Application Security Engineer Resume

Dallas, TX

PROFESSIONAL SUMMARY:

  • Over 5 years of experience in Web Application Security, Penetration Testing, Mobile Application Security, Risk Assessments and Secure Software Development Life Cycle (secure SDLC).
  • Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
  • Analyzed and monitored required measures to ensure the integrity, performance and security of data and network resources.
  • Experience in vulnerability assessment and penetration testing using various tools like Burp Suite, OWASP ZAP Proxy, Acunetix, Nmap, Nessus, HP Fortify, IBM AppScan Enterprise, Kali Linux and Metasploit.
  • Work with global security teams performing application and IT infrastructure security assessments.
  • In-depth knowledge of penetration testing for web and mobile (iOS and Android) applications.
  • Good understanding of web application attacks, including denial-of-service attacks, MITM attacks, local file inclusion (LFI), remote file inclusion (RFI) and buffer overflow.
  • Real-time experience in SQL Injection, XSS (Cross-Site Scripting), XML vulnerabilities, Script Injection, CSRF attacks and major hacking protection techniques.
  • Extensive work experience in OWASP and SANS 25 based vulnerability assessment (manual and automated) of various internet-facing web applications and web services.
  • Experience in securing web servers such as Apache HTTP Server and IIS.
  • Experience with Security Risk Management with TCP-based networking. Good knowledge of TCP/IP, Firewalls, LAN/WAN, IDS/IPS.
  • Experienced in Dynamic Application Security Testing (DAST) & Static Application Security Testing (SAST).
  • Updated business risk assessments to reflect regulatory and business changes, as well as the impact of audit, compliance testing and regulatory exam results on risk assessments.
  • Perform periodic security assessments of mixed Windows/Unix environment including network devices, databases and applications using approved testing tools and procedures.
  • Hands-on experience in cloud compliance and web application security using QualysGuard.
  • Excellent scripting and debugging skills in JavaScript, Python, PHP, HTML, CSS and Ruby.
  • Exposure to IT Security Compliance frameworks such as PCI, SOX, ISO, HIPAA, NIST and Industrial Control Systems Risk assessments.
  • Ability to handle multiple tasks and work independently as well as in a team.
  • An efficient team player in challenging and creative environments with an excellent capacity to adopt new technologies and skills.

TECHNICAL SKILLS:

Vulnerability Assessment Tools: Burp Suite Pro, OWASP ZAP Proxy, Paros Proxy, IBM AppScan, Metasploit, Acunetix, HP WebInspect, HP Fortify, DirBuster, QualysGuard, MobiSec, tcpdump, Fiddler, Rapid7, Checkmarx.

Network Auditing Tools/Assessment: Nmap, Nessus, Rapid7 Nexpose, QualysGuard, Wireshark.

Operating System: Kali Linux, GNU/Linux, Windows.

Programming Languages: C, Perl, Java, C#, PowerShell, Python, PHP.

RDBMS: MySQL, Oracle 10g/11g, PL/SQL.

Scripting Languages: HTML5, CSS, XML, Python, JavaScript.

PROFESSIONAL EXPERIENCE:

Confidential, Dallas, TX

Application Security Engineer

  • Perform Penetration Testing and Vulnerability Assessment in accordance with OWASP standards using manual techniques and automated tools.
  • Perform in-depth assessment of Security Assessment Reports.
  • Perform Vulnerability Assessment using IBM Appscan.
  • Found common website security issues (CSRF, XSS, application logic, SQL injection, information leakage, session fixation, etc.) across various platforms.
  • Perform Manual Penetration Testing using Burp Suite Pro.
  • Performed dynamic security testing for native mobile applications.
  • Scanned native mobile applications using IBM AppScan Standard.
  • Utilized Nmap on a daily basis to complete the assessments.
  • Perform server scans for both internal and external IP addresses using Rapid7 Nexpose and Nessus.
  • Scheduled and configured Security Scans for various EndPoints on Nessus Vulnerability Scanner.
  • Manage day-to-day vulnerability assessment with Nessus.
  • Perform, review and analyze security vulnerability data to identify applicability and false positives.
  • Conducted Dynamic and Static Application Security Testing (SAST & DAST).
  • Utilized Kali Linux and Metasploit for exploiting the systems.
  • Perform Static Application Security Testing using HP Fortify.
  • Used SQLMap to dump the database data to the local folder.
  • Analyzed the reports generated from penetration testing and documented the risks to identify their potential and probability, and provided remediations to either mitigate or eliminate the threat.
  • Generate and present reports on Security Vulnerabilities to both internal and external customers.
  • Recommend remediation and mitigation strategies of security issues in web applications to customers.
  • Perform web services security testing using SoapUI Pro and IBM AppScan.
  • Regularly performed research to identify potential vulnerabilities in and threats to existing technologies, and provided timely, clear, technically accurate notification to management of the risk potential and options for remediation.
  • Analyzed data and prepared reports that document vulnerabilities from network-based attacks, and recommended actions to prevent, repair or mitigate these vulnerabilities.
  • Perform remediation activities for applications, OS, databases, middleware, digital certificates, layer products and Java.
  • Identify issues in session management, input validation, output encoding, exception logging, cookie attributes, encryption and privilege escalation.
  • Proactively identified system vulnerabilities to reduce or eliminate potential exploitation using Nessus Security Center and Passive Vulnerability Scanning.
  • Work closely with all competency teams to effectively and efficiently remediate vulnerabilities.

Confidential, Indianapolis, IN

Penetration Tester

  • Executed daily vulnerability assessments, threat assessment, and mitigation and reporting activities to safeguard information assets and ensure protection has been put in place on the systems.
  • Consult with application developers, administrators and management to ensure that proper security controls are identified, implemented, and tested.
  • Identified Critical, High, Medium and Low vulnerabilities in applications based on the OWASP Top 10 and prioritized them by criticality.
  • Performed grey-box and black-box testing of web applications. Created written reports detailing assessment findings and recommendations.
  • Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
  • Identified OWASP Top 10 issues such as XSS, SQL Injection and CSRF.
  • Trained the development team on the most common vulnerabilities and common code review issues, and explained the remediation.
  • Worked on Data Center environments, Firewall, IPS, IDS, other threat detection and prevention products.
  • Conducted security assessment of PKI Enabled Applications.
  • Used various Firefox add-ons such as Flagfox, Live HTTP Headers and Tamper Data to perform penetration testing.
  • Provided and validated logging controls such as authentication logging, profile modification logging, log detail, log retention duration, log location, time source synchronization and HTTP logging.
  • Performed static code analysis using HP Fortify to identify vulnerabilities in applications.
  • Identified application vulnerabilities using proxies such as Burp Suite to validate server-side validation.
  • Parsed information from IBM AppScan reports into meaningful data about application vulnerabilities.
  • Extensively used HP Fortify, Nmap, Burp Suite and DirBuster on a daily basis to complete the assessments.
  • Crafted and executed different payloads to test systems for XSS and XXE vulnerabilities.
  • Reviewed code for uses of redirects and forwards; for each use, identified whether the URL is included in any parameter values and whether the target URL is validated against a whitelist.
  • Followed up on raised vulnerabilities and revalidated them to ensure 100% closure.
  • Provide remediation validation for clients in compliance with PCI Data Security Standards to provide a passing vulnerability scan.
  • Developed, implemented, and documented formal security programs and policies.
  • Involved in report writing using standardized method for rating IT vulnerabilities and determining the urgency of response.
  • Provided details of the issues identified and the remediation plan to the stakeholders.

Confidential

Security Analyst

  • Conducted white-box and grey-box penetration testing of financial systems using Kali Linux and Cobalt Strike for OWASP Top 10 vulnerabilities such as XSS, SQL Injection, CSRF and privilege escalation, covering all test cases of web application security testing.
  • Performed black-box and grey-box penetration testing of internet- and intranet-facing applications.
  • Analyzed the reports generated from penetration testing and documented the risks to identify their potential and probability, and provided remediations to either mitigate or eliminate the threat.
  • Performed vulnerability assessment of various web applications used in the organization using tools such as Burp Suite Pro and WebInspect.
  • Identified OWASP Top 10 issues such as XSS, SQL Injection and CSRF.
  • Suggested security requirements to the development team at various stages of the SDLC to minimize rework on issues identified during penetration tests.
  • Perform in-depth assessment of Security Assessment Reports.
  • Created generic scripts for testing and reusability.
  • Used LDAP injection techniques for exploiting web applications that use client-supplied data.
  • Performed threat modelling of applications from both defensive and adversarial perspectives to detect potential threats.
  • Recommend and implement new tools and improvements for developing secure software.
  • Provided details of the issues identified and the remediation plan to the stakeholders.
  • Provided assistance to IT staff, provided security specifications for all vendor products and evaluated all requests for security architecture. Handled project planning, effort estimates, proof of concept (POC) and resource management.
  • Crafted and executed different payloads to test the system for XSS and other attacks.
  • Used SQLMap to dump the database data to the local folder.
  • Provided security implementation for authorization, with controls such as the principle of least privilege, relinquishing privileges when not in use, non-guessable tokens and forced browsing.