Sowmya Ch
Senior Security Engineer ***********@*****.*** +1-512-***-****
PROFESSIONAL SUMMARY
• An IT professional with 10+ years of experience in Software Development and Application Security.
• Strong working experience in Java/J2EE development, maintenance, enhancement, and support.
• A penetration tester with experience testing applications in domains such as healthcare and legal.
• Involved in the Software Development Life Cycle (SDLC) to ensure security controls are in place.
• Experience in threat modelling during the requirement-gathering and design phases.
• Performed static code analysis during the development phase.
• Good knowledge of MySQL, PL/SQL, Oracle, DB2 databases.
• Performed the gap analysis to identify scenarios like privilege escalation.
• Experience with static and dynamic analysis tools like HP Fortify, HP WebInspect and IBM AppScan.
• Involved in implementing and validating the security principles of minimizing attack surface area, least privilege, secure defaults, defense in depth, avoiding security by obscurity, keeping security simple, and fixing security issues correctly.
• Experience in vulnerability assessment and penetration testing using various tools like Burp Suite, DirBuster, OWASP ZAP Proxy, Nmap, Nessus, Kali Linux, Metasploit and Acunetix.
• Hands-on experience in developing Application Security programs, security controls, creation of risk control matrices and risk mitigation strategies.
• Experience in conducting IT Security Risk Assessments in accordance with the NIST and PCI frameworks.
• Experience in collaborating with various product management and development teams to ensure alignment between security and development practices.
• Hands-on with Penetration Testing, Source Code Review, DAST, SAST, IAST and manual ethical hacking.
• Used Splunk and Grafana for monitoring, logging, and visualizing key system and application metrics.
• Experience in performing manual exploitation using tools such as Kali Linux (Nmap, Wireshark, Android Studio, Burp, etc.).
• Thorough knowledge of OWASP, SANS 25, PCI regulations and frameworks.
• Attended the Black Hat USA conference in 2023, gaining insights into the latest cybersecurity trends and attack techniques.
EDUCATION
ANU University
Bachelor’s degree 2015
CERTIFICATION
• CISSP (ISC)²
• GCIH (GIAC Certified Incident Handler, SANS/GIAC)
• Certified Ethical Hacker (CEH)
• OSCP (Offensive Security)
TECHNICAL SKILLS
Tools: Burp Suite, DirBuster, HP Fortify, IBM AppScan, OWASP ZAP Proxy, Nmap, Nessus, Kali Linux, Metasploit, HP WebInspect, Acunetix, Snyk, Black Duck, Checkmarx, SIEM, NetApp.
Programming Languages: Java, Python, Linux, SQL, PL/SQL, R/RStudio, C#, .NET, Node.js, C, C++, shell scripting.
Web Technologies: HTML, CSS, XML, JavaScript, Azure Databricks.
Operating Systems: Kali Linux, GNU/Linux, Windows XP/Vista/7, Red Hat Linux.
Network Security Tools: Nmap, Wireshark, Metasploit, Nessus, QualysGuard, SSLDigger, SSLSmart, SSLScan.
Cloud Platforms: AWS, Azure, GCP.
Security Assessment: Penetration Testing, Source Code Review, DAST, SAST, IAST, SCA, RASP, Threat Modeling, Manual Ethical Hacking.
DevOps Tools: Jenkins, Docker containers, Kubernetes.
Web Servers: Apache Tomcat, NGINX, JBoss, JRun, IIS, WebSphere.
Protocols: OpenID Connect, OAuth, SAML, RADIUS, SS, Kerberos.
Frameworks: ISO 27001, ITIL, COBIT, CMMI.
SDLC: Agile, Scrum, Kanban, Waterfall.
Encryption: AES, PGP, SSH, SSL.
Compliance and Knowledge: OWASP Standards, SANS Top 25, PCI Compliance, Security Regulations.
Observability: Splunk, Grafana.
WORK EXPERIENCE
Client: Credit Suisse (Investment Banking) Raleigh, NC
Sr. Application Security Engineer Jul 2022 – Present
• Led comprehensive software and cloud infrastructure security assessments, including threat modeling, risk-based assessments, and vulnerability management for applications.
• Identified and mitigated advanced application security issues such as Server-Side Request Forgery (SSRF) and Domain Takeover vulnerabilities.
• Led the implementation and management of API identity and access management controls, including OAuth 2.0, OIDC, and JWT, ensuring secure authentication and authorization processes.
• Successfully implemented API security measures using Cloudflare, ensuring robust protection of API endpoints.
• Developed comprehensive mitigation plans to address identified vulnerabilities, significantly reducing the organization's risk exposure.
• Applied robust cryptography controls across various stages of data lifecycle, ensuring data protection at rest, in motion, and in use. Leveraged encryption techniques to safeguard sensitive information and maintain compliance with security standards.
• Expertise in decrypting API traffic for security inspection using protocols such as mTLS and TLS 1.3.
• Managed APIs using MuleSoft and Apigee, ensuring secure and efficient API gateway operations.
• Streamlined API management processes, leading to a 25% improvement in API performance and security.
• Collaborated with API teams to design and document secure API design patterns, ensuring adherence to best practices and security standards. Successfully developed secure API design patterns, reducing potential vulnerabilities and enhancing overall security.
• Led projects to design, implement, and support security-focused tools and services, including automated security assessments and incident response systems.
• Participated in security compliance efforts by implementing controls and processes to meet regulatory requirements such as FedRAMP and NIST.
• Developed and delivered training materials for general security awareness and specific security technologies, ensuring that staff were well-informed about security best practices.
• Utilized SCA tools to generate comprehensive reports on open-source software risks and provided actionable recommendations for mitigation.
• Conducted thorough penetration testing on various applications using tools such as Burp Suite, OWASP ZAP, and Metasploit.
• Developed and executed comprehensive security testing plans, including SAST, DAST, and IAST, to identify and address vulnerabilities in NG911 applications.
• Led the integration of Checkmarx SAST into the development workflow, significantly reducing the number of security vulnerabilities in production.
• Integrated SCA tools like Blackduck and Snyk into CI/CD pipelines to automate the detection and management of open-source vulnerabilities.
• Performed manual penetration testing to uncover complex security issues that automated tools might miss.
• Ensured compliance with ISO 27001 Information Security Management System (ISMS) standards.
• Conducted security code reviews using Veracode, identifying and addressing critical vulnerabilities in application code.
• Developed custom security rules and configurations in Checkmarx to align with the organization’s security policies.
• Trained development teams on best practices for addressing findings from SAST tools like Veracode and HP Fortify.
• Performed in-depth reviews of design documents and completed implementations to identify potential vulnerabilities related to authentication, authorization, and input data validation.
• Identified critical, high, medium, and low vulnerabilities based on the OWASP Top 10 and prioritized them accordingly.
• Performed offensive and defensive security measures, including vulnerability analysis, bug fixing, and securing APIs using SoapUI.
• Used the OWASP Testing Guide to conduct comprehensive security assessments and penetration tests.
• Ensured compliance with NIST information security documentation, including NIST SP 800-53 and NIST SP 800-171. Conducted security assessments and evaluations, focusing on secure design and implementation practices.
• Utilized AWS services such as S3, IAM, Lambda, EC2, and API Gateway to enhance cloud security and ensure compliance with security standards.
• Developed and maintained comprehensive Security Orchestration, Automation, and Response (SOAR) playbooks, automations, scripts, jobs, and custom RESTful API integrations to enhance security operations.
• Integrated various security tools and platforms (e.g., SIEM, EDR, threat intelligence platforms) with SOAR solutions to create a cohesive and automated security ecosystem.
• Employed offensive security techniques to simulate real-world attacker behavior during Red Team exercises.
• Ensured that cloud services and applications comply with industry regulations and standards, such as GDPR, HIPAA, PCI DSS, and others. Conducted regular audits and assessments to maintain compliance and implement necessary changes to meet regulatory requirements.
• Utilized tools like Nmap and Nessus to perform threat hunting and identify potential security threats in applications and network infrastructure.
• Developed and maintained threat models using a range of methodologies such as STRIDE, DREAD, CVSS and attack trees.
Client: State of Texas Austin, TX
Sr. Application Security Engineer Jul 2019 - Jun 2022
• Collaborated with cross-functional teams to prioritize and address security vulnerabilities, ensuring timely resolution and minimal impact on development cycles.
• Developed and enforced security policies and procedures to align with compliance requirements. Provided training and awareness programs to educate staff on compliance obligations and best practices.
• Set up and configured security monitoring tools to detect and respond to security incidents, anomalies, and potential breaches in real-time. Leveraged solutions such as Splunk, ELK Stack, and SIEM (Security Information and Event Management) systems for comprehensive security monitoring.
• Collaborated with cross-functional teams to integrate security measures into the CI/CD pipeline, ensuring continuous monitoring and compliance with industry standards.
• Provided training sessions and workshops to developers on understanding and mitigating vulnerabilities listed in the OWASP Top 10 and SANS Top 25.
• Conducted threat modeling sessions and security reviews, explaining complex vulnerabilities and their implications to stakeholders with varying levels of technical expertise.
• Implemented the OWASP Application Security Verification Standard (ASVS) to ensure thorough security verification.
• Implemented the NIST Cybersecurity Framework to manage and reduce cybersecurity risk.
• Performed internal audits to ensure ongoing ISO 27001 compliance.
• Collaborated with application development and site reliability teams to incorporate SAST into the CI/CD pipeline using tools like Jenkins.
Client: PenFed Credit Union Washington, DC
Application Security Engineer Nov 2017 - Jun 2019
• Conducted dynamic and static application security testing (DAST & SAST) using tools like Checkmarx.
• Leveraged Python and Java proficiency to develop custom tools for automating threat model updates based on evolving threat landscapes.
• Collaborated with cross-functional teams to prioritize and remediate vulnerabilities identified by SAST tools.
• Developed and delivered security awareness training programs for employees.
• Collaborated with development teams to address security vulnerabilities and perform code reviews.
• Utilized Python for automation scripts, Splunk for log monitoring, and Jenkins for CI/CD pipelines.
• Expertise in using GitHub.
• Hands-on development experience in Java and utilized Git and Bitbucket for source control.
• Assisted in remediating security issues based on OWASP standards.
• Provided training to development teams on common vulnerabilities and code review issues.
• Integrated security tools into CI/CD pipelines to ensure continuous security monitoring and compliance.
• Implemented data encryption strategies to protect sensitive information both at rest and in transit.
• Developed and maintained security policies and procedures in line with regulatory requirements.
• Participated in security audits and assessments to identify and mitigate risks.
• Collaborated with cloud security teams to secure cloud infrastructure and applications.
• Performed code analysis and security reviews to identify potential vulnerabilities and recommend mitigations.
Client: CVS Health Corp Rhode Island
Java Software Developer Aug 2015 - Oct 2017
• Involved in all phases of the Software development life cycle (SDLC) using Agile Methodology, designed use case diagrams, class diagrams, and sequence diagrams as a part of Design Phase.
• Developed UI using Swing, JSP, JSF, HTML, CSS, JavaScript, and jQuery.
• Developed XML files and schemas and parsed them using both SAX and DOM parsers.
• Designed and Developed XSL style sheets using XSLT to transform XML and display the information on the UI screens.
• Used Splunk for Monitoring.
• Developed web applications using Spring MVC, jQuery, HTML, Bootstrap and worked on Multithreading and Collections Framework including List, Map etc. Added interactivity to the UI pages using JavaScript.
• Worked with Core Java technologies Collections, Serialization, Generics, Annotations and Exception Handling to implement Back-End Business Logic including Entity Beans and Session Beans.
• Configured Spring security in the application to secure the method calls and RESTful webservices.
• Implemented JDBC API for communicating with database layer.
• Deployed application in JBoss on UNIX.
• Coded in core Java, Servlets and JSP using the Eclipse IDE.
• Used Log4j and commons-logging frameworks for logging the application flow.
• Involved in Unit Testing using JUnit and Integration of Use Cases.
• Used version control tools like SVN for source code and project documents.
• Created and maintained API documentation using Swagger/Open API.
• Conducted performance testing and optimization to ensure application scalability and reliability.
• Worked closely with product owners and business analysts to gather and refine requirements.
• Developed and maintained build scripts and automated deployment scripts using Shell scripting.
• Ensured compliance with security best practices and conducted regular security assessments.
• Developed custom annotations and AOP (Aspect-Oriented Programming) for cross-cutting concerns such as logging and security.