
Security Tester Resume


Wilmington, DE

SUMMARY:

  • An IT professional with 7+ years of experience in Information Security.
  • Experience in implementing security in every phase of the SDLC. Hands-on experience in application security, vulnerability assessments and OWASP, along with different security testing tools.
  • Experience as an Information Security Analyst, involved in OWASP Top 10 based Vulnerability Assessment of various internet-facing point-of-sale web applications and web services.
  • Capable of identifying flaws like Injection, XSS, Insecure Direct Object Reference, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, CSRF and Unvalidated Redirects.
  • Experience in different web application security testing tools like Acunetix, Metasploit, Burp Suite, SQLmap, OWASP ZAP Proxy and HP Fortify.
  • As a Security Consultant, involved in enhancing the security posture of the project through initiatives like Threat Modelling and security awareness sessions.
  • Experience in reverse engineering of native mobile applications and network scanners.
  • Exploring local storage, hard-coded information and the file structure of native applications.
  • Reporting the identified issues in an industry-standard framework.
  • Simulating how an attacker would exploit the vulnerabilities identified during the dynamic analysis phase.
  • Experience in software licensing audits and Tenable Network Security.
  • Hands-on experience in conducting web application security scans and ethical hacking using commercial and non-commercial applications and methodologies such as SANS web application assessment, OWASP Top 10 and CVSS scoring using IBM AppScan.
  • Good experience in web technologies like HTTP, HTML, CSS, Forms and Database Connectivity.
  • Experience using automated vulnerability assessment tools Qualys, nmap, Retina, Nessus and Nexpose, and the IBM z-Series mainframe.
  • Knowledge of Cyber Security, Vulnerability Management and ITIL.
  • Experience in using threat modeling and HIPAA Security.
  • Hands-on experience with McAfee IPS.
  • Perform security tests using static application security testing, dynamic application security testing and manual penetration testing of applications.
  • Hands-on experience building automation frameworks related to Application Security.

TECHNICAL SKILLS:

  • IBM AppScan Standard Edition
  • HP Web Inspect
  • OWASP Top 10 and SANS Top 25
  • Vulnerability Assessment
  • Paros Proxy
  • Wappalyzer
  • Live HTTP Header
  • Tamper data
  • Flag fox
  • Burp Suite
  • Web Scarab
  • SOAPUI
  • DirBuster
  • YASCA
  • Sqlmap
  • Nikto
  • McAfee IPS
  • Metasploit
  • Kali Linux
  • Qualys
  • Tenable Network Security

PROFESSIONAL EXPERIENCE:

Confidential, Wilmington, DE

Security Tester

Responsibilities:

  • Black box penetration testing on internet and intranet facing applications.
  • Responsible for Vulnerability Assessment and Security Testing.
  • Identifying Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and prioritizing them based on criticality.
  • Security assessment of web applications to identify vulnerabilities in different categories like Authentication, Authorization and Input Data Validation.
  • Vulnerability assessment of applications used in the organization using Burp Suite and HP WebInspect.
  • Preparation of a risk register for the various projects and coordination with the development team to ensure the reported vulnerabilities are remediated.
  • Security testing of APIs using SoapUI.
  • Experience in using Kali Linux for web application assessment with tools like DirBuster, Nikto, Nmap, IBM AppScan and McAfee IPS.
  • Hands-on experience with HIPAA Security.
  • IBM z-Series mainframe.
  • Crafted and executed different payloads to test the system for XSS and other attacks.
  • Identified issues in session management, input validation, output encoding, logging, exception handling, cookie attributes, encryption and privilege escalation.
  • Provided and validated logging controls such as authentication logging, profile modification logging, log detail, log retention duration, log location, time source synchronization and HTTP logging.
  • Good experience in static application security testing, dynamic application security testing and manual penetration testing of applications.
  • Providing details of the identified issues and the remediation plan to stakeholders.
  • Verified the existing controls for least privilege, separation of duties and job rotation.
  • Collaborating on cross-team and cross-product technical issues with a variety of resources, including development, to document software defects and customer suggestions.
  • Participating in the documentation and product review process for new product introductions.
  • Contributing to the knowledge base by authoring and editing articles to share current information with team members.

Confidential, San Jose, CA

Security Engineer

Responsibilities:

  • Performed security research, analysis and design for all client computing systems and the network infrastructure.
  • Security assessment of online applications to identify vulnerabilities in different categories like Input and Data Validation, Authentication, Authorization, Auditing and Logging.
  • Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebScarab, YASCA, HP WebInspect and Qualys.
  • Coordinated with the development team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of each issue.
  • Security testing of APIs using SoapUI and against the OWASP Mobile Top Ten vulnerabilities.
  • Experience in reverse engineering of native mobile applications.
  • Exploring local storage, hard-coded information and the file structure of native applications.
  • Experience in using Kali Linux for web application assessment with tools like DirBuster, Nikto and Nmap.
  • Good knowledge of IBM AppScan to enhance web application security.
  • Performed security code review of Java, .NET and PHP code using static code analysis tools such as HP Fortify and IBM AppScan. Helped the team remediate security issues with sample code.
  • Good knowledge of Tenable Network Security.
  • User ID reconciliation on a quarterly basis.
  • Kept up to date with new attacks and the latest vulnerabilities to ensure no such weaknesses are present in the existing system.
  • Threat modelling of the project by getting involved before development and improving security in the initial phase.
  • STRIDE assessment of the applications during the design phase, identifying possible threats and providing security requirements.
  • Training the development team on the most common vulnerabilities and common code review issues and explaining the remediations.
  • Good knowledge of programming and scripting in .NET and Java.
  • Following up on raised vulnerabilities and ensuring 100% closure by revalidation.
  • Good experience in web technologies like HTTP, HTML, CSS, Forms and Database Connectivity.
  • Ensuring the SDLC is a Secure SDLC.
  • Manual (DAST) security testing of web applications against the OWASP Top 10 and the ASVS checklist.

Confidential, San Jose, CA

Security Engineer

Responsibilities:

  • Performed security tests on a different application each week.
  • Automated scans of 5 different projects on a weekly basis using Acunetix to ensure that changes do not introduce any new vulnerability.
  • Static code analysis using HP Fortify to identify vulnerabilities in the applications.
  • Manual security testing of applications and APIs to identify OWASP Top 10 and SANS Top 25 vulnerabilities.
  • Access control checks to identify privilege escalation issues across various roles and ensuring closure through an overall framework implementation.
  • Used Burp Suite and Qualys to identify issues like SQL injection, XSS and CSRF.
  • Penetration testing of various applications to identify issues in categories like Configuration Management, Session Management and Sensitive Data Handling.
  • Provided reports and explained the issues to the development team.
  • Provided remediation steps to the team and followed up.
  • Retested the fixed issues and ensured closure.
  • Performed secure code review of the code base.
  • Trained the development team on security vulnerabilities in the form of security awareness sessions, explaining the security requirements prior to development.
  • Good knowledge of IBM AppScan to enhance web application security.

Confidential,

Information Security Consultant

Responsibilities:

  • Consulted the client through a third-party security audit of the entire organization.
  • Developed solutions to mitigate security vulnerabilities.
  • Provided guidance to different teams for closing critical infrastructure, network and application security vulnerabilities reported in the third-party security audit.
  • Performed security tests on a different application each week.
  • Prepared a security testing checklist for the company.
  • Ensured all controls are covered in the checklist.
  • Good experience in web technologies like HTTP, HTML, CSS, Forms and Database Connectivity.
  • Updated the checklist on a weekly basis to ensure all test cases are current with attacks seen in the wild.
  • Designed and implemented security policies on the client network.

Confidential

Application Security Analyst

Responsibilities:

  • Black box penetration testing of internet- and intranet-facing applications.
  • The team's main focus was auditing applications prior to moving to production.
  • Explaining security requirements to the design team in the initial stages of the SDLC to minimize rework on issues identified during penetration tests.
  • Performing threat modelling of the applications to identify threats.
  • Identifying issues in web applications in categories like Cryptography and Exception Management.
  • Verifying that the application implements basic security mechanisms like job rotation, privilege escalation controls, least privilege and defence in depth.
  • Using various Mozilla add-ons to assess the application, such as Wappalyzer, Flagfox, Live HTTP Headers and Tamper Data.
  • Risk assessment of the application by identifying issues and prioritizing them based on risk level.
  • Providing remediation guidance to developers based on the issues identified.
  • Revalidating the issues to ensure closure of the vulnerabilities.
