
Security Consultant Resume


Virginia

PROFESSIONAL SUMMARY:

  • Senior web application security professional with over 6 years of experience in information technology assurance, web application penetration testing, secure coding, application security controls and validation, risk assessment, regulatory compliance and the Secure Software Development Life Cycle (secure SDLC).
  • Experience in protecting against SQL injection, script injection, cross-site scripting (XSS) and other common web attack techniques.
  • Experience in secure SDLC and source code analysis (manual and tool-assisted) of web-based applications.
  • Hands-on with DAST, SAST and manual ethical hacking.
  • Expertise in penetration testing and vulnerability scanners.
  • Vulnerability assessment of N-tier applications across multiple business domains, using both manual techniques and automated tools.
  • Worked with global security teams performing IT infrastructure and application security assessments.
  • Excellent knowledge and industry experience in vulnerability assessment and penetration testing of web-based applications.
  • Hands-on experience in developing threat models, security controls and threat analyses, and in creating risk control matrices and risk mitigation strategies.

TECHNICAL SKILLS:

DAST Tools: IBM AppScan Enterprise (ASE), HP WebInspect, OWASP ZAP, Burp Suite.

SAST Tools: HP Fortify (SCA), Checkmarx, Coverity.

Operating Systems: Oracle Solaris UNIX, Red Hat Linux 4/5, Windows Server 2003/2008.

Web Servers: Apache Tomcat, Netscape Enterprise Server 3.5, JBoss and JRun.

Application Servers: WebLogic Server, iPlanet, Netscape Application Server.

Middleware: TIBCO EMS, IBM WebSphere MQ, JMS

Databases: Oracle, MS SQL Server, Sybase.

Web and Scripting Technologies: AngularJS, XML, XSLT, XPath, XQuery, HTML/JavaScript/jQuery, AJAX.

Web Services: REST/SOAP, SOA, UDDI, WSDL.

Audit Tools: Audit Command Language (ACL), Teammate.

PROFESSIONAL EXPERIENCE:

Confidential, VIRGINIA

Security Consultant

Responsibilities:

  • Implemented an enterprise-level application security program (DAST and SAST) to identify, report and remediate vulnerabilities in applications.
  • Used HP Fortify Source Code Analyzer for static analysis and HP WebInspect for dynamic analysis, and triaged the results to eliminate false positives.
  • Conducted security assessments to ensure compliance with the firm's security standards (e.g., OWASP Top 10), including manual testing during code review to identify cross-site scripting and SQL injection flaws.
  • Assessed online applications for vulnerabilities in categories such as input and data validation, authentication, authorization, and auditing and logging.
  • Performed security assessments of PKI-enabled applications.
  • Worked extensively with software development teams to review source code, triage the findings reported by HP Fortify, and eliminate false positives through manual testing with Burp Suite.
  • Developed secure SDLC guidelines for web applications.
  • Generated executive summaries and plan of action and milestones (POA&M) reports presenting assessment results, recommendations and risk mitigation plans, and presented them to the respective business sponsors and senior management.
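As an added illustration of the manual code-review findings described above (example code written for this page, not taken from the resume or any employer's code base): a string-concatenated login query beside its parameterised fix, and an unencoded HTML greeting beside its output-encoded fix, exercised against a constructed in-memory SQLite table and constructed payloads. The function names, table layout and payloads are assumptions chosen for the demonstration.

```python
# Added example (not from the resume): the two classic findings a manual code
# review for OWASP Top 10 issues looks for, each shown in its vulnerable form
# beside the hardened form, and exercised against a constructed in-memory
# SQLite database and a constructed XSS payload so the difference is observable.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with one non-admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'user')")
    conn.commit()
    return conn


# --- SQL injection: vulnerable vs. parameterised -------------------------

def login_vulnerable(conn, username: str, password: str) -> bool:
    """Finding: string-concatenated SQL. Attacker-controlled input becomes
    part of the query grammar, so a crafted username bypasses the password."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username: str, password: str) -> bool:
    """Remediation: bound parameters. The driver passes values separately from
    the statement, so quotes and comment sequences are data, not syntax."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# --- Reflected XSS: vulnerable vs. output-encoded -------------------------

def greet_vulnerable(name: str) -> str:
    """Finding: user input interpolated into HTML without output encoding."""
    return "<p>Welcome, " + name + "!</p>"


def greet_fixed(name: str) -> str:
    """Remediation: HTML-entity encode untrusted data for the HTML body context.
    html.escape(quote=True) also encodes quotes, which covers attribute contexts."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "!</p>"


# Constructed payloads of the kind used to confirm a finding during manual testing.
SQLI_PAYLOAD = "alice' -- "          # comments out the password check
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo() -> dict:
    """Run both payloads through vulnerable and fixed code; return the outcomes."""
    conn = make_db()
    results = {
        "sqli_bypass_vulnerable": login_vulnerable(conn, SQLI_PAYLOAD, "wrong"),
        "sqli_bypass_fixed": login_fixed(conn, SQLI_PAYLOAD, "wrong"),
        "valid_login_fixed": login_fixed(conn, "alice", "s3cret"),
        "xss_script_survives_vulnerable": "<script>" in greet_vulnerable(XSS_PAYLOAD),
        "xss_script_survives_fixed": "<script>" in greet_fixed(XSS_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running the module shows the injected username logging in without a valid password against the concatenated query and failing against the parameterised one, while the same valid credentials still work; the XSS payload survives intact only in the unencoded greeting. In a real review the parameterised query and context-appropriate output encoding are the remediation written into the finding, and the payload run is what turns a suspected finding into a confirmed one.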

Confidential, Mountain View, California

Penetration Tester

Responsibilities:
  • Performed security assessments of client-facing applications and their supporting infrastructure, including database management systems, middleware and SOAP web services.
  • Used Burp Suite, OWASP ZAP and Nessus in web application penetration tests.
  • Implemented Secure Software Development Life Cycle (S-SDLC) processes and developed secure coding practices for web applications.
  • Reviewed vulnerability reports for applications and databases, analyzed the findings and worked extensively with development teams to implement mitigating controls.
  • Implemented QualysGuard vulnerability management for the enterprise.
  • Used Metasploit and Burp Suite for manual testing.
  • Performed black-box penetration testing of internet- and intranet-facing applications.
  • Recommended fixes for vulnerabilities reported in scan results and filtered out false positives.
  • Performed static and dynamic analysis and security testing (SAST and DAST) of various applications according to the firm's security standards (e.g., OWASP Top 10).
  • Developed security policies and baselines for web applications and performed compliance audits to ensure they had been adequately implemented.
  • Documented security findings and recommendations and presented them to business users, the executive committee and compliance departments.

Confidential

Security Consultant

Responsibilities:
  • Identified OWASP Top 10 issues such as SQLi, CSRF and XSS.
  • Prepared risk registers for the client's various projects.
  • Participated in a major merger and advised on segregating the different clients' data and securing PII.
  • Performed manual and automated source code reviews using IBM AppScan.
  • Identified application vulnerabilities using intercepting proxies such as Burp Suite to verify that validation is enforced server-side.
  • Crafted and executed payloads for XSS and other attacks against the system under test.
  • Identified issues in session management, input validation, output encoding, logging, exception handling, cookie attributes, encryption and privilege escalation.
  • Specified and validated logging controls, including authentication and profile-modification logging, log content, retention period, log location, time-source synchronization and HTTP logging.

Confidential

Penetration Tester

Responsibilities:
  • Performed penetration tests on a different application each week.
  • Prepared a security testing checklist for the company.
  • Identified OWASP Top 10 issues such as SQLi, CSRF and XSS.
  • Deployed the OWASP ZAP scanner to identify flaws in applications.
  • Ensured all controls were covered by the checklist.
  • Identified vulnerabilities such as SQLi, XSS, CSRF, RFI/LFI and business-logic flaws.
  • Updated the checklist weekly to keep test cases current with attacks observed in the wild.
  • Gathered information on target applications using services such as Shodan, reverse DNS lookups and Hackertarget.com.
  • Used Firefox add-ons such as Flagfox, Live HTTP Headers and Tamper Data during penetration tests.
  • Performed network scanning with Nmap and Nessus.
  • Used Metasploit to exploit identified vulnerabilities.
