Information Security Analyst Resume

Reston, VA

SUMMARY:

  • Professional with 6+ years of progressive experience in IT, with extensive experience in Information Security, Application Security, Network Security and Penetration Testing.
  • Experience in application security, vulnerability assessments and the OWASP Top 10, along with security testing tools such as Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, Kali Linux, Metasploit, HP WebInspect and IBM AppScan.
  • Experience as an Information Security Analyst involved in OWASP Top 10 based vulnerability assessments of internet-facing point-of-sale web applications and web services.
  • Experience with Dynamic Analysis (DAST) and practical knowledge of Static Analysis (SAST).
  • Good experience in Secure SDLC and Source Code Analysis (manual and tool-based) on web-based applications.
  • Hands-on experience in SQL Injection protection, XSS protection, script injection and other major hacking protection techniques.
  • Involved in web application development with UI technologies such as CSS, HTML and JavaScript.
  • Hands-on experience in reviewing and defining requirements for information security solutions.
  • Performed application security and penetration testing using Rational AppScan.
  • Performed host, network and web application penetration tests.
  • Performed application and infrastructure penetration tests along with physical security reviews.
  • Worked on improvements to security services and provided feedback and verification on existing security issues.
  • Knowledge of protocols such as TCP/IP, UDP, IPsec, HTTP, HTTPS and routing protocols; operating systems such as Windows and Linux; databases; application security; and secure remote access.
  • Ability to develop and maintain metrics and reports on vulnerability findings and remediation compliance.
  • Knowledge of DISA STIG, CIS, CVSS, HIPAA and proactive vulnerability detection.
  • Good knowledge of cloud security models and controls for Amazon Web Services (AWS).
  • Proficiency in scripting, Unix operating systems and Windows.
  • Good knowledge of gathering requirements from stakeholders, constructing RFPs/RFQs, and devising and planning; strong technical understanding of vulnerabilities and how attackers can exploit them to compromise systems.
  • Ability to exploit recognized vulnerabilities.
  • Good team player with excellent analytical, interpersonal, communication and written skills, and strong problem-solving and troubleshooting capabilities. Highly motivated and able to adapt to any new environment.

TECHNICAL SKILLS:

Tools: Burp Suite, DirBuster, SQLMap, Kali Linux, OpenVAS, HP WebInspect, IBM AppScan, HP Fortify, Checkmarx, OWASP, SANS Top 25, ZAP, SCA

Network Tools: Nmap, Tenable Nessus, Rapid7 Nexpose, InsightVM, Qualys

Policy and standards: NIST, PCI DSS, CIS, HIPAA, FDCC

Risk Assessment Tools: Digital Manager 360 (Modulo), RSA Archer

Language: C, C++, Java

Web Technologies: HTML, CSS, JavaScript

Platforms: Windows XP/10, Linux

Web Server: Apache, IIS 6.0/7.0

Database: MS SQL, Oracle, MySQL

Packages: MS-Office (Word, Excel, Pivot Tables), MS Visio

PROFESSIONAL EXPERIENCE:

Confidential, Reston, VA

Information Security Analyst

Responsibilities:

  • Performed manual and automated dynamic grey-box security testing and remediation testing on a wide range of web and native mobile applications hosted in multiple pre-prod environments, using tools such as IBM AppScan Standard, Burp Suite and Checkmarx.
  • Used security tools such as Nessus and Nmap to identify malicious code, operating system vulnerabilities and open ports on internal systems and external boundary devices.
  • Responsible for providing remedies for security vulnerabilities reported by Fortify, such as Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL injection, header manipulation and session timeout.
  • Conducted security assessments by creating test cases and test scenarios for session management, cryptography, sensitive data, and auditing and logging.
  • Performed manual and automated testing, provided detailed reports to the development team and provided the necessary remediation for individual findings.
  • Used SAST and DAST tools to test the application, using SAST for white-box testing.
  • Executed application scanning using penetration testing tools such as IBM AppScan, covering the OWASP Top 10.
  • Used WebInspect to perform automated scans of online applications in production, followed by report presentation.
  • Used Kali Linux for host-based security testing, identifying running services and open ports and finding vulnerabilities using the Nmap Scripting Engine.
  • Responsible for performing application scans using penetration testing tools, based on the OWASP Top 10.
  • Used SoapUI to perform web service testing and analyze vulnerabilities.
  • Used SQLMap to dump database data to a local folder.
  • Used automated tools to perform static code reviews.
  • Used Firefox add-ons such as Live HTTP Headers, Tamper Data and Flagfox when performing penetration tests.
  • Conducted automated scanning for dynamic assessment using HP WebInspect.

Environment: Windows, Nessus, IBM AppScan Standard, QRadar, Burp Suite, IBM AppScan Source.

Confidential, Chicago, IL

Application Security Analyst

Responsibilities:

  • Worked as an Application Security Analyst, maintaining the security controls required at the design level.
  • Worked with the software development team to review source code, triage vulnerabilities reported by HP Fortify, IBM AppScan and HP WebInspect, and eliminate false positives.
  • Used static code analysis tools such as IBM AppScan and HP Fortify to conduct security code reviews of .NET, Java and PP code.
  • Documented reports based on network and application vulnerability scan alerts and assisted development teams in remediating vulnerabilities, prioritized by severity.
  • Used the OWASP Top 10 and SANS Top 25 to identify vulnerabilities and prioritize them by severity.
  • Performed penetration testing on applications and systems using manual and automated techniques with tools such as Kali Linux and Burp Suite.
  • Explained security requirements to the design team in the initial stages of the Software Development Life Cycle to minimize issues identified during penetration testing.
  • Experience with web development technologies such as HTML, CSS, HTTP and database connectivity.
  • Responsible for identifying how an attacker could exploit vulnerabilities during the dynamic analysis phase.
  • Performed thorough penetration testing on web applications.
  • Performed SAST and DAST security testing on production applications.
  • Used Nmap and Nessus to perform network scanning.

Client: Fannie Mae, Reston, VA

Security Engineer

Responsibilities:

  • Established a vulnerability assessment practice, proactively ensuring the safety of client-facing applications and minimizing client audit findings.
  • Performed security analysis and identified possible vulnerabilities in the key derivation function; created Vulnerability Assessment reports detailing the exposures identified, rating the severity of the system and suggesting mitigations; and tested known vulnerabilities.
  • Real-time experience in DoS, DDoS, SQL Injection protection, XSS protection, script injection and other major hacking protection techniques.
  • Supported the integration of security into the SDLC through techniques such as Threat Modeling, Risk Management, Logging and Penetration Testing.
  • Provided fixes and filtered false findings for the vulnerabilities reported in scan reports.
  • Added new vulnerabilities to the Vulnerability Database for various platforms, with proper exploits.
  • Scanned networks, servers and other resources to validate compliance and identify security issues using numerous tools.
  • Assisted in preparing plans to review software components through source code review or application security review.
  • Assisted developers in remediating issues from security assessments with respect to OWASP standards.

Environment: DoS, DDoS, SQL Injection protection, XSS protection, script injection, major hacking protection techniques, Threat Modeling, Risk Management, QualysGuard, Nessus, Logging, Penetration Testing, Application Security Review, Security Assessments.

Confidential

Penetration Tester

Responsibilities:

  • Experience with manual penetration testing on web applications.
  • Good understanding of and experience in testing vulnerabilities based on the OWASP Top 10.
  • Experience with Intrusion Detection Systems (IDS), which automate the process of intrusion detection, and Intrusion Prevention Systems (IPS), which aim to detect intrusions.
  • Capable of identifying flaws such as SQL Injection, XSS, Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Function Level Access Control, CSRF and Unvalidated Redirects.
  • Familiar with the Burp Suite tool for identifying vulnerabilities manually.
  • Executed network penetration and vulnerability assessments on the internal network to check for vulnerabilities in the existing network, and communicated the correct mitigations for those vulnerabilities to the client.
  • Performed Dynamic Application Security Testing (DAST) using tools such as HP Fortify and IBM AppScan.
  • Prepared comprehensive security reports detailing the identified vulnerabilities, risk descriptions and recommendations.
  • Coordinated with team members to provide guidance on requirements.
  • Experience with tools such as the Tenable Nessus vulnerability scanner.
  • Provided comprehensive reports on vulnerabilities and action plans to mitigate them.
  • Utilized various logs, rules and indicators of compromise to correlate events for exploit prevention and incident response.
  • Researched, identified and implemented security best practices for all system and service deployments.

Environment: Application Security, Security Assessments, Manual Testing, Vulnerability Management, OWASP TOP 10
