Application Security Engineer Resume

Round Rock, TX

SUMMARY:

  • 8+ years of experience as a Technical Security Analyst.
  • Excellent knowledge of the OWASP Top 10 (2010) and WASC Threat Classification 2.0 methodologies.
  • Hands-on experience with SAST and DAST using tools like HP Fortify, HP WebInspect, Checkmarx and IBM AppScan.
  • Led Application Security Analysis for some of the major clients using HP Fortify and IBM AppScan.
  • Worked extensively with software development teams to review the source code, triage the security vulnerabilities generated by HP Fortify, HP WebInspect, IBM AppScan and Burp Suite, and eliminate false positives.
  • Expert-level understanding of regulatory and compliance standards such as PCI DSS and HIPAA, and implementation knowledge at various customer locations.
  • Sound knowledge and industry experience in Vulnerability Assessment and Penetration Testing of web applications, mobile applications and infrastructure.
  • Vulnerability Assessment includes analysis of bugs in various N-tier applications across various domains using both manual and automated tools.
  • Experience in vulnerability assessment using various tools like Burp Suite, Charles Proxy, OWASP ZAP Proxy, DirBuster, Kali Linux, Metasploit and Acunetix.
  • Hands-on experience in developing threat models, security controls, threat analysis, and creation of vulnerability control matrices and corresponding mitigation strategies.
  • Created security testing pipelines in Jenkins for code review and penetration testing.
  • Experience with network scanning using tools like Nmap, Nessus and Wireshark.
  • Experience in Threat Modelling during the requirement gathering and design phases.
  • Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, defense in depth, avoiding security by obscurity, keeping security simple, and fixing security issues correctly.
  • Implemented an Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities in applications deployed in DEV, PRE-PROD and PROD environments.
  • Performed Dynamic Application Security Testing and Exploitation (UI and Web Services) on web applications using IBM AppScan Enterprise Premium 9.0, Burp Suite Pro, HP Fortify SCA 4.0 and Netsparker, utilizing the OWASP and WAHH testing methodologies.
  • Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
  • Broad knowledge of hardware, software, and networking technologies to provide a powerful combination of analysis, implementation, and support.
  • Diverse knowledge of Windows, Linux and Unix operating system configuration, utilities and programming.
  • Good skills in Security Information and Event Management (SIEM), Intrusion Detection and Prevention (IDS/IPS), Data Leakage Prevention (DLP), forensics, sniffers and malware analysis tools.
  • Experienced in Waterfall, Agile/Scrum, Lean and, most recently, Continuous Integration (CI) and Continuous Deployment (CD) practices.
  • Implemented and deployed IBM AppScan Enterprise and IBM Security AppScan Source for Analysis, Development and Automation ver. 9.0 across multiple client environments.
  • Worked with vulnerability tracking system tools like VTS.
  • Good experience in Secure SDLC and source code analysis (manual and tool-based) of web applications.
  • Extensive experience in preparing test plans, writing test cases, test execution and follow-up efforts.
  • Ability to handle multiple tasks and work independently as well as in a team.

TECHNICAL SKILLS:

Programming languages: Java, Python, .Net, C, C++

Source Code Analysis Tools: HP Fortify, IBM AppScan Source, Veracode, Checkmarx

Dynamic Analysis Tools: IBM AppScan, HP WebInspect, Retina, Acunetix

DevOps Tools: Jenkins and Docker containers

Penetration Testing: Kali Linux

Proxy Tools: Burp Suite, ZAP, Paros

Operating System: RedHat Linux, Windows, CentOS

Databases: Oracle, SQL

Network security tools: Nmap, Wireshark, Metasploit, Nessus, QualysGuard, SSLDigger, SSLSmart, SSLScan

Bug Tracking Tools: JIRA, ServiceNow

PROFESSIONAL EXPERIENCE:

Confidential, Round Rock, TX

Application Security Engineer

Responsibilities:

  • Support the application development process group and the SDLC processes related to identifying security vulnerabilities within the application development process.
  • Perform HP Fortify application and infrastructure penetration tests, as well as physical security review and social engineering tests for our global clients.
  • Provide software security support related to Fortify and WebInspect, and remediation guidance to dev teams.
  • Performed automated dynamic scans for Java and .NET applications using IBM AppScan.
  • Provided Intermediate and Advanced IBM AppScan Enterprise and IBM Security AppScan Source Ver 9.0 End-User training.
  • Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify Potential threats during the design phase of applications.
  • Performed IDS/IPS mitigation/response and vulnerability scanning in support of internal and HIPAA requirements.
  • Conducted Dynamic, Static, Mobile and Manual application security testing using IBM AppScan Enterprise, IBM Security AppScan Source and Burp Suite Pro.
  • Review and analyze vulnerabilities from SCA report to determine business impacts and eliminate false positives.
  • Report the identified issues to development teams and follow up on the fixes.
  • Comprehensive and thorough static, dynamic and forensic analysis for the Android and iOS platforms.
  • Mapping security test suite for web and mobile based applications.
  • Manage and maintain Jenkins integration jobs to support application security automation.
  • Identified issues in session management, input validation, output encoding, exception handling, cookie attributes and encryption.
  • As a security Focal point, coordinated with multiple teams and reduced vulnerabilities by 90% in the first year of work and maintained a steady decrease.
  • Involved in secured design and solution for newly proposed applications during designing phase of SDLC.
  • Performed manual penetration testing using Burp suite of the applications to identify the OWASP Top 10 vulnerabilities and SANS 25.
  • Prepared comprehensive security reports detailing findings, risk descriptions and recommendations, with code snippets for the vulnerabilities.
  • Based on publicly disclosed vulnerabilities, determine the patching priority and notify the stakeholders. Review the applied patch by scanning for the disclosed vulnerabilities.
  • Conduct re-assessment after mitigation of the vulnerabilities found in the assessment phase.
  • Perform input validation tests, session management tests, brute-force attacks, log monitoring, and information leakage and data breach checks.
  • Developed the documentation for strategies, plans, designs, standards, policies, and manuals for the client.

Confidential, Austin, Texas

Penetration Tester

Responsibilities:

  • Implemented manual and automated static code analysis using HP Fortify and Checkmarx, and checked compatibility and connectivity issues across multiple operating systems.
  • Integration of HP Fortify tool with Jenkins in agile development process for static analysis security testing.
  • Prepare risk-based test plans and perform the security testing (tool-based testing, manual penetration testing, source code review, etc.) on the different layers of those information systems.
  • Conduct DAST and SAST testing of web applications using IBM AppScan Enterprise and IBM Security AppScan Source for Analysis.
  • Understand the trend of application security and work with teams to remediate any vulnerabilities identified during the security testing.
  • Classify vulnerabilities in the applications as Critical, High, Medium or Low based on the OWASP Top 10, and prioritize them based on criticality.
  • Provide oral briefings to leadership and technical staff, as necessary.
  • Perform dynamic scans using IBM AppScan and provide the report of identified issues to development teams.
  • Performed IDS/IPS mitigation/response and vulnerability scanning in support of internal and HIPAA requirements.
  • Conducted Mobile Application Security Assessment including Android & iOS platforms.
  • Performed port/SSL version scans using Nmap and SSLScan respectively.
  • Responsible to assess the controls to identify gaps and to design and analyze segregation of duties, least privilege for that application.
  • Worked with software development teams to review the vulnerabilities generated by IBM AppScan and eliminated false positives.
  • Perform security analysis of the different layers of the systems (application, operating systems and database layers) by performing manual testing and automated system vulnerability assessment scans using various web, application, operation
  • Made use of the DbProtect tool and DirBuster to validate database-layer vulnerabilities.
  • Performed penetration testing on OS layers (UNIX, Windows, Linux) using the Nessus and Nmap tools.
  • Develop IBM AppScan Enterprise and IBM AppScan Source for Analysis implementation, Secure Coding Program and Work Breakdown Structure (WBS).
  • Role Based Access Architect with Qualys to ensure data loss prevention.

Confidential, Los Angeles, CA

Security Analyst

Responsibilities:

  • Performed Vulnerability Assessments to the web applications used in the organization using the tools Burp suite, HP Fortify also performed Data Classification.
  • Performed Static Application Security Testing (SAST) using tools such as HP Fortify and Dynamic Application Security Testing (DAST) using tools such as IBM AppScan.
  • Experience with Burp Suite, SQLMap, Nmap, and Nessus.
  • Provide the report and explain the remediation steps to the team and follow up with fixed issues and ensure the closure and perform secure code review of the code base.
  • Conducted onsite penetration tests from an insider threat perspective.
  • Involved actively in the release management process to ensure all the changes of the application had gone to security assessment.
  • Execute and craft different payloads to attack the system to execute XSS and different attacks.
  • Ensured accuracy in creating information security documents in compliance with NIST standards.
  • Conducted backend-testing on database using SQL queries to ensure integrity and consistency of the data.
  • Verified the existing controls for least privilege, separation of duties and job rotation.
  • Identify malicious or anomalous activity based on event data from firewalls, WAF, IPS, and other sources.
  • Performed authentication bypass and account takeover in the process of testing the applications.
  • Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during penetration tests.
  • Performed Network Penetration testing using Qualys Guard, Nessus etc.
  • Performed Mobile Application Security Assessment including Android & iOS platforms.
  • Implemented and integrated IBM Security AppScan Source for Analysis, Remediation, Developer and Automation into Continuous Build Integration for SAST (Maven, TFS and Jenkins).

Confidential

Security Analyst

Responsibilities:

  • Planning, Conducting and reporting Vulnerability and risk assessment of applications. Risk associated with vulnerability explained to the project team for better understanding and guiding project team towards its closure / remediation.
  • Identification of different vulnerabilities in applications by using proxies like Burp Suite to validate the server-side validations. Identification of OWASP Top 10 issues like SQLi, CSRF and XSS.
  • Monitor Intrusion Detection System for compromised internal networks and follow up with investigation.
  • Analyzed test data to verify results were in accordance with the requirements specification.
  • Assist in vulnerability remediation efforts across various projects by proposing remediation strategies and Plan of Actions.
  • Solve security related issues regarding User profile and permissions in Active Directory, proxy functions, new systems/applications added to enterprise's network, physical access permissions and mobile security.
  • Researched and analyzed known hack
  • Identification of Injection, Business logic, Authentication, Session Management, etc., Related flaws in applications and encasing attack scenarios and associated risk to business.
  • Used various Mozilla add-ons to assess the application, like Wappalyzer, Flagfox, Live HTTP Headers, Cookie Manager and Tamper Data.

Confidential

Security Test Engineer

Responsibilities:

  • Perform threat modelling of the applications to identify the threats.
  • Identify issues in the web applications in various categories like Cryptography, Exception Management.
  • Integration of SAST and DAST tools with Jenkins in agile development process.
  • Creating a security testing pipeline in Jenkins for code review and penetration testing.
  • Risk assessment on the application by identifying the issues and prioritizing the issues based on risk level.
  • Providing remediation to the developers based on the issues identified.
  • Revalidate the issues to ensure the closure of the vulnerabilities.
  • Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during penetration tests.
  • Verify whether the application has implemented basic security mechanisms like job rotation, privilege escalation controls, least privilege and defense in depth.
  • Using various Mozilla add-ons to assess the application, like Wappalyzer, Firebug, Live HTTP Headers, Tamper Data and Cookies Manager.
