Name: Kumaran Chandra
Email :**********@*****.***
Phone : 201-***-****
An Information Security Professional with experience of over 9 years in Cloud Security, Application Security, API Security, Security Architecture & Design, Network Security, Identity and Access Management (IAM), DevSecOps, Security Automation, Penetration Testing, Threat Hunting, Secure Coding, Mobile Security, Cryptography, PKI, Security Audits, Security Information Event Management (SIEM), Security Controls and Validation, IT Risk Assessments, Regulatory Compliance.
Experience Summary
Highly analytical computer security analyst with success both defending and attacking large-scale enterprise networks.
Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA, Center for Information Security (CIS benchmarks) and Sarbanes-Oxley Section 404 (SOX).
Experience in conducting IT Security Risk Assessments in accordance with NIST and FFIEC framework.
I’ve hands-on experience in performing threat hunting using Carbon Black as part of Security Operations Center (SOC) operations.
Very good experience in tools like Burp Suite, IBM/HCL AppScan Standard, AppScan Enterprise, AppScan Source Analysis, Secure Assist, Checkmarx, HP Toolkit, HP Web Inspect, HP AMP, Qualys, Nessus, Nmap, etc.
Hands-on with Penetration Testing, DAST, SAST, IAST and manual ethical hacking.
Advanced threat hunting, root cause analysis using Carbon Black (Cb Response), decide on what to remediate and what to risk accept based on security requirements. Implementation of cloud (AWS and MS Azure) security controls for IaaS, PaaS and SaaS based applications and infrastructure.
Hands-on with Symantec CloudSOC CASB and Symantec DLP.
Cloud networking and routing technologies (path based) Experience.
Experienced with Puppet, Ansible, Chef and SaltStack as System Configuration Tools.
Configuring, Automating and Deploying Chef, Puppet and Ansible for configuration management to existing Infrastructure.
Working knowledge of IAM implementation, OAuth2.0, SAML frameworks.
Experience using a wide variety of security tools to include Kali-Linux, Metasploit, HP WebInspect, HP Micro Focus Fortify, Veracode, BurpSuite Pro, Wireshark, L0phtcrack, Snort, Nmap, Nmap-NSE, Cain and Abel, Nikto, Dirbuster, IBM App Scan, Micro Focus WebInspect, OWASP ZAProxy, Nessus, OpenVAS, W3AF, BeEF, Ettercap, Maltego, Wifi-Security, SIFT, SOAP UI, Havij, Aircrack-ng suite.
Hands-on with network penetration testing and ethical hacking.
Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, avoiding security by obscurity, keep security simple, fixing security issues correctly.
Worked on Web Application Firewalls (WAF) and database security / Vulnerability scanners.
Strong knowledge in Manual and Automated Security testing for Web and Mobile Applications.
Analyze the results of penetration tests, design reviews, source code reviews and other security tests.
Decide on what to remediate and what to risk accept based on security requirements.
Excellent communicator with strong written and oral communication skills. ... Strong negotiation skills and an ability to work with the business to find compliant solutions. Strong risk management and IT security skills.
Proficiency with scripting languages such as Python, Perl, JavaScript and PowerShell.
Security Tools and Technologies
Security Tools
Micro Focus WebInspect, QualysGuard, Veracode, RSA Archer, FireEye Retina, Onapsis, IBM/HCL AppScan Enterprise (ASE), Standard & Source editions, BurpSuite Pro, Acunetix, Fortify SCA, BeEF, WAS, SQLMAP, Checkmarx (Code Analysis), Carbon Black.
Cigital SecureAssist, AppDetect, BeyondTrust PAM, Oracle Identity Manager, Oracle Access Manager, JHijack, Metasploit Pro, ZED attack proxy, IDA Pro, Firemon, SQLMAP, Wireshark, WebScarab, BlueCoat Proxy, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, DBProtect, ArcSight SIEM, e-DMZ Password Auto Repository (PAR), Varonis, Amazon Web Services (AWS) Cloud security.
Programming Languages
Java, C# .NET, C, C++
Identity & Data Protection Tools
Gemalto KeySecure HSM, ProtectDB, ProtectFile, RSA Single Sign-On (SSO), OAuth2.0 & SAML, Two-Factor (2F) authentication.
Cloud Platforms
AWS, MS Azure
Java & J2EE Technology
Spring Framework, EJBs, Struts2, Servlets, JavaServer Pages (JSPs), JMS, Java Mail API, JNDI, LDAP, JDBC, JTS, RMI, AWT, Swing, Socket Programming, IONA Orbix CORBA.
Networking
IDA Pro, OllyDbg, Windbg, Symantec Endpoint Protection, DL, Palo Alto Firewalls, Cisco IronPort, Check Point, Cisco ASA, IDS/IPS, Anti-virus, BMC BladeLogic, Remedy.
Scripting Languages
Python, PowerShell, Shell Scripting
Web Technologies
HTML 4.0/5, XHTML, DHTML, CSS2/CSS3, JAVASCRIPT, JQUERY, Angular JS, NodeJS, AJAX, JSON and XML
Web Services
RESTful/SOAP, SOA, UDDI, WSDL, Apigee, SoapUI Pro
Operating System
Linux/Unix (Red Hat Enterprise Linux, Debian, Ubuntu, Kali Linux), Windows.
Databases
MySQL, Oracle, MS SQL Server
Certifications and Training
Certified Ethical Hacker (CEH) v9
Certified Information Systems Security Professional (CISSP)
AWS Certified Security Specialty – 2018
SANS - Secure Coding in Java/JEE: Developing Defensible Applications
Penetration Testing With Kali Linux by Offensive Security
Professional Experience
Client: Austin Community College (ACC), Austin, TX
Role: Sr. Security Engineer August 2018-Present
Responsibilities:
Performed code analysis using Micro Focus Fortify, Veracode, Checkmarx.
Performed the penetration testing of mobile (Android and iOS) applications, specifically, APK reverse engineering, traffic analysis, malware analysis (IDA Pro), and manipulation, dynamic runtime analysis.
Configured Qualys scanner and performed both authenticated and unauthenticated scans.
Integrated Qualys with third party Privileged Access Management (PAM), password vaults.
Reviewed Qualys scan reports, performed the triaging to eliminate false positives.
Worked with external security vendors (i.e., TrendMicro) in conducting Managed Detection and
Instrumental in architecting, implementing and administrating a Security and Information Event Management (SIEM) solution (Splunk) to automate the correlation,
Performed API Security testing, CI/CD pipeline, security automation of APIs using SmartBear SoapUI Pro.
Working knowledge of OWASP Top 10 and SANS Top 25 software compliance guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS 3.2), HIPAA and Sarbanes-Oxley Section 404 (SOX).
Monitored for non-compliance issues and recommended solutions by closely working with various engineering teams such as architecture and design.
Researched applicable compliance guidelines for various enterprise systems, developed policies, procedures and ensured that these policies and procedures have been enforced.
Participated in the implementation of Public Key Infrastructure (PKI) for securing data at rest and data in transit. Involved in the implementation of encryption and decryption of confidential data and supported the certificate key life cycle.
Worked on MITRE ATT&CK to strengthen the cyber defense and developed analytical techniques.
Implemented Continuous Integration (CI) and Continuous Delivery (CD) using Jenkins CI, which has a very strong build pipeline consisting of Build verification, JUnit tests, Deployment Tests, API tests, Service Tests.
Created continuous integration system using Ant, Jenkins, Puppet full automation, Continuous Integration, faster and flawless deployments.
Design and implementation of a Puppet-based configuration management system for all new Linux machines.
Set up Puppet master, client and wrote scripts to deploy applications on Dev, QA, production environment.
Development of Puppet modules with Jenkins for continuous integration and continuous deployment of managed products, and related services.
Used Ansible and Ansible Tower as Configuration management tool, to automate repetitive tasks, quickly deploys critical applications, and proactively manages change.
Wrote Python Code using Ansible Python API to Automate Cloud Deployment Process.
Developed Python Modules for Ansible Customizations.
Participated in the implementation of Tanium platform. Deployed and configured Tanium Asset,ch, EDR and Vulnerability Configuration modules, generated reports and applied remediation to meet the compliance.
Performed server hardening of Linux and Windows servers based on CIS benchmarks and internal security standards.
Implemented DevSecOps for automating security scanning process and integrated with CI/CD pipeline using Jenkins, GitHub, Gradle, TFS.
Configured security controls for AWS VPCs, S3 buckets, EC2 instances, ECS, ECRs, Route53, CloudWatch.
Content delivery network (CDN) with Akamai, Amazon CloudFront.
Cloud networking and routing technologies (path based) Experience.
Participated in the implementation of AWS Virtual Private Cloud (VPC). Implemented multiple layers of security, including security groups, network access control lists, to control access to Amazon EC2 instances in each subnet.
Implemented Cloud Access Security Broker (CASB) for cloud apps using Symantec CloudSOC. Integrated CloudSOC CASB with Symantec DLP and Endpoint Protection (SEP).
Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality.
Proficient in understanding application level vulnerabilities like XSS, SQL Injection, ClickJacking, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
Conducted security assessment of PKI Enabled Applications
Skilled using Burp Suite Pro, Veracode, HP Web Inspect, IBM AppScan Standard, Source and Enterprise, Nmap, Dirbuster, QualysGuard, Nessus, SQLMap, RSA Archer, FireEye Retina, Onapsis for web application penetration tests and infrastructure testing. Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
Capturing and analyzing network traffic at all layers of the OSI model.
Monitor the Security of Critical System (e.g. e-mail servers, database servers, Web Servers, Application Servers, etc.).
Performed pen testing of both internal and external networks. The pen testing scope included O/S SQL, Oracle Database.
Performed the configuration of security solutions like RSA two factor authentication, PingFederate Single Sign-On (SSO), SAML 2.0, Symantec DLP and log aggregation and analysis using HP ArcSight SIEM.
Change Management to highly sensitive Computer Security Controls to ensure appropriate system administrative actions, investigate and report on noted irregularities.
Conduct network vulnerability assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans including, security policies, standards and procedures.
Client: Humana, Louisville, KY
Role: Sr. Security Engineer February 2016 - July 2018
Responsibilities:
Expertise in using the DAST tools (IBM Appscan and BurpSuite Pro) while the application is running to penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party interfaces.
Performed code analysis with Checkmarx and served as a Subject Matter Expert (SME) in the field of application security and Cyber security operations.
Python has been utilized for SQL/HTML/LDAP injection, cross site scripting, command injection in web applications and identifying misconfigurations.
Automated security scanning process (DevSecOps) as part of Continuous Integration and Continuous Delivery (CI/CD) of security reports into the build cycle.
Performed pen testing of both internal and external networks as per PCI-DSS standards. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store credit card information.
Performed server hardening of Linux and Windows servers based on CIS benchmarks and internal security standards.
Performed vulnerability assessments and remediation for Linux and Windows servers and workstations.
Monitored for non-compliance issues and recommended solutions by closely working with various engineering teams such as architecture and design.
Researched applicable compliance guidelines for various enterprise systems, developed policies, procedures and ensured that these policies and procedures have been enforced.
Developed Security requirements for Data Loss Prevention (DLP) specifically for Data at Endpoint, Data In-transit, and Data at rest.
Worked on design and development of multiple security operations in SIEM and endpoint protection and data protection.
Worked with IBM QRadar SIEM Integration a IDS/IPS and responsible for integrating the log sources with IBM QRadar.
Managed security assessments to ensure compliance to firm’s security standards (i.e., OWASP Top 10, SANS25). Specifically, security testing has been performed to identify XML External Entity (XXE), Cross-Site Scripting and SQL Injection related attacks within the code.
Integrated Qualys with third party Privileged Access Management (PAM), password vaults.
Reviewed Qualys scan reports, performed the triaging to eliminate false positives.
Conducted security assessment of Cryptography applications including the apps that use Hardware Security Model (HSM).
Implemented HP ArcSight ESM including, correlation rules, data-monitors, reports, event annotation stages, case customization, active lists, and pattern discovery.
Performed pen testing of both internal and external networks. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store customer confidential information.
Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA and Sarbanes-Oxley Section 404 (SOX).
Participated in Web Application Security Testing including the areas covering Mobile, Network, security, WIFI.
Conducted pen testing for the Web Services (SOA) used by various travel agency partners to connect to Wyndham for booking and reservations.
Reviewed Azure network security architecture and implemented security controls. Specifically, Azure virtual networks, including on-premise connectivity, traffic filtering, secure communication, point-to-site VPN etc.
Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed WACLS and configured rules and conditions to detect security vulnerabilities in the Cloud Front.
Implemented Security Group Policies for Elastic Compute Cloud (EC2) instances within AWS. Developed AWS Service Roles to protect Identity Provider access.
Skilled using Burp Suite, Checkmarx, HP Fortify, SecureAssist, WAS, NMAP, Havij, DirBuster for web application penetration tests.
Generated and presented reports on Security Vulnerabilities to both internal and external customers.
Security assessment of online applications to identify the vulnerabilities in different categories like Input and data Validation, Authentication, Authorization, Auditing & logging.
Vulnerability Assessment of various web applications used in the organization using Burp Suite, and Web Scarab, HP Web Inspect.
Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
Analyzed correlation rules developed for Security Incident and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring.
Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
Follow up and ensure the closure of the raised vulnerabilities by revalidating and ensuring 100% Closure.
Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing System.
Client: SWIFT, Manassas, VA
Role: Security Engineer. September 2013-December 2015
Responsibilities:
Extensive Interaction with Onsite Coordinator in understanding the business issues, requirements, doing exhaustive analysis and providing end-to-end solutions.
Conducting Web Application Vulnerability Assessment & Threat Modeling, Gap Analysis, secure code review on the applications.
Performed malware analysis using IDAPro, OllyDbg, Windbg.
Conducted security assessments of firewalls, routers, VPNs, BlueCoat Proxy, IDS/IPS and verified its compliance to internal and external security standards.
Experience with ISO 27001/27002 Certification for ISMS, Sarbanes Oxley (SOX) Compliance
Doing multiple level of testing before production to ensure smooth deployment cycle.
Creation of Generic Scripts for testing and reusability.
Performed security hardening for Linux, Windows, Web servers, App Servers and Database servers in accordance with both internal and external standards (CIS benchmarks, PCI-DSS, NIST, FFIEC etc.).
Configured Qualys scanner and performed both authenticated and unauthenticated scans.
Performed system design reviews and proposed recommendations to comply with the policies and standards.
Formalized enterprise policy (Know Your Customer (KYC), Customer Identification Program (CIP)) to ensure systems and processes meet regulatory requirements.
Provide compliance advice on complex projects.
Utilized Puppet for managing the configuration of Linux servers.
Performed server hardening of Linux and Windows servers based on CIS benchmarks and internal security standards.
Enabled continuous monitoring for the hosts using Qualys VM/VMDR.
Application Security Review of all the impacted and non-impacted issues.
Providing guidance to Development team for better understanding of Vulnerabilities.
Assisting customer in understanding risk and threat level associated with vulnerability so that customer may or may not accept risk with respect to business criticality
Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality for remediation.
Assisting in review of solution architectures from security point of view which helps avoiding security related issues/threats at the early stage of project
Ensuring compliance with legal and regulatory requirements.
Client: Calsoft Inc, Bangalore, India
Role: Java Developer June 20011 August 2013
Responsibilities:
Designed and developed a suite of applications used by the internal cyber security operations group.
Design and implementation of SOAP, RESTful Web services.
Developed application presentation layer, which is based on Spring MVC framework involving JSP, Servlets, RESTful Web Services, and HTML, CSS.
Heavily leveraged Python's graphics APIs for creating graphics and serialization libraries for encoding data in XML/JSON formats.
Responsible for developing multi-tier websites, the full cycle: analysis, design, development, testing, and documentation
Work closely with the Product Management, Support, and Test Engineering teams to achieve the highest business value for the company
Hands on experience programming with C++, Python, Django and Ajax technologies.
Used Python based GUI components for the frontend functionality such as selection criteria. Created test harness to enable comprehensive testing utilizing Python.
Well versed in WAMP (Windows, Apache, MYSQL, and Python) and LAMP (Linux, MySQL, and Python) Architecture.
Developed Servlets and Utilized JQuery to create a fast and efficient chat server.
Implemented the Scrum Agile methodology for iterative development of the application.
Developed server side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs)
Used Spring Framework for Dependency injection and integrated with the Hibernate framework for interacting with the Oracle database.
Automated code deployment to production environment by creating tasks using ANT, Maven deployment tools.
Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.
Developed stored procedures, views and triggers using Oracle PL/SQL.
Analyzed performance issues in the application, related system configuration and developed solutions for improvement.
Involved in WebLogic and Tomcat application server installation and configuration in production, development and QA environments.
Conducted training sessions to the rest of the development team on advanced technologies, code reviews and discussion sessions to ensure that coding standards are followed.
Education Details:
Master in Computer Application from Visvesvaraya Technological University (VTU), Belgaum (Karnataka, India) - July 2002