Security Analyst Resume

Seattle, WA

PROFESSIONAL SUMMARY:

  • A Security Engineer with 7 years of experience in penetration testing and vulnerability management on various applications in different domains.
  • Progressive experience in Application Security, Enterprise Vulnerability Management, penetration testing, generating reports, SQL Injection, XSS and major hacking protection techniques.
  • Experience in testing using various tools like Burp Suite, DirBuster, OWASP ZAP proxy, NMap, OpenVAS, Nessus, HP Fortify, SCA, HP Web Inspect, IBM App Scan enterprise, Kali Linux, Metasploit, Jira and SoapUI.
  • Good knowledge on OWASP Top 10 based Vulnerability assessment of web applications.
  • Coordinate with the dev team to report vulnerabilities by explaining the exploitation and the impact of the issue.
  • Good knowledge in conducting system security assessments based on NIST.
  • Reporting the identified issues in the industry standard framework.
  • Experience with Security Risk Management with TCP-based networking.
  • Domain expertise in Telecom, Banking and Financial Services, Health Care.
  • Expertise in detecting vulnerabilities across the authentication, authorization, input validation, session management, server configuration and information leakage areas.
  • Involved in the Security Development Life Cycle (SDLC) to ensure security controls are in place.
  • Good experience with Core Vulnerability Insight, which unifies, regulates and prioritizes vulnerability management initiatives enterprise-wide.
  • Established objectives for the audit. For example, determining what systems will be audited, what security activities will be reviewed, what privacy regulations will be evaluated, etc.
  • Good experience in risk assessment, risk mitigation and security audits.
  • Used security hardening to secure systems and reduce their vulnerable surface.
  • Hardening includes removing unnecessary usernames and passwords.
  • Experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
  • Experience with Security Information Event Management (SIEM) and Intrusion Detection Systems (IDS) configuration, tuning, and operation.
  • Knowledge in Windows/Linux operating system configuration, utilities and programming.
  • Good experience in SAST and DAST of applications using tools such as HP Fortify and IBM AppScan.
  • Good experience in Secure SDLC and source code analysis on web-based applications.
  • Capable of identifying flaws like Security Misconfiguration, Insecure Direct Object Reference, Sensitive Data Exposure, Function Level Access Control and Unvalidated Redirects.
  • Good knowledge of Jira, rootkits, IP spoofing and VirtualBox.
  • Knowledge on SELinux and Software Hardening concepts.
  • Good Knowledge on HTTP, HTTPS, Web application firewalls, checking logs, Web Services, SSL and TLS.
  • Good Experience in OpenVAS vulnerability scanning and vulnerability management.
  • Good knowledge of SQL and MS SQL, and programming skills in Java and C#.
  • Good Experience with Windows and Linux environments.
  • Vulnerability assessment including analysis of bugs in N-tier applications across various domains, using both manual and automated tools.
  • Knowledge of network and security technologies such as Firewalls, TCP/IP, IDS/IPS, Routing and Switching.
  • Good team player with the ability to learn concepts effectively and efficiently.
  • Ability to work in large and small teams as well as independently.

TECHNICAL SKILLS:

Tools: BurpSuite, DirBuster, IBM AppScan, SQL Map, Kali Linux, HP Fortify, SCA, HP WebInspect, Metasploit, OpenVAS, OWASP ZAP proxy, SoapUI, SIEM, Jira, SELinux.

Standards/Frameworks: OWASP Top 10

Language: C++, Java, C#

Web Technologies: HTML, CSS, JavaScript, XML

Platforms: Windows XP/10, Linux, Unix

Web Server: Apache, IIS 6.0/7.0

Database: MySQL, MS SQL, SQL

Packages: MS-Office, MS Visio

Network Tools: Nmap, Nessus

PROFESSIONAL EXPERIENCE:

Security Analyst

Confidential, Seattle, WA

Responsibilities:

  • Performed penetration tests on different applications and generated reports.
  • Performed manual penetration testing to find the vulnerabilities on web applications.
  • Performed Static Application Security Testing (SAST) using tools such as HP Fortify and Dynamic Application Security Testing (DAST) using tools such as IBM AppScan.
  • Used Burp Suite to identify issues like SQL injection, XSS, CSRF, etc.
  • Performed security design review, threat modeling and architectural/system security assessments.
  • Static Code analysis using HP Fortify to identify the vulnerabilities in the applications.
  • Manual penetration testing of the applications and APIs to identify the OWASP Top 10 vulnerabilities.
  • Performed a threat analysis on the new requirements and features.
  • Used Check Point firewall to provide geo-protection and frequent, automated threat definition updates.
  • Conducted Web Application Vulnerability Assessment & Threat Modeling, secure code review on the applications. Access control check to identify the privilege escalation issues on various roles and ensuring the closure by overall framework implementation.
  • Checked audit logs utilizing SIEM tools.
  • Performed vulnerability scans from externally hosted servers using OpenVAS.
  • Used OpenVAS to detect security issues in all manner of servers and network devices.
  • Performed technical risk assessments and reviews of new applications.
  • Penetration testing of various applications to identify issues in categories like configuration management, session management and sensitive data handling.
  • Provided the report and explained the issues to the development team.
  • Reviewed IT security policies and processes, with an emphasis on data center procedures and security capabilities.
  • Performed security reviews, often focusing on network vulnerabilities, security controls, encryption, access control and user accounts, password management, etc.
  • Provided remediation steps to the team and followed up.
  • Retested the fixed issues and ensured closure.
  • Trained the development team on security vulnerabilities in the form of security awareness sessions, explaining the security requirements prior to development.

Confidential, Kentucky

Web Application Security Tester

Responsibilities:

  • Conducted Vulnerability Assessment on various applications.
  • Acquainted with various approaches to Grey & Black box security testing.
  • Proficient in application level vulnerabilities like XSS, SQL Injection, CSRF, Authentication flaws etc.
  • Conducted web application vulnerability assessment, threat modeling and secure code review on the applications. Skilled in using Burp Suite, Acunetix automatic scanner, IBM AppScan, Nmap and DirBuster for web application penetration tests.
  • Generated and presented reports on Security vulnerabilities to both internal and external customers.
  • Security assessment of online applications to identify vulnerabilities in categories like input and data validation, authentication and authorization.
  • Vulnerability assessment of various web applications through manual testing using emulators and handheld devices.
  • Assisted customers in understanding the risk and threat level associated with a vulnerability so that the customer may or may not accept the risk with respect to business criticality.
  • Assisted in the review of business solution architectures from a security point of view, which helps avoid security-related issues and threats at an early stage of the project.
  • Trained the development team on the most common vulnerabilities and common code review issues, and explained the remediation.
  • Kept up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.

Environment: Application level vulnerabilities, Burp Suite, IBM AppScan, Nmap, DirBuster, SQL Map, HP WebInspect, Vulnerability Management, Vulnerability Remediation

Confidential

Security Tester

Responsibilities:

  • Performed penetration testing on projects on the web platform.
  • The security testing includes Web applications, web services, backend processes and Thick clients.
  • Managed and performed IBM AppScan and Acunetix scans before all production releases, analyzed vulnerabilities and reported to all stakeholders.
  • Performed Static Application Security Testing (SAST) using tools such as HP Fortify.
  • Performed Dynamic Application Security Testing (DAST) using tools such as IBM AppScan.
  • Performed manual security testing for OWASP Top 10 and WASC vulnerabilities like SQL injection, XSS, CSRF, session management, etc.
  • Performed manual code review to remove false positives and identify false negatives.
  • Prepared comprehensive security reports detailing identifications, risk descriptions and recommendations, with code snippets for the vulnerabilities.
  • Conducted re-assessment after mitigation of the vulnerabilities found in the assessment phase.
  • Provided security requirements to project teams during the design phase.
  • Wrote security test cases from project requirements and helped QA teams incorporate security testing into the Scrum backlog.
  • Experience with Single Sign-On applications.
  • Security test planning and security test execution on Web platform projects.
  • Trained the QA team to identify and acknowledge security issues in their projects.

Environment: SQL Injection, XSS, script injection, Threat Modeling, Risk Management, Application Security review, Security Assessments.
