SUMMARY:

• An IT professional with 6+ years of experience in Information Security.
• Good experience in Web technologies like HTTP, HTML, CSS, Forms, DatabaseConnectivity.
• Excellent team player, enthusiastic initiator, and ability to learn the fundamental concepts effectively and efficiently.
• Good knowledge in programming and scripting in Python, asp, Java.
• Ability to work in large and small teams as well as independently.
• Expertise in detecting various vulnerabilities comprised over authentication, authorization, input validation, session management, server configuration and information leakage areas.
• Sound knowledge and industry experience in Vulnerability Assessment and Penetration Testing on WEB based Applications, Mobile based application and Infrastructure penetration testing.
• Extensive experience working with Qualys Guard to conduct Network Security assessments.
• Capable of identifying flaws like Security Misconfiguration, Insecure direct object reference, Sensitive data exposure, Functional level access control, Invalidated redirects.
• Developed, implemented and enforced security policies through experience, in - depth knowledge of security software, involved in enhancing the security stature of the project by initiatives like Threat Modeling, Security awareness sessions.
• Excellent programming skills on JavaScript, Python Scripting and Ruby.
• Knowledge in Windows/Linux operating system configuration, utilities and programming.
• Hands on Experience working with LAN and WAN topologies, TCP/IP protocol, routers, switches, and firewalls in Internet, Intranet and Extranet environments.
• Excellent communication, analytical, troubleshooting, customer service and problem solving skills; excels in mission-critical environments requiring advanced decision-making.
• An enthusiastic team player who embodies a strong work ethic, good initiator and utilizes complex solving skills for incident analysis.
• Performed software Licensing audit.
• Having good experience in Secure SDLC and Source Code Analysis (Manual & Tools) on WEB based Applications.
• Experience in implementing security in every phase of SDLC. Excellent knowledge in OWASP Top 10 2010, and WASC THREAT CLASSIFICATION 2.0 methodologies.
• Experience in detecting - SQL injection, XML injection, XSS, CSRF, weak cryptography, techniques to obtain command prompts on the servers, PDF exploits, HTTP response splitting attacks, web services vulnerabilities, Anonymity(TOR) traffic identification, authentication flaws etc.
• Experience in using a wide variety of security tools to include Nmap, Kali-Linux, Wireshark, Lophtcrack, Snort, Cain and Abel, Nitko, Dirbuster, IBM App scan, Nessus, Open Vas, W3AF, Etthercap, Maltego, Acunetix, Metasploit, Burp Suite, SQLmap, OWASP ZAP Proxy and HP Fortify.
• Experience with scheduling firewall policy provisioning and user interaction to identify connectivity related issues.
• Experience in different web application security testing tools like Acunetix, Metasploit, Burp Suite, Sqlmap, OWASP ZAP Proxy and HP Fortify.
• As a Security Consultant involved in enhancing the security stature of the project by initiatives like Threat Modelling, Security awareness sessions.
• Good experience in Manual penetration testing of the applications and APIs to identify the OWASP Top 10 vulnerabilities, CWE and SANS 25.
• Reporting the identified issues in the industry standard framework.
• Simulate how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
• Experience in software Licensing audit.

TECHNICAL SKILLS:

Web Application: Manual SQL Injection, Manual Cross Site Scripting(XSS), Cross site request forgery (CSRF), SQLmap

Network Enumeration: Maltego, Google Hacking, DNS, SMB, LDAP.

Port/Vulnerability Scanning: Nmap/Nmap Scripting Engine (NSE), Netcat, Nessus

Sniffing/ManintheMiddle: Wireshark, Ettercap, Cain

Web Application Vulnerability Scanning: OpenVAS, Vega, Acunetix, HP Web inspect, IBM AppScan.

Server/ClientSide Exploitation: Metasploit, Social Engineering Toolkit (SET).

Password Cracking: Hydra, Rainbow Crack, 0phcrack, John the Ripper, Pyrit

Debuggers: Ollydbg, WinDBG.

Wireless: Aircrack-NG Suite and Kismet.

Tools: IBM AppScan Standard Edition, HP Web Inspect, Acunetix, Burp proxy, Parosproxy, Wire shark, OWASP, Web Scarab, map, Metasploit, Burp Suite, SQLmap, OWASP ZAP Proxy and HP Fortify, DIR-Buster, Acunetix Web Scanner, SQL Injection Tools, Havij, CSRF Tester AND Kali Linux, Fortify, veracoad, Webgoat SSL implementation, RSA implementation, PKI (Public key infrastructure) Encryption algorithms

Platforms: Windows 98/2000/XP/Vista/Windows 7/Windows 10, Windows Server 2000/2003/2008

Database: My SQL 5.0

Packages: MSOffice

Network Tools: NMap, Wire Shark, Nessus, Qualys Guard

WORK EXPERIENCE:

Confidential, NJ

Security Consultant

Responsibilities:

• Performed security research, analysis and design for all client computing systems and the network infrastructure.
• Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
• Vulnerability Assessment of various web applications used in the organization using Paros Proxy, Burp Suite, and Web Scarab, YASCA, HP Webinspect.
• Coordinate with development team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
• Security testing of APIs using SOAP UI.
• Experience in using Kali Linux to do web application assessment with tools like Dirbuster, Nikto, and Nmap.
• Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP, Dirbuster, Qualysguard, Qualys VM and WAS, Nessus, SQLMap for web application penetration tests and infrastructure testing.
• Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
• Capturing and analyzing network traffic at all layers of the OSI model.
• Monitor the Security of Critical System (e.g. e-mail servers, database servers, Web Servers, Application Servers, etc.).
• Change Management to highly sensitive Computer Security Controls to ensure appropriate system administrative actions, investigate and report on noted irregularities.
• Conducted network Vulnerability Assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans and Security Procedures.
• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality.
• This experience has enabled me to find and address security issues effectively, implement new technologies and efficiently resolve security problems with having strong network communications, System & Application Security(software) background looking forward for implementing, creating, managing and maintaining information security frameworks for large scale challenging environments.

Environment: Metasploit, Burp Suite, SQL Map, Kali Linux, IBM App Scan, OWASP Top 10, and SANS Top 25, Wireshark, Nessus Security Center, IDS reports, CVSS Scores, Plan against Phishing Attacks, PKI enabled Applications, Network and Security.

Confidential, Kentuchy, KY

Security Consultant

Responsibilities:

• Conducted application penetration testing on several business applications.
• Performed functional testing of security solutions like RSA two factor authentication, Novel single sign on, DLP and SIEM.
• Worked on various business development activities like drafting response to RFP's and preparing SOW's documents.
• Acquainted with various approaches to Grey & Black box security testing.
• Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
• Identifying the critical, High, Medium, Low vulnerabilities in the web applications based on OWASP Top10 and prioritizing them based on their criticality.
• Conducted security assessment of PKI Enabled Applications.
• Good knowledge on IBM Appscan to enhance the web application security.
• User ID reconciliation on quarterly basis.
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing system.
• Threat modeling of the Project by involving before development and improving the security at the initial phase.
• STRIDE assessment of the applications during the design phase, identifying the threats possible and providing security requirements.
• Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
• Good knowledge in programming and scripting in .net, Java.
• Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
• Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.

Environment: RSA 2-factor Authentication, Novell Single Sign-on, Data Loss Prevention (DLP), John the Ripper, RainbowCrack, Hydra, Ophcrack, network traffic at all layers of OSI model, NIDS, Application Firewall, Paros Proxy, SQL Map, Burp Suite, WebScarab, Yasca, Maltego and Kali Linux

Confidential

Security Consultant

Responsibilities:

• Working in collaboration of both networking and security teams.
• Scheduled a Penetration Testing Plan throughout the organization and completed all the tasks in the given time frame.
• Performed pen tests over different business applications and network devices of the organization.
• Conduct penetration tests on systems and applications using automated and manual techniques with tools such as Metasploit, Burp Suite, IBM App Scan, Kali Linux, and many other open source tools as needed. Work with support teams to address findings as a result of the tests.
• Performed vulnerability scanning using Nessus Security Center and maintained clear documentation for every report that is generated.
• Performed vulnerability analysis over wired and wireless networks.
• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS Top 25 and prioritizing them based on the criticality.
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing system.
• Performed static code reviews with the help of automation tools.
• Performed a threat analysis on the new requirements and features.
• Burp Suite, DirBuster, Hp Fortify, N-map, SQL Map tools were used as part of the penetration testing, on daily basis to complete the assessments.
• Establishing and improving the processes for privileged user access request.
• Promoted a new and cost effective Plan against Phishing Attacks and successfully reduced the volume of phishing mails up to 60%.
• Proactively conducted research, analyze, and report on trends in certain activities, vulnerabilities, reported attack methods and known exploits that could impact network and information assets.
• Conducted attack analysis on the IDS reports to detect the attacks and reported the analysis.
• Conducted security assessment of PKI Enabled Applications.
• Performed penetration testing over the enterprise systems to audit the standards to comply with ISO Standards.
• Conducted Pre-IAM Assessments and created detailed reports displaying prioritized findings, demonstration of exploits, and explanation of compromise impacts, and recommendations for mitigation.
• Executed live packet data capture using Wireshark to examine security flaws in the network devices.
• Given presentations to client over their security issues and potential solutions for those problems.
• Used CVSS Scores to create reports demonstrating the severity of the existing vulnerabilities and was helpful to prioritize the course of implementation depending on the severity of the vulnerabilities.
• Documented a Closure Document detailing my findings and recommendations for security improvement and patch management.

Environment: Vulnerability Assessment, Application level vulnerabilities, PKI Enabled Applications, Burp Suite, IBM App Scan, Acunetix Automatic Scanner, N-map, Havij, DirBuster, SQL Map, Paros Proxy, Web Scrab, Yasca, HP Web Inspect.