Penetration Tester Resume

Arlington, VA

PROFESSIONAL SUMMARY:

  • More than 7 years of experience in Web Application Security, Logging and Alerting, Security Design, Penetration Testing, Secure Coding, Mobile Application Security, Application Security Controls and Validation, Risk Assessments, Regulatory Compliance and Secure Software Development Life Cycle (secure SDLC).
  • Hands-on experience in developing threat models, security controls, threat analysis, risk control matrices and risk mitigation strategies.
  • Hands-on with penetration testing, DAST, SAST and manual ethical hacking.
  • Experience in conducting IT security risk assessments in accordance with the NIST and FFIEC frameworks.
  • Experience in vulnerability assessment and penetration testing using tools such as Burp Suite, DirBuster, OWASP ZAP proxy, Acunetix, Nmap, Nessus, Nikto, web scanners, w3af, HP Fortify, IBM AppScan Enterprise and Kali Linux.
  • Work with global security teams performing application and IT infrastructure security assessments.
  • In-depth knowledge of penetration testing for web and mobile (iOS and Android) applications.
  • Good understanding of web application attacks, including denial-of-service attacks, MITM attacks, local file inclusion (LFI), remote file inclusion (RFI) and buffer overflows.
  • Performed security design and architecture reviews for web and mobile applications.
  • Working knowledge of AWS Cloud Security in implementing Web Application Firewalls (WAF).
  • Hands-on experience working with LAN and WAN topologies, the TCP/IP protocol suite, routers, switches and firewalls in Internet, intranet and extranet environments.
  • Security assessment based on the OSSTMM methodology and the OWASP framework.
  • Worked on cloud compliance and web application security using QualysGuard.
  • Excellent scripting and debugging skills in JavaScript, Python, PHP and Ruby.
  • Working knowledge of the OWASP Top 10 and SANS Top 25 software guidelines and of Federal Financial Institutions Examination Council (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA/HITECH and Sarbanes-Oxley Section 404 (SOX).
  • Experience in implementing Security Information and Event Management (SIEM) using HP ArcSight.
  • Ability to handle multiple tasks and work independently as well as in a team.
  • An efficient team player in challenging and creative environments, with an excellent capacity to adopt new technologies and skills.

TECHNICAL SKILLS:

Standards & Frameworks: OWASP, OSSTMM, PCI DSS, NIST, FedRAMP

Application Scanners: IBM AppScan, Checkmarx, Veracode and HP Fortify

Network Security Tools: Nessus, Nmap

Proxies/Sniffer Tools: Burp Suite, WebScarab, Wireshark, DirBuster

Operating Systems: Windows, RHEL, Kali Linux

Databases: MySQL, MS SQL, Oracle

Penetration Testing: Wireshark, Metasploit Framework

Programming Languages: C, C#, Java, Python, JavaScript, Ruby, Swift, Objective-C

PROFESSIONAL EXPERIENCE:

Confidential, Arlington, VA

Penetration tester

Responsibilities:

  • Perform security analysis and identify possible vulnerabilities in the key derivation function; create vulnerability assessment reports detailing the exposures identified, rate the severity of the system, suggest mitigations for each exposure and test for known vulnerabilities.
  • Identify OWASP Top 10 issues such as SQL injection (SQLi), CSRF, XSS and path manipulation.
  • Perform penetration tests on a different application each week.
  • Perform grey-box and black-box testing of web applications.
  • Create written reports, detailing assessment findings and recommendations.
  • Found website security issues (XSS, CSRF, session fixation, SQL injection, information leakage, application logic flaws, etc.) across various platforms.
  • Perform risk assessments to ensure corporate compliance. 
  • Assess session management controls: server-side session state, session termination, session ID randomness, expiration, unique tokens, concurrent logged-in sessions and session fixation prevention.
  • Perform static assessment of various applications using static code analyzers such as HP Fortify.
  • Perform dynamic assessment of applications with HP Fortify and verify false positives.
  • Develop threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
  • Performed static code reviews with the help of the automation tools Veracode and Checkmarx.
  • Perform the penetration testing of mobile (Android and iOS) applications, specifically, APK reverse engineering, traffic analysis and manipulation, dynamic runtime analysis.
  • Execute daily vulnerability assessments, threat assessment, mitigation and reporting activities to safeguard information assets and ensure protection has been put in place on the systems. 
  • Perform, review and analyze security vulnerability data to identify applicability and false positives. 
  • Work closely with research and development teams for vulnerability remediation.
  • Analyze and assess risk in the environment.
  • Identify issues in the web applications in various categories like Cryptography, Exception Management.
  • Work with software development teams, DB/Unix administrators and solution architects as a subject matter expert related to security compliance with PCI DSS and industry standards.
  • Analyze parsed data from Qualys, Nessus for Vulnerability Remediation.
  • Work on vendor-based applications, middleware and layered products.
  • Provide both strategic analysis and near real-time auditing, investigating, reporting, remediation, coordinating and tracking of security-related activities for customers.
  • Analyze data and prepare reports that document vulnerabilities exposed to network-based attacks and recommend actions to prevent, repair or mitigate them.
  • Skilled in using tools such as Acunetix Automatic Scanner, Nmap, DirBuster, QualysGuard, Nessus, HP Fortify, HP WebInspect and IBM AppScan for web application penetration tests and infrastructure testing.
  • Perform remediation activities for applications, operating systems, databases, middleware, digital certificates, layered products and Java.
  • Identify issues in session management, input validation, output encoding, exception logging, cookie attributes, encryption and privilege escalation.
  • Proactively identified system vulnerabilities to reduce or eliminate potential exploitation using Nessus Security Center and Passive Vulnerability Scanning. 
  • Work on Enterprise Release Management and Governance activities. 
  • Work closely with all competency teams to effectively and efficiently remediate vulnerabilities. 
  • Use Qualys, SPI, Remedy and various other tools in remediation effort.
  • Performed scanning, analyzed the data and took remediation steps.

Confidential, Richmond, VA

Application security engineer

Responsibilities:

  • Developed Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in development and production environments.
  • Performed manual and automated source code reviews (Java/J2EE/Spring/.NET/JavaScript) using IBM AppScan.
  • Configured SafeNet ProtectDB to enable column level encryption for securing confidential customer credit card data.
  • Designed security architecture for web and mobile apps. Reviewed Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
  • Managed security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10, SANS Top 25). Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting and SQL Injection weaknesses within the code.
  • Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
  • Administered certificate management, key configuration and implemented dual keys to address segregation of duties issue between DBAs and security admins.
  • Participated in the development of IT risk assessments for enterprise applications, using the NIST framework.
  • Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Developer plug-ins to various development teams across the business lines.
  • Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, BurpSuite, HP WebInspect, HP Fortify and eliminated false positives.
  • Produced executive summary reports showing the security assessments results, recommendations and risk mitigation plans and presented them to the respective business sponsors and senior management.
  • Conducted monthly developer workshops to educate and train developers on the secure SDLC, scanning source code with IBM AppScan Source, and triaging and resolving security vulnerabilities.
  • Participated in the implementation of AWS cloud security for applications being deployed in the cloud. Developed AWS WAF web ACLs (WACLs) and configured rules and conditions to detect security vulnerabilities at CloudFront.
  • Worked with DevOps teams to automate security scanning into the build process.
  • Reviewed Android and iOS mobile source code manually and recommended code fixes.
  • Participated in the Proof of Concept (POC) in implementing Arxan application protection software for Mobile apps.
  • Analyzed security incidents originating from various network/application monitoring devices (e.g., Symantec Vontu DLP) and coordinated with engineering teams on tracking and problem escalation, including remediation.
  • Developed secure SDLC policies and standards for Web and Mobile apps.

Confidential, Indianapolis, IN

Penetration tester

Responsibilities:

  • Performed security reviews of application designs, source code and deployments as required, covering all types of applications (web application, web services, mobile applications, SaaS) 
  • Acquainted with various approaches to grey-box and black-box security testing.
  • Performed in-depth internal and external network penetration tests.
  • Identified Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and SANS Top 25, prioritizing them by criticality.
  • Maintained network performance through network monitoring and analysis, performance tuning and troubleshooting of network problems. Skilled in using Burp Suite, Acunetix Automatic Scanner, Nmap, DirBuster, HP Fortify, QualysGuard, Nessus and sqlmap for web application penetration tests and infrastructure testing.
  • Played a vital role in the vulnerability management/security function.
  • Performed threat modeling of projects by engaging before development began, improving security in the initial phase.
  • Performed functional testing of security solutions such as RSA two-factor authentication, Novell single sign-on, DLP and SIEM.
  • Trained the development team on the most common vulnerabilities and common code review issues and explained the remediation.
  • Followed up on raised vulnerabilities by revalidating them and ensuring 100% closure.
  • Conducted Dynamic and Static Application Security Testing (SAST & DAST). 
  • Conduct external, internal, wireless, and segmentation penetration testing for clients in their Payment Card Industry (PCI) environments. 
  • Provide remediation validation for clients in compliance with PCI Data Security Standards to provide a passing vulnerability scan.
  • Developed, implemented and documented formal security programs and policies.
  • Wrote reports using a standardized method (the CVSS v2.0 calculator) for rating IT vulnerabilities and determining the urgency of response.
  • Provided details of the issues identified and the remediation plan to the stakeholders.
  • This experience has allowed me to find and address security issues effectively, implement new technologies and resolve security problems efficiently. With a strong background in application (software) security, network communications and systems, I look forward to implementing, creating, managing and maintaining information security frameworks for large-scale, challenging environments.

Confidential

Jr. Penetration tester

Responsibilities:

  • Conducted white-box and grey-box penetration testing of financial systems using Kali Linux and Cobalt Strike, covering OWASP Top 10 vulnerabilities such as XSS, SQL injection, CSRF and privilege escalation, and all the test cases of web application security testing.
  • Responsible for assessing the controls to identify gaps and for designing and analyzing segregation of duties and least privilege for the application.
  • Skilled in using Burp Suite, Acunetix Automatic Scanner, Nmap and DirBuster for web application penetration tests.
  • Conducted Vulnerability Assessment on various applications. 
  • Strong written and oral communication skills with the ability to explain technical ideas to non-technical individuals at any level.
  • Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, Authentication bypass, Weak Cryptography, Authentication flaws etc. 
  • Identify issues on Session Management, Access Control, Cryptographic practices.
  • Collaborating on cross-team and cross product technical issues with a variety of resources including development to document software defects and customer suggestions.
  • Conducted security assessment of PKI Enabled Applications.
  • Provided security implementation for authorization through controls such as the principle of least privilege, relinquishing privileges when not in use, non-guessable tokens and forced browsing prevention.
  • Performed vulnerability assessments on web applications to identify issues and prioritize them by risk level.
  • Performed security assessments of online applications to identify vulnerabilities in categories such as input and data validation, authentication, authorization, and auditing and logging.
  • Trained the development team on the most common vulnerabilities and common code review issues and explained the remediation.
  • Followed up on raised vulnerabilities by revalidating them and ensuring their closure.