SUMMARY

• Over 7+ years of professional IT Experience in Application Security Testing particularly focused onperforming technical activities such as Vulnerability Analysis, Penetration testing, SecureApplication Testing based on OWASP.
• Had real time experience in SQL Injection protection, XSS Protection, Script Injection and major hacking protection techniques.
• Vulnerability Assessment includes analysis of bugs in various applications spread across N - tier on various domains by using both manual and Automation tools.
• Excellent knowledge in OWASP Top 10, and WASC THREAT CLASSIFICATION 2.0 methodologies.
• Working Knowledge in Windows/Linux, UNIX operating system configuration, utilities and programming.
• Involvement in various web application security testing tools like Acunetix,Metasploit, Burp Suite, SQL map, OWASP ZAP Proxy, Nessus, N-map,IBM App Scan and HP Fortify.
• Expertise in detecting various vulnerabilities comprised over authentication, authorization, input validation, session management, server configuration and information leakage areas.
• Sound knowledge and industry experience in Vulnerability Assessment and Penetration Testing on WEB based Applications, Mobile based application and Infrastructure penetration testing.
• Extensive experience working with Qualys Guard to conduct Network Security assessments.
• Capable of identifying flaws like Security Misconfiguration, Insecure direct object reference, Sensitive data exposure, Functional level access control, Invalidated redirects.
• Developed, implemented and enforced security policies through experience, in-depth knowledge of security software, involved in enhancing the security stature of the project by initiatives like Threat Modeling, Security awareness sessions.
• Excellent programming skills on JavaScript, Python Scripting and Ruby.
• Sound knowledge and industry experience in Vulnerability Assessment and Penetration Testing onMobile based application, WEB based Applications and Infrastructure penetration testing.
• Experienced in working on Patch Management, Vulnerability Scanners and Penetration Testing.
• Broad knowledge of hardware, software, and networking technologies to provide a powerful combination of analysis, implementation, and support.
• Having good experience in Source Code Analysis (Manual & Tools) on WEB based Applications.
• Led training programs on “Tool Based Solutions for Quality Deliverables” giving demos on various tools for Application Quality Analysis, Static Analysis, Security Analysis, Automation Build & Continuous Integration
• Having Good knowledge in gathering requirements from stakeholders, Constructing RFP/RFQs, devising and planning and strong technical understanding of vulnerabilities, and how attackers can exploit vulnerabilities to compromise systems.
• Having good experience in Secure SDLC and Source Code Analysis (Manual & Tools) on WEB based Applications.
• Good team player with excellent analytical, inter-personal, communication & written skills, problem-solving and trouble-shooting capabilities. Highly motivated and can adapt to work in any new environment.
• Good Experience in exploiting the recognized vulnerabilities.
• Experience in Threat Modeling during Requirement gathering and Design phases.
• Experience with Security Risk Management with TCP-based networking.

TECHNICAL SKILLS

Tools: Burp Suite, DirBuster, IBM AppScan, SQL Map, Acunetix Web Scanner, SQL Injection Tools, Havij, CSRF Tester and Kali Linux, HP Fortify

Language: C, Python, SQL, Java

Web Technologies: HTML, HTML5, CSS

Platforms: Windows NT, 2000, 2003, Windows XP, 7, 8.1, 10, MAC OSX

Web Server: Apache, IIS 6.0/7.0

Database: My SQL, MS SQL, Oracle

Packages: MS-Office

Network Tools: N-map, Wireshark, Nessus

PROFESSIONAL EXPERIENCE

Confidential, Portland OR

Information Security Analyst

Responsibilities:

• Working in collaboration of both networking and security teams.
• Scheduled a Penetration Testing Plan throughout the organization and completed all the tasks in the given time frame.
• Performed pen tests over different business applications and network devices of the organization.
• Conduct penetration tests on systems and applications using automated and manual techniques with tools such as Metasploit, Burp Suite, IBM App Scan, Kali Linux, and many other open source tools as needed. Work with support teams to address findings as a result of the tests.
• Performed vulnerability scanning using Nessus Security Center and maintained clear documentation for every report that is generated.
• Performed vulnerability analysis over wired and wireless networks.
• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS Top 25 and prioritizing them based on the criticality.
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing system.
• Performed static code reviews with the help of automation tools.
• Performed a threat analysis on the new requirements and features.
• Burp Suite, DirBuster, Hp Fortify, N-map, SQL Map tools were used as part of the penetration testing, on daily basis to complete the assessments.
• Establishing and improving the processes for privileged user access request.
• Promoted a new and cost effective Plan against Phishing Attacks and successfully reduced the volume of phishing mails up to 60%.
• Proactively conducted research, analyze, and report on trends in certain activities, vulnerabilities, reported attack methods and known exploits that could impact network and information assets.
• Conducted attack analysis on the IDS reports to detect the attacks and reported the analysis.
• Conducted security assessment of PKI Enabled Applications.
• Performed penetration testing over the enterprise systems to audit the standards to comply with ISO Standards.
• Conducted Pre-IAM Assessments and created detailed reports displaying prioritized findings, demonstration of exploits, and explanation of compromise impacts, and recommendations for mitigation.
• Executed live packet data capture using Wireshark to examine security flaws in the network devices.
• Given presentations to client over their security issues and potential solutions for those problems.
• Used CVSS Scores to create reports demonstrating the severity of the existing vulnerabilities and was helpful to prioritize the course of implementation depending on the severity of the vulnerabilities.
• Documented a Closure Document detailing my findings and recommendations for security improvement and patch management.

Environment: Metasploit, Burp Suite, SQL Map, Kali Linux, IBM App Scan, OWASP Top 10, and SANS Top 25, Wireshark, Nessus Security Center, IDS reports, CVSS Scores, Plan against Phishing Attacks, PKI enabled Applications, Network and Security.

Confidential, Atlanta GA

Information Security analyst

Responsibilities:

• Have worked with a team of individuals dedicated for conducting research, attack detection and build mitigation techniques for threats posed in network and application layers.
• Conducted application penetration testing over various business applications.
• Responsible for assessing the controls to identify gaps and to design and analyze segregation of duties, least privilege for that application.
• Performed functional testing of security solutions like RSA 2-factor Authentication, Novell Single Sign-on, Data Loss Prevention (DLP), etc.
• Enforced Password Cracking tests over the administrator and user accounts to evaluate the strength of passwords used.
• Used John the Ripper, RainbowCrack, Hydra, Ophcrack for Password cracking tests.
• Conducted testing over the applications to comply with PCI DSS Standards.
• Capturing and analyzing network traffic at all layers of OSI model.
• Built a Management Evaluation Environment utilized to address the business requirements and risks involved to mitigate or decrease the intensity of threat exploitation.
• Logging security incidents and conducting Root Cause Analysis.
• Performed Vulnerability Assessments using Paros Proxy, Burp Suite, WebScarab, SQL Map, Yasca, and Maltego.
• I have evaluated the Bank's requirements using various Scanning Tools both on-site and remote locations.
• Assisting in review of business solution architectures from security point of view which helps avoiding security related issues/threats at the early stage of project
• Effectively communicated the security issues with the security engineers and non-technical personnel from different domains.
• Re-evaluated the issues to ensure the closure of vulnerabilities addressed during analysis phase.
• Conducted analysis using Kali Linux environment and effectively neutralized DOS, DDOS, CSRF, XSS and SQL Injection Attacks.

Environment: RSA 2-factor Authentication, Novell Single Sign-on, Data Loss Prevention (DLP), John the Ripper, RainbowCrack, Hydra, Ophcrack, network traffic at all layers of OSI model, NIDS, Application Firewall, Paros Proxy, SQL Map, Burp Suite, WebScarab, Yasca, Maltego and Kali Linux.

Confidential

Information Security engineer

Responsibilities:

• Conducted Vulnerability Assessment on various applications.
• Acquainted with various approaches to Grey & Black box security testing.
• Conducted application Penetration testing of 30+ business applications.
• Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, Authentication bypass, Weak Cryptography, Authentication flaws etc.
• Conducted security assessment of PKI Enabled Applications.
• Conducting Web Application Vulnerability Assessment & Threat Modeling, Gap Analysis, secure code review on the applications with respected to guidelines provided by Cisco.
• Skilled using Burp Suite, Acunetix Automatic Scanner, IBM App Scan, N-map, Havij, DirBuster for web application penetration tests.
• Generated and presented reports on Security vulnerabilities to both internal and external customers.
• Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
• Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, and Web Scarab, Yasca, HP Web Inspect.
• Manual testing using Emulators and Handheld Devices.
• Assisting customer in understanding risk and threat level associated with vulnerability so that customer may or may not accept risk with respect to business criticality
• Assisting in review of business solution architectures from security point of view which helps avoiding security related issues/threats at the early stage of project
• Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
• Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing System.

Environment: Vulnerability Assessment, Application level vulnerabilities, PKI Enabled Applications, Burp Suite, IBM App Scan, Acunetix Automatic Scanner, N-map, Havij, DirBuster, SQL Map, Paros Proxy, Web Scrab, Yasca, HP Web Inspect.

Confidential

Security Engineer

Responsibilities:

• Established vulnerability assessment practice, proactively ensuring safety of client-facing applications and minimizing client audit findings.
• Performing security analysis and identifying possible vulnerabilities in the key derivation function, create Vulnerability Assessment report detailing exposures that were identified, rate the severity of the system & suggestions to mitigate any exposures & testing known vulnerabilities.
• Having real time experience in DOS, DDOS, SQL Injection protection, XSS protection, script injection and major hacking protection techniques
• Supported to address and integrate Security in SDLC by following techniques like Threat Modeling, Risk Management, Logging, Penetration Testing, etc.
• Providing fixes & filtering false findings for the vulnerabilities reported in the scan reports.
• Adding new vulnerabilities to the Vulnerability Database for various platforms with proper exploits.
• Scan Networks, Servers, and other resources to validate compliance and security issues using numerous tools
• Assisting in preparation of plans to review software components through source code review or application security review
• Assist developers in remediating issues with Security Assessments with respect to OWASP standards.

Environment: DOS, DDOS, SQL Injection protection, XSS protection, script injection, major hacking protection techniques, Threat Modeling, Risk Management, Logging, Penetration Testing, and Application Security review, Security Assessments.