
Web Application Penetration Testing/vulnerability/security Tester Resume


Reston, VA

PROFESSIONAL SUMMARY:

  • An IT security professional with 8+ years of expertise in penetration testing and vulnerability assessments on various applications in different domains.
  • Experience in implementing security in every phase of the SDLC. Excellent knowledge of the OWASP Top 10 (2010) and WASC Threat Classification 2.0 methodologies.
  • Broad knowledge of hardware, software, and networking technologies to provide a powerful combination of analysis, implementation, and support.
  • Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, weak cryptography, authentication flaws etc.
  • Experience using a wide variety of security tools including Kali Linux, Wireshark, L0phtCrack, Snort, Cain and Abel, Nikto, DirBuster, IBM AppScan, Nessus, OpenVAS, W3AF, BeEF, Ettercap, and Maltego. Experience with scheduling firewall policy provisioning and user interaction to identify connectivity-related issues.
  • Experience in different web application security testing tools like Acunetix, Metasploit, Burp Suite, Sqlmap, OWASP ZAP Proxy, Nessus, Nmap and HP Fortify.
  • Sound knowledge and industry experience in Vulnerability Assessment and Penetration Testing of web-based applications, mobile applications, and infrastructure.
  • Extensive experience working with Qualys Guard to conduct Network Security assessments.
  • Capable of identifying flaws like Injection, XSS, Insecure Direct Object Reference, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, CSRF, and Unvalidated Redirects.
  • As a Security Consultant, involved in enhancing the security posture of the project through initiatives like Threat Modeling and security awareness sessions.
  • Excellent programming skills in JavaScript, Python scripting, and Ruby.
  • Knowledge of Windows/Linux operating system configuration, utilities, and programming.
  • Hands on Experience working with LAN and WAN topologies, TCP/IP protocol, routers, switches, and firewalls in Internet, Intranet and Extranet environments.
  • Excellent team player, enthusiastic initiator, and ability to learn the fundamental concepts effectively and efficiently.
  • Performed software licensing audits.
  • Good experience in Secure SDLC and Source Code Analysis (manual and tool-assisted) on web-based applications.

TECHNICAL SKILLS:

Tools: IBM AppScan Standard Edition, HP WebInspect, Acunetix, Burp Proxy, Paros Proxy, Wireshark, OWASP WebScarab, Nmap, Metasploit, Burp Suite, SQLmap, OWASP ZAP Proxy, HP Fortify, DirBuster, Acunetix Web Scanner, SQL Injection tools, Havij, CSRFTester, Kali Linux, Fortify, Veracode, WebGoat; SSL implementation, RSA implementation, PKI (Public Key Infrastructure), encryption algorithms

Platforms: Windows 98/2000/XP/Vista/Windows 7, Windows Server 2000/2003/2008

Database: MySQL 5.0

Packages: MS Office

Network Tools: Nmap, Wireshark, Nessus, QualysGuard

Network Enumeration: Maltego, Google Hacking, DNS, SMB, LDAP.

Port/Vulnerability Scanning: Nmap/Nmap Scripting Engine (NSE), Netcat, Nessus

Sniffing/Man-in-the-Middle: Wireshark, Ettercap, Cain

Web Application Vulnerability Scanning: Nessus, OpenVAS, Vega, Acunetix, HP WebInspect, IBM AppScan.

Server/Client-Side Exploitation: Metasploit, Social Engineering Toolkit (SET).

Password Cracking: Hydra, RainbowCrack, Ophcrack, John the Ripper, Pyrit

Web Application: Manual SQL Injection, Manual Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQLmap

Debuggers: OllyDbg, WinDbg.

Wireless: Aircrack-NG Suite and Kismet

WORK EXPERIENCE:

Confidential, Reston, VA

Web Application Penetration Testing/Vulnerability/Security Tester

Responsibilities:

  • Conducted application penetration testing of 50+ business applications
  • Conducted Vulnerability Assessment of Web Applications
  • Performed functional testing of security solutions like RSA two-factor authentication, Novell single sign-on, DLP, and SIEM
  • Worked on various business development activities like drafting responses to RFPs and preparing SOW documents
  • Acquainted with various approaches to Grey & Black box security testing
  • Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
  • Conducted security assessment of PKI Enabled Applications
  • Skilled in using Burp Suite, Acunetix automatic scanner, Nmap, DirBuster, QualysGuard, Qualys VM and WAS, Nessus, and SQLmap for web application penetration tests and infrastructure testing.
  • Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
  • Capturing and analyzing network traffic at all layers of the OSI model.
  • Monitored the security of critical systems (e.g. e-mail servers, database servers, web servers, application servers, etc.).
  • Managed changes to highly sensitive computer security controls to ensure appropriate system administrative actions; investigated and reported on noted irregularities.
  • Conducted network vulnerability assessments using tools to evaluate attack vectors, identified system vulnerabilities, and developed remediation plans and security procedures.
  • Identified Critical, High, Medium, and Low vulnerabilities in the applications based on the OWASP Top 10 and SANS 25 and prioritized them based on criticality.
  • This experience has enabled me to find and address security issues effectively, implement new technologies, and efficiently resolve security problems. With a strong Network Communications, Systems, and Application Security (software) background, I am looking forward to implementing, creating, managing, and maintaining information security frameworks for large-scale, challenging environments.

Confidential, Simpsonville, SC

Web Application Penetration Testing/Vulnerability/Security Tester

Responsibilities:

  • Performed security research, analysis and design for all client computing systems and the network infrastructure.
  • Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
  • Vulnerability Assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebScarab, YASCA, and HP WebInspect.
  • Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
  • Security testing of APIs using SoapUI.
  • Experience in using Kali Linux to perform web application assessments with tools like DirBuster, Nikto, and Nmap.
  • Good knowledge of IBM AppScan to enhance web application security.
  • User ID reconciliation on a quarterly basis.
  • Kept up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
  • Threat modeling of the project by getting involved before development and improving security at the initial phase.
  • STRIDE assessment of the applications during the design phase, identifying the threats possible and providing security requirements.
  • Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
  • Good knowledge of programming and scripting in .NET and Java.
  • Followed up and ensured the closure of the raised vulnerabilities by revalidating and ensuring 100% closure.
  • Good experience in web technologies like HTTP, HTML, CSS, forms, and database connectivity.

Confidential, Charlotte, NC

Web Application Penetration Testing/Vulnerability/Security Tester

Responsibilities:

  • Conducted application penetration testing of 10+ business applications
  • Conducted Vulnerability Assessment on Various Applications.
  • Acquainted with various approaches to Grey & Black box security testing
  • Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, weak cryptography, authentication flaws etc.
  • Conducted security assessment of PKI Enabled Applications.
  • Skilled in using Burp Suite, Acunetix automatic scanner, Nmap, Havij, and DirBuster for web application penetration tests.
  • Generated and presented reports on Security Vulnerabilities to both internal and external customers.
  • Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
  • Vulnerability Assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebScarab, YASCA, and HP WebInspect.
  • Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
  • Followed up and ensured the closure of the raised vulnerabilities by revalidating and ensuring 100% closure.
  • Kept up to date with new hacking techniques and the latest vulnerabilities to ensure no such loopholes are present in the existing system.

Confidential, Woodbridge, VA

Web Application Penetration Testing/Vulnerability/Security Tester

Responsibilities:

  • Planning, conducting, and reporting vulnerability and risk assessments of applications. Explained the risk associated with each vulnerability to the project team for better understanding and guided the project team towards its closure/remediation.
  • Performed vulnerability testing, application security, database security, and penetration testing against various technologies like Ajax, Flash, and web services.
  • Identification of Injection, Business Logic, Authentication, Session Management, and other related flaws in applications, and describing attack scenarios and the associated risk to the business.
  • Providing preventive, mitigating, and compensating controls to ensure the appropriate level of protection and adherence to the goals of the overall information security strategy.
  • Assisting customers in understanding the risk and threat level associated with a vulnerability so that the customer may or may not accept the risk with respect to business criticality.
  • Assisting in the review of business solution architectures from a security point of view, which helps avoid security-related issues/threats at the early stage of a project.
  • Ensuring compliance with legal and regulatory requirements.

Confidential

Jr. Security Engineer

Responsibilities:

  • Perform threat modeling of the applications to identify the threats.
  • Identify issues in web applications in various categories like Cryptography and Exception Management.
  • Risk assessment of the application by identifying issues and prioritizing them based on risk level.
  • Within the team, the main focus of work was to audit the application prior to moving it to production.
  • Explanation of the security requirements to the design team in the initial stages of the SDLC to minimize the effort to rework issues identified during penetration tests.
  • Providing remediation to the developers based on the issues identified.
  • Revalidate the issues to ensure the closure of the vulnerabilities.
  • Verify whether the application has implemented basic security mechanisms like Job Rotation, Privilege Escalation controls, Least Privilege, and Defense in Depth.
  • Using various add-ons in Mozilla Firefox to assess the application, like Wappalyzer, Flagfox, Live HTTP Headers, and Tamper Data.
