
Security Information

Woodbridge Township, New Jersey, United States
May 25, 2018




Application Security Specialist / Penetration Tester Mobile: 404-***-****

Certified Ethical Hacker (CEH) Email:

Professional Summary

Professional with 6+ years of progressive experience in Information Technology with extensive experience in Information Security, Application Security, Software Security, Enterprise Vulnerability Management, penetration testing and generating reports using tools.

Strong experience in web application vulnerability assessments and penetration testing. Ability to conduct penetration testing for well-known technologies and known security flaw concepts such as SQL injection, XML injection, XSS, CSRF, IDOR, path traversal, etc.

An Information Security Professional with experience in penetration testing and vulnerability assessments on various applications in different domains. Involved in secure Software Development Life Cycle (SDLC) to ensure security controls are in place.

Experienced in developing and implementing Information Security Policies and Guidelines as per OWASP (Open Web Application Security Project) and SANS secure coding guidelines.

Hands-on experience in vulnerability assessment and penetration testing using various tools like Burp Suite, Fiddler and ZAP Proxy.

Sound knowledge and industry experience in vulnerability assessment and penetration testing of web-based applications, mobile-based applications and infrastructure.

Strong experience in testing client-server applications and web-based applications using both manual and automated testing tools.

Valuable experience in Secure SDLC and source code analysis (manual and tool-based) of web-based applications with tools such as HP WebInspect, Checkmarx and HP Fortify.

Experience using a wide variety of security tools, including Kali Linux, Wireshark, Nessus and QualysGuard.

Used penetration testing tools and methodologies such as OWASP Top 10, HP WebInspect, IBM AppScan, Fortify, Acunetix, Burp Suite and others to determine the security of web applications developed on different platforms like .NET, Java, AJAX, PHP and many others.

Extensive interaction with the onsite coordinator in understanding the business issues and requirements, doing exhaustive analysis and providing end-to-end solutions.

Followed up with development teams on recent functionality changes, scheduled their security analysis and coordinated with my team to stay in sync with project changes.

Experience in identifying SQL injection, script injection, XSS, phishing and CSRF attacks.

Verified whether the application had implemented basic security mechanisms like job rotation, privilege escalation, least privilege and defense in depth.

Created detailed assessment reports with remediation recommendations, presented findings to clients and re-tested the security issues.

Vulnerability assessment included analysis of bugs in various applications across various domains using both manual and automated tools.

Excellent oral and written communication, interpersonal, negotiation, judgement, decision-making, analysis and problem-solving skills.

Worked independently and within a team environment.

Performed gap analysis to identify scenarios like privilege escalation.

Core Qualifications

Web Application security

Penetration testing

Vulnerability assessment

Secure Code Review using SAST and DAST

Technical Skills

Tools and Add-ons

OWASP ZAP, NMAP, Fiddler, Wireshark, Nessus, QualysGuard, Kali Linux, Acunetix, Metasploit.

Web Technologies


Tracking Tools

Bugzilla, TeamForge.


MS SQL Server 2015/2008/2012.

SAST/Code Review

Veracode, Checkmarx, HP Fortify.

Web Application Scanners

Burp Suite Pro, Acunetix, IBM AppScan, HP WebInspect.


C, C++, PHP, Java, .NET, Python, Perl.

Project Experience

Ace Insurance, Philadelphia, PA June 2016 to Present

Web Application Penetration Tester


Identified critical, high, medium and low vulnerabilities in applications based on OWASP Top 10 and SANS 25, and prioritized them by criticality.

Defined vulnerabilities that are susceptible to attack and exploitation, while identifying and eliminating false positives.

Wide experience with network security policies and their implementation.

Conducted Dynamic, Static, Mobile and Manual application security testing using IBM AppScan Enterprise, IBM Security AppScan Source and Burp Suite Pro.

Integrated IBM AppScan Enterprise and IBM Security AppScan Source for Analysis, Development and Automation.

Provided internal sales teams with pre-sales engineering support for IBM AppScan product demos and IBM AppScan proof-of-concept (PoC) trials.

Profound knowledge of various internet and network technologies.

Performed research, analysis and testing of network and application vulnerabilities.

Exploited web application vulnerabilities such as cross-site scripting, SQL injection, directory traversal, man-in-the-middle attacks, authentication bypass, and command injection.

Generated custom doc/pdf files that test for the existence of a vulnerability.

Vulnerability assessment of various web applications used in the organization using OWASP ZAP, Burp Suite and HP WebInspect.

Performed vulnerability, configuration and compliance scans with Rapid7 to detect deficiencies and validate compliance of information system configurations with the organization's policies and standards.

Static and dynamic scanning of various applications using HP Fortify and HP WebInspect; identified false positives and reported in SSC.

Prepared and documented test plans for security evaluations. Designed and updated reports about security of targeted systems. Automated and executed penetration tests for builds.

Conducted Mobile application security test using IBM AppScan cloud tool.

Developed operating system and security application installation methods for Tenable security center and Nessus Scanner servers for virtual or physical server solutions.

Coordinated with the dev team to ensure closure of reported vulnerabilities by explaining the ease of exploitation and the impact of each issue.

Security testing of APIs using SoapUI.

Kept up to date with new hacks and the latest vulnerabilities to ensure no such loopholes are present in the existing system.

Reviewed the SCA report, removed false positives and reported to the application teams with recommended remediations.

Trained the development team on the most common vulnerabilities and common code review issues and explained the remediations.

Followed up on and triaged the raised vulnerabilities, revalidating them and ensuring 100% closure.

Assisted clients with questions regarding vulnerabilities and proposed mitigations.

Environment: OWASP ZAP, Burp Suite, HP WebInspect, SOAP, Java, NMAP, Windows, Linux

Cisco, San Jose, CA Feb 2014 to May 2016

Vulnerability Testing / Penetration Tester


Responsible for assessing the controls to identify gaps and for designing and analyzing segregation of duties and least privilege for that application.

Performed manual Penetration Testing to verify false positives.

Verified regulatory violations in web applications by performing manual testing.

Used Burp Suite and HP Fortify on a daily basis to complete vulnerability assessments.

Ensured the issues identified were reported as per the reporting standards.

Found common web site security issues (XSS, CSRF, session fixation, SQL injection, information leakage, application logic etc.) across various platforms.

Used automated tools for exploiting vulnerabilities and formal tests on web-based applications on a regular basis.

Directed research pertaining to the latest vulnerabilities, tools and the latest technological advances in combating unauthorized access to information.

Led and coordinated vulnerability scanning and change management activities with the managed service provider.

Analyzed technical vulnerabilities in various operating system attack surfaces in the computing environment.

Analyzed network topologies, traffic and capacity requirements and provided recommendations and guidance through the secure lens of Tenable.

Conducted security assessment of PKI Enabled Applications.

Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP, DirBuster for web application penetration tests.

A security roadmap and action plan detailing how to resolve issues.

Manual and dynamic penetration testing of web applications using Burp Suite and AppScan.

Provided the report and explained the issues to the development team.

Installed and configured Red Hat Directory Server (LDAP) and provided password authentication for Linux servers. Performed patch, package and configuration management.

Responsible for leading the research, mitigation and coordination of actions designed to reduce information security risk across the internet-facing presence.

Provided information security guidance and consulting to business partners and system staff.

Exhibited client-facing skills and the capability to articulate technical concepts to a variety of technical and non-technical audiences.

Involved with senior executive-level management and system administration teams in effecting a seamless DLP implementation.

Environment: ASP.NET, Kali Linux, Nessus, NMAP, HP Fortify, IBM AppScan

HCL, Noida, India Feb 2012 to Dec 2013

IT Security Testing


Addressed and integrated security in the SDLC by following techniques like threat modeling, risk management, logging, penetration testing, etc.

Wide experience with network security policies and their implementation.

Profound knowledge of various internet and network technologies.

Broad experience troubleshooting VoIP and WAN/MAN/CAN infrastructures and remote access.

Strong in IP Networking and Routing Protocols.

Proficient in understanding application-level vulnerabilities like XSS, SQL injection, CSRF, authentication bypass, weak cryptography, authentication flaws, etc.

Designed, implemented and maintained VPN tunnels to remote offices and power plants.

Configured and maintained Cisco PIX/ASA Firewalls, IDS/IPS, routers and switches.

Conducted web application vulnerability assessments and secure code review on the applications.

Skilled using Burp Suite, Fiddler, Fortify SCA, IBM AppScan, SQLMAP, NMAP and Wireshark for web application penetration tests.

Generated and presented reports on Security vulnerabilities to both internal and external customers.

Security assessment of online applications to identify vulnerabilities in various categories like input and data validation, authentication, authorization and logging.

Interface directly with customers in the creation, deletion, and ongoing management of user accounts in complex operational support system network environments.

Held review meetings on a daily, weekly and monthly basis for software development, relying on the agile scrum development model.

Proposed remediation strategies for system vulnerabilities.

Captured and analyzed network traffic at all layers of the OSI model.

Provided fixes and filtered false findings for the vulnerabilities reported in the scan reports.

Responded to Access Management related inquiries, incidents, and service requests via the company's internal service management software.

Added, modified, and removed user account access/security daily.

Conducted onsite penetration tests from an insider threat perspective.

Actively involved in the release management process to ensure all changes to the application went through security assessment.

Discovered and communicated two reflected cross-site scripting vulnerabilities and two unprotected directories while performing an external web security assessment.

Environment: Vulnerability Assessment, Fortify, Burp Suite Pro, IBM AppScan, NMAP, WebScarab.