SUMMARY

• Result oriented professional with 10+ years of expertise in IT predominantly in Information Security Domain.
• Experience across diverse organizations involving Security Consulting, Product Security, Security Services, Security Compliance and Incident Response.
• Hands - on experience on Vulnerability Assessment and Penetration testing of Web Application and its related infrastructure.
• Mobile Security testing based on guidelines published by OWASP.
• Experience in Enterprise Risk Management and Software Security Testing
• Working experience in audit requirement for PCI-DSS, SOX, HIPPA and Common Criteria.
• Proficient in analyzing information system needs, evaluating end-user requirements, custom designing solutions, troubleshooting for complex issues.
• Capable of defining business mission and integrating resource strengths to deliver impeccable performances aligned to overall security objectives.
• Demonstrated leadership, teaming, organizational and people-management skills with consistent performance levels in excess of job requirements.
• Offensive Security Certified Professional ( OSCP )- Enrolled

TECHNICAL SKILLS

• Applied Cryptography, Risk Analysis, Social Engineering, Web Apps, Cross-site Scripting, SQL injection, Thread Modeling, NASM, Network Protocol, Penetration Testing, Hack with Python, SLDC, Vulnerability, Data Leakage, File integrity, Virus / Trojan, Malware, Ollydbg, Database, PEBrowser, Buffer Overflow, Fuzzing Techniques, Immunity Debugger, Shellcode, WordPress Hacking, Metasploit Framework, Software Security Testing
• SOAP, XML, WSDL, NIDS, HIDS, FTP, IPsec, SSH, Gray Box, White Box, Black Box
• Red Team, Blue Team, DNS, Encoding, Encryption, Hashing
• IBM AppScan, Windows Server, W3af, Wireshark, Kali Linux, SIEM, Nessus, Web Scarab, HP Fortify, Nmap, Burp Suite Pro, Mobile Apps, Paros Proxy, Splunk, Cobalt Strike, Web Applications, HP WebInspect, Android Tamer, OWASP, Hping, NSLookUp, Telnet, L0pht Crack, Protocols/Standards/Systems: TCP/IP, UDP, Apache server, SSL/TLS, LDAP, HTTP(S), DNS, RADIUS, EAP (TLS, TTLS, MD5), and STRIDE / DREAD threat models. Cyber Kill Chain, NIST SP 800, SOX Rapid7Nexpose, Veracode, Checkmarx

PROFESSIONAL EXPERIENCE

Confidential, Bridgewater, NJ

Penetration Tester SME - Web Apps Security

Responsibilities:

• Performed Dynamic and Static application security testing across multiple platforms
• Conducting internal penetration testing for various clients across the state
• Supervised a team of six employees offshore in India by supporting multiple applications
• Experience in information security technologies such as Splunk Enterprise Security, IDS/IPS, and McAfee Vulnerability management.
• Expertise in identifying OWASP Mobile and Web applications top 10 and SANS 25 vulnerabilities
• Providing customers with best practice guidelines and practical suggestions to protect against or mitigate threats; provided remediation recommendations as needed
• Performing Web application vulnerability assessments/ Network based security assessments
• Expertise in analyzing threats and categorizing them based on critical of the security vulnerability
• Involved in scoping, identification, analysis and evaluation of application security risk.
• Performed static code analysis for client using tools such as Veracode and Checkmarx
• Subject Matter Expert in Software development life cycle
• Analysis of code of different applications across the client platform
• Review source code in .Net, PHP, Java, J2EE, Internet-Web
• Help reduce the attack surface on client application and limit the number of vulnerabilities by finding software bugs early in the development life cycle well before the application goes to production
• Provide security code reviews using Veracode and Checkmarx and evaluate results for security vulnerabilities for banking applications
• Review vendors application code to remediate flaws inside the code
• Collaborate with other information security teams in the evaluation, development, implementation, communication, operation, monitoring and maintenance of security policies and procedure to promote a secure and innovative environment
• Identifying emerging vulnerabilities, risks and threats during design iterations and provide appropriate countermeasures.
• Performed vulnerability assessment & penetration-testing using automated tools on web applications and Mobile applications.
• Evaluated vulnerabilities identified due to configuration issues, patch management and third-party applications
• Led a team of 3 consultants to perform Vulnerability Assessment on the Web Based application.
• Involved in detection & classification of vulnerability based on OWASP Top Ten methodology.
• Work on common vulnerabilities such as directory traversal, parameter manipulation, information disclosure, web server vulnerabilities, buffer overflows, format string bugs, race conditions, weak authentication & authorization schemes, session management, cookie manipulation and forceful browsing.
• Installed, configured & customized Fortify Secure Code Analyzer to assist in Secure Development Process (Tools Usage - W3af, Paros, Metasploit, Social Engineer Toolkit,Kali Linux, Burp Suite & ZAP)

Confidential, Washington, DC

Cyber Security Analyst - Consultant

Responsibilities:

• Performed Unauthenticated / Authenticated web application scans using HP Webinspect. Worked closely with developer to mitigate vulnerability findings Gray Box &White box testing and manual penetration testing. Configuration Management on Assessment Management Platform (AMP). Execute HP Fortify Webinspect scans and verify reported vulnerabilities with Burp Proxy
• Performed vulnerability scanning using QualysGuard to identify potential security vulnerabilities, prepares reports on security risks and help determine the most appropriate corrective measures
• Conducted testing of Internet facing applications, as well as applications containing Personal Identifiable Information. Lead monthly conference call to discuss vulnerability reports with developer. Demonstrated experience in Web Application Security, Penetration testing. Found common web site security issues (XSS, CSRF, Session fixation, SQL injection, information leakage, application logic, etc.) across various platforms. Executed daily vulnerability assessments, threat assessment, and mitigation and reporting activities in order to safeguard information assets and ensure protection has been put in place on the systems.
• Conducted open security testing standards and projects, including OWASP secure coding practices and Top Ten testing framework, FISMA, NIST, OWASC. Serves as an IT security subject matter expert and establishes and implements formalized plans to address operational IT security issues
• Perform vulnerability scans using Nessus Security Center. Assigned roles and permissions to user and department staff. Conducts Pre-assessment and Post assessment activities for assigned systems.
• Maintain Google spreadsheet for all GSA Applications and Systems. Knowledge of common application vulnerabilities, current threat vectors and mitigations. Identify security risks, threats and vulnerabilities of networks, systems, applications and related components.
• Conducted vulnerability assessment on the application & underlining infrastructure.
• Performed Web Application Testing using IBM Rational AppScan, intrusive and non-intrusive techniques. (Tools Usage - IBM Rational AppScan, Paros, Qualys Guard, Burp Suite)

Confidential, McLean, VA

Penetration Tester SME

Responsibilities:

• Functioned as presales consultant role for the Security & Vulnerability Offering.
• Focused on presales, development of practice collateral, education & support of the marketing team. Worked on Avaya and Citrix Solutions.
• Conducted Web Application Security Testing (Black Box Testing) using automated tools and detailed manual testing looking for typical web application specific security holes like Cross-Site Scripting, SQL Injection, URL redirection as well as attempts to avert business logic of the application.
• Focused on OWASP Top 10 vulnerability assessment and test framework development.
• Customized report generated by Webinspect aligned to client requirements.
• Coordinated with developers in understanding & fixing of vulnerabilities as part of the QA process.
• Scanned financial database for Peace Corps for vulnerabilities based on the RESTful architectures. Conducted white / gray box penetration testing on the financial systems.
• Involved in Infrastructure Security Assessment based on OSSTMM methodology, Vulnerability Assessment and Penetration testing of infrastructure.
• Identified vulnerability mitigation techniques and OS hardening routines across platforms.
• (Tools Usage - IBM AppScan, Paros, sqlmap, Kali Linux, Cobalt Strike, Hping, Burp Suite)

Confidential

Technical Lead / Web Application Security Tester

Responsibilities:

• Assisted in managing Nessus Tenable Security Center across multiple platforms
• Involved in design & management of projects related to new security requirements & enhancements to the Internet infrastructure.
• Planned & developed secured information systems & network infrastructure to strategically support Internet infrastructure.
• Conducted penetration testing & vulnerability assessment for in-house applications followed by preparation of detailed reports
• Designed, implemented, administered & troubleshot NIDS, HIDS and Antivirus infrastructure
• Performed architectural review, security policy, firewall rule base analysis, application testing and general benchmarking using manual and automated penetration testing
• Helping customers manage cyber risk through a variety of services geared towards minimizing exposure and maximizing return on investment. Conducted network & application penetration testing, web application security reviews and source code security analysis for internal clients.
• Worked with developers and administrators to remediate identified vulnerabilities. Developed proof-of concept exploits and knowledge on risk rating methodology like CVSS scores. Assisted with clients to review policies and recommended adjustments.
• Knowledge about OWASP top 10 vulnerabilities with an understanding of Web based application vulnerabilities and SANS methodology. Performed on-site and remote penetration tests for diverse clients.

Confidential, Baton Rouge, LA

IT Security Consultant

Responsibilities:

• Worked on network security including implementation for perimeter security
• Security hardening of network infrastructure and monitoring
• Developed secure network architecture for new and existing environments.
• Performed Engineering applications install on workstations and providing customers with best practices guidelines and practical suggestions to protect against threats.
• Scanned networks servers and other resources for customers to validate compliance and security issues
• Created details reports containing prioritized findings, demonstration of exploits, explanation of compromise impacts, and recommendations for mitigation
• Responsible for configuring and maintaining communications including firewalls, Internet connections, virtual private networks, point to point connections and remote access
• Specialized in network security assessments, perimeter defenses log analysis, information security monitoring and risk analysis.

Confidential, Baton Rouge, LA

Technical Consultant & Security

Responsibilities:

• Involved in Infrastructure Security Assessment based on OSSTMM methodology, Vulnerability Assessment and Penetration Testing of Infrastructure
• Designed and installed Cisco routers, Cisco IP Phone 7940 G series with Call Manager Express.
• Coordinated the design and planned of Local Area Network expansion of the organization
• Developed & maintained Business Continuity Plan and Disaster Recovery plan.
• Implemented & troubleshot firewall based on Network & Security design.

Confidential, Emeryville, CA

Installation Engineer

Responsibilities:

• Installed remotely software Agent on client systems through GoToAssist - A remote support technology which included AIX, Linux, Exchange DR & MAPI, SharePoint, Oracle, WinXP, SQL, Solaris, HP-UX, iSeries AS/400
• Installed new computer systems and connecting them into the Local Area Network.
• Managed Vault for all clients using Confidential Director Software.
• Performed client backup and restores using Web Central Control & Window Central Control
• Provided support to off-site clients via telephone and E-mail on policies, procedures and best practices
• Performed backup and restores using Storage virtualization
• Conducted daily maintenance of user's security accounts in Windows 2008 including desktop & workstations