Lead Security Engineer Resume
NY
PROFESSIONAL SUMMARY:
- Over 10 years of experience in the financial and insurance industries, specialized in API Security, Network Security Architecture & Design, Security Operations (SOC), Security Information and Event Management (ArcSight SIEM, Splunk), Compliance Assessment & Risk Management, Penetration Testing, Secure Coding, Mobile Security, Security Controls and Validation, IT Security Risk Assessments, and Regulatory Compliance.
- Working knowledge of the OWASP Top 10 and SANS Top 25 software guidelines and of the Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA/HITECH and Sarbanes-Oxley Section 404 (SOX).
- Implementation experience in OAuth2.0, SAML, SSO, OpenID.
- Hands-on with HP ArcSight ESM, Logger and Express installation, configuration and content development.
- Experience with Splunk in investigating various events related to security incidents.
- Knowledge of Penetration Testing, DAST, SAST and manual ethical hacking.
- Experience in conducting IT Security Risk Assessments in accordance with the NIST and FFIEC frameworks.
- Performed security design and architecture reviews for web and mobile applications.
- Hands-on experience in developing threat models, security controls, threat analysis, creation of risk control matrices and risk mitigation strategies.
- Worked in an Agile model, conducting Daily Scrum/Stand-ups, Backlog Grooming, Sprint Planning and Sprint Review.
- Working knowledge of AWS Cloud Security in implementing Web Application Firewalls (WAF).
- Working knowledge of cloud security engineering and administration for SaaS, PaaS, and IaaS (including AWS and Azure).
- Ability to handle multiple tasks and work independently as well as in a team.
- Strong technical aptitude combined with strong analytical, problem-solving and communication skills and a solid work ethic.
TECHNICAL SKILLS:
Security Tools: AppDetect, AppRador, JHijack, Metasploit Pro, OWASP Zed Attack Proxy (ZAP), SQLMAP, Wireshark, WebScarab, Paros, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec Vontu, DBProtect, ArcSight SIEM, Logger, Express, e-DMZ Password Auto Repository (PAR), Varonis, Amazon Web Services (AWS) Cloud security.
SIEM: HP ArcSight ESM, Logger, SmartConnectors, Express, Splunk
Networking: Symantec Vontu DLP, Check Point, Palo Alto, Cisco, IDS/IPS, Anti-virus, BMC BladeLogic, Remedy.
Operating Systems: Oracle Solaris UNIX, RedHat Linux 4/5, Windows Server 2003/2008.
DAST and SAST tools: IBM AppScan Enterprise (ASE), Standard & Source editions, HP WebInspect, QualysGuard, BurpSuite Pro, Acunetix, GWT, YUI, Fortify SCA, SQLMAP
Java & J2EE Technology: Spring Framework, EJBs, Struts2, Servlets, JavaServer Pages (JSPs), JMS, Java Mail API, jQuery, JNDI, LDAP, JDBC, JTS, RMI, AWT, Swing, Socket Programming, IONA Orbix CORBA.
Application Servers: WebLogic Server, iPlanet, Netscape Application Server and Microsoft IIS.
Languages: Java, C/C++, C#.NET, Perl, UML.
Scripting Languages: Python, AngularJS, XML, XSLT, XPath, HTML/JavaScript/jQuery, AJAX, Azure, PowerShell, ADFS
Middleware: TIBCO EMS, SharePoint, IBM WebSphere MQ, JMS
Databases: Oracle, MS SQL Server, Sybase.
Web Services: RESTful/SOAP, SOA, UDDI, WSDL.
Web Servers: Apache Tomcat, Netscape Enterprise Server 3.5, JBoss and JRun.
PROFESSIONAL EXPERIENCE:
Confidential, NY
Lead Security Engineer
Responsibilities:
- Developed security requirements for both infrastructure and applications (web and mobile) and worked with infrastructure engineering, application development, DBA and SysAdmin teams to make sure the requirements were incorporated into the systems during the design and architecture phase of the delivery life cycle.
- Implemented authentication solutions for various types of applications using OAuth2.0, SAML and OpenID.
- Managed security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10, SANS Top 25). Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting, Cookie Poisoning, Session Management/Hijacking, and SQL Injection related attacks within the code.
- Good understanding of web application attacks including SQLi, XSS, CSRF, and other common security issues beyond the OWASP Top 10.
- Designed security architecture for web and mobile apps. Reviewed Solution overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
- Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
- Implemented CA API Management (CA APIM) to support identity federation and Single Sign-on (SSO).
- Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Developer plug-ins to various development teams across the business lines.
- Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by IBM AppScan, BurpSuite, Imperva WAF, HP WebInspect and HP Fortify, and eliminate false positives.
- Participated in the development of IT security risk assessments for enterprise applications. The NIST framework was utilized for IT risk assessments. This included leading the data discovery meetings, identifying existing controls and validating them against the expected controls. The control gaps or non-compliance with security policies were presented to the stakeholders for remediation.
- Working knowledge of Splunk in developing search queries, including knowledge objects such as Event Types, Tags and Database Queries.
- Configured SafeNet ProtectDB to enable column level encryption for securing confidential customer data.
- Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
- Performed the API security testing of web services including SOAP, REST, and JSON/XML.
- Performed penetration testing for mobile applications.
- Implemented authentication for applications using web application vulnerability scanning tools (IBM AppScan, IBM AppScan Source, HP Fortify, HP WebInspect, BurpSuite, ZAP, Kali Linux, etc.).
- Implemented SSO for Azure AD and mobile applications.
- Good configuration knowledge of SSO, Fortify, Checkmarx, AppScan and Cenzic for web and mobile applications, and remediation of issues.
- Strong knowledge of web application security and web-related protocols (HTTP, HTTP/2, SSL, WebSockets, etc.).
- Administered cryptography, public and private key management and implemented dual keys to address segregation of duties issue between DBAs and security admins.
- Generated executive audit summary reports showing the security assessments results, recommendations and risk mitigation plans and presented them to the respective business sponsors and senior management.
- Worked with DevOps teams to automate security scanning into the build process.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed Web ACLs (WACLs) and configured rules and conditions to detect security vulnerabilities in CloudFront.
- Developed security best practices for the applications and infrastructure deployed in AWS.
- Analyzed security incidents originating from various network/application monitoring devices (e.g., Symantec Vontu DLP) and coordinated with Engineering teams for tracking and problem escalation, root cause analysis, and remediation.
- Performed the penetration testing of mobile (Android and iOS) applications, specifically, APK reverse engineering, traffic analysis and manipulation, dynamic runtime analysis.
Confidential, Warren, NJ
Sr. Infrastructure Security Engineer
Responsibilities:
- Developed and enhanced ArcSight SIEM rules, queries, filters, dashboards, reports, channels, and custom active lists.
- Implemented HP ArcSight ESM including, correlation rules, data-monitors, reports, event annotation stages, case customization, active lists, and pattern discovery.
- Supported the integration of ArcSight with other operational applications.
- Installed and configured ArcSight ESM console. Developed search filters, rules and lists.
- Configured and troubleshot build tools such as CruiseControl, Jenkins, Ant and Maven.
- Created Active Channels and Field Sets.
- Generated ad-hoc reports as well as scheduled reports set up on calendars for automatic generation.
- Administered ArcSight users and groups.
- Configured ArcSight Smart and Flex Connectors and new data feed ingestion.
- Performed the maintenance, monitoring, troubleshooting and restoration of the ArcSight platform.
- Performed pen testing of both internal and external networks as per PCI-DSS standards. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store credit card information.
- Implemented Tripwire to detect unauthorized access to confidential data files in the production environment. Installed and configured Splunk, set up search filters and tags, and helped security teams in investigating security incidents.
- Implemented authentication for applications using OAuth and SAML frameworks.
- Reviewed security vulnerability reports for applications and databases, analyzed and worked extensively with the development teams for the implementation of mitigating controls.
- Implemented authentication for applications using web application vulnerability scanning tools (IBM AppScan, IBM AppScan Source, HP Fortify, HP WebInspect, BurpSuite, ZAP, Kali Linux, etc.).
- Implemented IBM AppScan standard, source editions, HP WebInspect and QualysGuard web application scanners. In addition, the security tools Metasploit and BurpSuite were utilized for manual penetration testing.
- Performed security assessments for the client-facing apps. The associated IT infrastructure such as database management systems, middleware systems, web services (SOA) were also included in the security assessments.
- Conducted pen testing for the Web Services (SOA) used by various travel agency partners to connect to Wyndham for booking and reservations.
- Reported security findings, recommendations and presented to the business users, executive committee and Compliance departments.
- Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
- Conducted workshops and user awareness training on security policies, procedures and baselines.
- Worked with software development teams, DB/Unix administrators and solution architects as a subject matter expert related to security compliance with PCI DSS and industry standards.
- Worked with Internet Engineering team in the design and configuration of BlueCoat Internet proxy. Implemented WebFilter database for URL content Filtering.
- Developed security policies and baselines for mobile and web applications. Performed compliance audits to ensure security policies and baselines have been adequately implemented.
- Participated in the implementation of SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
- Developed correlation rules for Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring.
- Performed PCI pre-assessment audit for the entire network as well as the related applications in preparation for the annual external PCI compliance audit.
Confidential, Framingham, MA
Information Security Engineer
Responsibilities:
- Participated in the deployment of Security Incident and Event Management (SIEM) system. Reviewed technical specifications for SIEM, logging and proposed recommendations to improve the overall deployment of the solution.
- Hands-on experience in installation, configuration, maintenance and administration of Check Point Firewall R55 up to R77.20, Secure Platform installation, VPN, DMZ, clustering, and HA.
- Administered, maintained, and deployed Imperva web application firewall, Check Point IPS & VPN systems, and McAfee network-based Data Loss Prevention (DLP) devices.
- Developed security compliance programs for IT infrastructure supporting various business lines to facilitate end-to-end compliance with global as well as HIPAA/HITECH regulations.
- Managed Telecommunications security audit mission covering Voice over IP (VoIP) infrastructure implemented in the firm.
- Conducted security compliance audits covering Disaster Recovery (DR) simulations and its adherence to security policies and standards (SOX, FFIEC, SysTrust, SSAE 16).
- Performed penetration testing for external facing web applications. Security areas covering DMZ architecture, threat modeling, secure coding practices (i.e., OWASP standards) and vulnerability analysis were assessed.
- Conducted security assessments for various applications supporting various businesses. The web application infrastructure such as IBM WebSphere, Apache Tomcat, and IIS web/application servers were reviewed for compliance with the firm's security baselines.
- Managed security assessments for various types of Operating Systems (O/S) used by the firm. The security audits of RedHat Linux, SharePoint, Oracle Solaris, Windows (including Active Directory) and IBM AIX were conducted. Several control enhancements, specifically, on the patch management process, were recommended.
- Executed database management system assessments across all business lines and entities in the North America hub. Database servers such as Oracle, SQL Server and Sybase were reviewed for compliance with global and local security standards.
- Participated in the integrated security design reviews. Mainly responsible for the review of input/output security, data completeness and accuracy of data reconciliations and timely processing of security batch jobs.
- Excellent communication, relationship-building and interfacing skills, a systematic approach and the ability to work effectively with stakeholders in fast-paced environments.
Confidential
Java Developer
Responsibilities:
- Designed and developed a suite of applications used by the internal audit department, including BPlanner, OATS, and Time tracking systems.
- Developed server-side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs).
- Automated code deployment to production environment by creating tasks using ANT deployment tool.
- Developed stored procedures, views and triggers using Oracle PL/SQL.
- Designed and implemented RESTful web services.
- Developed the application presentation layer, based on the Spring MVC framework and involving JSP, Servlets, HTML and CSS.
- Developed a web application to store all system information in a central location, using Spring MVC, jQuery, JSP, Servlets, Oracle 10g, HTML and CSS.
- Developed Servlets and utilized Node.js to create a fast and efficient chat server.
- Implemented the Scrum Agile methodology for iterative development of the application.
- Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.
- Used Spring Framework for Dependency injection and integrated with the Hibernate framework for interacting with the Oracle database.
- Analyzed performance issues in the application, related system configuration and developed solutions for improvement.
- Involved in WebLogic and Tomcat application server installation and configuration in production, development and QA environments.
- Conducted training sessions to the rest of the development team on advanced technologies, code reviews and discussion sessions to ensure that coding standards are followed.