Karthi G
Info Security Consultant / Penetration Tester
We can share the passport Number also
Employer Details:
Ganesh
******@*******.***
Professional Summary:
• 6 years’ experience in information security and penetration testing, in the creation and deployment of solutions protecting applications, networks, systems and information assets for diverse enterprises.
• Certified CompTIA Security+ and CEH.
• Identifies as well as applies innovative practices in security to enhance the global operations of organizations.
• Exposure to IT security compliance frameworks such as PCI-DSS, SOX, ISO, HIPAA, NIST and Industrial Control Systems risk assessments.
• Experience in working with network infrastructure such as firewalls (Palo Alto), IDS/IPS, routers, NAC, switches and unified threat management systems.
• Performs risk assessments and defines strategies to address the identified risks.
• Hands-on experience with various SAST and DAST tools for vulnerability assessment.
• Black box security testing: penetration testing, reverse engineering, fuzzing, threat modeling/design review.
• White box review: code review. Gray box testing of applications.
• Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
• Good understanding of web application attacks, including XSS/request forgery, DDoS, MITM, LFI/RFI attacks, vulnerability attacks, code injection and buffer overflow.
• Worked with HPE Voltage SecureData Appliance and RSA DPM for end-to-end encryption of online transactions and PII data.
• Worked with the Splunk SIEM for monitoring and security assessments, and with SCOM for alerts.
• Well versed with intercepting proxies such as Paros, Burp Suite, Spike and Fiddler.
• Commercial tools such as IBM AppScan and HPE WebInspect.
• Very good knowledge of working with Syslog and Splunk for monitoring, auditing and analysing log messages.
• Network security tools such as Nessus, Nmap, iptables, Metasploit, netcat, OpenSSH, OpenSSL, sqlmap, tcpdump and Cain and Abel.
• Well versed with application-level vulnerabilities and attacks: OWASP Top 10, LDAP injection, XPath injection, etc.
• IT security project management.
• Well versed in change management, access management and incident management.
• Excellent team player.
Technical Skills:
Vulnerability Assessment Tools:
Burp Suite Pro, OWASP ZAP, Paros Proxy, IBM AppScan, Metasploit, Acunetix, HP WebInspect, HP Fortify, DirBuster, QualysGuard, MobiSec, tcpdump, Fiddler, Cookie Manager, Checkmarx.
Network Auditing Tools/ Assessment:
Nmap, Nessus, GFI LanGuard, QualysGuard, Symantec ESM, Sysinternals tools, Hydra, Wireshark.
Other Tools:
sqlmap, sqlninja, Splunk.
Testing Tools:
SoapUI and SOAtest for web service security testing.
Operating System:
Kali Linux, GNU/Linux, Windows.
Programming Languages:
PowerShell, Python
Compliance Standards:
ISO 27001/2, PCI-DSS, SOX, HIPAA, COBIT.
Educational Qualifications:
B.E., Anna University, India.
M.S. in Software Engineering, USA.
Project Details:
Client Name: Home Depot
Location: Atlanta and Austin.
Role: Application Security/ Pen Tester/ Security Analyst
Duration: Oct 2014 to date.
Roles and Responsibilities:
• Responsible for assessing the controls to identify gaps, and for designing and analyzing segregation of duties and least privilege for the application.
• Gray box testing of the applications.
• Verified the existing controls for least privilege, separation of duties and job rotation.
• Used Burp Suite, DirBuster, HP Fortify and Nmap on a daily basis to complete the assessments.
• Ensured the issues identified were reported as per the reporting standards.
• Worked with HPE Voltage SecureData Appliance and RSA DPM for end-to-end encryption of online transactions and PII data.
• Worked with the Splunk SIEM for monitoring and security assessments, and with SCOM for alerts.
• Provided the report and explained the issues to the development team.
• Used various Firefox add-ons such as Flagfox, Wappalyzer, Live HTTP Headers and Tamper Data to perform the pen tests.
• Met with business partners and technical support staff to explain and perform audit test scripts. Assisted in developing Information Security Audit Test Plans, primarily using Security Plan risk tables and meeting with Information Security Consultants (ISCs).
• Performed threat modelling against security compliance requirements such as PCI-DSS.
• Wrote up findings and recommendations for management review.
• Developed, reviewed and approved security plans for projects.
• Reviewed, interpreted and provided input to corporate information security policies and procedures.
• Generated periodic security and audit status and metric reports for Sr. Technology Management.
• Provided input to Risk Management and Compliance Self-Assessment project requests.
Client Name: Primitive Logic
Location: Los Angeles, CA.
Role: Pen Tester/ Security Analyst
Duration: May 2012 to Sep 2014.
Roles and Responsibilities:
• Performed the tasks of designing advanced security and management solutions for the organization.
• Well versed with application-level vulnerabilities and attacks: OWASP Top 10, SQL injection, XSS, CSS, LDAP injection, XPath injection, etc.
• Conducted regular reviews of global security incidents and reports, and updated the internal teams on them.
• Executed and crafted different payloads to attack the system, executing XSS and other attacks.
• Used sqlmap to dump database data to a local folder.
• Assigned the tasks of auditing and proposing solutions to improve current security levels at clients.
• Performed risk assessment services and provided solutions to mitigate risks discovered and reported.
• Used Burp Suite, DirBuster and Nmap on a daily basis to complete the assessments.
• Initiated reconciliation of exceptions and minimized the count of exceptions in the project.
• Acted as third-level technical support to the Operations team to solve complex technical problems.
• Ensured that the operation, design and management of information systems were in accordance with the standards of the organization.
• Established and maintained a framework to ensure that information security policies, technologies and processes were aligned with the business regulations of the organization.
• Identified as well as applied innovative practices in security to enhance the global operations of the organization.
• Performed risk assessments and defined strategies to address the identified risks.
• Ensured that risk identification, mitigation controls and analysis were integrated into the application life cycle and change management processes.
Client Name: eBay.
Location: San Jose, CA.
Role: Security Engineer.
Duration: Feb 2011 to April 2012.
Roles and Responsibilities:
• Performed vulnerability assessment, threat assessment, mitigation and reporting activities in order to safeguard information assets and ensure protection was in place on the systems.
• Participated in the development and implementation of ontological and heuristic behavior frameworks for incident investigation and response.
• Found common web site security issues (CSRF, XSS, application logic flaws, SQL injection, information leakage, session fixation, etc.) across various platforms.
• Prepared the security testing checklist for the company.
• Ensured all the controls were covered in the checklist.
• Updated the checklist on a weekly basis to ensure all the test cases were up to date with the attacks happening in the market.
• Investigated logs and payloads for server crashes/core dumps, DDoS attacks, SQL injection/XSS, etc.
• Prioritized and managed multiple tasks in accordance with high-level objectives.
• Performed live packet data capture with Wireshark to examine security flaws.
• Used Metasploit to exploit the systems.
• Performed dynamic and static analysis of web applications using IBM AppScan and HP Fortify.
• Information gathering on the application using sites such as Shodan and reverse DNS lookups.
• Network scanning using tools such as Nmap and Nessus.
• Helped to research open-source intelligence feeds for current and emerging threat information.
• Created a secure virtualized lab for exploit creation, malware distribution analysis and security product testing.
• Collaborated with fellow analysts to develop and streamline operational guidelines and performed analytical support on security incident calls across the enterprise.