Risk Assessments Penetration Testing

Location:
Princeton, NJ, 08544
Posted:
November 25, 2024

Contact this candidate

Resume:

Jagadeesh Korukondi

*************@*****.***

402-***-****

Skill Set

Security Architecture & Risk Assessments: Designed and reviewed security architectures to assess current controls, identify potential flaws, and conducted security risk assessments of applications and APIs using NIST-mandated security domains, ensuring comprehensive security evaluations and enhancing the overall security posture.

Penetration Testing & Vulnerability Scanning: Performed manual penetration testing for web applications using tools like Burp Suite Pro, OWASP ZAP, and sqlmap to identify vulnerabilities and false positives, while also executing network and server vulnerability scans with Nessus, QualysGuard, and Nmap to enhance system security.

Led the introduction of Zero Trust architecture concepts into the enterprise security strategy, improving security controls and mitigating risks associated with modern cloud technologies, resulting in enhanced security across the organization.

Identified and mitigated risks in SD-WAN and SASE/SSE solutions by conducting thorough risk assessments of middle-mile cloud-transit networks, ensuring robust security implementations and reducing potential attack vectors.

Collaborated with senior leaders and stakeholders to recommend business modifications during periods of high vulnerability, aligning security efforts with business objectives and improving overall resilience.

Established governance frameworks and enterprise security controls as a subject matter expert, creating governance models that enhanced security compliance with standards such as NIST, CIS, and GDPR, ensuring alignment across the organization.

Led threat modeling and risk analysis activities during different design iterations, identifying vulnerabilities early in the process and enabling proactive remediation, resulting in more secure architecture designs.

Application Security Testing (SAST/DAST): Conducted static and dynamic application security testing (SAST/DAST) using tools like Veracode, HP WebInspect, and Acunetix 360, analyzing false positives and collaborating with development teams to address security vulnerabilities, resulting in a significant reduction of critical vulnerabilities across multiple release cycles.

Source Code Reviews & Secure Coding Practices: Led comprehensive source code reviews across languages such as Python, JavaScript, Angular, Oracle (PL/SQL), and Apex Low Code, ensuring compliance with industry standards and improving security and performance by reducing vulnerabilities by 20% in production systems.

Server, Network, & Data Center Management: Administered server management, Active Directory, VMware, data centers, and network security, ensuring system reliability, high availability, and securing environments through virtualization, hardening, and network security protocols, including firewalls, routers, and web application firewalls.

Infrastructure & System Administration Tools: Leveraged Microsoft tools like SCCM, SCOM, AD tools, and application management platforms to streamline infrastructure and system administration, optimizing system performance and ensuring seamless operations across multiple geographies.

Led the migration of 10+ legacy applications to cloud-based infrastructure, developing a security planning and risk mitigation strategy that ensured compliance with industry standards (ISO 27001, GDPR), resulting in enhanced security and regulatory adherence.

Led software development initiatives for over 10 years with proficiency in Python, JavaScript, Angular, Oracle (PL/SQL), and Apex Low Code, driving the creation of secure, high-performance applications, resulting in improved system efficiency and code maintainability across multiple projects.

Led and managed a 24/7 SOC team, overseeing scheduling, training, and mentoring to ensure continuous coverage and high team performance, while conducting regular performance evaluations to promote skill development and team efficiency.

Developed and implemented SOC processes, procedures, and playbooks, ensuring effective and consistent security operations, incident detection, and response, leading to a 25% increase in incident response efficiency.

Oversaw security event monitoring and analysis from multiple sources including SIEM, IDS/IPS, endpoint protection, and cloud platforms, successfully coordinating incident containment and remediation efforts to minimize downtime and damage.

Security Frameworks, Vulnerability Management, and Compliance: Leveraged industry-standard frameworks (NIST 800-53, PCI DSS, ISO 27001, OWASP Top 10, SANS Top 25) to establish a comprehensive vulnerability management program using Qualys and Wiz across cloud and on-premises environments, aligning security practices with compliance standards such as GDPR, HIPAA, and SOX.

Cloud Security and Threat Detection: Configured cloud security services (IAM, CloudTrail, GuardDuty, Config, Security Hub) for enhanced threat detection and monitoring, and led cloud migration projects for AWS, Azure, and GCP, optimizing application performance, scalability, and security.

Penetration Testing and Source Code Audits: Conducted pre- and post-migration security audits, including source code reviews in Python, JavaScript, Oracle PL/SQL, and Apex Low Code, identifying and remediating vulnerabilities, resulting in a 20% reduction in security flaws and ensuring compliance with OWASP and ISO 27001 standards.

Endpoint and Infrastructure Security: Provided primary support for endpoint security through CrowdStrike Falcon, implementing USB blocking and firewall modules, while utilizing tools like Splunk, Qualys FIM, and Axonius for comprehensive security monitoring and real-time compliance across cloud and IT systems.

Automation, Incident Response, and Identity Management: Developed Python scripts to automate vulnerability scanning, penetration testing, and security monitoring, improving efficiency by 50%. Managed identity lifecycle processes, implementing IAM controls, SSO, and MFA to ensure secure access and compliance, reducing unauthorized access incidents by 20%.

Project and Risk Management: Applied project management tools (ServiceNow CRM, Jira) to manage vulnerability assessments, pen testing, and security/compliance programs, ensuring timely risk mitigation within SLAs and achieving a 25% reduction in regulatory non-compliance risks through strategic risk assessment and mitigation strategies.

Education:

Master's in CIS from Bellevue University, Omaha (Nebraska). 2016

Bachelor of Technology in Computer Science & Engineering. 2010

Certifications:

Certified Ethical Hacker (CEH) v11. Certification number: ECC7283490156

Microsoft Certified: Azure Security Engineer Associate. Certification number: H605-3371

Languages:

.NET, Core Java, Apex

Web services:

WCF, Web Services

Scripting Languages:

JavaScript, AJAX, Python

Markup Languages:

XML, HTML, CSS, ServerXMLHTTP

Databases:

SQL Server 2012/2016, PostgreSQL

Operating Systems:

Windows 10, Linux, Windows Server 2016

Tools:

Qualys, Nessus, Burp Suite, Acunetix, HCL AppScan, Splunk, CrowdStrike, Axonius, sqlmap, Qualys FIM, OWASP ZAP, Checkmarx, etc.

Software:

Visual Studio .NET 13/12/10, IIS (7.0, 6.0, 5.0)

Version Control:

Team Foundation Server (TFS) and SVN

PROFESSIONAL WORK EXPERIENCE

Eli Lilly and Company, Indianapolis, IN Jan 2024 - Present

Application Cyber Security Architect

Responsibilities:

Dynamic Application Security Testing (DAST) and Vulnerability Management: Performed DAST scans using Qualys and WebInspect, ensuring data confidentiality, integrity, and availability, and conducted false positive analysis using Burp Suite, reducing unnecessary remediation efforts while enhancing overall vulnerability management efficiency.

Application Security and OWASP Compliance: Verified the security posture of web applications against OWASP Top 10 vulnerabilities, collaborated with development teams to remediate vulnerabilities, and assessed application risks and severity, ensuring legal compliance and minimizing attack surfaces.

Endpoint Security and Microsoft Defender: Configured and administered Microsoft Defender Advanced Threat Protection (ATP) and created GPOs to manage endpoint security policies, improving threat detection, policy enforcement, and overall security posture for endpoints and servers.

Network and API Security: Architected secure network infrastructures using Fortinet firewalls, enhancing defenses against DDoS attacks and advanced persistent threats, and exploited common API vulnerabilities to tighten security controls, improving system stability and API security.

Encryption and Key Management: Managed encryption of data at rest and in transit using AWS KMS and PKI systems, ensuring key security and compliance with data protection standards, and integrated encryption mechanisms into systems, reducing data breach risks by 40%.

Code Review and Secure Development: Conducted code reviews for Python, JavaScript, and PL/SQL applications, implementing secure coding standards in Java to mitigate common vulnerabilities like SQL injection and XSS, resulting in improved security posture and reduced security incidents by 20%.

Directed post-incident analysis efforts, identifying root causes of security incidents and driving improvements in SOC processes, reducing response times and increasing the organization's resilience to future attacks by 30%.

Established and tracked SOC performance metrics and reporting mechanisms, ensuring continuous assessment of team effectiveness, operational improvements, and alignment with organizational security goals.

Collaborated with internal cybersecurity teams (CSIRT, Threat Hunt, Threat Intelligence, Vulnerability Management) and external stakeholders, ensuring comprehensive security incident handling and strengthening the organization's overall security posture.

Penetration Testing and API Security: Performed penetration tests on RESTful and SOAP APIs, uncovering critical vulnerabilities such as broken authentication and excessive data exposure, enabling developers to patch security flaws, reducing security risks by 30%.

Encryption Audits and Data Protection: Conducted encryption vulnerability assessments, ensuring regular key rotation and secure encryption practices for data in transit and at rest, safeguarding sensitive information and enhancing overall encryption security during migration processes.

Humana Inc, Louisville, KY Mar 2021 – Dec 2023

Application Cyber Security Architect

Responsibilities:

Application and API Risk Assessments: Conducted comprehensive security risk assessments of applications and APIs based on architecture, design, and data flow, identifying security gaps and providing mitigation strategies across 7 NIST-mandated security domains, improving overall security posture.

Static and Dynamic Analysis for Vulnerability Identification: Performed static (SAST) and dynamic (DAST) analysis, leveraging tools like Veracode and WebInspect to detect vulnerabilities in application source code, collaborating with development teams to implement secure coding best practices, resulting in a 30% reduction in critical vulnerabilities.

Cloud and Endpoint Security: Deployed cloud agents across Windows and Linux environments to identify vulnerabilities, implemented Qualys FIM for PCI-critical systems, and enhanced endpoint security with CrowdStrike, automating vulnerability management and ensuring compliance with PCI, GDPR, and HIPAA regulations.

Automated Security Integration in CI/CD Pipelines: Integrated Veracode SAST and Burp Suite into CI/CD pipelines, automating security scanning and vulnerability detection, reducing manual security assessments by 50%, and improving development efficiency by streamlining the feedback loop.

Penetration Testing and Threat Mitigation: Conducted internal and external penetration tests on web, mobile applications, and networks, uncovering critical vulnerabilities like SQL injection and XSS, and executed tailored remediation plans that reduced high-risk vulnerabilities by 25% and improved network resilience by 40%.

Stayed abreast of emerging security threats and industry best practices, regularly updating SOC procedures, technologies, and staff training to ensure cutting-edge incident response capabilities and alignment with evolving threat landscapes.

Communicated SOC operations and incident progress to senior management and key stakeholders, ensuring transparency and alignment with organizational security objectives while providing actionable insights to improve strategic decisions.

Security Incident Detection and Response: Utilized SIEM systems to analyze and correlate security event data, monitoring network traffic and system logs for threats, and implemented custom security plug-ins for CI/CD tools, enhancing threat detection and reducing response times.

Vulnerability Management and Automation: Automated vulnerability discovery and remediation using Python scripts with tools like Nessus and Qualys, increasing patching efficiency and reducing manual effort, while integrating Axonius to streamline the management of devices, users, and cloud assets.

Network Security and Compliance Audits: Managed secure network protocols, configured firewalls and VPNs, and executed network penetration tests, identifying misconfigurations and ensuring regulatory compliance, resulting in successful quarterly audits with financial institutions.
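
The SIEM correlation work described above (analyzing and correlating security event data to detect threats) is the kind of rule shown below. This is an added example, not code from Humana or any other employer on this page: a single-pass correlation over OpenSSH-style authentication log lines that raises a medium alert when one source fails five logins inside ten minutes and escalates to high if that same source then logs in successfully. The log lines are constructed for the example and the threshold and window values are assumptions.

```python
"""SIEM-style correlation rule: SSH brute force, with escalation on success.

Added example, not the candidate's or any employer's code. Log lines below are
constructed in OpenSSH's syslog format; threshold/window are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Matches "Failed password for [invalid user] X from A.B.C.D port N ssh2"
# and "Accepted password for X from A.B.C.D port N ssh2" (OpenSSH wording).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse(line):
    """Return a dict for an auth event, or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, threshold=5, window=timedelta(minutes=10)):
    """Single pass over time-ordered lines; returns a list of alert dicts."""
    failures = defaultdict(deque)   # src -> timestamps of failures in window
    reported = set()                # sources already given a medium alert
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in reported:
                reported.add(ev["src"])
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": ev["src"], "count": len(q), "ts": ev["ts"]})
        else:  # Accepted: a success after a burst of failures is the real signal
            if len(q) >= threshold:
                alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                               "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
            q.clear()
    return alerts


# Constructed sample log (not from any real system). 203.0.113.7 fails six
# times in 35 seconds and then succeeds as "deploy"; 198.51.100.4 stays below
# the threshold; 10.0.0.5 is a normal login; one line is unrelated noise.
SAMPLE_LOG = [
    "2024-11-20T08:00:01Z bastion sshd[1021]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2024-11-20T08:00:08Z bastion sshd[1021]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2",
    "2024-11-20T08:00:10Z bastion sshd[1030]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "2024-11-20T08:00:15Z bastion sshd[1021]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2",
    "2024-11-20T08:00:22Z bastion sshd[1021]: Failed password for deploy from 203.0.113.7 port 51125 ssh2",
    "2024-11-20T08:00:29Z bastion sshd[1021]: Failed password for deploy from 203.0.113.7 port 51126 ssh2",
    "2024-11-20T08:00:31Z bastion sshd[1030]: Failed password for alice from 198.51.100.4 port 40002 ssh2",
    "2024-11-20T08:00:33Z bastion sshd[1040]: pam_unix(sshd:session): session opened for user bob",
    "2024-11-20T08:00:36Z bastion sshd[1021]: Failed password for deploy from 203.0.113.7 port 51127 ssh2",
    "2024-11-20T08:00:40Z bastion sshd[1050]: Accepted password for bob from 10.0.0.5 port 50010 ssh2",
    "2024-11-20T08:01:05Z bastion sshd[1021]: Accepted password for deploy from 203.0.113.7 port 51128 ssh2",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

The medium alert is deduplicated per source for the run, so a noisy scanner produces one ticket rather than one per attempt; the high alert is never suppressed, because a success after a burst is what the SOC must act on. Shrinking the window or raising the threshold makes the same data produce no alerts, which is the tuning knob an analyst adjusts against false positives.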

DuPont, Wilmington, DE July 2017 – Feb 2021

Application Security Specialist

Responsibilities:

Web Application and API Security: Performed dynamic and manual security scans for web applications (Azure & On-Premises) and APIs using tools like Burp Suite, Imperva WAF, and automated testing tools, identifying and remediating vulnerabilities like SQL Injection and Cross-Site Scripting (XSS), resulting in a 40% reduction in successful attack attempts.

Cloud Security and Compliance: Developed secure onboarding processes for cloud accounts across AWS and Azure, provisioning and configuring cloud security services such as IAM, logging, and threat detection. Ensured compliance with federal regulations and security standards, enhancing the overall cloud security posture.

Secure Code Reviews and Development: Conducted in-depth code reviews in Java, Python, JavaScript, and PL/SQL to identify vulnerabilities and enforce secure coding practices, reducing reported bugs and security incidents by 20%. Implemented secure coding standards and input validation to mitigate injection attacks and buffer overflows.

Incident Response and SIEM Management: Managed security operations, overseeing incident response and monitoring in a 24/7 SOC environment. Optimized SIEM tools and integrated them with IDS and firewalls, improving real-time detection and reducing incident response times by 25%.

Penetration Testing and Vulnerability Management: Conducted regular penetration testing using Burp Suite and OWASP ZAP, uncovering and remediating vulnerabilities. Applied CVSS scoring to prioritize remediation efforts, ensuring compliance and enhancing the security posture of web applications.

Active Directory and Asset Management: Executed Active Directory infrastructure backup and restore, performed asset onboarding and migration using SailPoint IIQ, and ensured secure management of MA2 assets in the DuPont IAM application, enhancing identity and access management processes.

Cox Enterprises, Omaha, NE Jan 2016 – June 2017

Cyber Security Engineer

Responsibilities:

Performed DAST and SAST scans using automated testing tools, conducted false positive analysis, and provided reports with remediation to customers, ensuring accurate vulnerability identification and facilitating timely security improvements.

Prepared proof of concepts (POCs) for regularly generated vulnerabilities to remediate them faster, accelerating the vulnerability management process and enhancing overall security.

Improved security and reduced vulnerabilities by identifying and mitigating potential risks associated with systems and applications, enhancing the organization’s security posture.

Minimized gaps in the vulnerability management process and recommended areas for improvement, optimizing security operations and strengthening defenses against potential threats.

Performed network and server scans using Qualys WAS, identifying vulnerabilities and helping to maintain a secure and compliant IT environment.

JDA Software Pvt Ltd, Hyderabad, India Dec 2013 – June 2015

Application Security Analyst

Responsibilities:

Installed and configured Active Directory and Windows Servers for multiple clients, ensuring seamless integration, optimal performance, and operational efficiency.

Identified and remediated security vulnerabilities (XSS, SQL Injection, CSRF) through gray box testing, improving application security and reducing risks in alignment with OWASP and SANS standards.

Collaborated with design teams during the SDLC to address security requirements early, minimizing rework and reducing development costs.

Developed POCs and conducted secure coding sessions for critical vulnerabilities, enhancing security awareness and reducing high-severity issues.

Centralized disaster recovery (DR) and BCP efforts for critical servers, ensuring resilience and minimizing downtime during incidents.

Conducted risk assessments and applied CIS Benchmarks and CVSS scoring to provide remediation guidance, ensuring compliance and mitigating risks.

Applied secure SDLC practices and performed source code analysis to identify and fix vulnerabilities, enhancing overall application security.

ICIC Lombard Pvt Ltd, Hyderabad, India Feb 2011 – Nov 2013

Security Engineer

Responsibilities:

Conducted security assessments, including scoping questionnaires, DAST, and secure code reviews, identifying vulnerabilities and improving security posture across applications and systems.

Collaborated with development teams to formulate test plans, provide remediation support for vulnerabilities (XSS, SQLi, DDoS), and integrate OWASP standards into the SDLC, enhancing secure coding practices and reducing risks.

Performed penetration testing (black box, gray box) and generated custom scripts and test documents to validate vulnerabilities, improving security measures and protecting against attacks.

Provided OWASP Top Ten training to QA Engineers and developers, increasing awareness of common vulnerabilities and ensuring secure development processes.

Installed, configured, and hardened systems, laptops, and encryption tools, enhancing data security, reducing vulnerabilities, and improving system integrity.

Pegasys Information Technology, Hyderabad, India June 2010 – Jan 2011

Application Security Engineer

Responsibilities:

Created security risk assessment reports with remediation strategies for identified vulnerabilities in applications, enabling effective risk management and improving overall security posture.

Performed penetration testing for applications using organizationally provided payloads to identify vulnerabilities, enhancing application security by exposing potential weaknesses.

Collaborated with the development team to remediate vulnerabilities in applications, ensuring timely resolution of security issues and minimizing potential attack vectors.

Conducted security scans based on OWASP Top 10 standards to identify and address common vulnerabilities, strengthening application defenses and reducing the risk of exploitation.
