Network Security/Systems Engineer
Mohammed Ali
C: (817) 659-4903
Email: m.ali001300@[Link] LinkedIn: [Link]
PROFESSIONAL SUMMARY:
Overall 12+ years of experience as a Network Security/Systems Engineer in various domains such as Web
Application/Thick Client Security Testing, Vulnerability Assessment, Cloud Computing, Azure DevOps,
Azure Active Directory, Penetration Testing, Automation Testing and Generating reports using tools.
Background/understanding of Software Development Lifecycle.
Excellent knowledge in CWE, OWASP Top 10, and WASC Threat Classification 2.0 methodologies.
Experience in penetration testing with Kali Linux: Snyk, Nmap, Nessus, Nexpose, Wireshark, ProxyChains,
Enum4linux, Password Cracking, TCPDump, PWDump, FGDump, Metasploit.
Responsible for the management and administration of processes and tools that enable the organization to identify,
document, and access intellectual capital and information content.
Application Security Analysis for some of the major Clients using HP Fortify & IBM AppScan.
Experience with using a framework to evaluate and analyze mobile devices, applications, mobile environments,
and supporting infrastructures and to identify design weaknesses and vulnerabilities.
Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, authentication
bypass, weak cryptography, authentication flaws etc.
In-depth experience with log search tools such as Splunk, usage of regular expressions and natural language
queries
Good experience with system vulnerability detection and mitigation. Good Understanding of Web
Technologies HTTP, HTML & CSS.
Good Understanding of compliance and regulatory requirements like PCI DSS, SOX & HIPAA.
Good Understanding in Pen testing and Automation testing of Mobile applications, both Android and iOS.
Served as primary security liaison on infrastructure, application and database projects and day-to-day app/data
activities.
Experience using a wide variety of security tools to include Kali-Linux, Wireshark, L0phtcrack, Snort, Cain
and Abel, Nikto, DirBuster, IBM AppScan, Nessus, OpenVAS, W3AF, BeEF, Ettercap, Maltego.
Experience in different web application security testing tools like Acunetix, Metasploit, Burp Suite,
CryptoAPI, RestAPI, SOAR, SIEM, SQLmap, OWASP ZAP Proxy, Nessus, Nmap and HP Fortify.
Knowledge of log formats and ability to aggregate and parse log data for syslog, http logs, DB logs for
investigation purposes.
Knowledge of network security zones, Firewall configurations, Palo Alto, Cisco, and IDS policies.
Proficient in Linux operating system configuration, utilities, and programming.
Broad knowledge of hardware, software, and networking technologies to provide a powerful combination of
analysis, implementation, and support.
Sound knowledge and industry experience in Vulnerability Assessment and Penetration Testing on WEB
based Applications, Mobile based application, Azure DevOps & AD and Infrastructure penetration
testing.
Extensive experience working with Qualys Guard to conduct Network Security assessments.
Worked as a key member in streamlining security processes, design and implement efficient security solutions
achieving security efficiency.
Excellent team player, enthusiastic initiator, and ability to learn the fundamental concepts effectively and
efficiently.
Possess strong technical writing and presentation skills to articulate the vulnerability assessment process end to end
to any audience.
Expert ability with scripting languages such as Selenium, Python, PowerShell, Polaris CLI and Git Bash
Having good experience in Secure SDLC and Source Code Analysis (Manual & Tools) on WEB based
Applications.
TECHNICAL SKILLS:
Vulnerability Testing Tenable Nessus, NMAP, OpenVAS, QualysGuard, SNMP
Application Security Websense, IBM Rational AppScan, Burp Suite, Paros, HP WebInspect, HP Fortify, SQLmap,
Nikto, Metasploit, Kali Linux, Openstack/Ansible, Checkmarx, Synopsys, Snyk, Rapid7
DevSecOps: Jenkins, Maven, Docker Container, GitHub, TFS, BOTO3, AWS CLI, AWS, CloudWatch,
AWS Config, OSS. Black Duck & Coverity, Polaris/Synopsys, Seekers, Cloud Computing,
Azure DevOps, Azure Active Directory
SIEM Tools TSIEM, HP Arc Sight, Qradar, Splunk, Solarwinds, Selenium, Dynatrace
Penetration Testing Wireshark, Metasploit Framework, OOP/OOD
Languages & Databases HTML, JavaScript, Java Code, PHP, SQL, Python, .NET, Git Bash, Polaris CLI, Bitbucket
EDUCATION:
• Bachelor of Commerce from Osmania University
CERTIFICATIONS:
• Certified Ethical Hacker (CEH)
• Cisco CCNA Certified
• CompTIA A+ Certified
• MCSE Certified
SECURITY SKILLS/TOOLS:
Network Enumeration: Maltego, Google Hacking, DNS, SMB, LDAP, AWS
Port/Vulnerability Scanning: Nmap/Nmap Scripting Engine (NSE), Netcat, Nessus, OpenVAS
Sniffing/Man-in-the-Middle: Wireshark, Ettercap, Cain & Abel
Web Application Vulnerability Scanning: Nessus, OpenVAS, Vega, HP Fortify, Acunetix, HP
WebInspect, Synopsys, IBM AppScan, Burp Suite Pro.
Server/Client-Side Exploitation: Metasploit, Social Engineering Toolkit (SET).
Password Cracking: Hydra, Rainbow Crack, L0phtCrack, John the Ripper, Pyrit.
Web Application: Manual SQL Injection, Manual Cross Site Scripting (XSS), Cross site request
forgery (CSRF), SQLmap. Java
Networks Cisco/Juniper/Palo Alto/Firewalls, AWS Services: EC2, Lambda, CloudWatch,
CloudFormation, Cloud Computing, Bitrise, Azure DevOps, Azure Active Directory
Debuggers: OllyDbg, WinDbg.
Wireless: Aircrack-NG Suite and Kismet.
PROFESSIONAL SUMMARY
Bank Of America, TX May 2023 – Present
Network/Systems Engineer
Providing Production Support for multiple infrastructure applications and systems, while driving continued IT
Operations Management service improvements. Working towards automation, and elimination of systems and or process
bottlenecks. Lead and coordinate timely issue resolution for critical applications in partnership with other technicians
from database, web service, network, storage, OS system admin, application developer, and management teams.
Experience with Java, UNIX OS/DMZ servers, Perl and Python scripting, SQL query, System Analyst, web services,
monitoring (MIPS) documentation, DC (Data Center) exercise, change control, troubleshooting, PowerShell, and process
improvement.
• Drive standardization for new onboarding processes and controls.
• Research and implement processes and technological improvements.
• Establish and improve monitoring to measure end-to-end performance and end-user availability of systems via a
suite of common monitoring tools.
• Providing support to the Engineering team, Request for Production Server Breakglass for server access.
• Develop, test, and deploy automated workflow in support of the IT business.
• Troubleshoot, resolve system issues, server details on DSS RunBook.
• Deliver technical documentation for all projects completed. Pull Incident reports using MicroStrategy for
eSMART – ITSM Remedy.
• Perform root cause analysis for recurring problems by partnering with other teams to develop long-term
resolutions, including implementing preventative measures to minimize problems and production outages.
• Manage and implement production changes, releases, and upgrades in a collaborative environment in
accordance with lifecycle methodology and risk guidelines and data management.
• Manage activities related to maintenance of the application systems that are running the daily operations of the
firm.
• Monitor Production environments / scheduled jobs and identify improvement to monitoring.
• Supports the 24x7 day-to-day maintenance of the infrastructure application systems in operation, including
tasks related to identifying, troubleshooting, and resolving application and data issues.
• On-call coverage requirements to support break-fix needs.
• Strong UNIX, Linux, Wintel, Perl/Shell/Python scripting.
• PgAdmin/SQL/Database queries for data extraction.
• Develop custom automation to streamline support processes.
• Strong problem root cause diagnosis skills and desire to learn processes, new products, applications, and
technology.
• Submitting ARM (Access Request and Provisioning), my technology request for software and hardware.
• MIPS (Monitoring Information Process Suite) adding the servers to MRD for monitoring and SiteScope alerts,
Putting servers on iMon, MaintMode for certain period.
• Resolving and documenting incident and service tickets in a timely manner according to Service Level
Agreements (SLAs) on ITSM Remedy queue or assigned completion dates.
• Great soft skills – People and communications skills.
• Good proficiency in system, network, security and database operations, protocols, and industry standard
technologies.
• Experience with supported tools such as: myCTO, MIPS, iMON, JFrog, Cutover, MatterMost, TML (Trusted
Media Library) Dynatrace, Splunk, GIS portal, AppHQ (Enterprise Application Management), DSSAPPS
Server Information RunBook, Swagger UI, Tableau, SCCM, Tanium, F-DNS, BladeLogic, Horizon Artifactory,
True sight Orchestration.
• Experience in command line interfaces (CLI), third party APIs and integration.
• Experience in server administration with Red Hat Enterprise Linux and Windows Server
• Good understanding of developing fault tolerant solutions and knowledge in horizontal scaling and
resiliency/HA.
• Ability to juggle competing priorities and adapt to changes in project scope.
US Bank, TX
Systems Engineer Jan 2022 – May 2023
• Responsibilities include preventing and protecting against unauthorized access, maintaining the integrity and
confidentiality of critical data against internal and external threats.
• Ensuring enterprise-level endpoint protection and encryption; and simplifying the security toolset by implementing
superior products that cover many security vectors without impeding systems' performance or diminishing user
experience.
• Possess strong technical writing and presentation skills to articulate the vulnerability assessment process end to end
to any audience.
• Creating Active Directory Groups and sending Azure Onboarding Forms to System Managers for the Application
for Azure SSO Tasks, SSO implementations, BURM Approvals, Validate work in Test and Dev environment.
• Working on Azure Active Directory for test and production environment and as well Azure DevOps for User
Stories.
• Working on Azure SSO tasks, SSO MRA Applications, Azure Active Directory, and connecting to CA Privileged
Access Manager Client.
• Updating the SSO Applications Organizer and Attend weekly meetings for updates.
• Maintain knowledge of current security trends and advisories, develop regular communication to develop a
wide security awareness across the firm’s stakeholders.
• Assist management to develop the strategy for the future direction of the Information Security Management
System.
• Other Adhoc Activities like monthly and weekly report creations. Scheduling meetings with different application
teams for understanding future pipelines for applications.
• Focus on the tools, processes, and methods needed to design, implement, and test complete systems and to adapt
existing systems as the environment evolves.
• Ensure Cybersecurity processes are incorporated in system design, development, automation testing, SAML
Integration and implementation.
• Applies understanding of the current threat landscape, in general and specific to both the Financial Services
field and the firm and uses that operational awareness and threat intelligence data to drive decision-making.
• Understands actual business requirements and ensures those drive assessment and guidance.
• Create and maintain custom rulesets within the tooling to account for false positives, trending threats, and areas
of focus. Generate reports to DevSecOps team on regular basis on the repositories and the branch scanned.
• Identifies and determines root cause analysis for failed scans. Works with proper teams toward resolution.
• Works with development and engineering teams to convey findings and risk, assisting with remediation
strategies and risk assessment.
• Strong experience in web security and federation protocols (Firewalls, Palo Alto, SSL/TLS, REST, Snyk,
OAuth, SAML, LDAP-S, SAML, CA PAM, WS-Federation, SCIM, OAuth, and OIDC, XSS, etc.)
• Verifies remediation of security findings using commit histories and rescans of code.
IHG Hotels and Resorts, Atlanta, GA
Application Security Analyst Jun 2021 – Dec 2021
• Serve as a primary technical security resource on all product development.
• Perform design reviews and technical security assessments to highlight risk and help engineering teams improve
the overall security of the products.
• Design and implement security best practices and standards across varied engineering teams and environments.
• Implement and conduct code reviews with a combination of static testing, automation testing, manual reviews,
and dynamic analysis / pen-testing.
• Understanding of all development environments, build tool like Splunk, Jenkins, Maven, NPM, Gradle,
Tomcat, Spring, Apache etc.
• Conduct threat modelling, identify & drive risk decisions, and influence technical designs and architectures.
• Engage with developers to provide remediation support, triage results and generating CSV reports.
• Perform security reviews of new services and features. Cloning repositories and adding YAML files.
• Build tools to simplify and automate Vulnerability Management processes.
• Possess strong technical writing and presentation skills to articulate the vulnerability assessment process end to end
to any audience.
• Providing engineering designs to mitigate security vulnerabilities in new software solutions.
• Design and implement tooling and automation for application security HP, Synopsys, Selenium, Veracode,
Checkmarx (Synopsys is the primary tool) (e.g. SAST/DAST/IAST/SCA in CI/CD)
• Performing regular security testing as well as code reviews for improving the software security
• Maintaining technical documentation related to software security.
• Ensuring software security at all levels of architecture
• Staying updated with latest tools and advanced industry practices for software security.
• Strong experience in web security and federation protocols (Firewalls, Palo Alto, Snyk, SSL/TLS, REST,
OAuth, SAML, LDAP-S, SAML, WS-Federation, SCIM, OAuth, and OIDC, XSS, etc.)
• Develop and execute an appropriate security testing strategy for each engagement, including performing
software security testing, automation testing against applications, platforms, and systems.
• Analyze testing results that are generated from SAST tooling and identify and suppress false positives.
• Create and maintain custom rulesets within the tooling to account for false positives, trending threats, and areas
of focus. Generate reports to DevSecOps team on regular basis on the repositories and the branch scanned.
• Identifies and determines root cause analysis for failed scans. Works with proper teams toward resolution.
• Works with development and engineering teams to convey findings and risk, assisting with remediation
strategies and risk assessment.
• Verifies remediation of security findings using commit histories and rescans of code.
• Contributes to the development of standard methodologies and SDLC activities through reporting and
publishing of findings to facilitate new design approaches to deter these defects from reoccurring.
• Ability to break down complex or vague problems and step through them in a rational way.
• Shows flexibility in thinking and ability to evolve a solution when additional information or ideas are presented.
• Decisions and recommendations distinguish between near term mitigation and required future investments.
• Actively helps team members/make suggestions to improve practices.
• Perform Manual assessment on Java/.Net applications for the results from the AppScan to eliminate false
positives and report the High, Medium, and Low issues.
• Analyze the enterprise's information security environment and recommend security measures to safeguard
applications and information assets using threat modeling, OWASP, CWE, CVE and PCI DSS.
• Make decisions that show a focus on current and future business priorities, together with fiscal responsibility.
• Applies understanding of the current threat landscape, in general and specific to both the Financial Services
field and the firm and uses that operational awareness and threat intelligence data to drive decision-making.
• Understands actual business requirements and ensures those drive assessment and guidance.
Global IT Associates, Toronto, ON Dec 2017 – May 2021
Security Analyst
• Conducting Vulnerability Assessments using IBM AppScan to evaluate attack vectors, Identify System
Vulnerabilities and Develop remediation plans and Security Procedures.
• Conducting Web Application Vulnerability Assessment & Threat Modelling, CryptoAPI, RestAPI, SOAR,
SIEM, Splunk, Gap Analysis, secure code review on the applications.
• Drive cloud security standards through developing architecture and work with application teams to ensure the best
solutions are implemented to support cloud initiatives.
• Identify the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and
SANS 25 and prioritizing them based on the criticality.
• Work with the internal development team to relay customer feedback and incorporate it into our agile
development process.
• Utilize and Implement OWASP Top Ten issues, WASC and CWE's into Security Testing efforts.
• Support the development and maintenance of program level Information Assurance A&A process activities and
related documentation such as systems concept of operations, system security design, implementation plans, and
operational procedures.
• Work with different application teams to help them understand the vulnerabilities listed and provide
recommendations to fix the same.
• Provide timely incident response to all system and/or network security breaches on Firewalls/Cisco/Juniper/Palo
Alto, AWS Services: EC2, Lambda, Snyk, CloudWatch, Cloud Computing, CloudFormation etc.
• Perform Man-in-the-Middle attack by intercepting the Wireless parameter of (iPhone) mobile on wireless
network.
• Organize Kick off meetings with the application teams to understand the application security requirements,
application flow, functionality, architecture, and the technology.
• Maintain strong working relationships with individuals and groups involved in managing information risks
across the organization.
• Score the vulnerabilities based on CWE / CVSS scoring system.
• Hands on Experience in conducting web application security scan using IBM AppScan, HP WebInspect and
Acunetix.
• Use Network monitoring tools to ensure network connectivity and Protocol analysis tools to assess and
pinpoint networking issues causing service disruption.
• Generate and present reports on Security Vulnerabilities to both internal and external customers.
• Experience in using Kali Linux to do vulnerability assessment with tools like DirBuster, Nessus, and NMap.
• Responsible for exploiting the critical threats that were reported during the scanning phase.
• Report the final findings, which includes the successful exploits and the recommendations to rectify them so as to
make the network secure.
• Expertise in using the DAST tools (Like IBM AppScan and Burp Suite Pro) while the application is running to
penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party
interfaces.
• Maintain knowledge of current security trends and advisories, develop regular communication to develop a
wide security awareness across the firm’s stakeholders.
• Ensure Cybersecurity processes are incorporated in system design, development, automation testing, and
implementation.
• Assist management to develop the strategy for the future direction of the Information Security Management
System.
• Other Adhoc Activities like monthly and weekly report creations. Scheduling meeting with different application
teams for understanding future pipelines for applications.
• Perform source code analysis (Python, Selenium, .Net) to find the vulnerabilities at the code level and providing
mitigation techniques to the developers.
• Develop plan to implement regular threat assessments to identify and address vulnerability risks.
• Perform Manual assessment on Java/.Net applications for the results from the AppScan to eliminate false positives
and report the High, Medium, and Low issues.
• Use the tool called ComDroid to detect the mobile application communication vulnerabilities.
• Participate in the development, architecture, documentation and improvement of security monitoring and operational
systems to include Threat Vulnerability Scanning / Analytics, including configuring dashboards / metrics views
into the current operational state, alert response.
• Assist developers in remediating issues with Security Assessments with respect to OWASP standards.
• Analyze the enterprise's information security environment and recommending security measures to safeguard
applications and information assets using threat modeling, OWASP, CWE.
• Assist in review of business solution architectures from security point of view which helps avoiding security related
issues/threats at the early stage of project.
• Use SAST tools (Like HP Fortify and SonarQube) to test source code, byte code to expose weaknesses in the
software before it is deployed.
• Providing KT to Development team for better understanding of Vulnerabilities.
Bonafide Inc., ON May 2014 – Dec 2017
Security Analyst
Responsibilities
• Identified the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and
SANS 25 and prioritizing them based on the criticality.
• Managed SIEM user accounts (create, delete, modify, etc.)
• Created client-specific Watch Lists if necessary.
• Attended Vendor-specific meetings and conferences for Business and Professional development.
• Created innovative solutions to automate and reduce timeframes for operational changes as well as initial
installation of the platform.
• Collaborated with internal and enterprise security teams in the support of systems related to prevention &
protection, detection, recovery, remediation.
• Managed appliance or virtual appliance OS and SIEM software.
• Conducted Web Application Vulnerability Assessment & Threat Modeling, CryptoAPI, RestAPI, Snyk,
SOAR, SIEM, Splunk, Gap Analysis, Secure Code review on the Applications.
• Assisted developers in remediating issues with Security Assessments with respect to OWASP standards.
• Used SAST tools HP Fortify & VCG to test source code, Byte code to expose weaknesses in the Software before it
is deployed.
• Developed in-depth knowledge on our current security posture and the strategic vision for Enterprise-wide
security, including current policies and secure development methodologies.
• Performed DAST on the web applications using Burp Suite Pro, OWASP ZAP to identify security weaknesses and
provide remediations.
• Performed Manual assessments on the source code (Java, .Net & Selenium, Python) to look for security weakness
inside the code.
• Developed and provided security metrics to track systems status, vulnerabilities, risks, and efforts to effect process
or system improvements on Firewalls/Cisco/Juniper/Palo Alto, AWS Services, EC2, Lambda, CloudWatch,
Cloud Computing, CloudFormation
• Performed Mobile penetration testing, automation testing and using Open-source tools and validate results by
eliminating false positives.
• Organized meetings with application teams to help them understand OWASP Top 10 Methodologies and provide
remediations for vulnerabilities.
• Responsible for performing vulnerability assessments using tools like Nmap, Nessus & Qualys and perform
assessments on thick client applications.
• Performed Web application and Source code assessments to make sure applications are compliant with PCI DSS
requirements.
• Participated in daily scrum meetings & security assessment meetings.
Shaw Direct, Mississauga, ON Mar 2012 – May 2014
Security Engineer
Responsibilities:
• Established vulnerability assessment practice, proactively ensuring safety of Client-facing applications, and
minimizing client audit findings.
• Implemented, configured, and managed multiple vulnerability assessment tools such as Nexpose, Nessus.
• Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to
rework on issues identified during penetration tests.
• Expertise in using the DAST tools (Like IBM AppScan and Burp Suite Pro) while the application is running to
penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party
interfaces.
• Performed security analysis and identifying possible vulnerabilities in the key derivation function, create
Vulnerability Assessment report detailing exposures that were identified, rate the severity of the system &
suggestions to mitigate any exposures & testing known vulnerabilities.
• Performed threat modeling of the applications to identify the threats.
• Mitigate/correct security deficiencies identified during security/certification testing and/or recommend risk
acceptance for the appropriate senior leadership.
• Identified issues in the web applications in various categories like Cryptography, CryptoAPI, RESTAPI, Snyk,
SOAR, SIEM, Splunk, Exception Management.
• Worked on installation, configuration, and administration and troubleshooting of LAN/WAN infrastructure.
• Risk assessment on the application by identifying the issues and prioritizing the issues based on risk level.
• In the team, focus of work was to audit the application prior to moving to production.
• Daily administrative tasks, reporting and communication with the relevant departments in the organization.
• Prepared the risk register for the various projects in the client by performing risk assessment using NIST
framework and quantitative approach. Scoring the vulnerabilities based on CWE / CVSS scoring system.
• Burp Suite, DirBuster, HP Fortify, NMap, QualysGuard tools were used as part of the penetration testing, on
daily basis to complete the assessments.
• Used SAST tools (Like HP Fortify and SonarQube) to test source code, byte code to expose weaknesses in the
software before it is deployed.
• Worked closely with the Vulnerability Management and application teams to ensure secure transition of applications
into production.
• Provided fixes & filtering false findings for the vulnerabilities reported in the scan reports. Adding new
vulnerabilities to the Vulnerability Database for various platforms with proper exploits.
• Assisted in preparation of plans to review software components through source code review or application security
reviews on Firewalls/Cisco/Juniper/Palo Alto.
• Assisted developers in remediating issues with Security Assessments with respect to OWASP standards.
• Provided remediation to the developers based on the issues identified.
• Revalidated the issues to ensure the closure of the vulnerabilities.
• Verified if the application has implemented the basic security mechanisms like Job rotation, Privilege escalations,
Least Privilege and Defense in depth.
• Used various add-ons in Mozilla to assess the application like Wappalyzer, Flagfox, Live HTTP Header, Tamper
data.
Loblaws Inc., Mississauga, ON Jan 2010 – Feb 2012
Security Engineer
Responsibilities:
• Conducted network Vulnerability Assessments using tools to evaluate attack vectors, Identify System
Vulnerabilities and develop remediation plans and Security Procedures.
• Worked with the Program Managers and Technical subject matter experts to perform Vulnerability
evaluation, assist in System Architecture Design, and Risk Management using Approved Security Tools.
• Uncovered high Vulnerabilities at the Infrastructure level for Internet facing Web sites.
• Helped establish and implemented a framework for Identity and Access Management leveraging Corporate best
practices, Standards and Tools.
• Used SAST tools (Like HP Fortify and SonarQube) to test Source code, Byte code to expose weaknesses in the
Software before it is deployed.
• Worked closely with Risk assessment team to provide them with the proof for the Vulnerabilities exploited for the
final report.
• Provided fixes & filtering false findings for the Vulnerabilities reported in the scan reports. Adding new
Vulnerabilities to the Vulnerability Database for various platforms with proper exploits.
• Extensive Interaction with Onsite Coordinator in understanding the business issues, requirements, doing
exhaustive analysis and providing end-to-end solutions.
• Conducted Web Application Vulnerability Assessment & Threat Modelling, Gap Analysis, secure code review
on the applications.
• Developed and provide security metrics to track systems’ status, Vulnerabilities, Risks, and efforts to effect
process or System improvements.
• Utilized and Implement OWASP Top Ten issues, WASC and CWE's into Security Testing efforts.
• Analyzed the enterprise's information security environment and recommending security measures to Safeguard
applications and information assets using threat modeling, OWASP, CWE.
• Responsible for Providing application security consulting SME Support to developers.
• Utilized QualysGuard as primary tool to monitor tickets and vulnerabilities.
• Used SAST tools (Like HP Fortify and SonarQube) to test source code, Byte code to expose weaknesses in the
software before it is deployed.
• Expertise in using the DAST tools (Like IBM AppScan, HP WebInspect, Acunetix and Burp Suite Pro) while
the application is running to penetrate the application in various ways to identify potential vulnerabilities outside
the code and in third party interfaces.
• Performed Man-in-the-Middle attack by intercepting the Wireless parameter of iPhone on wireless network.
• Created and defined Nexpose vulnerability scanning rules for assessing security posture and compliance.
• Performed vulnerability scans using QualysGuard, report findings, create remediation plan.
• Performed Vulnerability Assessments using Paros Proxy, Burp Suite, Web Scarab, YASCA, and Maltego.
• Hands on Experience in conducting web application security scan using IBM AppScan, Snyk, Burp Suite,
Splunk, DirBuster, HP Fortify, NMap tools. Java were used as part of the penetration testing, automation
testing, on daily basis to complete the assessments.
• Provided KT to Development team for better understanding of Vulnerabilities.
Triad Guaranty Insurance, Winston Salem, NC Jan 2009 – Jan 2010
Security Engineer
Responsibilities:
• Worked with the Program Managers and Technical subject matter experts to perform Vulnerability
evaluation, assist in System Architecture Design, and Risk Management using Approved Security Tools.
• Uncovered high Vulnerabilities at the Infrastructure level for Internet facing Web sites.
• Helped establish and implemented a framework for Identity and Access Management leveraging Corporate best
practices, Standards and Tools.
• Conducted network Vulnerability Assessments using tools to evaluate attack vectors, Identify System
Vulnerabilities and develop remediation plans and Security Procedures.
• Used SAST tools (Like HP Fortify and SonarQube) to test Source code, Byte code to expose weaknesses in the
Software before it is deployed.
• Worked closely with Risk assessment team to provide them with the proof for the Vulnerabilities exploited for the
final report.
• Other Adhoc Activities like monthly and weekly report creations. Scheduling meeting with different application
teams for understanding future pipelines for applications.
• Assisted in review of business solution architectures from security point of view which helps avoiding security
related issues/threats at the early stage of project.
• Expertise in using the DAST tools (Like IBM AppScan, HP WebInspect, Acunetix and Burp Suite Pro) while
the application is running to penetrate the application in various ways to identify potential vulnerabilities outside
the code and in third party interfaces.
• Assisted in the design of systems security infrastructure and provided technical security guidance as needed for
projects.
New York State OMRDD, Schenectady, NY Jan 2007 – Dec 2008
Security Engineer
Responsibilities:
• Expertise in using the DAST tools (Like IBM AppScan and Burp Suite Pro) while the application is running to
penetrate the application in various ways to identify potential vulnerabilities outside the code and in third party
interfaces.
• Performed security analysis and identifying possible vulnerabilities in the key derivation function, create
Vulnerability Assessment report detailing exposures that were identified, rate the severity of the system &
suggestions to mitigate any exposures & testing known vulnerabilities.
• Performed threat modeling of the applications to identify the threats.
• Identified issues in the web applications in various categories like Cryptography, Exception Management.
• Worked on installation, configuration, and administration and troubleshooting of LAN/WAN infrastructure.
• Risk assessment on the application by identifying the issues and prioritizing the issues based on risk level.
• In the team, focus of work was to audit the application prior to moving to production.
• Daily administrative tasks, reporting and communication with the relevant departments in the organization.
• Prepared the risk register for the various projects in the client by performing risk assessment using NIST
framework and quantitative approach. Scoring the vulnerabilities based on CWE / CVSS scoring system.
• Burp Suite, DirBuster, HP Fortify, NMap, tools were used as part of the penetration testing, on daily basis to
complete the assessments.
• Scanned systems and review and validate vulnerability scan results at the Operating System (OS) and application
level and perform detailed analysis in support of OS and application-level vulnerabilities.
• Analyzed the enterprise's information security environment and recommending security measures to safeguard
applications and information assets using threat modeling, OWASP, CWE.
• Used Network monitoring tools to ensure network connectivity and Protocol analysis tools to assess and
Pinpoint networking issues causing service disruption.
• Used SAST tools (Like HP Fortify and SonarQube) to test source code, byte code to expose weaknesses in the
software before it is deployed.
• Worked closely with the Vulnerability Management and application teams to ensure secure transition of applications
into production.
• Provided fixes & filtering false findings for the vulnerabilities reported in the scan reports. Adding new
vulnerabilities to the Vulnerability Database for various platforms with proper exploits.
• Assisted in preparation of plans to review software components through source code review or application security
review.
Worked in Middle East from 1992 to 2006 as Security Engineer