SUMMARY

• Overall 6+ years of experience as Security Engineer and Vulnerability Management Engineer.
• Have good experience in Vulnerability Scanner Nexpose and Insight VM dashboard.
• Experience with Risk Assessment on systems, applications and Active Directory.
• Experience with Windows/Linux OS, Database Policy Compliance and configuration with CIS.
• Experience with IT - Governance (GRC) risk tool Digital Manager 360 (Modulo) and reporting tool Nexpose.
• I seek to utilize these skills in improving the security posture of information systems and network by detecting threats and vulnerabilities in target systems, and applications by conducting systems, network testing.
• Responsible for managing all aspects of the Vulnerability Risk Management Program including vulnerability identification, analysis, remediation coordination and reporting.
• Experience with VM identification, analysis, metrics, as well as processes enabling proper governance, risk and compliance (GRC).
• Progressive experience in Enterprise Vulnerability Management, Risk Assessment, penetration testing, generating reports, SQL Injection XSS and major hacking protection techniques.
• Experience in testing using various tools like Burp Suite, DirBuster, NMap, OpenVAS, Nexpose, Nessus, HP Fortify, HP WebInspect, Confidential AppScan enterprise, Kali Linux, Metasploit and Jira.
• Good knowledge on OWASP Top 10 based Vulnerability assessment of web applications.
• Coordinate with dev team to report vulnerabilities by explaining the exploitation and the impact of the issue
• Reporting the identified issues in the industry standard framework.
• Experience with Security Risk Management with TCP-based networking.
• Domain knowledge in Retail, Banking and Financial Services, Health Care.
• Knowledge in detecting vulnerabilities over authentication, authorization, input validation, session management.
• Involved in Security Development Life Cycle (SDLC) to ensure security controls are in place.
• Having good experience SAST and DAST applications using different tools HP Fortify and Confidential AppScan.
• Capable of identifying flaws like Security Misconfiguration, Insecure direct object reference, Sensitive data Exposure, Functional level access control and Invalidated redirects.
• Ability to develop and maintain metrics and reports on vulnerability findings and remediation compliance.
• Knowledge on STIG Validation in support of DISA, CIS and proactive vulnerability detection.
• Having good Knowledge on Jira, Root Kit, IP Spoofing, Virtual Box, SELinux, Software Hardening concepts and SIEM.
• Good Knowledge on HTTP, HTTPS, Web application firewalls, checking logs, SSL and TLS.
• Good knowledge on SQL and programming skills in Java. Experience with Windows and Linux environments.
• Vulnerability Assessment includes analysis of bugs in various applications by using manual and Automation tools.
• Knowledge on network security such as Firewalls, TCP/IP, IDS/IPS, Routing Active Directory and IOS devices.
• Good team player and ability to learn the concepts effectively and efficiently.
• Ability to work in large and small teams as well as independently.

TECHNICAL SKILLS

Tools: BurpSuite, DirBuster, SQL Map, Kali Linux, OpenVAS, DirBuster, HP WebInspect, HP FortifyIBM AppScan

Network Tools: N-map, Nessus, Rapid7 Nexpose, InsightVM, Qualys

Policy and standards: NIST, PCI DSS, CIS, ISO, FISMA, DISASTIG

Risk Assessment Tools: SAI Digital Manager 360 (Modulo), RSA Archer

Language: C, C++, Java

Web Technologies: HTML, CSS, JavaScript

Platforms: Windows XP, 10, Linux

Web Server: Apache, IIS 6.0/7.0

Database: MS SQL, Oracle

Packages: MS-Office (Excel, Word, PP), MS Visio

PROFESSIONAL EXPERIENCE

Confidential

Vulnerability Management Engineer

Responsibilities:

• Experience with tools such as Rapid7 Nexpose and InsightVM vulnerability scanner.
• Generate the reports on daily basis and executing the daily tasks. Managing and adapting the scan schedule.
• Managing permissions and access to the product. Performing authenticated and unauthenticated vulnerability scanning. Troubleshooting and debugging scans.
• Assisting teams with vulnerability resolution, including providing assistance researching vulnerabilities solutions and addressing false positives to reduce system workloads, performing confirmation scans when appropriate, meeting regularly with remediation team, and building reports to provide teams with necessary data.
• Assisting teams with tracking remediation approaches within InsightVM or Excel.
• Review and advise on existing reports and suggest reports that would solve current business use cases as well as factor the relevant metrics to track Vulnerability Management program.
• Experience with vulnerability management metrics as per Organization standards.
• Experience with Firewall Rule Requests (Ports, Protocols and Services)
• Handled Baseline Configurations, vulnerability exceptions and Compliance exceptions. Update, create and adjust custom policies, standards and procedures. Manages Policy Compliance scans to configure the settings.
• Design, Configure and adjust Vulnerability and Compliance scanning operation.
• Assist with routine compliance and audit functions to ensure regulatory scanning requirements are satisfied.
• Perform vulnerability, configuration and compliance scan with Nexpose to detect deficiencies and validate compliance of information systems configuration with organization's policies and standards such as Center for Internet Security (CIS) Benchmarks.
• Analyze vulnerabilities to determine remediation measures and rule out false positive using resources such as National Vulnerability Database (NVD), US-CERT and CIS
• Develop Vulnerability Assessment Report (VAR) to document findings and recommend remediation measures Risk management framework knowledge /Risk assessments security awareness
• Brief System Administrators on the vulnerability report and the recommended remediation
• Assist in the planning of remediation strategies. Work with client to provide advice Remediation, Scanning and projects. Coordinate with team members to provide guidance related to requirements
• Experience with SAI Digital Manager 360 (Modulo) to do the risk assessment of systems and applications.
• Assist in the implementation of Risk Management Framework(RMF), through the required government policy and participate fully in documentation process
• Performed security analyses to validate established risk on systems and applications.
• Develop Authorize to Operate(ATO) document to amend the deficiency is system operation as required
• Document Assessment result and Authorized technical activities and coordinate system security plan(SSP)
• Periodically conduct a complete review of each system audits and monitor for corrective action

Environment: Rapid7 Nexpose, InsightVM, Vulnerability Management, Risk Assessment, Modulo, Vulnerability Scanning, PCI, Basic Network Troubleshooting, Policy Compliance

Confidential, Bellevue, WA

Security Analyst

Responsibilities:

• Provided comprehensive report on vulnerabilities and action plan to mitigate the identified vulnerabilities.
• Utilizing various logs, rules, and indicators of compromise to correlate events for the purposes of exploit prevention and incident response.
• Researching, identifying and implementing best security practices for all systems and service deployments.
• Monitoring common vulnerability exposure databases (CVE) and identifying vulnerabilities to prevent exposure to all known and potential threats.
• Using research and analysis of vulnerabilities to identify relevant threats and recommend corrective actions based on summarized reporting results.
• Developing methods for addressing vulnerabilities that include system patching
• Managing the tracking and remediation of vulnerabilities by leveraging agreed-upon action plans and timelines with responsible technology teams.
• Prepare combined reports of level of risks, their trend and frequency to the client.
• Preparing detailed documentary to the development team which consists of vulnerability lists, their causes and mitigation or suggestions to over each of them.
• Executed Network Penetration vulnerability assessment on internal network to check out for the various vulnerabilities in the existing network and ensured to communicate the correct mitigation for the existing vulnerabilities to the client.
• Scanned and analyzed port scan results, manually verified the vulnerabilities related to the ports of the system.
• Provided comprehensive report on findings and action items to fix the identified vulnerabilities
• Informed security vulnerabilities identified and recommendations proposed to fix the same: FTP related vulnerabilities, information disclosure, default username/passwords etc.

Confidential

Security Engineer

Responsibilities:

• Performed Manual Penetration Testing on projects in web applications.
• Manage and perform Confidential AppScan scans before all production releases and analyze vulnerabilities and report to all stakeholders.
• Performed Static Application Security Testing (SAST) using tools such as HP Fortify.
• Performed Dynamic Application Security Testing (DAST) using tools such as Confidential AppScan.
• Perform manual security testing for OWASP Top 10 vulnerabilities like SQL Injection attacks, XSS, CSRF, Session Management etc.
• Performing the manual code review to remove the False Positives and also identify the False Negatives.
• Prepared comprehensive security report detailing identifications, risk description and recommendations with the code snippets for the Vulnerabilities.
• Used Burp suite to identify issues like sql injection, XSS, CSRF etc.
• Performed security design review, threat modeling and architectural/system security assessments.
• Static Code analysis using HP Fortify to identify the vulnerabilities in the applications.
• Manual penetration testing of the applications and APIs to identify the OWASP Top 10 vulnerabilities.
• Performed a threat analysis on the new requirements and features.
• Conducted Web Application Vulnerability Assessment & Threat Modeling, secure code review on the applications.
• Conduct re-assessment after mitigating the vulnerabilities found in the assessment phase.
• Provide Security requirements to project teams during design phase.
• Security test planning and security test execution on Web platform projects.
• Train QA Team to identify and acknowledge security issues in their projects.

Environment: SQL Injection, XSS, Threat Modeling, Application Security review, Security Assessments, Manual Testing