
Information Security Analyst Resume


TX

SUMMARY

  • A Security Engineer with experience of 7+ years in vulnerability management and penetration testing on various applications in different domains.
  • Exceptional skills in critical issue identification and resolution.
  • Hands-on experience with Static Application Security Testing (SAST) using tools such as HP Fortify and Dynamic Application Security Testing (DAST) using tools such as IBM AppScan, Burp Suite, Nexpose.
  • Strong knowledge on Vulnerability Management using QualysGuard and Nexpose.
  • Identifying flaws (Security Misconfiguration, Insecure direct object reference, Sensitive data exposure, Functional level access control, Invalidated redirects) both in automated and manual testing environment.
  • Coordinate with dev team to report vulnerabilities by explaining the exploitation and the impact of the issues over application.
  • Experience in Threat Modeling during initial phases (requirement gathering and design phases).
  • Knowledge and experience in standard security and regulatory frameworks including ISO, NIST 800-71, HIPAA, SOX and PCI DSS.
  • Strong Knowledge on Network and Application level architecture/layer.
  • Good knowledge of network and security technologies such as Firewalls, Network layer protocols, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.
  • Experience in Black box, White box, responsive design and usability and exploratory testing, PKI (Public key infrastructure) Encryption algorithms.
  • Experience in QRadar and Splunk SIEM tool as Cyber Security Analyst to secure Organization Network and vulnerability management.
  • Involved in Security Development Life Cycle (SDLC) to ensure security controls are in place.
  • Good knowledge on OWASP Top 10 and CWE/SANS Top 25 based Vulnerability assessment of web applications.
  • Experience in network scanning and penetration testing using various web application security tools like Metasploit, OWASP ZAP Proxy, Nmap, Nessus.
  • Ability to conduct penetration testing for well-known technologies and known security flaw concepts (cross-site scripting (XSS), SQL injection, CSRF, weak authentication factors, etc.).
  • Experienced in working on Patch Management, Vulnerability Scanners and Penetration Testing.
  • Generated and presented reports on Security Vulnerabilities to both internal and external customers.
  • Report the identified issues to development teams, train them over common vulnerabilities, prescribe remediation and follow up on the fixes.
  • Excellent code reviewing and programming skills in Java, JavaScript, XML environments.
  • Proven adeptness at assigned work with good analytical, interpersonal and problem-solving skills.

TECHNICAL SKILLS

  • Tools: Burp Suite, DirBuster, IBM AppScan, Kali Linux, SQLmap, HP Fortify, Nexpose, HP WebInspect, Metasploit, OpenVAS, OWASP ZAP proxy, SoapUI, QualysGuard, QRadar SIEM.
  • Languages: C++, Java, C#, .NET, Python.
  • Web Technologies: HTML, CSS, JavaScript, XML
  • Platforms: Windows XP, 10, UNIX/LINUX.
  • Web Server: Apache, IIS 6.0/7.0, Windows 2003/2008/2012 Servers
  • Database: MySQL, MS SQL, Oracle
  • Networking Concepts: OSI Model, TCP/IP, UDP, IPv4, IPv6, LAN, WAN, Subnetting, firewall configuration.
  • Network Tools: Nmap, Nessus

PROFESSIONAL EXPERIENCE

Confidential, TX

Information Security Analyst / Penetration Tester

Responsibilities:

  • As a security analyst and pen tester, worked on OWASP Top 10, SANS 25 and Common Vulnerabilities and Exposures (CVE), identifying and reporting issues and helping developers remediate them.
  • Conducting Web Application Vulnerability Assessment, Threat Modeling and secure code reviews on the applications.
  • Efficiently performed web application vulnerability assessment using Burp Suite, HP Web Inspect, Nexpose and IBM AppScan.
  • Perform manual security testing for OWASP Top 10 vulnerabilities like SQL injection attacks, cross-site scripting (XSS), CSRF, session management, etc.
  • Security assessment of online web applications to identify the vulnerabilities in distinct categories like Input and data Validation, Authentication, Authorization and risk assessment.
  • Experience in using Kali Linux performing web application assessment to identify, validate and exploit vulnerabilities using tools like Metasploit, DirBuster, OpenVAS, Nikto, SoapUI and Nmap.
  • Experience working with SQLmap, an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
  • Identifying the risk level (critical, High, Medium, Low) and prioritizing vulnerabilities found in web applications based on OWASP Top 10, SANS 25 and GSEC.
  • Performed static code reviews with the help of automation tools.
  • Training the development team on the most common vulnerabilities and common code review issues, explaining the remediations and prioritizing the issues found.
  • Provide software security support related to Fortify and HP Web Inspect, and remediation guidance to development teams.
  • Identifying vulnerabilities and threats based on client’s security policy and regulatory requirements such as PCI, PII, HIPAA, and SOX.
  • Performed penetration testing and vulnerability management over the enterprise systems to audit the standards to comply with NIST and ISO 2700x standards.
  • Vulnerability Management by scanning, mapping and identifying possible security holes using QualysGuard and Nessus scanner.
  • Reviewing the reports and code, removing the false positives and identifying the false negatives.
  • Good Knowledge on BCP (Business Continuity Planning) and DR (Disaster Recovery).
  • Experience working on RSA Archer e-GRC Platform Version 5.5 (Application Builder, Access Controls, Data Feed Manager, Business Continuity Manager).
  • Used QRadar and ArcSight as SIEM systems for alert and Incident Response, and manage QRadar SIEM elements such as log collection, Normalization, Correlation and Reporting.
  • Developed cyber security policies and best practices to maintain confidentiality, integrity and availability of organizational data.
  • Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.

Environment: Java, JavaScript, Python, XML, UNIX, Burp Suite, Nmap, Zenmap, Metasploit, SQLmap, SoapUI, DirBuster, Kali Linux, QualysGuard, Nexpose, OWASP Top 10, HP Web Inspect, IBM App Scan, Nessus, RSA Archer, SIEM, QRadar, Splunk.

Confidential

Security Engineer

Responsibilities:

  • Worked in this project as Incident Analyst (Security Engineer II) and Vulnerability Assessment engineer.
  • Meet with senior management to develop, refine and execute virtualization strategy and roadmap to handle any security breach or vulnerability.
  • Static Code analysis using HP Fortify to identify the vulnerabilities in the applications.
  • Hands-on experience performing security assessment with SAST and DAST using tools like HP Fortify, HP Web Inspect and IBM AppScan.
  • Performed Vulnerability Assessments using Kali Linux / Metasploit / Burp Suite / Paros / SQLmap and many open source tools.
  • Proficient in detecting application-level vulnerabilities like XSS, SQL injection, CSRF, authentication flaws, etc., both through automation and manual testing.
  • Identified issues on session management, Input validations, output encoding, Logging, Cookie attributes, Encryption, Privilege escalations.
  • Create Vulnerability Assessment report detailing exposures that were identified, rate the severity of the system & suggestions to mitigate any exposures & testing known vulnerabilities.
  • Performed Network scanning using tools Nessus and Nmap and generated reports.
  • Responsible for maintaining, reporting and communication of SIEM between event-sources and endpoints.
  • Reverse Engineering/Analysis - IDA Pro, HB Gary Responder CE, Volatility, IBM App Scan source, HP Fortify, QRadar.

Environment: Java, .NET, Burp Suite, Palo Alto Firewall, SIEM, QRadar, SQLmap, DirBuster, QualysGuard, Kali Linux, OWASP Top 10, HP Web Inspect, IBM App Scan, IDS/IPS, CSS, CSRF, Nessus, HP Fortify, PCI, SOX.

Confidential

Security Engineer

Responsibilities:

  • Responsible for organization network environment maintenance.
  • Conduct network monitoring and intrusion detection analysis to detect intrusions in system.
  • Vulnerability assessment (VA), Cyber Security policy, and network and security audit.
  • Investigate suspicious network activity, evaluate risk and propose effective solutions for risks identified.
  • Configuration and management of Cisco IDS, Checkpoint firewall, Snort.
  • Captured and analyzed network packets to detect possible intrusion using Wireshark.
  • Performed Vulnerability management using Nessus and generated report on critical/high-level vulnerabilities.
  • Conducted security assessment and penetration testing on organizational network.
  • Investigate and respond to firewall, security device alerts and escalate to concerned teams.
  • Configure networking devices such as servers, routers, switches, firewall before deployment.
  • Draft monthly reports of network efficiency to observe if changes are needed.
  • Configure user accounts and password criteria for additional security.
  • Configure firewall and restrict network access to unauthorized users.
  • Communicate with project managers and stakeholders to ensure project is in sync with customer requirements.

Environment: Nessus, Cisco Firewall, Palo Alto, Wireshark, Windows Servers, Routing Protocols, Snort, Switching Protocols.
