Syed Atif Rizvi
adm6cm@r.postjobfree.com
EXECUTIVE SUMMARY
● Extensive experience in Application Security Architecture design and threat modeling, with a web application development background
● Experience in leading Application Security testing with Burp Suite, NetSparker, Nessus, OWASP ZAP, Metasploit and HP Fortify
● Working domain knowledge in Web technologies, Mobile applications, SharePoint, Business Intelligence, Azure Cloud, IT Infrastructure and Enterprise security
● Skills in Splunk, Risk Assessment, Security monitoring tools, Cloud Security Assessment, NIST and OWASP frameworks, SDLC and CI/CD Pipeline integration
● Excellent leadership, interpersonal, communication, analytical, problem-solving, people management and presentation skills.
● A highly organized, detail-oriented professional with the ability to rapidly learn innovative technology and to define, direct and design a creative approach to the Cyber Security domain and project management standards.
PROFESSIONAL EXPERIENCE
Application Security Architect, Mr Cooper, Dallas, TX Aug 2020 – Present
Key Contributions and Results:
Implemented the HP Fortify solution across the organization for SAST and DAST scanning of web, mobile, client/server and microservice applications, and develop remediation plans to discuss with the business and development teams
Routinely perform application onboarding, application/Cloud security assessments and Azure DevOps integration with Fortify
Participate in secure application design meetings with developers and architects and provide consultation on Secure SDLC controls, secure architecture and threat modeling analysis
Review the quarterly third-party “pentest” report and develop the mitigation strategy with the development team
Published Secure Coding Standards, Cloud Application Security, Web Application, Mobile and API security standard for the development teams and to meet the Internal Audit requirements.
Verify and remediate gaps against the OAuth, SAML and OpenID Connect standards
Periodically assessed tools such as MuleSoft, “noname” API security, CheckMarx, Metasploit Pro and VulnDB
Developed the Splunk dashboard for application inventory and integrated it with Threat and Vulnerability management
Provide security exceptions for certain unfixable/third-party libraries and issues
Integrated security controls into the SDLC by referencing OWASP ASVS and the OWASP preventive controls (common controls present in FoD)
Source code reviews with developers for critical and high vulnerabilities found in Fortify
Occasionally work on Internal Audit findings in Archer to resolve enterprise-wide security issues
Oversee the security of vendor-developed applications and require vendors to adhere to company application security standards and requirements
Mentor junior team members
Lead Application Security Engineer, Wayne County, Detroit, MI May 2019 - May 2020
Key Contributions and Results:
Implemented NetSparker cloud solution for dynamic application security testing.
Dynamic vulnerability analysis and penetration testing of Granicus kiosks, Qomo Android TV, the JAIS web application, the Pay Taxes Online web application, the Wayne County intranet portal, the Vital Records web application and the UASI WordPress web application
Vulnerability analysis and penetration testing of Xamarin-developed Android mobile applications hosted on Google Play
Collaborated with the application and integration teams to develop an Android application security policy using the OWASP Top 10, and implemented a SAST and DAST framework for mobile applications using the MobSF framework
Implemented Cysafe controls for Software Inventory, Web Browser Protections, Penetration Tests, Monitoring and Review of Third-Party Services, and Software Whitelisting using SCCM
Performed Manual Static Analysis with Code reviews and evaluated Proof of Concept for Static Analysis tools from CheckMarx
Presented application security vulnerability analysis reports tailored for developers and for upper management, and coordinated the remediation of vulnerabilities
Delivered developer training on secure application development
Evaluated options for software security testing in Azure DevOps
Completed Splunk dashboards for Software inventories by integrating SCCM and Ivanti enterprise applications using Splunk DB Connect.
Implemented IIS server logging, Web application monitoring using Splunk Apps.
Senior Application Analyst, Beaumont Health System, Troy, MI July 2014 – May 2019
Key Contributions & Results:
Planned and executed web and mobile application vulnerability and penetration testing for OWASP Top 10 compliance, and presented vulnerability and risk assessment reports to management and the development team for remediation
Integrated Qualys scans into the DevSecOps web development process
Routinely performed dynamic analysis using Burp Suite and OWASP ZAP
Extensive knowledge of .Net frameworks, classic ASP, Angular and Xamarin
Performed SQL Server vulnerability assessments and remediated the security gaps
Implemented identity management processes for SharePoint to harden access security, which also reduced the number of help-desk calls for IT support teams and saved 100K in revenue per annum
Security risk assessments for Azure Cloud, critical enterprise applications, vendors and other IT assets
Assisted in the information security risk assessment program by identifying risks in the current security posture.
Reviewed and assessed the findings for key vulnerabilities, developed a comprehensive project plan to address all reported defects, and executed a plan of remedial action to either repair the identified defects or develop the appropriate compensating controls.
Performed Information Security Risk Management activities which include development of programs, security awareness and training
SharePoint Analyst, Masco Corporation, Ann Arbor, MI March 2014 to July 2014
Key Contributions & Results:
Assessed and planned the migration of in-house hosted applications (Web and SharePoint) to Cloud environment
Senior Application Management (Consultant), Ford Motor Company, Dearborn, MI Apr 2013 to March 2014
Key Contributions & Results:
Responsible for the vulnerability testing of the applications and their remediation
Performed Penetration testing on web applications, servers and SharePoint infrastructure
Categorized and labelled the web and SharePoint applications based on the data classification analysis
Proactively identified process improvements that reduce support cost and effort.
Developed a plan to monitor by using WebTrend Analytics tool and created a report for business regarding performance metrics for websites.
Led the deployments, key enhancements and break fix using Change Management process. Audited and refined the security and developed documentation for retention policies with Stakeholders.
Estimated work effort for own tasks as well as team members' tasks, and mentored junior offshore support analysts
Presented the application support model to the entire support staff.
Web Applications Lead, Affinia Group, Ann Arbor, MI Feb 2011 to April 2013
Key Contributions & Results:
Reviewed and fixed the cross-site scripting and SQL injection security issues for the web sites
Participated in IT Internal Audits of Web apps and coordinated with the Third-party Auditor
Performed manual and automated scanning of web applications against known application vulnerabilities
Demonstrated exploits on vulnerable assets to prove weakness
Technical lead in supporting 10 internet-based web sites and performed regular modification and maintenance
Led the team in the development and migration of internet-based websites to the Sitefinity portal on Azure cloud hosting
Completed the project of migrating 7 business part catalog Classic ASP websites from an Internet Service Provider to company internal hosting, and coordinated with the infrastructure and database teams to resolve technical issues
Compuware Corporation, Detroit, MI May 2007 to Jan 2011
Client: GM
Position: Development lead, Project duration: 4 months
Major Projects:
Lead the conversion of .Net based applications to SharePoint publishing web sites.
Client: HealthCare – CareTech Solution
Position: Migration Lead, Project duration: 4 months
Major Projects:
Maintenance cost saved by converting classic ASP applications to .NET for several hospital web sites.
Client: GM
Position: Web Infrastructure Consultant, Project duration: 6 months
Major Projects:
Worked in an Agile environment to set up infrastructure consolidation with HP and Compuware for hosting servers and SharePoint servers for intranet sites
Client: Visteon
Position: Technical Lead, Project duration: 2 years and 5 months
Key Contributions & Results:
Architected, designed and developed the HR Performance Tool, HR Human Skill Capital project and Visteon Badging Request System .Net applications.
Led the project, in collaboration with the IBM vendor, to consolidate several Perl/CGI applications hosted on scattered web servers onto load-balanced web servers in a Sun Solaris environment, resulting in $500K per annum savings.
Led the decommissioning project for non-active web applications to reclaim hard drive space and simplified portal applications, resulting in increased server performance.
Coordinated with the IBM DBA team and Web Server team for database and website migration from the UK datacenter to the US datacenter.
Supported two internal intranet portals – the my Visteon portal and the hub Visteon portal.
Web Application Developer, Plastech Engineered Products, Dearborn, MI Sep 2002 to May 2007
Key Contributions & Results:
Developed several custom line-of-business Classic ASP and .Net applications.
Promoted to Team Lead of Application development team
EDUCATION and CERTIFICATIONS
Master of Science (MS) in Computer Engineering, Wayne State, Detroit, MI
Security Risk assessment training
Splunk Power User Certified, Java Certified Programmer (JCP)
Attended GrrCON Conference, Digital Security Government Summits Security Conferences
PMP (PMI) Certified, AGILE SCRUM Master (EXIN) Certified, Fred Pryor – Management and Leadership training