SUMMARY:

• Over all 12+ years of experience in IT profession within Information Security Engineer in various domains such as Web Application Vulnerability Assessment, penetration testing and report generation.
• Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI - DSS), Sarbanes-Oxley Section404 (SOX), The Penetration Testing Execution Standard methodologies and Open Source Security Testing Methodology Manual (OSSTMM)
• Knowledge of and experience with applying Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), Common Vulnerabilities and Exposures (CVE)
• In-depth knowledge of SAST and DAST for web applications and mobile applications. 
• Threat modeling of the Project by involving before development and improving the security at the initial phase. 
• Conducted security assessments for external and internal web applications including N-tier apps, single page web application (SPA), API and web services ( SOA )
• Experience in using various debuggers, fuzzers, scanners, analyzers, exploit frameworks and proxies to examine, identify vulnerabilities and known exploits in web application, mobile and networks.
• Extensive experience in detecting OWASP top 10 and SANS Top 25 including SQL injection, XML injection, XSS, Cross-Site Request Forgery (CSRF), weak cryptography, Buffer Overflow fuzzing as well as other techniques to obtain command prompts on the servers, PDF exploits, HTTP response splitting attacks, web services vulnerabilities, Cookie Tampering, Data tempering, business logic flaws and authentication flaws etc.
• Preformed security assessments through the usage of w ide variety of penetration tools including open source and commercial tools such as Kali-Linux distro tools, Wireshark, Lophtcrack, Snort, Cain and Abel, Nitko, Dirbuster, IBM Appscan, Hp Fortify, Nessus, Open Vas, W3AF, BeEF framework, Etthercap, Maltego, Acunetix, Metasploit, Burp Suite, Sqlmap, OWASP ZAP Proxy,Nmap, Znmap, Superscan. Browser plug ins and other tools.
• Experience in web application Input fuzzing, injection fuzzing and Buffer Fuzzing using tools of chioce Burp suite and OWASP ZAP Proxy
• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and GSEC prioritizing them based on the criticality. 
• Validate and support vulnerability findings by identifying and dealing with false positives.
• Contributed as a peer to information security vulnerability management policies, procedures, and standards as needed.
• Familiarity with the use of and/or analysis of reports from various industry standard
• Experience in Threat Modeling during Requirement gathering and Design phases.
• Experience with Internet/Intranet Networking Protocols and Services.
• Worked as a key member in streamlining security processes, design and implement efficient security solutions achieving security efficiency.
• Excellent team player, enthusiastic initiator, and ability to learn the fundamental concepts effectively and efficiently.
• Good understanding of evading techniques for Web Application Firewall, IDS and IPS
• Conducted presentations to the upper management, project technical lead and information security lead.
• Having good experience in Secure SDLC and Source Code Analysis (Manual &Tools) on WEB based Applications.
• Participate in meetings with the developers, QA and the management team.

TECHNICAL SKILLS:

Platforms: Windows XP, Windows NT, 2000, 2003, Windows 7, Windows 8.1, Windows 10, MAC OS

Security Scanning and Penetration Testing Tools:   Metasploit community/Pro, SOAPUI, IBM App scanner, Nexpose Vulnerability Scanner,Appdetactive, Wireshark Network Packet Analyzer, Kali Linux, OpenVAS Vulnerability Scanner, Nessus Scanner, True Crypt, TCPDump, NETCAT, Hydra, Cain and abel, John the Ripper Password Cracker, Burp-suite Web Application Scanner, OWASP ZAP, NMAP/Zenmap Port Scanner, SQLMap, DirBuster, Kali Distro, Acunetix, core impact, Canvas, WATOBO,Maltego, Ettercap, Nikto, w3af, CORE Impact, Social Engineer ToolkitRetinaNetsparker, BeEF, Dradis, WebScarabNG, IronWASP, Mutational Fuzzers, Qualysguard , Wapiti, RFuzz The Web Destroyer, Appdetectivepro etc. As ability to use other tools not listed here. Mitigation Experience Toolkit, Secure Shell (SSH), Splunk. 

Web Servers : Apache Tomcat, Nginx, Jboss and JRun. IIS, websphere application server etc.

WORK EXPERIENCE:

Security Consultant/ Web Penetration Tester

Confidential

Responsibilities:

• Familiar with various approaches to Grey & Black box security testing.
• Finding effective ways of manipulating the vulnerable domains of the systems. 
• Maintaining high level of security of the information that is crucial for the business growth of the organization. 
• Experience in Threat Modeling during Requirement gathering and Design phases. 
• Utilized common security tools dynamic and static analysis to evaluate the security of target systems and applications.
• Experience in finding - SQL injection, XML injection, techniques to obtain command prompts on the servers, PDF exploits, HTTP response splitting attacks, LFI, RFI, CSRF and web services vulnerabilities using various tools ( commercial and open source ).
• Exploited the logic flow of web application and recommend mitigation to the findings.
• Identified issues on sessions management, Input validations, output encoding, Logging, Exceptions, Cookie attributes, Encryption, Privilege escalations.
• Brute force assessment to insure strong passwords requirement.
• Good Experience in exploiting the recognized vulnerabilities in web applications.
• Performed, reviewed and analyzed security vulnerability data to identify applicability and false positives 
• Used CVSS Scores to create reports demonstrating the severity of the existing vulnerabilities and was helpful to prioritize the course of implementation depending on the severity of the vulnerabilities. 
• Participated in the development of IT risk assessments for enterprise applications.
• Remediation planning and implementation
• Proficient in analyzing different security threats to organizations by identifying the indicators.
• Analyzing the enterprise's information security environment and recommending security measures to safeguard applications and information assets using threat modeling, OWASP, CWE. 
• Provide consultative support with implementation of remediation steps, standards, and best practices. 

Security Consultant/ Penetration Tester

Confidential

• Review of projects during the SDLC and make actionable recommendations to the project team, understand the technology and bring solutions based on them. 
• Performed Web Application Vulnerability Assessment & Threat Modeling, Gap Analysis, secure code review on the applications. 
• Performed penetration testing with Kali Linux.
• Performed port scanning of small and large networks.
• Performed wireless vulnerability assessments, including access point detection and WEP cracking 
• Responsible for vulnerability scanning with unknown tool for we applications to identify security threats and vulnerabilities.
• Have real time experience in SQL Injection protection, Script Injection, XSS Protection and major hacking protection techniques. 
• Vulnerability Assessment includes analysis of bugs in various applications spread across N-tier on various domains by using both manual and Automation tools.  .
• Manual validating vulnerability findings by identifying false positives.
• Develop and manage vulnerability assessments including development of risk mitigation strategies.
• Performed network Vulnerability Assessments using various network tools.
• Involved in the meetings with the developers regarding the awareness to minimize security risks. 
• Created written reports, detailing assessment findings and recommendations. 
• Provide both strategic analysis and near real-time auditing, analyzing, investigating, reporting, remediation, coordinating, and tracking of security-related activities for customer 

Independent consultant/ Front End Web development

Confidential

• Utilized HTML5, CSS3, and JavaScript to develop user interface for Web Applications.
• Converting designs into responsive, cross browser compatible Web Applications.
• Extensive knowledge of technical terminology, developments, and Interactive Media trends.
• Performed manual testing on different modules of the application.
• Uncommon design talents that enrich static web designs and user experiences into Interactive Media presentations for client involvement.
• Increased user satisfaction by 20% based on customer feedback/surveys.
• Testing for Mobile and Cross­browser Compatibility.
• Used Bootstrap 3, Foundation 5, HTML5 Boilerplate and other modern front end development frameworks to create responsive layouts for cross browsers.
• Used JavaScript Libraries, jQuery and jQuery UI to add functionality to web applications.
• Responsible for ensuring website cross­-browser compatibility (IE, Firefox, Chrome,Opera & Safari ), link integrity and overall quality.
• Design, code, test, and implement web and other applications using current standard.
• Perform security assessments and vulnerability scans.
• Analyze data and prepare reports that document vulnerabilities from network based attacks and recommends actions to prevent, repair, or mitigate these vulnerabilities 
• Mitigate security vulnerabilities and provide recommendation for client.
• Provide analysis and mitigation support during an active attack.