
Sr. Penetration Tester Resume


Anaheim, CA

SUMMARY

  • Accomplished IT Security professional with 9+ years of work experience assisting organizations in successfully completing enterprise-wide security projects. Experienced in performing risk assessments, penetration testing and network/application vulnerability assessments.
  • Domain expertise in Telecom, Banking and Financial Services, Health Care.
  • Experience in vulnerability assessment and penetration testing using various tools like Metasploit, Burp Suite, DirBuster, OWASP ZAP proxy, Nmap, OpenVAS, Nessus, HP Fortify, IBM AppScan Enterprise, Kali Linux.
  • Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity.
  • Good knowledge in programming and scripting in ASP, Java.
  • Simulate how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
  • Proven track record of streamlining security processes, designing and implementing efficient security solutions. Involved in implementing and validating the security principles of minimum attack surface area, least privilege and secure defaults, avoiding security by obscurity, keeping security simple and fixing security issues correctly.
  • Experience in Threat Modeling during Requirements gathering and Design phases. Performed software Licensing audit.
  • Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
  • Reporting the identified issues in the industry standard framework.
  • Sound knowledge and industry experience in vulnerability assessment and penetration testing on web-based applications, mobile-based applications and infrastructure.
  • Ability to work in large and small teams as well as independently.
  • Experience with Security Risk Management with TCP-based networking. Experience with TCP/IP, Firewalls, LAN/WAN. Static Code Analysis during development phase. Quick learner, committed team player with interpersonal skills and enjoys a challenging environment with scope to improve myself and contribute to the cause of the organization.

TECHNICAL SKILLS

Standards & Framework: OWASP, OSSTMM, PCI DSS

Application Scanners: IBM AppScan, HP WebInspect

Network Security Tools: Nessus, OpenVAS, Nmap

Proxies/Sniffers/Tools: Burp Suite, WebScarab, Wireshark, DirBuster

Operating Systems: Windows, RHEL, Kali Linux

Databases: MySQL, MS SQL, Oracle

Penetration Testing: Wireshark, Metasploit Framework

Programming Languages: C, C#, Java, Python, JavaScript, Swift, Objective-C

PROFESSIONAL EXPERIENCE

Confidential - Anaheim, CA

Sr. Penetration Tester

Responsibilities:

  • Conducted security assessment of PKI Enabled Applications.
  • Skilled in using Burp Suite, Acunetix Automatic Scanner and Nmap for web and mobile application penetration tests.
  • Acquainted with various approaches to Grey and Black box security testing.
  • Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, weak cryptography, authentication flaws, etc.
  • Actively search for potential security issues and security gaps that are beyond the ability of detection by any security scanner tool.
  • Initiate and develop new mechanisms to address unidentified security holes and challenges.
  • Performed network scanning using tools Nessus, OpenVAS and Nmap.
  • Metasploit, Burp Suite and Nmap tools were used as part of the penetration testing, on a daily basis, to complete the assessments.
  • Automation scanning and analysis on the Networks and Applications on a daily basis.
  • Uncovered critical vulnerabilities at the infrastructure level for enterprise networks.
  • Real-time Analysis and defense.
  • Vulnerability assessment (VA), Security policy, and network and security audit.
  • Configuration and management of Cisco IDS, Checkpoint firewall.
  • Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.
  • Monitor, Analyze and respond to security incidents in the infrastructure. Investigate
  • Make sure the mobile applications follow the OWASP Mobile Application Security Verification Standard (MASVS).

Confidential - San Jose, CA

PENETRATION TESTER

Responsibilities:

  • Black box pen testing on internet and intranet facing applications.
  • Training the development team on the secure coding practices.
  • OWASP Top 10 Issues identifications like SQLi, CSRF, and XSS.
  • Preparation of the risk registry for the client's various projects.
  • Providing details of the issues identified and the remediation plan to the stakeholders.
  • Grey Box testing of the applications.
  • Verified the existing controls for least privilege, separation of duties and job rotation.
  • Manual penetration testing of the applications and APIs to identify the OWASP Top 10 vulnerabilities and SANS 25.
  • Documented information security guidance in step by step operational procedures.
  • Performed threat analysis on the new requirements and features.
  • Involved in a major merger activity of the company and provided insights in separation of different client data and securing PII.
  • Identification of different vulnerabilities of applications by using proxies like Burp Suite to validate the server-side validations.
  • Identified issues in session management, input validation, output encoding, logging, exceptions, cookie attributes, encryption and privilege escalation.
  • Executed and crafted different payloads to attack the system, to execute XSS and other attacks.
  • Used SQLMap to dump the database data to the local folder.

Environment: Nmap, Nessus, Burp Suite, DirBuster and HP Fortify

Confidential - Los Angeles, CA

Penetration Tester

Responsibilities:

  • Conducted application penetration testing of internal and external business applications
  • Security Code Review and Penetration Testing for all Internal & External Applications of Confidential &T.
  • Follow up with development teams to get recent functionality changes and their security analysis scheduling, coordinating with my team to sync with the project changes.
  • Worked on different types of vulnerability assessment reports, both application generated and from manual penetration testing, and presented them.
  • Trained the development team pertaining to the identified vulnerabilities and in the remediation process.
  • Acquainted with various approaches to Grey & Black box security testing.
  • Discovered application level vulnerabilities like Injection flaws (SQL Injection, Command Injection, etc.), Cross Site Scripting (XSS), CSRF, authentication bypass, cryptographic attacks, authentication flaws, etc.
  • Define the timelines for the given application, conduct the security assessments and report out the vulnerability findings with the remediation process to the development team.
  • Conducted security assessment of PKI Enabled Applications.
  • Used Burp Suite Pro, Acunetix Automatic Scanner, Nmap & Nmap Scripting Engine (NSE), Havij, DirBuster, IBM AppScan, Nessus and SQLMap for web application penetration tests and infrastructure testing.
  • Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
  • Capturing and analyzing network traffic at all layers of the OSI model using Wireshark.
  • Monitor the Security of Critical System (e.g. e-mail servers, database servers, Web Servers, Application Servers, etc.).
  • Change Management to highly sensitive Computer Security Controls to ensure appropriate system administrative actions, investigate and report on noted irregularities.
  • Conduct network Vulnerability Assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans and Security Procedures.
  • Security Tools: Worked on IBM AppScan for vulnerability assessments on web applications, followed by manual methods using tools in Kali Linux, Burp Suite, HP WebInspect, Nessus, Nmap Scripting Engine, etc.

Confidential - Des Moines, IA

Penetration Tester

Responsibilities:

  • Conducted application penetration testing of 50+ internal and external business applications of PFG.
  • Identifying the Critical, High, Medium and Low vulnerabilities in the applications based on the OWASP Top 10 and prioritizing them based on criticality.
  • Follow up with development teams to get recent functionality changes and their security analysis scheduling, coordinating with my team to sync with the project changes.
  • Acquainted with various approaches to Grey & Black box security testing.
  • Performed Vulnerability Assessments and Penetration testing on different applications weekly.
  • Discovered application level vulnerabilities like Injection flaws (SQL Injection, Command Injection, etc.), Cross Site Scripting (XSS), CSRF, authentication bypass, improper access controls, authentication flaws, privilege escalation, sensitive information disclosures and more.
  • Define the timelines for the given application, conduct the security assessments and report out the vulnerability findings with the remediation process to the development team.
  • Conducted security assessments on web applications, APIs, thick client applications and embedded devices, both in-house developed and vendor applications.
  • Worked on identifying issues in session management controls like server-side session state, session termination, session ID randomness, expiration, unique tokens, concurrent logged-in sessions and session fixation prevention.
  • Reviewed different application vulnerability reports from vendors.
  • Worked closely with developers and architects to help the team fix issues identified in AVA tests.
  • Used Burp Suite Pro, Nmap & Nmap Scripting Engine (NSE), Gobuster/DirBuster, IBM AppScan, Postman with Burp for API testing, ReadyAPI, ZAP, IronWASP, dnSpy, Sysinternals Suite and SQLMap for web application penetration tests and infrastructure testing.
  • Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment and onsite internet security assessment.
  • Performed bug triaging and worked with developers to fix the high/critical and medium level issues identified.

Environment: Worked on IBM AppScan for vulnerability assessments on web applications, followed by manual methods using tools in Kali Linux, Burp Suite, Nmap Scripting Engine, Nikto, ReadyAPI, Postman.

Confidential

Penetration Tester

Responsibilities:

  • Established vulnerability assessment practice, proactively ensuring safety of client-facing applications and minimizing client audit findings.
  • Performing security analysis and identifying possible vulnerabilities in the key derivation function; creating vulnerability assessment reports detailing the exposures identified, rating the severity of the system, suggesting mitigations for any exposures and testing known vulnerabilities.
  • Having real-time experience in DDoS, SQL injection protection, XSS protection, script injection and major hacking protection techniques.
  • Addressing and integrating security in the SDLC by following techniques like threat modeling, risk management, logging, penetration testing, etc.
  • Providing fixes & filtering false findings for the vulnerabilities reported in the scan reports.
  • Adding new vulnerabilities to the Vulnerability Database for various platforms with proper exploits.
  • Scan networks, servers and other resources to validate compliance and security issues using numerous tools.
  • Assisting in preparation of plans to review software components through source code review or application security review.
  • Assist developers in remediating issues.
