tools like FireSheep, FoxyProxy.
• Strong understanding about control objectives and PCI DSS Compliance requirements - payment card industry data security standards. (PCI-DSSv3.2).
• Strong understanding on wireless security with hands-on experience using Kismet.
• Monitored and mitigated threats from intrusion detection systems, firewall logs, proxy logs, Security Risk Management with TCP-based networking and user reports.
• Good knowledge on SIEM & Log analysis tools like Splunk.
• Strong knowledge in handling business unit requests, ensuring CIA (Confidentiality, Integrity, and Availability) of customer and Company data and providing solutions without disruptions in services.
• Good knowledge on mobile application security assessments using security tools and Android studio 2.2.
• Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.
• Involved in Software development Life cycle (SDLC) to ensure security controls are in place.
• Extensive experience in creating Dashboards, Reports, Queries, Asset Groups, Alerts, using Common Vulnerability scoring system (CVSS).
• Generated and presented reports on Security Vulnerabilities to both internal and external customers.
• In depth understanding about risk assessment, penetration testing framework, Business continuity planning (BCP), & Disaster recovery (DR).
• Ability to convey complex technical security concepts to technical and non-technical audiences including executives.
• Highly self-motivated, with strong interpersonal, written, and oral communication skills.

TECHNICAL SKILLS

Tools: Kali Linux, Burp Suite, Wire shark, OWASPZAP, Metasploit framework, Armitage, SOAPUI, SQLmap, DIRBuster, WebScanner, Maltego, Havij, w3af, Foca, Colasoft, Nikto, HTTrack, WebScarab, SQLmap, Paros Proxy, SET, bwapp, Recon-ng, Kismet, Firewalk, NMap, Wire Shark, Nessus, QualysGuard, OpenVAS, Nexpose

Platforms: Kali Linux, BackTrack, Windows 98/2000/XP/Vista/Windows 7, Windows Server 2000/2003/2008

Database: MySQL 5, Oracle10g, 11g, SQL Server 05/2008.

Packages: MSOffice

PROFESSIONAL EXPERIENCE

Confidential

Web Applications Penetration Tester

Tools: Kali Linux, Metasploit, Armitage, BurpSuite, DirBuster, Maltego, Nessus, SQLmap, w3af, WebScanner, OpenVAS, QualysGuard, Nmap, Havij, foca, Wireshark.

Responsibilities:

• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 prioritizing them based on the criticality.
• Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
• Vulnerability Assessment of various web applications used in the organization using Paros Proxy, Burp Suite, Foca, Metasploit framework, Kali Linux, WebScarab, & Nessus.
• Security testing of APIs using SOAP UI.
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing system by performing Vulnerability assessment and pen testing for our clients.
• Perform security reviews of application designs, source code and deployments as required, covering all types of applications (web application, web services, mobile applications, thick client applications, SaaS)
• Played vital role in Vulnerability Management/Security position.
• Threat modeling of the Project by involving before development and improving the security at the initial phase.
• Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
• Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
• Collaborate with business units to determine continuity requirements.
• Conduct business impact analysis for vital functions, document recovery priorities of the key process, applications and data.
• Establish disaster recovery testing methodology.
• Plan and coordinating the testing of recovery support and business resumption procedures while ensuring the recovery and restoration of key IT resources and data and the resumption of critical system within the desired timeframe.
• Regularly performed research to identify potential vulnerabilities in and threats to existing technologies, and provided timely, clear, technically accurate notification to management of the risk potential and options for remediation.
• Developed, implemented, and documented formal security programs and policies.
• Involved in report writing using standardized method for rating IT vulnerabilities and determining the urgency of response. (CVSSv2.0 Calculator.)

Confidential

Security Analyst

Tools: BurpSuite, DirBuster, SQLmap, Nexpose, Nessus, Nmap, Wireshark, WebScanner, WebScarab, Nikto, Colasoft, HTTrack.

Responsibilities:

• Perform application and infrastructure penetration tests, as well as physical security review and social engineering tests for our clients.
• Acquainted with various approaches to Grey box & Black box security testing.
• Analyzed product requirements, outlined test plans and conducted tests.
• Identified vulnerabilities of applications by using proxies like Burp Suite to validate the server side validations.
• OWASP Top 10 Issues identifications like SQLi, CSRF, XSS, XML injection, Path traversal, IDOR, and file upload vulnerabilities.
• Executed different payloads to attack the system using XSS.
• Identified issues on sessions management, Input validations, output encoding, Logging, Exceptions, Cookie attributes, Encryption, Privilege escalations.
• Identified security issues on DOM (Document Object Model) based environments.
• Provided and validated the controls on logging like Authentication, profile modification, logging details, log retention, duration, log location, synchronizing time source, HTTP logging.
• Experience in detecting - SQL injection, XML injection, techniques to obtain command prompts on the servers, PDF exploits, HTTP response splitting attacks, CSRF, web services vulnerabilities, Anonymity (TOR) traffic identification - DOS pattern identification using Artificial Intelligence algorithms etc.
• Identified vulnerabilities, recommend corrective measures and ensure the adequacy of existing information security controls.
• The ability to balance risk mitigation with business needs.
• Performing web and URL filtering using various filtering tools and also analyzing various TCP/IP protocols.
• Conducted penetration testing and security tests and formulated scripts to test systems.
• Provided detailed reports on the findings of network and application penetration tests including mitigation and remediation activities.
• Verified the remediation results by performing the security assessments of the identified vulnerability.