Application Security Analyst Resume
Chicago, IL
Experience Summary:
- More than 5 years of experience in the financial and telecom industries, specializing in Web Application Security, Logging and Alerting, Security Architecture & Design, Penetration Testing, Secure Coding, Mobile Application Security, Application Security Controls and Validation, Risk Assessments and Regulatory Compliance.
- Hands-on experience in developing threat models, security controls, threat analysis, risk control matrices and risk mitigation strategies.
- Hands-on with Penetration Testing, DAST, SAST and manual ethical hacking.
- Experience in conducting IT Security Risk Assessments in accordance with the NIST and FFIEC frameworks.
- Worked with global security teams performing application and IT infrastructure security assessments.
- In-depth knowledge of penetration testing for web and mobile (iOS and Android) applications.
- Performed security design and architecture reviews for web and mobile applications.
- Working knowledge of the OWASP Top 10 guidelines, Federal Financial Institutions Examination Council (FFIEC) regulations, the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA.
- Ability to handle multiple tasks and work independently as well as in a team.
- An effective team player in challenging and creative environments, with a strong capacity to adopt new technologies and skills.
- Strong technical aptitude, with strong analytical and problem-solving skills, work ethic and communication skills.
Technical Skills:
Security Tools: AppDetective, AppRadar, Oracle Identity Manager, Oracle Access Manager, JHijack, OWASP Zed Attack Proxy (ZAP), sqlmap, Wireshark, WebScarab, Paros, Nmap, Nessus, Rapid7 Nexpose, Tripwire, Symantec Vontu, DbProtect, ArcSight SIEM, Varonis, Amazon Web Services (AWS) cloud security.
DAST and SAST Tools: IBM AppScan Enterprise (ASE), Standard and Source editions, HP WebInspect, Burp Suite Pro, Acunetix, HP Fortify SCA, sqlmap.
Operating Systems: Oracle Solaris, Red Hat Linux 4/5, Windows Server 2003/2008.
Application Servers: WebLogic Server, Netscape Application Server and Microsoft IIS.
Languages: Java, Python, C/C++, C#/.NET, UML.
Scripting and Web Technologies: AngularJS, XML, XSLT, XPath, XQuery, HTML, JavaScript, jQuery, AJAX.
Databases: Oracle, MS SQL Server.
Web Services: RESTful/SOAP, SOA, UDDI, WSDL.
Web Servers: Apache Tomcat, Netscape Enterprise Server 3.5, JBoss and JRun.
Professional Experience:
Confidential, Chicago, IL
Application Security Analyst
Responsibilities:
- Developed an enterprise-level Application Security program (DAST and SAST) to identify, report and remediate security vulnerabilities in applications deployed in DEV, PRE-PROD and PROD environments.
- Reviewed source code (Java/J2EE/Spring/FTL/JavaScript) and developed security filters within IBM AppScan for critical applications.
- Managed security assessments to ensure compliance with the firm's security standards (e.g., OWASP Top 10, SANS Top 25). Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting (XSS) and SQL Injection vulnerabilities within the code.
- Developed a threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase.
- Implemented file system security by applying hashing techniques to protect data stored in files on file servers.
- Rolled out IBM AppScan products (Enterprise (ASE), Standard, Source and developer plug-ins) to development teams across the business lines.
- Worked extensively with software development teams to review source code, triage the vulnerabilities reported by IBM AppScan, Burp Suite, HP WebInspect and HP Fortify, and eliminate false positives.
- Generated executive summary reports of security assessment results, recommendations and risk mitigation plans, and presented them to the respective business sponsors and senior management.
- Worked with DevOps teams to automate security scanning in the build process.
- Reviewed Android and iOS mobile source code manually and recommended code fixes.
- Participated in a Proof of Concept (POC) implementing Arxan application protection software for mobile apps.
- Analyzed security incidents originating from various network/application monitoring devices (e.g., Symantec Vontu DLP) and coordinated with engineering teams on tracking, escalation and remediation.
- Performed penetration testing of mobile (Android and iOS) applications, specifically APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.
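The file-integrity control mentioned above (hashing files on file servers) is the kind of check that tools such as Tripwire automate. The following is an added Python example, not code from any employer on this résumé: it builds a SHA-256 baseline of a directory tree, re-scans it to report modified, added and removed files, and signs the stored baseline with an HMAC so that an attacker who edits files and rewrites the baseline is still detected. The directory contents and the HMAC key are constructed for illustration; in practice the key and the signed baseline are kept off the monitored host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16  # hash in 64 KiB chunks so large files are not read into memory


def sha256_file(path):
    """Hex SHA-256 digest of a file, computed incrementally."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map POSIX-style relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline, current):
    """Classify drift between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def sign_baseline(baseline, key):
    """HMAC-SHA256 over the canonical JSON form of the baseline.

    Without this, anyone who can modify files can regenerate the baseline too.
    """
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline, key, tag):
    """Constant-time check that a stored baseline matches its signature."""
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def demo():
    """Baseline a constructed directory, tamper with it, and report what is detected."""
    key = b"constructed-demo-key-keep-off-host"  # hypothetical key, for illustration only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "app.properties").write_bytes(b"db.url=jdbc:oracle:thin:@db:1521/ORCL\n")
        (root / "lib" / "core.jar").write_bytes(b"PK\x03\x04 constructed jar contents")

        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)

        # Simulated tampering: config pointed elsewhere, a library swapped for an unknown one.
        (root / "app.properties").write_bytes(b"db.url=jdbc:oracle:thin:@evil:1521/ORCL\n")
        (root / "lib" / "core.jar").unlink()
        (root / "lib" / "dropped.jar").write_bytes(b"PK\x03\x04 unexpected jar")

        drift = compare_baseline(baseline, build_baseline(root))

        # An attacker who updates the baseline entry for the edited file lacks the key,
        # so the signature no longer verifies.
        forged = dict(baseline)
        forged["app.properties"] = sha256_file(root / "app.properties")

        return {
            "drift": drift,
            "baseline_ok": verify_baseline(baseline, key, tag),
            "forged_ok": verify_baseline(forged, key, tag),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script, it prints the drift report and the two verification results. A hash baseline detects unauthorized change; it does not keep file contents confidential, which still requires access controls and, where needed, encryption.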
Confidential
Security Tester
Responsibilities:
- Performed pen testing of both internal and external networks as per PCI DSS requirements. The scope included operating systems (Windows and Linux), external-facing web applications and database servers storing credit card information.
- Reviewed security vulnerability reports for applications and databases, analyzed them and worked extensively with the development teams on implementing mitigating controls.
- Implemented IBM AppScan Standard and Source editions, HP WebInspect, Nessus and QualysGuard web application scanners. In addition, Metasploit and Burp Suite were used for manual penetration testing.
- Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web and mobile applications, including database and middleware systems.
- Implemented HP ArcSight ESM, including correlation rules, data monitors, reports, event annotation stages, case customization, active lists and pattern discovery.
- Conducted pen testing of the web services (SOA) used by various travel agency partners to connect to Wyndham for bookings and reservations.
- Reported security findings and recommendations and presented them to business users, the executive committee and the Compliance department.
- Performed Static and Dynamic Application Security Testing (SAST and DAST) for various applications as per the firm's security standards (e.g., OWASP, SANS Top 25).
- Developed security policies and baselines for mobile and web applications. Performed compliance audits to ensure security policies and baselines were adequately implemented.
Confidential
Application Security Engineer
Responsibilities:
- Developed security audit programs for the IT infrastructure supporting the Corporate and Investment Banking (CIB) department to facilitate end-to-end compliance with global as well as Federal Financial Institutions Examination Council (FFIEC) guidelines and controls.
- Managed a telecommunications audit mission covering the Voice over IP (VoIP) infrastructure implemented in the firm.
- Performed penetration testing of external-facing web applications. Security areas covering DMZ architecture, threat modeling, secure coding practices (e.g., OWASP standards) and vulnerability analysis were assessed.
- Conducted security assessments for various applications supporting the Corporate & Investment Banking, Loan, Treasury, Equities and FI businesses. Web application infrastructure such as IBM WebSphere, Apache Tomcat and IIS web/application servers was reviewed for compliance with the firm's security baselines.
- Managed security assessments of the various operating systems (O/S) used by the firm. Security audits of Red Hat Linux, Oracle Solaris, Windows (including Active Directory) and IBM AIX were conducted. Several control enhancements, specifically to the patch management process, were recommended.
Confidential
Java Developer
Responsibilities:
- Designed and developed a suite of applications used by the internal audit department, including BPlanner, OATS, and Time tracking systems.
- Developed server-side business components using Java Servlets, JSPs and Enterprise Java Beans (EJBs).
- Automated code deployment to the production environment by creating tasks with the Ant build tool.
- Developed stored procedures, views and triggers using Oracle PL/SQL.
- Designed and implemented RESTful web services.
- Developed the application presentation layer based on the Spring MVC framework, involving JSP, Servlets, HTML and CSS.
- Developed a web application to store all system information in a central location, using Spring MVC, jQuery, JSP, Servlets, Oracle 10g, HTML and CSS.
- Developed Servlets and utilized Node.js to create a fast and efficient chat server.
- Implemented the Scrum Agile methodology for iterative development of the application.
- Involved in system design and enterprise application development using object-oriented analysis in Java/JEE 6.
- Used the Spring Framework for dependency injection, integrated with the Hibernate framework for interacting with the Oracle database.
- Analyzed application performance issues and related system configuration, and developed solutions for improvement.
- Involved in WebLogic and Tomcat application server installation and configuration in production, development and QA environments.
- Conducted training sessions for the rest of the development team on advanced technologies, and held code reviews and discussion sessions to ensure coding standards were followed.
Confidential
Intern - Network Analyst
Responsibilities:
- As an intern, major duties were assisting the network administrator with troubleshooting internal network issues.
- Managed and maintained the Active Directory infrastructure and the respective group policy management.
- Imported, modified and exported network configuration files and network security groups, and implemented Access Control Lists. Assisted the network engineer with network design and implementation.
- Monitored and analyzed packet flow, TCP windowing and port usage; worked with WLAN design, subnetting, NAT and VLANs.
- Monitored and responded to customer tickets on the IT helpdesk service.
- Documented and organized the issues and the steps taken to resolve them.
- Assisted the systems specialist in creating VPN remote access for the entire Confidential chain.