Penetration Tester Resume
Herndon, VA
SUMMARY
- 5 years of experience in the IT industry as a security analyst and penetration tester.
- Static code analysis during the development phase; penetration testing based on the OWASP Top 10.
- Worked as an Information Security Test Consultant, recommending security solutions for new applications incorporating a secure SDLC, and performing OWASP Top 10 based vulnerability assessments of various internet-facing point-of-sale web applications.
- Experience in threat modelling during the requirements gathering and design phases.
- Hands-on experience in vulnerability assessment and penetration testing using tools such as IBM AppScan, HP Fortify, QualysGuard, Burp Suite, Fiddler 2.0, DirBuster, OWASP ZAP Proxy, SQLmap, Nmap, Nessus, FileZilla, Gpg4win Kleopatra, Cain and Abel, Nikto, HP WebInspect, Metasploit, Acunetix.
- Penetration testing based on the OWASP Top 10.
- Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, defence in depth, avoiding security by obscurity, keeping security simple, and fixing security issues correctly.
- Validated false positives and reported the issues.
- Quick learner and committed team player with interpersonal skills; enjoy a challenging environment with scope to improve myself and contribute to the organization.
- Excellent problem-solving and leadership abilities.
TECHNICAL SKILLS
Proxy Tools & Add-Ons: Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Live HTTP Headers, Tamper Data.
Programming Languages: C, C++, PHP
Scripting Languages: Python, basic shell scripting
Web Technologies: HTML 4.0/5, XHTML, DHTML, CSS2/CSS3, JavaScript, jQuery, AJAX, JSON and XML
Operating Systems: Linux/Unix (Red Hat Enterprise Linux, Debian, Ubuntu, Fedora, Santoku, BackTrack 2/3/4/5, Kali Linux), Windows.
Database: MySQL, Oracle, MSSQL
PROFESSIONAL EXPERIENCE
Penetration Tester
Confidential - Herndon, VA
Responsibilities:
- Conducted application penetration testing of 10+ business applications.
- Conducted vulnerability assessments on various applications.
- Acquainted with various approaches to grey-box and black-box security testing.
- Proficient in understanding application-level vulnerabilities such as XSS, SQL injection, CSRF, authentication bypass, weak cryptography, authentication flaws, etc.
- Conducted security assessments of PKI-enabled applications.
- Skilled in using Burp Suite, Acunetix automatic scanner, Nmap, Havij and DirBuster for web application penetration tests.
- Generated and presented reports on security vulnerabilities to both internal and external customers.
- Security assessment of online applications to identify vulnerabilities in categories such as input and data validation, authentication, authorization, and auditing & logging.
- Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebScarab, YASCA and HP WebInspect.
- Trained the development team on the most common vulnerabilities and common code review issues and explained the remediation.
- Followed up on the raised vulnerabilities by revalidating them and ensuring 100% closure.
- Kept up to date with new hacks and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
Environment: Java, .NET, Oracle DBA
Application Penetration Tester
Confidential - Phoenix, AZ
Responsibilities:
- Pen testing of various applications containing PHI to ensure the company meets compliance requirements.
- Scheduled the pen tests, ensuring that all applications were covered in the schedule and completed within the time frame.
- Identified OWASP Top 10 issues such as SQLi, CSRF and XSS.
- Performed pen tests on different applications each week.
- Created written reports detailing assessment findings and recommendations.
- Found web site security issues (XSS, CSRF, session fixation, SQL injection, information leakage, application logic, etc.) across various platforms.
- Performed risk assessments to ensure corporate compliance.
- Controls on session management such as server-side session state, session termination, session ID randomness, expiration, unique tokens, concurrent logged-in sessions and session fixation prevention.
- Executed daily vulnerability assessment, threat assessment, mitigation and reporting activities to safeguard information assets and ensure protection was in place on the systems.
- Performed, reviewed and analyzed security vulnerability data to identify applicability and false positives.
- Worked closely with research and development teams on vulnerability remediation.
Environment: Metasploit, Burp Suite, Fiddler 2.0, Splunk, Nessus, SQLmap, PHP, HTML, OWASP Mutillidae-II, DirBuster, Microsoft Visual Studio, SFTP, FileZilla, Nmap.
Security Consultant
Confidential - Northridge, LA
Responsibilities:
- Worked as a Technical Security Consultant in the area of application security, highlighting the security controls needed at the design level.
- Understanding and implementation of security in the SDLC via application risk assessment, requirements gathering, design review and application vulnerability assessment.
- Validated input validation, session management, client protocol controls, cryptography, logging and information leakage.
- Performed thorough penetration testing on web applications.
- Performed both manual and automated vulnerability assessments using tools such as Burp Suite and SQLmap.
- Ensured that the issues identified were reported as per the reporting standards.
- Performed validation of the design of features such as authentication, authorization and accountability.
- Provided the report and explained the issues to the development team.
- Implemented security solutions according to the security policy and practices established by the client.
- Reviewed projects during the SDLC and made actionable recommendations to the project team, understanding the technology and bringing solutions based on it.
- Used Burp Suite, DirBuster, HP Fortify, HP WebInspect and Nmap on a daily basis to complete the assessments.
- Managed risk by analysing the root cause of issues, the impact to technology and the required corrective actions, leveraging advanced analytical skills.
Environment: Java, ASP.NET, MySQL, Apache, Kali Linux, Fiddler 2.0, Burp Suite, SQLmap, OWASP Mutillidae-II, DirBuster, Microsoft Visual Studio, HP Fortify, HP WebInspect, SFTP, FileZilla, Nmap, Nessus, Wireshark.
Jr. Security Engineer
Confidential
Responsibilities:
- Performed threat modeling of the applications to identify threats.
- Identified issues in web applications in categories such as cryptography and exception management.
- Performed risk assessments on applications by identifying issues and prioritizing them based on risk level.
- Within the team, the main focus of my work was to audit applications prior to moving to production.
- Explained the security requirements to the design team in the initial stages of the SDLC to minimize rework on issues identified during penetration tests.
- Provided remediation guidance to developers based on the issues identified.
- Revalidated the issues to ensure closure of the vulnerabilities.
- Verified whether the application implemented basic security mechanisms such as job rotation, privilege escalation, least privilege and defense in depth.
- Used various Mozilla add-ons to assess applications, such as Wappalyzer, Flagfox, Live HTTP Headers and Tamper Data.
UI Developer - Intern
Confidential
Responsibilities:
- Worked in Agile and Scrum development environments.
- Interacted with business systems analysts to understand the technical requirements of the project.
- Coordinated with Photoshop designers to implement mock-ups and layouts of the application.
- Involved in developing UI pages using HTML, DHTML, CSS and JavaScript.
- Developed web pages with functionality such as login, register, forgot password, email and filters using JavaScript, jQuery and HTML.
- Used JavaScript to update a portion of a web page, reducing bandwidth usage and load time, and to get user input and requests.
- Coded JavaScript for page functionality and pop-up screens, and used HTML to make dropdown menus on web pages and display part of a web page upon user request.
- Involved in writing SQL queries and stored procedures.
Environment: HTML, CSS, JavaScript, DHTML, SQL, PL/SQL, MS Office