
Application Security Engineer Resume


Washington, DC

SUMMARY

  • Over 7 years' experience in web application security end-to-end across the SSDLC phases, including security source code review, secure design review, penetration testing, vulnerability assessment, threat modeling and analysis of its attack vectors as input to the security design review.
  • Good at finding vulnerabilities in source code review and exploiting threats in design reviews.
  • Good with MyAppSecurity ThreatModeler and the MS SDL tool for SSDLC threat modeling.
  • Hands-on experience conducting penetration testing with various security tools.
  • Conduct penetration testing against different technology domains including, but not limited to, web applications, Windows applications, web services, databases, Flash applications and wireless network environments.
  • Strong in different security testing methodologies, both automated and manual.
  • Worked with OWASP Top 10 vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), CSRF, Session Fixation, Session Hijacking, etc.
  • Experienced with code review tools like HP Fortify, Checkmarx, IBM AppScan and Veracode, and with hacking tools like Cenzic Hailstorm, HP WebInspect, IBM AppScan, Paros, Burp Suite and various proxy tools.
  • Good experience in mobile security testing methodologies and in static security analysis of iOS, Android and BlackBerry mobile applications.
  • Good experience in web services security testing with the SoapUI tool, and good knowledge of RESTful services and Amazon Web Services (AWS).
  • Strong knowledge of writing SQL queries, stored procedures, functions, packages and triggers in SQL Server.
  • Worked on different operating systems: Linux and Windows NT/98/2000/XP/2008 R2 Server.
  • Prior to web application security, I gained good experience in .NET development, Java programming and PHP scripting.
  • Good insight into the Certification and Accreditation process for applications.
  • Good knowledge of NIST, FIPS-199 and OMB standards.
  • Self-starter with very good logical skills suited to process design, data modeling and development.

TECHNICAL SKILLS

Mobile Security Code Review: iOS, Android, BlackBerry applications

Network Auditing/IT GRC Assessment: Nessus, GFI LanGuard, Nmap, Sysinternals tools, Symantec ESM

Web Application: Acunetix Web Vulnerability Scanner, IBM AppScan, OWASP ZAP, HP WebInspect, Paros, Fiddler2, Burp Suite, Hailstorm, FortyDB

Servers and Databases: MSSQL, Oracle

Web Services Testing: SoapUI and SOAtest tools for web services security

Tracking tools: Bugzilla, QC Trac, TeamForge

Web Technologies: HTML, web services, XML

Languages: C, Java, Python scripting

PROFESSIONAL EXPERIENCE

Application Security Engineer

Confidential, Washington, DC

Responsibilities:

  • Security code review and penetration testing for all internal and external applications of Confidential.
  • Follow up with development teams on recent functionality changes, schedule their security analysis and coordinate with my team to stay in sync with project changes.
  • Evaluate business requirements and application functionality with the project teams to scope the assessment.
  • Security support for the Enterprise Architecture (EA) team in implementing the Secure SDLC.
  • Analyze the application for security assessment, both manual and automated.
  • Perform validation and verification; recommend process improvements.
  • Define timelines for the given application, conduct the security assessments and report the vulnerability findings with a remediation process to the development team.
  • Retest the application for the found vulnerabilities and provide post-production support.
  • Provided leadership and guidance to the vulnerability assessment team to significantly improve the process and subsequently achieve quicker turnaround time for scanning NRCS applications.
  • Involved in client discussions from the RFP through to project sign-off.
  • Conducted studies of new security technologies to provide more efficient and cost-effective security solutions.

Security Analyst

Confidential, Blue Bell, PA

Responsibilities:

  • Evaluating all my offshore team members' deliverables against the project plan and for quality.
  • Maintaining the SharePoint issue tracker, projects tracker, trending analysis for projects, JIRA issue status, etc.
  • Following up with development teams on recent functionality changes, scheduling their security analysis and coordinating with the offshore team to stay in sync with the account's project changes.
  • Working on all internal and external applications of Confidential, including web, web services and Flash applications.
  • Evaluating business requirements and application functionality with the project teams to scope the assessment.
  • Analyzing the application for security assessment, both manual and automated.
  • Performing validation and verification; recommending process improvements.
  • Defining timelines for the given application, conducting the security assessments and reporting the vulnerability findings with a remediation process to the development team.
  • Escalating to appropriate management, and providing timely, relevant updates and periodic reports as needed.
  • Retesting the application for the found vulnerabilities and providing post-production support.
  • Conducting security training for new hires and for development teams as required.
  • Standards: OWASP Top 10, CWE, STRIDE and DREAD threat models for security design review.

Environment: JIRA bug tracking, SharePoint, Jenkins, Fortify SSC, Fortify 360 Audit Workbench, etc.

Penetration Tester

Confidential

Responsibilities:

  • Perform penetration tests on different applications every week.
  • Prepare a security testing checklist for the company.
  • Ensure all security controls are covered in the checklist.
  • Good experience in web technologies like HTTP, HTML, CSS, forms and database connectivity.
  • Update the checklist on a weekly basis to ensure all test cases stay current with the attacks being seen in the market.
  • Information gathering on the application using websites like Shodan, ReverseDNS and hackertarget.com.
  • Use various Firefox add-ons like Flagfox, Wappalyzer, Live HTTP Headers and Tamper Data to perform the pen test.
  • Network scanning using tools like Nmap and Nessus, and Metasploit to exploit the systems.
  • Took the initiative to streamline the access control mechanism of various applications.

Security Analyst

Confidential

Responsibilities:

  • Performed web application security/penetration testing in accordance with OWASP standards using manual techniques and automated tools.
  • Recommended best practices for securing the application.
  • Communicated and coordinated day-to-day project activities within the project team and ensured that priorities were developed and known.
  • Provided assistance to IT staff, provided security specifications for all vendor products and evaluated all requests for security architecture.
  • Assessed risk and evaluated impact for technology changes in processes; maintained knowledge of all security systems and deployed the required infrastructure.
  • Vulnerability assessment using Nessus, and other monitoring tools like ESM for asset management.
  • Managed repeated threats to all systems and performed vulnerability tests.
  • Evaluated all systems, recommended application patches, suggested appropriate security products, performed regular audits on systems and ensured compliance with all standards and policies.
