SUMMARY:

­­

• Security Testing Analyst who provides subject matter expertise in Penetration Testing for Web Applications, Infrastructure Network and Social Engineering. .
• Provides enhanced vulnerability analysis and contextual feedback to stakeholders for resolution of discovered vulnerabilities.
• Hands on experience in vulnerability assessment and penetration testing using various tools. Worked on Application Security Analysis for some of the major Clients using IBM App Scan &HP Fortify.
• Experience in Threat Modelling during Requirement gathering and Design phases.
• Generated and presented reports on Security Vulnerabilities to both internal and external customers.
• Highly self - motivated, with strong interpersonal, written, and oral communication skills.
• Having good experience in Secure SDLC and Source Code Analysis (Manual & Tools) on WEB based Applications. ­

TECHNICAL SKILLS:

Platforms: Windows, Kali Linux­­

Database Systems: MySQL, Oracle, MSSQL

Packages: MS Office

­­Languages: Java, C++, C, SQL, XML, JavaScript, PHP, .NET

­­Tools: Nessus, Meta-sploit, Burp Suite pro, Dir-Buster, Wappalyzer, Air cracking, SQL-map, Wireshark, Black Duck, Net-sparker, HP Fortify, Hydra, NMAP, NETCAT, Web Inspect, IBM App Scan and OWASP ZAP Proxy, Nikto, Splunk

PROFESSIONAL EXPERIENCE:

Confidential,CA

Penetration tester

Responsibilities:

• Performed manual security testing on critical client applications.
• Uncovered high vulnerabilities at the infrastructure level for internet facing websites.
• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 prioritizing them based on the criticality.
• Maintains network performance by performing network monitoring and analysis, performance tuning, troubleshooting network problems. Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP, Dir-Buster, HP Fortify, Qualys-guard, Nessus, SQL Map for web application penetration tests and infrastructure testing.
• Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
• Involved in Software Development Life cycle (SDLC) to ensure security controls are in place.
• Conducted Dynamic and Static Application Security Testing (SAST & DAST).
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing system by performing Vulnerability assessment and pen testing for our clients.
• Experience in using Kali Linux to do web application assessment with tools like Dir-buster and NMAP.
• Proficient in understanding application level vulnerabilities like XSS, SQL Injection, authentication bypass, authentication flaws and exception management etc.
• Using various Firefox add-ons like Flag fox, Live HTTP Header to perform the pen test.
• Network scanning using tools like NMAP and Nessus.
• Threat modeling of the Project by involving before development and improving the security at the initial phase.
• Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
• Security testing of APIs using SOAP UI.
• Manual Code review to find logic flaw which are not identify by Automated Tool.
• Reviewed source code and developed security filters within Appscan for critical applications.
• Provide remediation validation for clients in compliance with PCI Data Security Standards to provide a passing vulnerability scan.
• Training the development team on vulnerabilities, review issues, ease of exploitation, impact, security requirements and remedies for individual issues.
• Providing details of the issues identified and the remediation plan to the stake holders.
• Communicating and coordinating day-to-day project activities within the project team and assure that priorities are developed and known.
• Create Vulnerability Assessment report detailing exposures that were identified, rate the severity of the system, and suggestions to mitigate any exposures and testing known vulnerabilities
• Involved in report writing using standardized method for rating IT vulnerabilities and determining the urgency of response. (CVSSv2.0 Calculator.)

Confidential,VA

Security Tester

Responsibilities:

• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top10 and SANS 25 prioritizing them based on the criticality.
• Acquainted with various approaches to Grey box & Black box security testing.
• Analyzed product requirements, outlined test plans and conducted tests.
• Identified vulnerabilities of applications by using proxies like Burp Suite to validate the server side validations.
• Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM Appscan, HP Fortify, Burp Suite, HP Web inspect and eliminated false positives
• OWASP Top 10 Issues identifications like SQLi, CSRF, XSS, XML injection, Path traversal, IDOR, and file upload vulnerabilities.
• Executed different payloads to attack the system using XSS.
• Extensive Interaction with the customer in understanding the business issues, requirements, doing exhaustive analysis and providing end-to-end solutions.
• Experience in detecting - SQL injection, XML injection, techniques to obtain command prompts on the servers, PDF exploits, HTTP response splitting attacks, CSRF, web services vulnerabilities, Anonymity (TOR) traffic identification - DOS pattern identification using Artificial Intelligence algorithms etc.
• Implemented remote VPN access allowing users to use their active directory credentials to authenticate using Microsoft internet authentication server using RADIUS protocol.
• Assisting customer in understanding risk and threat level associated with vulnerability so that customer may or mayn't accept risk with respect to business criticality.
• Assisting in preparation of plans to review software components through source code review or application security review
• Played vital role in Vulnerability Management/Security position.
• Use Splunk to parse data from event and system logs. Use relevant data to identify attackers on compromised hosts.
• Utilized WhiteHat to also perform SAST and DAST on production applications.
• Responsible for performing security code reviews and application risk assessments for customer facing applications. Audited applications written in Java/JSP, VB.NET, ASP.NET, C#, C/C++ . Utilized OWASP and Ounce Labs formal methodology to conduct code reviews and risk assessments.
• Monitor, Analyze and respond to security incidents in the infrastructure. Investigate and resolve any security issues found in the infrastructure according to the security standards and procedures.
• Conduct external, internal, wireless, and segmentation penetration testing for clients in their Payment Card Industry (PCI) environments.
• DLP (Data Loss Prevention) - monitoring PHI, PII data travelling across the network in accordance with PCI and HIPAA compliance.
• Providing details of the issues identified and the remediation plan to the stake holders.
• Actively search for potential security issues and security gaps that are beyond the ability of detection by any security scanner tool. Initiate and develop new mechanisms to addresses unidentified security holes & challenges.
• Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.

Confidential

Pen Tester/ Security Tester

Responsibilities:

• Conduct Business Impact Analysis & Risk Analysis, Business Continuity Drill and IT Contingency Plan testing.
• Worked on Application Security Analysis for some of the major Clients using IBM AppScan & HP Fortify
• Responsible for identifying and escalating vulnerability assessment and Penetration testing results.
• OWASP Top 10 Issues identifications like SQLi, CSRF, XSS
• Worked on Directory Traversal attacks manually.
• Performed Static and Dynamic Analysis and Security Testing (SAST and DAST) for various applications as per firm's security standards (i.e., OWASP, SANS 25).
• Implemented Agile Methodology to follow the work flow process.
• To address and integrate Security in SDLC by following techniques like Threat Modelling, Risk Management, Logging, Penetration Testing, etc.
• Implementing the CAPTCHA to prevent CSRF by specifying the user to re-authenticate.
• Identified hidden files using Dir-buster.
• Involved in the meetings with the developers regarding the awareness to minimize security risks.
• Re-test the application to check if the findings were fixed.
• Worked on DOM based XSS manually.
• Refined Management to highly sensitive Computer Security Controls to ensure appropriate system administrative actions, investigate and report on noted irregularities.
• Extensive Knowledge of Information Security technology / testing methodologies.
• Conducted backend-testing on database using SQL queries to ensure integrity and consistency of the data.
• Assist developers in remediating issues with Security Assessments with respect to OWASP standards.
• Providing fixes & filtering false findings for the vulnerabilities reported in the scan reports. Adding new vulnerabilities to the Vulnerability Database for various platforms with proper exploits.