Professional Summary
About ** years of IT industry experience as Web Application Security
Specialist, Network specialist with extensive experience in application
vulnerability assessments.
Technical Skills
Hardware Sun E450, HP ML Series, Dell, IBM, Cisco
3700/3600/2950, Cisco PIX, Cisco VPN Concentrator,
Cisco Voice Gateway VG200, Cisco IP Phones 7960
Series.
Operating Systems Sun Solaris 9, Linux 9, Windows Server
2003/2000/NT, Novell Netware 5.0, SCO Unix
Languages Unix Scripting, Perl Scripting
Databases Oracle Administration
GUI Microsoft Windows, Linux GNOME
Case Tools (Security) IBM App Scan Edition, Web Inspect, Nmap, Nessus
Scan, Ethereal Sniffer, Paros, WebScarab, Nikto,
WebInspect, TamperIE, IEWatch, Sleuth, Firebug,
Firecookie, Webscarab. Acunetix, Echo mirage,
Wireshark, Hex Editors
Web Related IIS, HTTPD
Firewalls Cisco PIX, Internet Security & Acceleration Server
2003, Checkpoint NG/AI
Domain Knowledge Banking, Financial Web Applications.
Certifications
CeH - Certified Ethical Hacker by EC-Council
CCNA - Cisco Certified Network Associate
CSPFA - Cisco PIX Firewall Advanced
SECUR - Cisco Securing IOS Networks
Preparing for CISSP for September 2010
Projects Profile
1. Project Name: Application Vulnerability Assessments,
Citigroup Global and its Affiliates
Client Citigroup, Fort Lauderdale, USA
Role Lead Security Analyst
Duration From April 2009 - Till date
Team Size Project : 19 Module : 1
Project Description
Perform vulnerability assessments for Citigroup Inc. on web and web based
application covering the following:
I- Configuration Management (Common server/device configuration issues)
Ensure systems have been properly hardened. Detecting
unnecessary/unauthorized services, which increase potential attack surface
of the overall system. Detect misconfigured services that represent weak
entry points of attack or could ease other means of attacks. E.g. Excessive
services running, default configuration, test/debug material, default
accounts.
II- Access Control Issues (Authentication / Authorization / Accounting)
Ensure robust mechanisms are in place to keep unauthenticated users from
accessing protected resources, ensure effective authorization checks are in
place to keep users from performing unauthorized actions, and verify
existence of proper accounting "Logging" mechanism. E.g. Sensitive
information available without authentication, default/mis-configured
management points, network devices relying on local authentication,
account/credential management practices, key management, excessive rights
granted.
III- Security Architecture Issues
Ensure the overall network and system design follow sound security
architecture practices. Validates primarily the effectiveness of preventive
and detective security controls. E.g. insufficient network segmentation,
critical service protection, end to end encryption, egress filtering,
centralized security.
IV- Patch management
Ensure systems have been properly patched against known vulnerabilities.
V- Cryptography
Systems ability to properly use recommended encryption standards to protect
sensitive information from disclosure to unauthorized parties. Violations
of ISTG encryption standards. E.g. Sensitive Information unencrypted during
client/server communication, weak encryption keys used, vulnerable
encryption protocols, restricted/authentication information unencrypted in
storage
VI- Information Gathering
System's ability to keep sensitive user information as well as
infrastructure related information from being disclosed. Verbose error
messages, unexpected application behavior reveals infrastructure
information/source code, sensitive information cached to disk/browser,
cross frame scripting.
VII- Application Specific: Input Validation, Session Management, Exception
Management
Application interfaces ability to stand common application attacks, e.g.
information/source code disclosure, SQL Injection, XSS, Session Hijacking,
etc.
Contribution
- Perform vulnerability assessment testing on all Citibank websites;
also performed VAs on think client, Citrix based applications and
PDA/Mobile applications.
- Perform detailed manual testing which covers Information gathering,
authentication, authorization, session management, privilege
escalations, siteminder (SSO) security issues, Citrix based loop holes
and many more
- Perform automated testing with tools like Appscan and Webinspect
- Used tools like Paros, Burp suite, Webscarab and many firefox addons
- Training new team members on board
- Handle escalations and recommending solutions to patch security holes
across various businesses in Citigroup.
2. Project Name: Vulnerability Assessment Management (Consumer
and Corporate Site).
Client Citicards, Jacksonville, USA - www.citicards.com
Role Team Lead
Duration From May 2007 - Apr 2009
Team Size Project : 4 Module : 1
Project Description
To manage and facilitate Vulnerability Assessment with external vendors on
all CITI Cards websites.
Contribution
Managing the Vulnerability Assessment program for Citicards eBusiness in
Jacksonville, USA
- Scheduling Vulnerability Assessments on Citicards (www.citicards.com)
and Retail Private Label applications an aggregate of 243
applications.
- Managing VAs on monthly release projects. Have to understand the
technology/infrastructure used, identify the functionality that is
going to be introduced and determine if VA is required or not
- Participating business meetings to give an overview of Citi Security
Policy and Citi Website Standards and giving best practices to
Business Analysts and Interaction Designers to prevent introducing any
new vulnerability in the upcoming projects
- Conducting meetings with development teams to discuss identified
Vulnerabilities on new and existing projects (compliance). Giving them
recommendations to resolve issues identified
- Proactive Vulnerability Scanning using Watchfire AppScan Enterprise
Edition to identify vulnerabilities and report the development team
for resolution. This helps Citi to limit the cost spent on external
vulnerability assessments.
3. Project Name: Vulnerability Assessment for Internet banking
(Retail and Corporate Site).
Client State Bank of India, www.onlinesbi.com
Role Team Lead
Duration From August 2006 - May 2007
Team Size Project :1 Module : 1
Environment Software
Network Security Webinspect
, Acunetix
Nikto,
Paros,
WebScarab,
IETamper,
Sleuth,
Ethreal,
Nmap
Project Description
To find out vulnerabilities of Retail and Corporate Internet banking site
for State Bank of India.
Contribution
Took the ownership of all the process related in securing the web
application.
Job involves discovering application security flaws and reporting to
application development team. Performed automated scans with SPI Dynamics
WebInspect also performed manual testing to identify business logic based
vulnerabilities. Tested both commercial as well as consumer online
applications. Reporting the vulnerabilities to the development teams and
giving them recommendations on how to fix the findings.
1. Created best practices based on OWASP Standards (Open Web
Application Security)
a. Authorization
b. Authentication
c. Session management.
d. Securing Web Services
e. Web Application Vulnerabilities
f. In place security for websites which requires secure login
2. Vulnerability Assessment of www.onlinesbi.com
a. Tools : SPI Dynamics WebInspect, Acunetix, Webscarab, Paros,
Nessus, Ethreal, Nmap, IETamper, Sleuth, IE Frame Analyzer.
3. Java source code review using open source tools PMD & Jalopy
PMD & Jalopy scans Java source code and looks for potential
problems like:
a. Possible bugs - empty try/catch/finally/switch statements
b. Dead code - unused local variables, parameters and private
methods
c. Suboptimal code - wasteful String/String Buffer usage
d. Overcomplicated expressions - unnecessary if statements, for
loops that could be while loops
e. Duplicate code - copied/pasted code means copied/pasted bugs.
4. Project Name: Vulnerability Assessment for Intranet site.
Client Satyam Computer Services Limited, quest.satyam.com
Role Team Lead
Duration 2 weeks
Team Size Project :1 Module : 1
Environment Software
Network Security Nikto,
Paros,
WebInspect
Project Description
To find out vulnerabilities in an intranet site quest.satyam.com
Contribution
Self
Recommended the following for the development team:
1.Hardening the server on latest service packs in which the web
application service is running and also on the database server
2.Hardening the firewall so that it should check for the content and allow
the packets
3. Hardening web application server for rejecting cross site scripting,
brute force attack, and remote code execution.
4. Hardening database server for rejecting SQL Injection and blind SQL
injection.
5. Directory Traversal Techniques were used Check if any of the files /
folders out of the document root of the web server could be accessed by
appending any of the following to any URL in the application.
6. Hidden Field Manipulation is used to check to see if any state-related
or sensitive information is stored in hidden fields.
7. URL Manipulation used to check if any state-related or sensitive
information is stored in hidden fields.
8. Cookie Manipulation ensures that no sensitive information is stored
directly in cookies.
9. Checked for format strings, this is used for C/C++ based applications if
the form field of a page accepts large chunk of data check for the
existence of buffer overflow
10. Checked for Race conditions to see if all shared resources/variables
are locked before access and released after access. For example, in a Java
program, ensure all accesses to shared variables are enclosed in a
'synchronized' block.
.
4. Project Name : Security Support Desk
Client Sun Micro Systems (formerly StorageTek Inc.), Toulouse,
Frankfurt, Singapore, Kula Lumpur
Role Team Lead
Duration (07/2004) - (02/2006)
Team Size Project :15 Module : 1
Environment Software
Network Security Sun
Solaris,
Linux
Hardware Cisco PIX, Cisco VPN Concentrator, Cisco Router
2600
Project Description
To Manage and Maintain the security infrastructure of Sun Microsystems
(formerly StorageTek Inc.). The security infrastructure comprises of
managing devices includes Cisco PIX, Cisco VPN Concentrators etc and
Microsoft firewalls.
Contribution
Lead the team of 15. Handle escalations, Design and deploy security
services across Europe and Asia Pacific.
As a team lead, was responsible for
. Design & Deploy security services for all the sites across Europe/Asia
Pacific
. Handle Escalations
. Also managed the application vulnerability assessment team.
. Recommendation of new products
. Responsible for overseeing the Quality procedures related to the project.
. Client site visit for implementations.
5. Project Name : Bank Network/Information Security
Client Bank Muscat, Oman
Role Security Administrator
Duration (05/2004) - (07/2004)
Team Size Project :5 Module : 1
Environment Software
Network Security Checkpint
NG/AI, Sun
Solaris
Hardware Nokia firewall
Project Description
To Manage and Maintain the multi-layered security infrastructure of Bank
Muscat.
Contribution
Worked as a Security Administrator for the bank. Responsible for the rule
base, Handle all escalations, Review of security policy and recommend
changes to the policy and procedures. Review of new applications and
technologies to be implemented in the bank for security.
As an administrator, was responsible for
. Plan secure messaging architecture including deployment of PKI and PGP
mechanisms.
. Installation and maintenance of Checkpoint Firewall/VPN and MS-ISA
Server.
. Configuration of RealSecure Network Intrusion Detection System.
. Installation, management and fine-tuning of Websense URL Filtering
software and Symantec web security for Microsoft ISA Proxy Service.
. Create OS hardening guidelines and scripts of automating the hardening
process.
. Maintain necessary documentation for External, IT and Security audits.
. Design, co-ordinate and implement VPN solutions.
. Design, co-ordinate and implement security products for various needs.
6. Project Name : IMS
Client GAVS Information Services (P) Ltd..
Role Network/Security Administrator
Duration (04/2003) - (05/2004)
Team Size Project :5 Module : 1
Environment Software
Network Security Linux
FreeS/Wan
Hardware Cisco Pix 515E, Cisco 3700 Series, Cisco 1700
Voice Gateway
Project Description
To Manage and Maintain the entire in-house WAN & Security infrastructure of
the firm.
Contribution
Worked as a Network/Security Administrator for GAVS. Responsible for the
rule base, Handle all escalations, Review of security policy and recommend
changes to the policy and procedures.
As an administrator, was responsible for
. Installed Linux FreeS/WAN, all VPN tunnels to Client and other office
locations are built. Is was cost effective and very stable
installation. The kernel has been rebuild to accept only IPSec packets
from external networks.
. Installation and maintenance of Checkpoint Firewall/VPN and MS-ISA
Server.
. Installation, management and fine-tuning of Websense URL Filtering
software and Symantec web security for Microsoft ISA Proxy Service.
. Create OS hardening guidelines and scripts of automating the hardening
process.
. Maintain necessary documentation for External, IT and Security audits.
. Design, co-ordinate and implement VPN solutions.
. Design, co-ordinate and implement security products for various needs.
7. Project Name : IMS
Client First Flight Couriers Limited
Role Contract Maintenance - First Flight Network Infrastructure
Duration (07/1999) - (04/2003)
Team Size Project :1 Module : 1
Environment Software
Network Security Linux, MS
Windows
NT/2000
Hardware Cisco 800 Series
Project Description
To Manage and Maintain the entire in-house WAN infrastructure for First
Flight, Tamilnadu region.
Contribution
Worked as a Network/Security Administrator for the client First Flight
Couriers Ltd.. Responsible for the rule base, Handle all escalations.
As an administrator, was responsible for
. Deployed the Windows NT Server user accounts for their Tamilnadu work
locations. Setup PDCs and BDCs server infrastructure.
. Installation and maintenance of Cisco 800 Series routers to connect
their offices across Tamilnadu.
. Setup the ISA proxy server for internet access for the users.
Education
Degree University
Master of Computer University of Madras,
Applications India
B.S (Computer Science) University of Madras,
India