Web Application Penetration Tester Resume
Reston, VA
PROFESSIONAL SUMMARY:
- An Information Security Professional with experience of 6 years in penetration testing and vulnerability assessments on various applications in different domains. Involved in secure Software Development Life Cycle (SDLC) to ensure security controls are in place.
- Experienced in developing and implementing of Information Security Policies and Guidelines as per OWASP (Open Web Application Security Project), SANS Secure Coding guidelines.
- Hands-on experience in vulnerability assessment and penetration testing using various tools like Burp Suite, Fiddler, ZAP Proxy.
- Having valuable experience in Secure SDLC and Source Code Analysis (Manual & Tools) on web-based applications with tools such as HP WebInspect, Checkmarx, HP Fortify.
- Experience using a wide variety of security tools to include Kali-Linux, Wireshark, Nessus, Qualys Guard.
- Experience in identifying SQL injection, Script injection, XSS, Phishing and CSRF attacks.
- Verify if the application has implemented the basic security mechanisms like Job rotation, Privilege escalations, Least Privilege and Defense in depth.
- Create detailed assessment reports with remediation, recommendations and present findings to clients and re-testing the security issues.
- Vulnerability Assessment includes analysis of bugs in various applications on various domains by using both manual and automation tools.
- Excellent oral and written communication, interpersonal, negotiation, judgement, decision-making, analysis and problem-solving skills.
- Worked independently and within a team environment.
TECHNICAL SKILLS:
Tools and Add-ons: OWASP ZAP, NMAP, Fiddler, WireShark, Nessus, Qualys Guard, Kali-Linux, Acunetix, Metasploit.
Web Technologies: HTML, CSS3, XML, SOAP, AJAX
Tracking Tools: BugZilla, Team Forge
Database: MS SQL SERVER 2015/2008/2012
SAST/Code Review: Veracode, Checkmarx, HP Fortify, SonarQube
Web Application Scanners: Burp Suite Pro, Acunetix, IBM AppScan, HP Web Inspect
Languages: C, C++, PHP, Java, .NET, Python, Perl
PROFESSIONAL EXPERIENCE:
Confidential, Reston, VA
Web Application Penetration Tester
Responsibilities:
- Identifying the Critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality.
- Define vulnerabilities that are susceptible to attack and exploitation, while identifying and eliminating false positives.
- Performing code analysis using open-source and commercial tools across SDLC.
- Assess the physical security using various social engineering tactics.
- Performed research, analysis and testing of network and application vulnerabilities.
- Exploited web application vulnerabilities such as cross-site scripting, SQL injection, directory traversal, man-in-the-middle attacks, authentication bypass, and command injection
- Generated custom doc/pdf files that test for the existence of vulnerability.
- Vulnerability Assessment of various web applications used in the organization using OWASP ZAP, Burp Suite and HP Web Inspect.
- Coordinate with dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of the issue.
- Security testing of APIs using SOAP UI.
- Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing system.
- Training the development team on the most common vulnerabilities and common code review issues and explaining the remediations.
- Follow up/triage and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
- Assisted clients with questions regarding vulnerabilities and proposed mitigations.
Environment: OWASP ZAP, Burp Suite, HP WebInspect, SOAP, Java, NMAP, Windows, Linux
Confidential, Seattle, WA
IT Security Analyst
Responsibilities:
- Responsible to assess the controls to identify gaps and to design and analyze segregation of duties, least privilege for that application.
- Performed manual Penetration Testing to verify false positives.
- Verified regulatory violations in web applications by performing manual testing.
- Used Burp suite, HP Fortify on daily basis to complete vulnerability assessments.
- Ensure the issues identified are reported as per the reporting standards.
- Found common web site security issues (XSS, CSRF, session fixation, SQL injection, information leakage, application logic etc.) across various platforms. Used automated tools for exploiting vulnerabilities and formal tests on web-based applications on a regular basis.
- Directed research pertaining to the latest vulnerabilities, tools and the latest technological advances in combating unauthorized access to information.
- Provide the report and explain the issues to the development team.
- Responsible for leading in the research, mitigation and co-ordination of actions designed to reduce information security risk across internet facing presence.
- Provide information security guidance and consulting to business partners and system staff.
- Exhibited client facing skills and capability to articulate technical concepts to a variety of technical and non-technical audiences.
Environment: ASP.NET, Kali Linux, Nessus, NMAP, HP Fortify, HP WebInspect
Confidential
IT Security Analyst
Responsibilities:
- Addressed and integrated Security in SDLC by following techniques like Threat Modeling, Risk Management, Logging, Penetration Testing etc.
- Proficient in understanding application level vulnerabilities like XSS, SQL Injection, CSRF, Authentication bypass, Weak Cryptography, Authentication flaws etc.
- Conducting Web Application Vulnerability Assessment, secure code review on the applications.
- Skilled using Burp Suite, Fiddler, Fortify SCA, IBM App Scan, SQLMAP, NMAP for web application penetration tests.
- Generated and presented reports on Security vulnerabilities to both internal and external customers.
- Security assessment of online applications to identify the vulnerabilities in various categories like Input and data Validation, Authentication, Authorization & logging.
- Interface directly with customers in the creation, deletion, and ongoing management of user accounts in complex operational support system network environments.
- Having review meetings on a daily, weekly & monthly basis for software development, i.e., relying on the agile scrum development model.
- Proposed remediation strategies for remediating system vulnerabilities.
- Capturing and analyzing network traffic at all layers of the OSI model.
- Providing fixes & filtering false findings for the vulnerabilities reported in the scan reports.
- Responded to Access Management related inquiries, incidents, and service requests via the company's internal service management software.
- Added, modified, and removed user account access/security on a daily basis.
- Conducted onsite penetration tests from an insider threat perspective.
- Involved actively in the release management process to ensure all changes to the application had gone through security assessment.
- Discovered and communicated two reflective cross-site scripting vulnerabilities and two unprotected directories while performing an external web security assessment.
Environment: Fortify, Burp Suite Pro, IBM App Scan, NMAP, SonarQube, Fiddler2