Sr. Information Security Architect
Aditya Tirumala
************@*****.***
LinkedIn: http://www.linkedin.com/in/aditya-yadagiri-216966311
PROFESSIONAL SUMMARY:
Cybersecurity professional with 9+ years of experience across multiple domains, including Application Security, Vulnerability Management, Penetration Testing, Cloud Security, and Security Operations Center (SOC) operations. Proficient in utilizing industry-standard security tools and frameworks to identify, assess, and mitigate security risks and vulnerabilities. Proven ability to collaborate with cross-functional teams, communicate effectively, and drive security initiatives within organizations.
Performed vulnerability assessments, penetration testing, and secure code reviews for web applications, APIs, and network infrastructure.
Designed and configured networks using GNS3 and Packet Tracer.
Analyzed and troubleshot network issues using Wireshark.
Experienced in manual and automated testing of websites and applications against OWASP Top 10, SANS 25, and other industry-standard security vulnerabilities.
Utilized SAST tools (Fortify, Checkmarx), DAST tools (Burp Suite, IBM AppScan), SCA tools (Black Duck), and other security scanning tools for code analysis and vulnerability identification.
Created comprehensive vulnerability assessment reports, including identified exposures, severity ratings, and mitigation recommendations.
Designed and implemented IAM configurations to secure access to sensitive data and applications across the organization.
Gained extensive experience with SIEM tools (Splunk, IBM QRadar) for log analysis, security incident monitoring, investigation, and mitigation.
Expertise in embedded C++ programming and Real-Time Operating Systems (RTOS).
Managed and administered Entra ID, ensuring seamless user authentication and authorization across multiple applications.
Designed and implemented robust API security measures using Cloudflare to protect web applications from malicious traffic and DDoS attacks.
Implemented Perl scripting for network analysis.
Created and maintained thorough enterprise security architecture frameworks that complied with HITRUST, SAML, and CISSP requirements.
Designed and implemented IAM solutions using Okta, SAML, OIDC, and MFA to improve secure authentication and authorization in both on-premises and cloud environments.
Created security policies and procedures to guarantee adherence to industry standards (SSL/TLS, DLP) and enforce enterprise-wide encryption, cryptographic standards, and secure data transport techniques.
Carried out frequent security audits and risk assessments on business systems, with an emphasis on HITRUST framework alignment, SAML integrations, and vulnerability management.
Analyzed security event data from network devices (IDS, IPS, firewalls) and performed static malware analysis on isolated virtual servers.
Architected end-to-end security solutions for various organizations, ensuring the integration of best practices in network security, data protection, and threat management.
Monitored and analyzed security events in a 24x7 Security Operations Center (SOC) environment for intrusions and malicious activities.
Investigated and responded to security incidents, phishing attempts, and cyber threats impacting the organization.
Configured SSO authentication protocols, such as SAML and OAuth2, to ensure secure access management.
Collaborated with stakeholders to install, update, and troubleshoot automated systems adhering to cybersecurity standards and practices.
Certifications:
Certified Information Systems Security Professional (CISSP).
Technical Skills:
Application Security: OWASP Top 10, ASVS, MSTG, Secure Code Reviews, SAST (Checkmarx, IBM AppScan, Fortify), DAST (Burp Suite, OWASP ZAP, Contrast), Threat Modeling, Secure SDLC
Penetration Testing: Web Application Pentesting, Network Pentesting, Cloud Pentesting (AWS, Azure, GCP), Mobile App Pentesting, Burp Suite, Nmap, Nessus, Metasploit, Kali Linux
Vulnerability Management: Vulnerability Assessments, Patch Management, Vulnerability Scanning (Nessus, Qualys, Nexpose), Remediation Tracking (Archer, BitSight, ScoreCard)
Cloud Security & Automation: AWS Security (JAM), Azure Security, GCP Security, Cloud Configuration Audits, Cloud Architecture Reviews, DevSecOps (CI/CD with Git, Jenkins, Ansible, Docker, Kubernetes), Ansible, Puppet
Identity & Access Management: IAM, RBAC, PAM, Privilege Management, IdentityIQ (SailPoint, CrowdStrike, CyberArk)
Security Monitoring: SIEM (Splunk, QRadar, LogRhythm), IDS/IPS, Firewalls, Endpoint Security (McAfee, Symantec), Network Monitoring, Log Analysis, Threat Intelligence
Compliance & Standards: SOC 2, PCI-DSS, HIPAA, GDPR, ISO 27001, NIST (800-30, 800-53, 800-61, 800-63), FIPS
Security Engineering: Security Architecture, Secure Design, Threat Modeling, Risk Assessment, Security Controls Implementation
Incident Response: Incident Handling, Forensic Investigations, Malware Analysis, Incident Response Lifecycle
Programming, Scripting & Databases: Python, PowerShell, Bash Scripting, Embedded, Java, C, C++, MySQL, MongoDB, PL/SQL, Oracle
Networking & Protocols: TCP/IP, DNS, DHCP, HTTP, HTTPS, SSH, TLS, VPN (IPsec, SSL, PPTP, L2TP), Firewalls, IDS/IPS, Packet Analysis (Wireshark, tcpdump)
Collaboration & Training: Technical Presentations, Security Awareness Training, Product Demonstrations, Customer Engagements, Sales Enablement
Security Implementations: SSL certs, TLS, data encryption 512 and 256 standards, Kerberos authentication, and PAM access management
Operating Systems: Windows 2019, 2022; Linux RHEL 7, 8 and 9; IBM AIX; UNIX Sun Solaris
PROFESSIONAL EXPERIENCE:
Client: Amdocs, Plano, TX Sep 2022 to Present
Sr. Cyber Security Engineer
Responsibilities:
Collaborated with stakeholders to install, update, and troubleshoot automated systems adhering to cybersecurity standards and practices.
Planned and executed remediation activities for vulnerabilities identified through application scanning tools like Qualys, mitigating risks in web applications and architectural weaknesses.
Collaborated with internal and external stakeholders to address IT governance and compliance issues, providing guidance on NIST and ISO risk management best practices.
Conducted IT audits for organizations, focusing on infosec, access controls, cloud computing, IT governance, cybersecurity, data governance (DLP solutions), third-party risk, vulnerability, and compliance.
Assessed, prioritized, and updated existing IT security policies and standards to reflect the GRC framework.
Communicated effectively with business units regarding web application vulnerabilities and managed access control mechanisms.
Reviewed vendor security controls, ensuring adherence to global compliance standards, including ISO 27001, SOC 2, and GDPR.
malware prevention, DLP, IDS/IDP, cryptography, vulnerability scanning, and penetration testing), as well as related protocols and tools (e.g., SSH, SSL/TLS, Snort, port scanners, rootkit detectors, etc.)
Led the design and implementation of SSO solutions using SAML, enabling seamless user authentication across multiple applications while enhancing security and user experience.
Designed and implemented secure cloud architectures for platforms such as AWS, Azure, and Google Cloud, ensuring robust protection of data and applications.
Designed, developed, and performed unit, system, and integration testing of embedded application software in C++ in a multithreaded QNX environment.
Developed and maintained security policies and procedures aligned with HITRUST standards, promoting a culture of compliance and security awareness within the organization.
Implemented OAuth2 protocols to enable secure authorization and access to APIs and third-party services.
Investigated and documented network security incidents, reported to management, monitored security data, and analyzed threats.
Prepared for HITRUST certification audits by coordinating documentation, evidence collection, and remediation activities, resulting in successful audits with minimal findings.
Analyzed organization-based security, risk, privacy, and social governance policies to evaluate cyber exposures and champion effective solutions.
Acted as a Subject Matter Expert (SME) in cybersecurity, offering expert guidance on threat detection, incident response, and risk management to internal and external stakeholders.
Strong knowledge of NIST Special Publication 800-37, which outlines the RMF process, including the steps of categorization, selection, implementation, assessment, authorization, and continuous monitoring, to ensure compliance with federal cybersecurity requirements.
Utilized DLP analytics tools to identify potential data loss incidents, generating reports that informed management and guided strategic decisions.
Spearheaded the implementation of the HITRUST CSF (Common Security Framework) to enhance the organization’s security posture and achieve compliance with HIPAA and other regulatory requirements.
Managed security tools for PCI DSS compliance, collaborating with the security team to standardize policies.
Conducted daily vulnerability assessments, prioritized risks, and established remediation timelines.
Assisted in assessing compliance with cybersecurity frameworks and remained updated on industry trends and emerging technologies.
Configured and secured SSH access for remote administration, ensuring secure communications and access controls.
Led the deployment of IDS/IDP solutions that improved threat detection capabilities, successfully identifying and mitigating [number] intrusions in real time.
Wrote PowerShell scripts to conduct penetration testing, vulnerability scanning, and security assessments of network infrastructure, web applications, and cloud environments.
Conducted compliance assessments, based on NIST and ISO standards, to evaluate adherence to regulations such as PCI DSS, GDPR, and HIPAA.
Integrated Entra ID with cloud services like Azure and Microsoft 365, enabling centralized identity management.
Conducted security assessments and audits across multiple platforms and systems, identifying vulnerabilities and recommending actionable solutions to mitigate risks.
Developed and managed identity federation strategies utilizing SAML, facilitating secure cross-domain authentication and improving access management.
Conducted regular audits of cryptographic implementations to ensure compliance with industry standards and regulatory requirements.
Managed user identities, roles, and permissions within the IAM system, ensuring proper access control.
Monitored and researched cyber threats impacting the organization.
Presented findings from penetration tests to stakeholders, effectively communicating risks and recommended mitigation strategies.
Implemented risk management processes aligned with the HITRUST framework, enhancing the organization's ability to identify, assess, and mitigate security risks effectively.
Utilized NIST 800-53A and NIST 800-53 Rev. 4 to review implemented controls and enter information into the Requirements Traceability Matrix (RTM) and findings into the Security Assessment Report (SAR).
Managed and enhanced cloud security operations on Azure and GCP, integrating robust firewall strategies and ensuring alignment with NIST cybersecurity frameworks and CJIS compliance requirements.
Established a routine vulnerability scanning program that identified and remediated vulnerabilities across the organization’s IT infrastructure.
Developed and implemented security policies and control measures for Cisco's cloud environments, continuously assessing and optimizing policies to uphold NIST and CJIS standards on Azure and GCP platforms.
Client: Cisco, San Jose, CA Jun 2021 to Aug 2022
Role: Information Security Analyst
Responsibilities:
Performed vulnerability assessments, network penetration testing, and web application penetration testing for Java and .NET applications.
Conducted static and dynamic code analysis, threat modeling, design reviews, and penetration testing to identify vulnerabilities in internal and external web applications.
Experienced in manual and automated testing of websites against OWASP Top 10 and SANS 25 vulnerabilities.
Thorough understanding of OWASP Top 10 vulnerabilities, their attack vectors, and defense mechanisms (e.g., XSS, SQLi, CORS).
Conducted regular tuning of IDS/IDP alerts to reduce false positives, enhancing the efficiency of the security operations team.
Resolved vulnerabilities in the Webex and FedRAMP GRC environments (POA&M and NIST) using automated scripts written in Python, PowerShell, and Bash.
Managed vendor risk assessment processes, evaluating third-party vendors for compliance and security risks, following NIST and ISO guidelines.
Developed and executed incident response protocols for malware outbreaks, ensuring swift containment and recovery while minimizing business disruption.
Responsible for maintaining accreditations and certifications such as ISO 27001, ISO 22301, ISO 20000, and other regulations.
Collaborated with IT teams to prioritize vulnerability remediation based on risk assessment and potential impact on business operations.
Conducted comprehensive assessments of current security practices against HITRUST requirements, identifying gaps and developing remediation strategies to ensure compliance.
Configured and managed SAML assertions to securely transmit user identity information between identity providers (IdPs) and service providers (SPs), ensuring data integrity and confidentiality.
Continuously reviewed and enhanced IT security policies, procedures, standards, and guidelines, utilizing cutting-edge tools such as GRC (Governance, Risk, and Compliance) software to streamline the compliance process and maintain alignment with departmental prerequisites.
Wrote embedded software for the 8031/8051 board in assembly language and C.
Utilized SAST tools (Fortify), DAST tools (Burp Suite, IBM AppScan), and SCA tools (Black Duck) for code scanning, generating reports, and collaborating with developers for remediation.
Collaborated with Internal Audit, External Audit, and the SOX PMO on a regular cadence to discuss changes to the control environment and prepare effective, efficient compliance and substantive test plans and the SOX calendar.
Deployed Azure IaaS virtual machines (VMs) and AWS Cloud services (PaaS role instances) into secure VNets and subnets.
Implemented SSL/TLS encryption for web applications to protect data in transit and improve trust with end-users.
Provided reviews of security controls employing NIST 800-53 recommended security controls.
Gained experience with SIEM tools (Splunk) for log analysis and security incident monitoring, investigation, and mitigation.
Developed threat models for key applications and infrastructure, informing the penetration testing process and enhancing overall security measures.
Developed and maintained key management procedures, including key generation, storage, rotation, and revocation, adhering to best practices and compliance standards.
Configured and managed DLP policies that monitored and controlled data transfers across endpoints, ensuring compliance with regulatory requirements.
Conducted risk assessments and vulnerability analyses to identify potential threats and vulnerabilities, guiding the creation of security standards.
Ensured interoperability between various SAML-compliant systems and applications, streamlining authentication processes and reducing operational overhead.
Researched new and evolving threats and vulnerabilities that could impact the monitored environment.
Orchestrated the transition of security operations to integrate with GCP, leveraging Azure for comprehensive security enhancements and ensuring adherence to NIST and CJIS regulatory requirements through strategic firewall deployment.
Client: Best Buy, Minneapolis, MN Nov 2019 to May 2021
Position: Application Security Engineer
Responsibilities:
For the network, we use Nmap and Metasploit scripts. For the Web, we use Metasploit scripts and work manually as well.
Alternatively, we do a nexus scan and an infrastructure scan for both network and web services.
Worked with development staff on test planning, created weekly reports, developed test cases, ensured code functionality, and identified defects to implement a strategy to enhance testing.
Performed static application security testing assessments for web applications, microservices, and mobile applications using Checkmarx.
Generated detailed vulnerability reports that provided actionable insights and recommendations for management and technical teams.
Conducted training sessions for employees on recognizing and avoiding malware threats, fostering a security-aware culture within the organization.
Deployed and configured Snort as an IDS to monitor network traffic and detect potential threats.
Performed application security programs (DAST and SAST) at the enterprise level to identify, report, and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD, and
Managed OAuth2 token lifecycles, ensuring proper issuance, validation, and expiration of access tokens.
Worked closely with developers to integrate Cloudflare security features into API development workflows.
Integrated the IBM AppScan tool with Jenkins in the agile development process for dynamic analysis and security testing.
Conducted comprehensive penetration tests on web applications, networks, and systems, identifying critical vulnerabilities and providing remediation guidance.
Analyzed IDS/IDP logs to identify patterns and trends, providing insights that informed proactive security measures.
Assessed and mitigated risks associated with SAML implementations, implementing best practices for token signing, encryption, and assertion validation.
Implemented multi-factor authentication (MFA) within the IAM system to strengthen security for user access.
Responsible for ensuring IT systems have all security controls in place and functioning properly in accordance with the NIST 800-53 Rev. 4 publication.
Designed Terraform templates to create custom-sized VPCs, subnets, and NAT to ensure successful deployment of web applications and database templates on AWS.
Worked extensively with software development teams to review source code, triage the security vulnerabilities generated by Checkmarx, and eliminate false positives.
Developed a threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications.
Implemented robust encryption protocols (e.g., AES, RSA) for data at rest and in transit, ensuring the confidentiality and integrity of sensitive information.
Designed and implemented a comprehensive DLP strategy that safeguarded sensitive data and reduced data breaches by [percentage].
Developed mitigation strategies to address identified threats and enhance the security posture of the system.
Analyzed the system's design and architecture to understand potential vulnerabilities and attack surfaces.
Detected problems early in the software development life cycle (SDLC), even before coding began.
Improved the application security posture of the company's online business by performing periodic assessments on mission-critical applications.
Logged defects in Jira and assigned them to the application team for fixes; worked with application teams to help them remediate security vulnerabilities.
Performed risk analysis to identify points of vulnerability and recommended disaster recovery strategies and business continuity planning.
Implemented a robust continuous monitoring program utilizing a NIST SP 800-137 compliant Information System Continuous Monitoring (ISCM).
AmeriHealth, Philadelphia, PA Nov 2018 to Oct 2019
Application Security / Cloud Security Engineer
Responsibilities:
Monitored networks using DLP, Websense, Trend Micro, and IBM QRadar SIEM tools.
Worked with security tools like Symantec DLP, Endpoint Protection, Encryption, Bluecoat Proxy, and syslogs.
Led international encryption server projects as a Voltage secure data encryption engineer.
Conducted vulnerability assessments and penetration testing to identify system vulnerabilities.
Supported Tripwire application, assisted with Nessus, vulnerability management, and compliance.
Led a cloud security engineering team, executed complex solutions, and delivered projects.
Adopted and taught best cloud security engineering practices.
Spearheaded cloud migration strategies, focusing on the transition to Azure and AWS platforms, ensuring seamless integration and robust security.
Developed and maintained documentation for IAM configurations and procedures, ensuring clarity and consistency across the organization.
Conducted Information System Audits (Security Control Assessments) and Security Authorizations (SA) using the NIST Risk Management Framework SP 800-37 guide.
Performed internal network vulnerability assessments to enhance security culture.
Utilized frameworks like ISO 27001, PCI DSS, OWASP, SANS, and Forcepoint.
Monitored and researched cyber threats impacting the organization.
Specialized in data loss prevention and large infrastructure encryption.
Developed cloud security environment architectures and proof of concepts.
Architected, implemented, and supported cloud-based infrastructure and solutions.
Managed repeated threats and conducted vulnerability tests across systems.
Designed and implemented solutions to protect sensitive data and strengthen data protection.
Supported IT teams with risk remediation, including VBlock infrastructure vulnerability remediation.
Integrated Splunk with ServiceNow, Active Directory, and LDAP.
Managed Splunk instances, analyzed security events, risks, and reporting using Splunk Deployment Server.
Created comprehensive documentation and diagrams for knowledge sharing.
Assisted with Splunk dashboards, use cases, technical services, and data queries.
Worked with NERC CIP, Tripwire, Tenable, and IP360 Enterprise 8.6.
Developed and implemented NIST-based cyber security standards to reduce IT asset vulnerabilities.
Target, Minneapolis, MN Aug 2016 to Nov 2018
Product Security Engineer
Responsibilities:
Performed manual penetration testing of applications and APIs to identify OWASP Top 10 and SANS 25 vulnerabilities.
Trained development teams on secure coding practices.
Trained teams on security requirements, threat modeling, and security testing to improve SDLC and achieve secure SDLC.
Conducted black box penetration testing on internet and intranet-facing applications.
Identified OWASP Top 10 issues like SQLi, CSRF, and XSS.
Performed static code analysis using HP Fortify to identify vulnerabilities in applications.
Utilized tools like Burp Suite, Dirbuster, HP Fortify, and Nmap for assessments.
Conducted security code reviews for Java, .NET, and PHP using HP Fortify and IBM AppScan, and helped teams remediate issues.
Designed and implemented secure cloud architectures for platforms such as AWS, Azure, and Google Cloud, ensuring robust protection of data and applications.
Prepared risk registries for various projects.
Provided details on identified issues and remediation plans to stakeholders.
Conducted grey box testing of applications.
Participated in client interviews to determine the security posture of the system and to assist in the completion of the Security Assessment Plan using the NIST SP 800-53A tests required to maintain the company's Authorization to Operate (ATO), the Risk Assessment, System Security Plans, and System Categorization.
Verified existing controls for least privilege, separation of duties, and job rotation.
Provided insights on separating client data and securing PII during a major company merger.
Identified application vulnerabilities using proxies like Burp Suite to validate server-side validations.
Identified issues related to session management, input validations, output encoding, logging, exceptions, cookie attributes, encryption, and privilege escalations.
Executed and crafted payloads to attack systems and execute XSS and other attacks.
Used sqlmap to dump database data locally.
Client: Zensar Technologies, Pune, India Apr 2015 to Feb 2016
Position: Cyber Security Analyst
Responsibilities:
Performed vulnerability assessments of Java and .NET web-based applications using Burp Suite and HP WebInspect.
Conducted web application vulnerability assessments, threat modeling, and secure code reviews.
Performed network vulnerability assessments using tools to evaluate attack vectors, identify vulnerabilities, and develop remediation plans and security procedures.
Conducted automated web application security testing using Checkmarx, HP WebInspect, Fortify, and Burp.
Configured and used tools like SSO, Fortify, Checkmarx, and AppScan for web and mobile application testing and issue remediation.
Captured and analyzed network traffic at all OSI layers, monitored security of critical systems (email, database, web, and application servers).
Worked with operational security tools and practices like IDS, firewalls, and third-party security products.
Proactively monitored blogs and blocked malicious IPs/URLs at the organization level.
Responsible for security outbreak incident reports and post-incident response reports.
Performed effective security event monitoring and log analysis from various security controls like Websense, IDS/IPS, and firewalls.
Managed compliance of network devices and configurations according to standard build procedures.
Demonstrated knowledge of system and network security, log analysis, and intrusion detection technologies.
Provided 24/7 computer network security auditing and fraud, waste, and abuse detection for government agency customers.
Maintained technical knowledge and troubleshooting skills for supported application and network security products and services.
Tracked incidents until closure, coordinated with teams for resolution and reporting.
Monitored bandwidth utilization of links and used monitoring tools for network systems.
Experienced in maintaining IP addressing and subnetting, wireless router configuration, email verification for phishing, and solving end-user security issues.
Stayed up to date with information security news, techniques, and trends.
Client: HashedIn, Bangalore, India Oct 2014 to Mar 2015
Position: Security Engineer
Responsibilities:
Performed black box pen testing on internet- and intranet-facing applications.
Identified OWASP Top 10 issues like SQLi, CSRF, and XSS.
Prepared the risk registry for the various projects at the client.
Trained the development team on secure coding practices.
Provided details of the issues identified and the remediation plan to the stakeholders.
Performed gray box testing of the applications.
Identified hidden files using DirBuster.
Worked on DOM-based XSS manually.
Worked on Directory Traversal attacks manually.
Implemented Agile methodology to follow the workflow process.