Sr. Information Security Engineer/architect Resume
Pittsburgh, PA
SUMMARY:
Over 9 years of experience in application security, mobile and data security, risk assessments, cryptography, secure coding, security architecture and design, and software development in diverse industries, including financial, healthcare and high-tech.
EXPERTISE AREA:
Application/Software Security, Security Architecture, Vulnerability/Risk Management, Third Party/Vendor Security, Threat Modeling, Source Code Review, Secure Software Development Life Cycle (SDLC), Penetration Testing, Mobile Security (iOS and Android), Advertising Tech Security, Application Security Monitoring, AWS Cloud Security, Security Audits, Security Research, Thought Leadership, Incident Response.
TECHNICAL SKILLS:
Languages: Java, J2EE/JEE, C/C++, C#, PHP, Python, CGI/Perl, SQL, ASP.net, Shell Scripting
Operating Systems: Linux, UNIX (Solaris, AIX), Windows, iOS, Android
Security Tools: IBM AppScan, Burp, WebScarab, ZAP, HP Fortify, HP WebInspect, Veracode, DbProtect, AppDetective, Checkmarx, Nessus, Nexpose, Nmap, Wireshark, tcpdump, Metasploit, Kali Linux.
Database Servers: Oracle, MySQL, SQL Server
Protocols: HTTP, HTTPS, SSL/TLS, SSH, SMTP, IPSec, DNS, TCP/IP, PKI, VPN, Digital Certificates, HIDS/NIDS, Cryptography, Firewalls, ModSecurity, AppSensor
Web Servers and Development Environment: Apache, IIS, Nginx, iPlanet, JBoss, WebLogic, WebSphere, MFA, HTML, SSO, SAML, OAuth, OpenID, JavaScript, AJAX, XML, jQuery, JSON, CSS, ANT, Maven, SVN, Git, RCS, Eclipse, Visual Studio, REST, SOAP, WSDL, MVC, Spring, SOA, Struts, Hibernate, SharePoint.
PROFESSIONAL EXPERIENCE:
Confidential, Pittsburgh, PA
Sr. Information Security Engineer/Architect
Responsibilities:
- Managed security assessments to ensure compliance with the firm's security standards (i.e., OWASP Top 10, SANS Top 25). Specifically, security testing was performed to identify XML External Entity (XXE), Cross-Site Scripting, Clickjacking, and SQL Injection related weaknesses within the code.
- Developed Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments.
- Reviewed source code (Java/J2EE/Spring/JavaScript) and developed security filters within IBM AppScan for critical applications.
- Configured SafeNet ProtectDB to enable column level encryption for securing confidential customer data.
- Designed security architecture for web and mobile apps. Reviewed Solution Overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns.
- Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
- Implemented file system security by applying hashing techniques for protecting data stored in files on the file servers.
- Conducted security audits of web and mobile applications and recommended secure coding practices to the developers. Played the role of an SME for secure coding guidelines for enterprise applications across the business lines.
- Administered cryptography and certificate management, and implemented dual keys to address the segregation-of-duties issue between DBAs and security admins.
- Participated in the development of IT risk assessments for enterprise applications, using the NIST framework.
- Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Developer plug-ins to various development teams across the business lines.
- Worked extensively with software development teams to review source code, triage the security vulnerabilities reported by IBM AppScan, Burp Suite, HP WebInspect, HP Fortify and Checkmarx, and eliminate false positives.
- Generated executive summary reports showing the security assessments results, recommendations (CWE, CVE) and risk mitigation plans and presented them to the respective business sponsors and senior management.
- Conducted monthly developer workshops to educate and train developers on the secure SDLC, scanning source code with IBM AppScan Source, and triaging and resolving the reported security vulnerabilities.
- Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed WAF web ACLs (WACLs) and configured their rules and conditions to detect attacks against applications served through CloudFront.
- Worked with DevOps teams to automate security scanning into the build process.
- Reviewed Android and iOS mobile source code manually and recommended code fixes.
- Participated in the Proof of Concept (POC) in implementing Arxan application protection software for Mobile apps.
- Analyzed security incidents originated from various network/application monitoring devices (e.g., Symantec Vontu DLP) and coordinated with Engineering teams for tracking and problem escalation, including remediation.
- Performed penetration testing of mobile (Android and iOS) applications, specifically APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.
- Developed secure SDLC policies and standards for Web and Mobile apps.
Confidential, Sterling, VA
Sr. Security Engineer
Responsibilities:
- Performed security assessments (asset inventory, scanning, manual code reviews, penetration tests) of applications for compliance with policies, standards and best practices and worked with stakeholders on vulnerability mitigation.
- Participated in the implementation of SafeNet product for encrypting customer credit card information using Public Key Infrastructure (PKI).
- Developed correlation rules for the Security Information and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring.
- Collaborated with global Network, Platform, Engineering, and Dev teams around architecture design and review.
- Implemented application security program and provided subject matter expertise on code reviews, threat intelligence, third party/vendor security, compliance & policy and training.
- Gained experience with Identity and Access Management (IAM) and the development of user roles and policies for user access management.
- Prepared technical documentation which included vulnerability reports, checklists, metrics, enrollment forms, DAST & SAST play books and user guides.
- Worked with the Internet Engineering team on the design and configuration of the Blue Coat Internet proxy. Implemented the WebFilter database for URL content filtering.
- Researched, initiated and drove the evaluation of tools, technologies, processes, policies, controls, standards to maintain and enhance the security of applications.
Confidential, Chicago, IL
Security Engineer
Responsibilities:
- Enacted application security program and performed security assessments (threat modeling, code reviews, penetration tests) of applications/infrastructure for compliance with policies, standards and best practices and worked with teams concerned on vulnerability mitigation.
- Developed secure standard control libraries in Java and .NET for use by development teams across the organization.
- Researched, initiated and drove the evaluation of tools/technologies/processes to maintain and enhance the security of applications.
- Designed, implemented, documented, and managed Penetration Tests & Audits of Applications & Databases for Security & Compliance and explained security risks in common terms to assist system owners in prioritizing system enhancements.
- Prepared technical documentation which included release notes, change requests, vulnerability reports, checklists and user guides.
- Reviewed and evaluated 3rd party security assessments.
Confidential
Java/J2EE Developer
Responsibilities:
- Developed company's principal Website, the lead generation mechanism for selling insurance over the Internet.
- Developed the complete front end and back end using JSPs and Servlets.
- Designed and developed effective internal Web applications, relational database and stored procedures to analyze and monitor all activities related to Web-based sales.
- Developed application presentation layer, which is based on Spring MVC framework involving JSP, Servlets and HTML, CSS.
- Developed a web application to store all system information in a central location, using Spring MVC, jQuery, JSP, Servlets, Oracle 10g, HTML and CSS.
- Automated sales monitoring and credit/identity verification application processes, decreasing costs and improving quality.
- Created documents related to System Development Life Cycle (SDLC) deliverables.
- Assisted in business process design and documentation as needed for new technology solution implementations.