Sravan Konduru
Pen tester/Security engineer
SUMMARY OF QUALIFICATIONS:
5+ years of experience in the IT industry as a security analyst and penetration tester.
Static code analysis during the development phase. Penetration testing based on the OWASP Top 10.
Worked as an Information Security Test Consultant, involved in recommending security solutions for new applications incorporating a secure SDLC, and OWASP Top 10 based vulnerability assessment of various internet-facing point-of-sale web applications.
Worked on web-based applications, networks, and other types of computer systems on a regular basis, and performed White Box, Black Box and Grey Box testing using various security methodologies.
Experience in threat modelling during the requirement gathering and design phases.
Hands-on experience in vulnerability assessment and penetration testing using various tools such as Burp Suite, Fiddler 2.0, DirBuster, OWASP ZAP Proxy, SQLmap, Nmap, Nessus, FileZilla, Gpg4win Kleopatra, HP WebInspect, Metasploit and Acunetix.
Penetration testing based on the OWASP Top 10.
Performing security tests as well as contributing to other cross-discipline security projects on an as-needed basis.
Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, defence in depth, avoiding security by obscurity, keeping security simple, and fixing security issues correctly.
Validate false positives and report the issues.
Create detailed assessment reports with remediation recommendations, present findings to clients, and re-test the security issues.
Certified Ethical Hacker. Inquisitive, strong in fundamental concepts, and an excellent team player.
TECHNICAL PROFILE:
Regulations:
PCI-DSS, HIPAA, GLBA
Application Security Tools
Paros Proxy, Burp Suite, Fiddler 2.0, SQLmap, DirBuster, HP WebInspect Vulnerability Assessment tool, HP Fortify, FileZilla, Metasploit, Nmap, Nessus, Gpg4win Kleopatra, Acunetix
Operating System
Windows OS, Mac OS, Red Hat Linux, Kali Linux
Programming Languages
HTML5, CSS3, JavaScript, AngularJS, jQuery, Python, PHP
Tools and Utilities
Live HTTP Headers, Firebug 2.0, SFTP
CERTIFICATIONS:
Certified Ethical Hacker JAN 2011
Thomson Reuters, St. Paul, Minnesota Oct 2015 – Present
Role: Senior Penetration Tester
Pen testing of various applications containing PHI to ensure the company meets compliance requirements.
Schedule the pen tests, and ensure that all applications are covered in the schedule and completed within the time frame.
OWASP Top 10 issue identification, such as SQLi, CSRF, XSS and IDOR.
Perform pen tests on different applications each week.
Created written reports detailing assessment findings and recommendations.
Found web site security issues (XSS, CSRF, session fixation, SQL injection, information leakage, application logic, etc.) across various platforms.
Performed risk assessments to ensure corporate compliance.
Controls on session management such as server-side session state, session termination, session ID randomness, expiration, unique tokens, concurrent logged-in sessions, and session fixation prevention.
Executed daily vulnerability assessment, threat assessment, mitigation and reporting activities in order to safeguard information assets and ensure protection is in place on the systems.
Perform, review and analyze security vulnerability data to identify applicability and false positives.
Work closely with research and development teams on vulnerability remediation.
Environment: Metasploit, Burp Suite, Fiddler 2.0, Nessus, SQLmap, PHP, HTML, OWASP Mutillidae-II, Dirbuster, Microsoft Visual Studio, SFTP, FileZilla, Gpg4win Kleopatra, Nmap.
INFOBLOX, Santa Clara, CA Sep 2014 – Oct 2015
Role: Technical Security Consultant
Worked as a Technical Security Consultant in the area of application security, highlighting the security controls needed at the design level.
Understanding and implementation of security in the SDLC via application risk assessment, requirements gathering, design review and application vulnerability assessment.
Validate input validation, session management, client protocol controls, cryptography, logging and information leakage.
Perform thorough penetration testing on web applications.
Perform both manual and automated vulnerability assessment using tools like Burp Suite and SQLMap.
Ensure the issues identified are reported as per the reporting standards.
Perform validation of the design of features like authentication, authorization and accountability.
Provide the report and explain the issues to the development team.
Implement security solutions according to the Security Policy and Practices established by the client.
Review projects during the SDLC and make actionable recommendations to the project team; understand the technology and bring solutions based on it.
Used Burp Suite, Dirbuster, HP Fortify, HP WebInspect and Nmap on a daily basis to complete the assessments.
Manage risk by analysing the root cause of issues, the impact to technology and the required corrective actions, leveraging advanced analytical skills.
Environment: Java, ASP.NET, MySQL, Apache, Kali Linux, Fiddler 2.0, Burp Suite, SQLmap, OWASP Mutillidae-II, Dirbuster, Microsoft Visual Studio, HP Fortify, HP WebInspect, SFTP, FileZilla, Nmap, Nessus, Wireshark.
QSSI, Columbia, MD Aug 2012 – Sep 2014
Role: Security Engineer
Vulnerability assessment of various web applications used in the organization using Paros Proxy, Burp Suite, WebInspect, etc.
Preparation of a security testing checklist for the company.
Involved in secure design and solutions for newly proposed applications, incorporating security from the requirement elicitation and design phases of the SDLC.
Identified attacks like SQLi, XSS, CSRF, RFI/LFI and logical issues.
Monthly automated scans of the online applications in production using WebInspect, followed by report presentation.
OWASP Top Ten 2013 vulnerability assessment. Online application testing and CR regression testing, assessment and reporting.
Creating documentation for the vulnerabilities identified and reporting them to the application development team. Ensuring timely delivery of reported issues and remediation.
Network scanning using tools like Nmap and Nessus.
Secure code review of the applications using open source utilities, identifying flaws in coding practices and encouraging secure coding among the developer community.
Grey Box testing of the applications.
Environment: Java, PHP, MS SQL, Apache, Kali Linux, Fiddler 2.0, Burp Suite, Dirbuster, HP WebInspect, SQLmap, IBM AppScan Enterprise, Nmap, Nessus.
HP, Houston, Texas Jan 2011 – July 2012
Role: Security Analyst
OWASP Top 10 issue identification, such as SQLi, CSRF and XSS.
Preparation of a risk registry for the client's various projects.
Training the development team on secure coding practices.
Providing details of the identified issues and the remediation plan to the stakeholders.
Involved in a major merger activity of the company and provided insights into the separation of different clients' data and securing PII.
Identification of different application vulnerabilities using proxies like Burp Suite to validate the server-side validations.
Crafted and executed different payloads against the system to demonstrate XSS and other attacks.
Used SQLMap to dump database data to a local folder.
Identified issues in session management, input validation, output encoding, logging, exceptions, cookie attributes, encryption and privilege escalation.
Provided and validated controls on logging, such as authentication logging, profile modification logging, logged details, log retention duration, log location, time source synchronization and HTTP logging.
Environment: Burp Suite, SQLmap, PHP, ASP, MS SQL, MySQL, Apache, OWASP ZAP Proxy, Dirbuster, HP Fortify, Nmap, Nessus, Metasploit.
TEQ Systems, Hyderabad, INDIA June 2010 – Dec 2010
Role: Penetration Tester
Perform pen tests on different applications each week.
Preparation of a security testing checklist for the company.
OWASP Top 10 issue identification, such as SQLi, CSRF and XSS.
Ensure all the controls are covered in the checklist.
Identified attacks like SQLi, XSS, CSRF, RFI/LFI and logical issues.
Updating the checklist on a weekly basis to ensure all test cases are up to date with the attacks currently seen in the market.
Information gathering on the application using websites like Shodan, ReverseDNS and Hackertarget.com.
Using various Firefox add-ons like Flagfox, Live HTTP Headers and Tamper Data to perform the pen test.
Network scanning using tools like Nmap and Nessus.
Using Metasploit to exploit the systems.
Awareness of information security concepts and abiding by them during delivery.
Environment: Burp Suite, SQLmap, PHP, ASP, MS SQL, MySQL, Apache, OWASP ZAP Proxy, Dirbuster, Nmap, Nessus, Metasploit.