Security Specialist/Penetration Tester Resume
SUMMARY
- Working as a Security Professional with over 5 years of experience in Vulnerability Assessment & Penetration Testing on Web Application, Mobile, Web Services, Cloud and Network platforms.
- Experience in developing and implementing Information Security Policies and Guidelines as per OWASP (Open Web Application Security Project) and SANS Secure Coding guidelines.
- Hands-on experience in vulnerability assessment and penetration testing using tools such as Burp Suite, Fiddler, ZAP Proxy, sqlmap, HP WebInspect, Acunetix, IBM AppScan, Checkmarx and HP Fortify.
- Experience in identifying SQL Injection, Script Injection, XSS, Phishing and CSRF attacks.
- Involved in the Secure Software Development Life Cycle (Secure SDLC) process.
- Possesses substantial understanding of and experience with the SSDLC, which has been effectively translated across several consulting engagements.
- Hands-on with DAST, SAST and manual ethical hacking.
- Good knowledge of and hands-on experience with scripting languages such as JavaScript, Python and Ruby.
- Created documentation and provided training on proper computer security procedures, including system hardening, in a secure environment.
- Created security guidelines and security best practices for Java, .NET, JavaScript, Node.js and AngularJS frameworks.
- Ability to interpret Object Oriented Programming concepts and technologies including, but not limited to: HTML, Java, JavaScript and XML.
- Create detailed assessment reports with remediation recommendations, present findings to clients and re-test the security issues.
- Vulnerability assessment includes analysis of bugs in various N-tier applications across various domains using both manual and automated tools.
- Worked extensively with software development teams to review source code, triage the security vulnerabilities reported by security tools and eliminate false positives.
- Implemented security frameworks ISO 27002, NIST and PCI.
- Experience in REST/SOAP API Security Testing.
- Performed industry-standard vulnerability severity and risk ranking using CWE and CVSS.
- Automating the SDLC and CI/CD process to enforce security controls.
- Understand security requirements, i.e. the areas of the application which deal with PII, in consultation with the business user/client, and baseline the requirements.
- Reverse engineered third-party applications and developed proof-of-concept exploits. Assisted developers in remediation efforts.
- Excellent exposure to database, VPN and firewall technologies.
- Good understanding of network protocols: TCP/IP, SSH, SSL, HTTP and HTTPS.
- Conducted training on Application Security for my Enterprise Security team and trained many freshers in my previous projects.
- Excellent oral and written communications, interpersonal, negotiation, judgment, decision-making, analysis and problem-solving skills.
PROFESSIONAL EXPERIENCE
Confidential
Security Specialist/Penetration Tester
Responsibilities:
- Performing Grey/White Box testing.
- Perform security testing on all projects on the Web platform, including web applications, web services, backend processes and thick clients.
- Manage and perform IBM AppScan and Acunetix scans before all production releases, analyze vulnerabilities and report to all stakeholders.
- Perform manual security testing for OWASP Top 10 and WASC vulnerabilities such as injection attacks, XSS, CSRF, session management issues, etc.
- Performing manual code review to remove false positives and identify false negatives.
- Prepared comprehensive security reports detailing the findings, risk descriptions and recommendations, with code snippets for the vulnerabilities.
- Conduct re-assessments after the vulnerabilities found in the assessment phase have been mitigated.
- Provide security requirements to project teams during the design phase.
- Write security test cases from project requirements and help QA teams incorporate security testing into the Scrum backlog.
- Security test planning and security test execution on Web platform projects.
- Train the QA team to identify and acknowledge security issues in their projects.
Environment: Burp Suite Pro, Acunetix, Nmap, Metasploit, HP Fortify, IBM AppScan, Kali Linux for penetration testing, SharePoint Project Tracker.
Confidential, Washington, DC
Application Security Engineer / Penetration Tester
Responsibilities:
- Performing Black/White/Grey Box testing on web applications.
- Assisted clients in determining their compliance level with applicable regulations and standards such as PCI DSS.
- Expertise in identifying OWASP Mobile Top 10 and SANS Top 25 vulnerabilities.
- Prepare risk-based test plans and perform security testing (tool-based testing, manual penetration testing, source code review, etc.) on the different layers of the information systems in support of Certification & Accreditation.
- Understand trends in application security and work with teams to remediate any vulnerabilities identified during security testing.
- Review the security architecture evaluation of new systems and create security test plans based on existing and planned controls and recommendations.
- Performing security analysis of the different layers of the systems (application, operating system and database layers) through manual testing and automated vulnerability assessment scans using various web, application, operating system, source code and database vulnerability scanners.
- Reviewing scanner reports and working with the application development community to remediate issues following a risk-based approach.
- Performing manual vulnerability assessment and penetration testing of applications, producing reports and walking the development team through the issues.
- Perform source code reviews (static analysis) to identify security vulnerabilities when needed.
- Perform mobile application security testing (both native and web-based mobile applications) on different mobile platforms (iOS and Android).
Environment: HP Fortify, Checkmarx, IBM AppScan, Burp Suite Pro, OWASP ZAP Proxy, Nmap, Nessus, Windows, Linux for penetration testing, BugTracker.
Confidential
Application Security Consultant
Responsibilities:
- Established a vulnerability assessment practice, proactively ensuring the safety of client-facing applications and minimizing client audit findings.
- Performed security analysis, identifying possible vulnerabilities in the key derivation function; created Vulnerability Assessment reports detailing the exposures identified, rating the severity of the system, suggesting mitigations for any exposures and testing for known vulnerabilities.
- Experience in XSS protection, SQL injection protection, script injection protection and other major hacking protection techniques.
- Providing fixes and filtering false findings for the vulnerabilities reported in scan reports.
- Experience adding new vulnerabilities to the Vulnerability Database for various platforms with proper exploits.
- Experience in scanning networks, servers and other resources to validate compliance and security issues using numerous tools.
- Assisting in the preparation of plans to review software components through source code review or application security review.
- Assist developers in remediating issues from security assessments with respect to OWASP standards.
Environment: HP Fortify, HP WebInspect, Burp Suite Pro, OWASP ZAP Proxy, Nmap, Metasploit Pro, Nessus, Kali Linux for penetration testing, SharePoint Project Tracker.
Confidential
Web Application Security Engineer
Responsibilities:
- Performed vulnerability assessment on web applications.
- Identification of OWASP Top 10 issues such as SQLi, CSRF and XSS.
- Conducted research and coordinated actions designed to reduce information security risk across the internet-facing presence.
- Providing details of the issues identified and the remediation plan to the stakeholders.
- Verified the existing controls for least privilege, separation of duties and job rotation.
- Involved in a major merger of the company and provided insights into the separation of different clients' data.
- Identified application vulnerabilities using proxies such as Burp Suite to validate the server-side validations.
- Crafted and executed different payloads to attack the system with XSS and other attacks.
- Used sqlmap to dump database data to a local folder. Experience adding new vulnerabilities to the Vulnerability Database for various platforms with proper exploits.
- Worked on security guidelines/best practices for developing Java-based applications.
Environment: Burp Suite Pro, OWASP ZAP Proxy, Nessus, Acunetix, Kali Linux for vulnerability assessment, JIRA bug tracking.