Post Job Free
Sign in

Project Security

Location:
Pompano Beach, FL, 33069
Posted:
November 10, 2010

Contact this candidate

Resume:

Professional Summary

About ** years of IT industry experience as Web Application Security

Specialist, Network specialist with extensive experience in application

vulnerability assessments.

Technical Skills

Hardware Sun E450, HP ML Series, Dell, IBM, Cisco

3700/3600/2950, Cisco PIX, Cisco VPN Concentrator,

Cisco Voice Gateway VG200, Cisco IP Phones 7960

Series.

Operating Systems Sun Solaris 9, Linux 9, Windows Server

2003/2000/NT, Novell Netware 5.0, SCO Unix

Languages Unix Scripting, Perl Scripting

Databases Oracle Administration

GUI Microsoft Windows, Linux GNOME

Case Tools (Security) IBM App Scan Edition, Web Inspect, Nmap, Nessus

Scan, Ethereal Sniffer, Paros, WebScarab, Nikto,

WebInspect, TamperIE, IEWatch, Sleuth, Firebug,

Firecookie, Webscarab. Acunetix, Echo mirage,

Wireshark, Hex Editors

Web Related IIS, HTTPD

Firewalls Cisco PIX, Internet Security & Acceleration Server

2003, Checkpoint NG/AI

Domain Knowledge Banking, Financial Web Applications.

Certifications

CeH - Certified Ethical Hacker by EC-Council

CCNA - Cisco Certified Network Associate

CSPFA - Cisco PIX Firewall Advanced

SECUR - Cisco Securing IOS Networks

Preparing for CISSP for September 2010

Projects Profile

1. Project Name: Application Vulnerability Assessments,

Citigroup Global and its Affiliates

Client Citigroup, Fort Lauderdale, USA

Role Lead Security Analyst

Duration From April 2009 - Till date

Team Size Project : 19 Module : 1

Project Description

Perform vulnerability assessments for Citigroup Inc. on web and web based

application covering the following:

I- Configuration Management (Common server/device configuration issues)

Ensure systems have been properly hardened. Detecting

unnecessary/unauthorized services, which increase potential attack surface

of the overall system. Detect misconfigured services that represent weak

entry points of attack or could ease other means of attacks. E.g. Excessive

services running, default configuration, test/debug material, default

accounts.

II- Access Control Issues (Authentication / Authorization / Accounting)

Ensure robust mechanisms are in place to keep unauthenticated users from

accessing protected resources, ensure effective authorization checks are in

place to keep users from performing unauthorized actions, and verify

existence of proper accounting "Logging" mechanism. E.g. Sensitive

information available without authentication, default/mis-configured

management points, network devices relying on local authentication,

account/credential management practices, key management, excessive rights

granted.

III- Security Architecture Issues

Ensure the overall network and system design follow sound security

architecture practices. Validates primarily the effectiveness of preventive

and detective security controls. E.g. insufficient network segmentation,

critical service protection, end to end encryption, egress filtering,

centralized security.

IV- Patch management

Ensure systems have been properly patched against known vulnerabilities.

V- Cryptography

Systems ability to properly use recommended encryption standards to protect

sensitive information from disclosure to unauthorized parties. Violations

of ISTG encryption standards. E.g. Sensitive Information unencrypted during

client/server communication, weak encryption keys used, vulnerable

encryption protocols, restricted/authentication information unencrypted in

storage

VI- Information Gathering

System's ability to keep sensitive user information as well as

infrastructure related information from being disclosed. Verbose error

messages, unexpected application behavior reveals infrastructure

information/source code, sensitive information cached to disk/browser,

cross frame scripting.

VII- Application Specific: Input Validation, Session Management, Exception

Management

Application interfaces ability to stand common application attacks, e.g.

information/source code disclosure, SQL Injection, XSS, Session Hijacking,

etc.

Contribution

- Perform vulnerability assessment testing on all Citibank websites;

also performed VAs on think client, Citrix based applications and

PDA/Mobile applications.

- Perform detailed manual testing which covers Information gathering,

authentication, authorization, session management, privilege

escalations, siteminder (SSO) security issues, Citrix based loop holes

and many more

- Perform automated testing with tools like Appscan and Webinspect

- Used tools like Paros, Burp suite, Webscarab and many firefox addons

- Training new team members on board

- Handle escalations and recommending solutions to patch security holes

across various businesses in Citigroup.

2. Project Name: Vulnerability Assessment Management (Consumer

and Corporate Site).

Client Citicards, Jacksonville, USA - www.citicards.com

Role Team Lead

Duration From May 2007 - Apr 2009

Team Size Project : 4 Module : 1

Project Description

To manage and facilitate Vulnerability Assessment with external vendors on

all CITI Cards websites.

Contribution

Managing the Vulnerability Assessment program for Citicards eBusiness in

Jacksonville, USA

- Scheduling Vulnerability Assessments on Citicards (www.citicards.com)

and Retail Private Label applications an aggregate of 243

applications.

- Managing VAs on monthly release projects. Have to understand the

technology/infrastructure used, identify the functionality that is

going to be introduced and determine if VA is required or not

- Participating business meetings to give an overview of Citi Security

Policy and Citi Website Standards and giving best practices to

Business Analysts and Interaction Designers to prevent introducing any

new vulnerability in the upcoming projects

- Conducting meetings with development teams to discuss identified

Vulnerabilities on new and existing projects (compliance). Giving them

recommendations to resolve issues identified

- Proactive Vulnerability Scanning using Watchfire AppScan Enterprise

Edition to identify vulnerabilities and report the development team

for resolution. This helps Citi to limit the cost spent on external

vulnerability assessments.

3. Project Name: Vulnerability Assessment for Internet banking

(Retail and Corporate Site).

Client State Bank of India, www.onlinesbi.com

Role Team Lead

Duration From August 2006 - May 2007

Team Size Project :1 Module : 1

Environment Software

Network Security Webinspect

, Acunetix

Nikto,

Paros,

WebScarab,

IETamper,

Sleuth,

Ethreal,

Nmap

Project Description

To find out vulnerabilities of Retail and Corporate Internet banking site

for State Bank of India.

Contribution

Took the ownership of all the process related in securing the web

application.

Job involves discovering application security flaws and reporting to

application development team. Performed automated scans with SPI Dynamics

WebInspect also performed manual testing to identify business logic based

vulnerabilities. Tested both commercial as well as consumer online

applications. Reporting the vulnerabilities to the development teams and

giving them recommendations on how to fix the findings.

1. Created best practices based on OWASP Standards (Open Web

Application Security)

a. Authorization

b. Authentication

c. Session management.

d. Securing Web Services

e. Web Application Vulnerabilities

f. In place security for websites which requires secure login

2. Vulnerability Assessment of www.onlinesbi.com

a. Tools : SPI Dynamics WebInspect, Acunetix, Webscarab, Paros,

Nessus, Ethreal, Nmap, IETamper, Sleuth, IE Frame Analyzer.

3. Java source code review using open source tools PMD & Jalopy

PMD & Jalopy scans Java source code and looks for potential

problems like:

a. Possible bugs - empty try/catch/finally/switch statements

b. Dead code - unused local variables, parameters and private

methods

c. Suboptimal code - wasteful String/String Buffer usage

d. Overcomplicated expressions - unnecessary if statements, for

loops that could be while loops

e. Duplicate code - copied/pasted code means copied/pasted bugs.

4. Project Name: Vulnerability Assessment for Intranet site.

Client Satyam Computer Services Limited, quest.satyam.com

Role Team Lead

Duration 2 weeks

Team Size Project :1 Module : 1

Environment Software

Network Security Nikto,

Paros,

WebInspect

Project Description

To find out vulnerabilities in an intranet site quest.satyam.com

Contribution

Self

Recommended the following for the development team:

1.Hardening the server on latest service packs in which the web

application service is running and also on the database server

2.Hardening the firewall so that it should check for the content and allow

the packets

3. Hardening web application server for rejecting cross site scripting,

brute force attack, and remote code execution.

4. Hardening database server for rejecting SQL Injection and blind SQL

injection.

5. Directory Traversal Techniques were used Check if any of the files /

folders out of the document root of the web server could be accessed by

appending any of the following to any URL in the application.

6. Hidden Field Manipulation is used to check to see if any state-related

or sensitive information is stored in hidden fields.

7. URL Manipulation used to check if any state-related or sensitive

information is stored in hidden fields.

8. Cookie Manipulation ensures that no sensitive information is stored

directly in cookies.

9. Checked for format strings, this is used for C/C++ based applications if

the form field of a page accepts large chunk of data check for the

existence of buffer overflow

10. Checked for Race conditions to see if all shared resources/variables

are locked before access and released after access. For example, in a Java

program, ensure all accesses to shared variables are enclosed in a

'synchronized' block.

.

4. Project Name : Security Support Desk

Client Sun Micro Systems (formerly StorageTek Inc.), Toulouse,

Frankfurt, Singapore, Kula Lumpur

Role Team Lead

Duration (07/2004) - (02/2006)

Team Size Project :15 Module : 1

Environment Software

Network Security Sun

Solaris,

Linux

Hardware Cisco PIX, Cisco VPN Concentrator, Cisco Router

2600

Project Description

To Manage and Maintain the security infrastructure of Sun Microsystems

(formerly StorageTek Inc.). The security infrastructure comprises of

managing devices includes Cisco PIX, Cisco VPN Concentrators etc and

Microsoft firewalls.

Contribution

Lead the team of 15. Handle escalations, Design and deploy security

services across Europe and Asia Pacific.

As a team lead, was responsible for

. Design & Deploy security services for all the sites across Europe/Asia

Pacific

. Handle Escalations

. Also managed the application vulnerability assessment team.

. Recommendation of new products

. Responsible for overseeing the Quality procedures related to the project.

. Client site visit for implementations.

5. Project Name : Bank Network/Information Security

Client Bank Muscat, Oman

Role Security Administrator

Duration (05/2004) - (07/2004)

Team Size Project :5 Module : 1

Environment Software

Network Security Checkpint

NG/AI, Sun

Solaris

Hardware Nokia firewall

Project Description

To Manage and Maintain the multi-layered security infrastructure of Bank

Muscat.

Contribution

Worked as a Security Administrator for the bank. Responsible for the rule

base, Handle all escalations, Review of security policy and recommend

changes to the policy and procedures. Review of new applications and

technologies to be implemented in the bank for security.

As an administrator, was responsible for

. Plan secure messaging architecture including deployment of PKI and PGP

mechanisms.

. Installation and maintenance of Checkpoint Firewall/VPN and MS-ISA

Server.

. Configuration of RealSecure Network Intrusion Detection System.

. Installation, management and fine-tuning of Websense URL Filtering

software and Symantec web security for Microsoft ISA Proxy Service.

. Create OS hardening guidelines and scripts of automating the hardening

process.

. Maintain necessary documentation for External, IT and Security audits.

. Design, co-ordinate and implement VPN solutions.

. Design, co-ordinate and implement security products for various needs.

6. Project Name : IMS

Client GAVS Information Services (P) Ltd..

Role Network/Security Administrator

Duration (04/2003) - (05/2004)

Team Size Project :5 Module : 1

Environment Software

Network Security Linux

FreeS/Wan

Hardware Cisco Pix 515E, Cisco 3700 Series, Cisco 1700

Voice Gateway

Project Description

To Manage and Maintain the entire in-house WAN & Security infrastructure of

the firm.

Contribution

Worked as a Network/Security Administrator for GAVS. Responsible for the

rule base, Handle all escalations, Review of security policy and recommend

changes to the policy and procedures.

As an administrator, was responsible for

. Installed Linux FreeS/WAN, all VPN tunnels to Client and other office

locations are built. Is was cost effective and very stable

installation. The kernel has been rebuild to accept only IPSec packets

from external networks.

. Installation and maintenance of Checkpoint Firewall/VPN and MS-ISA

Server.

. Installation, management and fine-tuning of Websense URL Filtering

software and Symantec web security for Microsoft ISA Proxy Service.

. Create OS hardening guidelines and scripts of automating the hardening

process.

. Maintain necessary documentation for External, IT and Security audits.

. Design, co-ordinate and implement VPN solutions.

. Design, co-ordinate and implement security products for various needs.

7. Project Name : IMS

Client First Flight Couriers Limited

Role Contract Maintenance - First Flight Network Infrastructure

Duration (07/1999) - (04/2003)

Team Size Project :1 Module : 1

Environment Software

Network Security Linux, MS

Windows

NT/2000

Hardware Cisco 800 Series

Project Description

To Manage and Maintain the entire in-house WAN infrastructure for First

Flight, Tamilnadu region.

Contribution

Worked as a Network/Security Administrator for the client First Flight

Couriers Ltd.. Responsible for the rule base, Handle all escalations.

As an administrator, was responsible for

. Deployed the Windows NT Server user accounts for their Tamilnadu work

locations. Setup PDCs and BDCs server infrastructure.

. Installation and maintenance of Cisco 800 Series routers to connect

their offices across Tamilnadu.

. Setup the ISA proxy server for internet access for the users.

Education

Degree University

Master of Computer University of Madras,

Applications India

B.S (Computer Science) University of Madras,

India



Contact this candidate