SUMMARY:

• An Information Security Professional with experience of 5+ years as penetration tester and vulnerability assessments on different applications in different domains. Adept at running tests aimed at deciphering system weaknesses and providing suggestions to overcome them.
• Excellent knowledge in CWE, OWASP, SANS 25, STRIDE and WASC THREAT CLASSIFICATION 2.0 methodologies.
• Profound knowledge of network architectures, operating systems, application software and cyber security tools.
• Experience in vulnerability assessment and penetration testing using various tools like Burp suite, DirBuster,OWASP ZAP Proxy, NMap, Nessus, Kali Linux, Metasploit, Acunetix, Wire shark.
• Having good experience in Secure SDLC and Source Code Analysis (Manual & Tools) on WEB based Applications.
• Hands on experience in working with Cryptography principles.
• Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
• Experience in working with LAN and WAN topologies, routers, switches, and firewalls in Internet, Intranet.
• Knowledge of managing information assurance evaluation tests.
• Proficient in ensuring continuous enhancement of existing methodologies and supporting assets.
• Vulnerability Assessment covers analysis of bugs in various applications spread across N - tier on various domains by using both manual and Automation tools.
• Good knowledge on Mobile Applicationdevelopment, Cloud services models (SaaS, PaaS, IaaS) and deployment models ( Private, Public, Hybrid, and Community ).
• Manual Penetration Testing Experience it includes mapping applications, injecting SQLi, XSS, exploit creation.
• Knowledge in Windows/Linux, Unix operating system configuration, utilities and programming.
• Excellent knowledge in hardware, software, and networking technologies to provide a powerful combination of analysis, implementation, and support.
• Experience on Virtual Private Network (VPN) for operating Network and Data Centre.
• Knowledge on IBM Appscan to enhance the web application security.
• Excellent Knowledge on security support processes for technical requests with required tools.
• Good Experience in exploiting the recognized vulnerabilities.
• Conducted presentations to clients projecting the security services offered by the firm.
• Expertise in Microsoft Office Suite specifically Word, Excel, PowerPoint, Visio, and SharePoint.
• Design & Integration experience on security information and event management solutions(SIEM).
• Strong experience in organizational information assurance, risk assessment, management, and decision making, cyber defence strategies, response to system compromise, and legal and regulatory compromise.

TECHNICAL SKILLS:

Programming languages: Python, PHP, Java.

Web technologies: HTML, CSS, XML, JavaScript, web services

Operating system: Kali Linux, GNU/Linux, Windows

Testing Tools: SOAP UI and SOA Test tools for web services security.

Tracking Tools: Bugzilla, QC Trac, Team Forge

Servers and databases: MSSQL, Oracle, MySQL

Web Application tools: IBM Appscan, Zap, HP Web Inspect, WhiteHat, Fiddler2, Burp suite, Blackduck, Hailstorm, FortyDB, DirBuster, OWASP ZAP Proxy, kali Linux, Metasploit, Accunetix, HP Fortify, Wireshark, Sqlmap, Sql ninja, haviji, Tcpdump.

Network Auditing/ ITGRC Assessment: Nessus, NMAP and Sys-internal Tools, Symantec ESM, Hydra, Wireshark.

PROFESSIONAL EXPERIENCE:

Confidential, Barre, Vermont

Penetration tester

Responsibilities:

• Performed Penetration Testing in following with OWASP standards and WADS guidelines, using manual techniques and open source tools.
• Perform attack simultaneouslyon company systems and web applications to determine and exploit security flaws.
• Coordinate with development team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
• Identifying security issues and risks, and develop mitigation plans.
• Performed live packet data capture with Wire shark to scan security flaws.
• Handle flows from “black box” to “grey box” to “white box” testing according to client’s needs.
• Define requirements for information security solutions and perform reviews of application designs and source code.
• Reviewed policies and act like a Subject Matter Expert on best practice.
• Verified SSL authentication for secure applications development on Web Servers.
• Performed dynamic and static analysis of web application using IBM AppScan.
• Analyze systems for potential vulnerabilities with the help of Qualys VM that may result from improper system configuration, hardware, or software flaws.
• Conducted white/gray box penetration testing using Kali Linux, Cobalt Strike for OWASP top 10 Vulnerabilities like XSS, SQL Injection, CSRF, Privilege Escalation and all the test-case of a web application security testing.
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing system.
• Used LDAP injection techniques of exploiting Web applications that use client supplied data.
• Reviewed security documentation and made recommendations. Assisted in conference call meeting with Development teams to mitigate vulnerability findings.
• Port scanned servers using NMAP and closed all unnecessary ports to reduce the attack surface.
• Vulnerability assessment with the use of Nessus and other monitoring tools.
• Performed live packet data capture with Wire shark to examine security flaws.
• Ran vulnerability and compliance scanning on test machines and reviewed security standards including defining Minimum Security Baseline for the client.
• Design, develop and implement penetration tools and tests use existing ones to handle penetration testing activities.
• Work on improvements for security services and provide feedback and verification about existing security issues.
• STRIDE assessment of the applications during the design phase, identifying the threats possible and providing security requirements.
• Good knowledge in programming and scripting in .net, Java.
• Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.

Confidential, North Canton, OH

Security Engineer

Responsibilities:

• Conducted application penetration testing of 50+ business applications.
• Conducted Vulnerability Assessment of Web Applications.
• Performed functional testing of security solutions like RSA two factor authentication, Novel single sign on, DLP and SIEM.
• Acquainted with various approaches to Grey & Black box security testing.
• Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
• Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP, Havij, DirBuster, Qualysguard, Nessus, SQL map for web application penetration tests and infrastructure testing.
• Performing onsite & remote security consulting including penetration testing, application testing web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
• Capturing and analyzing network traffic at all layers of the OSI model.
• Monitor the Security of Critical System (e.g. e-mail servers, database servers, Web Servers, Application Servers, etc.).
• Change Management to highly sensitive Computer Security Controls to ensure appropriate system administrative actions, investigate and report on noted irregularities.
• Conduct network Vulnerability Assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans and Security Procedures.
• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality.
• The experience has enabled me to find and address security issues effectively, implement new technologies and efficiently resolve security problems.
• With having strong Network Communications, Systems & Application Security (software) background looking forward for implementing, creating, managing, and maintaining information security frameworks for large scale challenging environments.
• Conducted vulnerability tests and analyzed problems in a methodical manner.
• Analyzed and reversed engineer codes to discern weaknesses and provided feedback to penetration testing teams.
• Perform vulnerability assessments using tools such as Metasploit, Nmap and Burp Suite.
• Providing details of the issues identified and the remediation plan to the stake holders.
• Used safe API to avoid the use of interpreter entirely or provides a parameterized interface for preventing Injection.
• SQLMap to dump the database data to the local folder.
• Used Metasploit to exploit the systems.
• Provided and validated the controls on logging like Authentication logging, profile modification logging, logging details, log retention duration, log location, synchronizing time source, HTTP logging.

Confidential, Solon, OH

Penetration Tester

Responsibilities:

• Performed penetration testing on CVS infrastructure and vulnerability assessment of application and database servers.
• Involved in all the projects at all stages to help in the security related issues and solutions.
• Develop test cases to test web application according to OWASP and mapped every test case to NIST control.
• Acquainted with various approaches to Grey & Black box security testing.
• Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, weak cryptography, authentication flaws etc.
• Conducted security assessment of PKI Enabled Applications.
• Executing Gray box testing of the applications.
• Reviewed new vulnerability signatures prior to release.
• Perform network security analysis and risk management for designated systems.
• Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP for web application penetration tests.
• Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS Routing and Switching.
• Maintained a program risk register to assure risks are being cataloged and remediated in a timely manner.
• SQL Map to dump the database data to the local folder.
• Interacting and coordinating day-to-day project activities within the project team and assure that priorities are developed and known.
• Collaborated with client’s senior management, business stakeholders, security team members, and IT resources regarding the vulnerability assessments.
• Monitor, Analyze, and respond to security incidents in the infrastructure. Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.
• Ensured the issues like Error handling, Logging, Sensitive data protection are identified in time and closed prior production release.
• Worked with development teams to ensure IT support and standards maintenance by integrating with SDLC and testing for known vulnerabilities (OWASP).
• Actively search for potential security issues and security gaps that are beyond the ability of detection by any security scanner tool. Initiate and develop new mechanisms to addresses unidentified security holes & challenges.
• Real-time Analysis and defense.
• Configuration and management of Cisco IDS, Checkpoint firewall, Snort.
• Perform day by day checking and examination of host and network alerts from the Data Loss Prevention (DLP) product(s) and investigate output.

Confidential

Security Analyst

Responsibilities:

• Conducted application penetration testing of 90+ business applications.
• Evaluated all repeated threats to all systems and performed vulnerability tests.
• Conducted Compliance Audits.
• Acquainted with various approaches to Grey & Black box security testing.
• Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, weak cryptography etc.
• Conducted security assessment of PKI Enabled Applications.
• Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP for web application penetration tests.
• Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.
• Generate and present reports on security vulnerabilities to both internal and external customers.
• Monitor, Analyze and respond to security incidents in the infrastructure. Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.
• Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during penetration tests.
• Identify issues in the web applications in various categories like Cryptography, Exception Management.
• Real-time Analysis and defense.
• Vulnerability assessment(VA), Security policy, and network and security audit.
• Providing remediation to the developers based on the issues identified.
• Performed static code analysis for client using tools such as Veracode, Checkmarx.