Home

Deepala Vm - security engineer

[email protected]

Location: Bentonville, Arkansas, USA

Relocation:

Visa:

VM Deepala PROFESSIONAL SUMMARY: Over 5 years of professional IT Experience in Security Testing particularly focused on performing technical activities such as Source Code review, Vulnerability Analysis, Security Architecture, Penetration testing, IT Risk Assessments, Secure Application Testing based on tools. Experience in Threat Modeling during Requirement gathering and Design phases. Experienced with embedded processors used in Automotive and IOT Devices Hands on experience with SAST and DAST using tools like HP Fortify, HP Web Inspect, Check Marx and IBM Appscan Excellent knowledge in OWASP Top 10, SANS 25, and WASC Threat Classification 2.0 methodologies. Worked with engineers and development teams to ensure that architecture solutions are compliant with security frameworks such as NIST 800-53, FedRamp, ISO 27001/27002, HIPPA, COBIT, PCI etc. Skilled in performing both manual and automated security testing for web, mobile applications based on OWASP and CWE/SANS publications. Extensive experience designing and implementing secure architecture solutions on AWS, ensuring the confidentiality, integrity, and availability of applications and data. Generated detailed penetration testing reports, documenting identified vulnerabilities, their potential impact, and recommended mitigation strategies to enable proactive security measures. Experience in maintenance and management of the MSSQL cluster database for the jira/Confluence/Bit Bucket systems. Implemented Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments. Good experience to provide remediation consultation to organizations and system owners, ensuring vulnerabilities are remediated IAW DISA/NIST and Cyber Threat Intelligence research Expert level skills with Linux servers, VMs and embedded devices. Experienced in developing cryptographic and hashing algorithms. Utilized industry-leading tools and technologies such as Metasploit, Burp Suite, Nmap, Wireshark, and Nessus to perform vulnerability assessments and penetration testing. Skilled in conducting threat modeling exercises to identify and mitigate potential risks within AWS environments, collaborating with cross-functional teams to implement appropriate security controls. Experience in Security, Risk and Compliance Management and RISK Management methodologies. Good experience in Web technologies like HTTP, HTML, CSS, Forms, Database Connectivity. Having good experience in Secure SDLC and Source Code Analysis (Manual &Tools) on WEB based Applications. Experienced in performing analysis of the results from penetration test to identify the risks that need to be taken care of immediately. Ethical/Black Hat hacking of mobile, embedded & wireless devices (Android, iOS, Linux) Experienced in developing cryptographic and hashing algorithms. Have technical knowledge on network security domains such as SAML, Siteminder, Openld, and Kerberos. Generated and presented reports on Security Vulnerabilities to both internal and external customers. Ruby on Rails, Node.js, C#, IOS, Android, C++, Java, ASP.Net, Mainframes, Apex and IV Generation Configurations/JavaScripts. TECHNICAL SKILLS Tools: App Detect, App Rador, Cyber Ark, Oracle Identity Manager, Oracle Access Manager, Hijack, Metasploit Pro, Whitehat Sentinel, ZED attack proxy, SQLMAP, Web Scarab, Paros, Nmap, BMC Blade Logic, Nessus, Rapid7 Nexpose Cloud: AWS (EC2, AWS S3, AWS SAS, AWS SNS, ECS, ELB, Embedded programming: FTDI, NECV850, TriCore, Android Scripting: jQuery, Ext JS, Angular JS, Node JS Languages: Python Scripting, C, C++, Java, .Net and Android Enterprise Integration: Kafka, API Services, Microservices, Rest Services. Web Services, JMS, MQ, EJB, FTP, JMS, Adapters, JSON & XML CERTIFICATIONS: Certified Ethical Hacker (CEH) v9 Bachelors in computer science- Jntuk 2018 Masters in Cyber Security UNT 2021 PROFESSIONAL EXPERIENCE: Client: Wal-Mart, Bentonville, AR Oct 2021- Till date Role: Security Engineer/Penetration Tester Responsibilities: Challenge suppliers to improve effectiveness in Vehicle Cybersecurity Created methodology, mentored and trained internal penetration testing team on various embedded security topics Developed and implemented solutions using AWS Cloud platform and its features which includes 2, VPC, ECS, AMI, SNS, RDS, SQS, EBS, CloudWatch, CloudTrail, CloudFormation, Auto scaling, CloudFront, IAM, S3, and Route53. Development of assorted testing/build scripts as needed using Selenium WebDriver/IDE written in Python and BASH. Assisted in the implementation of a company-wide cybersecurity strategy, including the use of Black Duck for open-source component analysis. Conducted comprehensive penetration tests on enterprise networks, identifying and exploiting security vulnerabilities to assess the overall security posture. Set up DBs in AWS using RDS and configured instance backups to S3 bucket. Performed Application Security assessments (DAST and SAST) at the enterprise level to identify report and remediate security vulnerabilities from applications deployed in DEV/CAT, DR and PROD environments. Managed client requirements and configured SailPoint IIQ connectors. Conducted threat modeling exercises to identify potential attack vectors related to input handling and developed risk mitigation strategies to protect against them. Conducted weekly meetings with developers to remediate security issues. Work closely and collaboratively with Information Security Officers (ISOs), IT Portfolios, and Business units to support their needs Conducted in-depth vulnerability assessments and penetration testing to identify and address security weaknesses. Developed automated security testing scripts using tools like OWASP ZAP and Burp Suite, specifically tailored to assess the security posture of Java applications. Conduct internal and external security audits based on standard cybersecurity frameworks from ISO 27002, COBIT, NIST, OWASP and Cloud Security Alliance Deployed, managed scalable and fault-tolerant systems on AWS. Implemented fixes and patches to address security vulnerabilities in Java codebase, ensuring timely resolution and protection against potential exploits. Collaborated with IT teams to enhance network security and ensure the effective deployment of security measures. Conducted in-depth vulnerability assessments and penetration testing to identify and address security weaknesses. Collaborated with clients to define penetration testing objectives, scope, and rules of engagement, ensuring alignment with their specific security requirements and compliance standards. High Availability - Front end and Back End successful Implementation, Infrastructure Monitoring, Services monitoring to the customer IAM environment. Act as an advocate of information security policies, standards, controls and as an enabler to the business while managing risk appropriately Participated in red teaming exercises to evaluate the organization's overall security posture. Collaborated with regulatory compliance teams to ensure penetration testing activities align with legal and industry compliance requirements, such as GDPR, CCPA, and SOX. Conducted Dynamic and Static Application Security Testing (SAST & DAST). Played a pivotal role in incident response activities by analyzing input-related security incidents, identifying the root causes, and implementing corrective measures to prevent recurrence. Created Pingaccess Identity mappings to work through pingaccess gateway Managing cloud security products (i.e. Cloud Conformity, Evident.io, Dome9, Redlock.io, etc.) Automated Veracode with Jenkins (CI/CD) to run scans daily. Configured Ticker, Front-end and Back-end machines using Exceed software. Prepared Threat modelling reports for the different projects Perform vulnerability assessment and Penetration Testing on Networks and Applications. Automated Checkmarx with Bamboo (CI/CD) to run scans on a daily basis. Source code using IBM AppScan Source, triage and resolve the security vulnerabilities. Providing fixes & filtering false findings for the vulnerabilities reported in the scan reports. Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud environment. Conducted thorough penetration testing and security assessments to identify and rectify input validation weaknesses, reducing the attack surface and bolstering the overall security posture. Built VPCs from scratch and used AWS Cloud Formation to create private, public subnets, network access lists and configured internet gateways. Collaborated with developers to integrate security requirements and practices into the software development life cycle (SDLC), resulting in the reduction of vulnerabilities in Java applications. Used Burp suite to Manual Penetration Testing for internal sites Built VPCs from scratch and used AWS Cloud Formation to create private, public subnets, network access lists and configured internet gateways. Responsible for Data loss prevention (DLP) and service interruptions. Performed security assessments and penetration testing on AWS infrastructure and applications to identify and remediate vulnerabilities. Collaborated with cross-functional teams to design and implement appropriate security controls to mitigate identified risks. Exposure to wild fire advance malware detection using IPS feature of Palo Alto. Monitor critical infrastructure including firewalls, IDS/IPS devices, virtual networks, vulnerability scanners, VPNs, WANs, and disaster recovery sites Review and updated System Security Plan (NIST SP), Risk Assessment (NIST SP) and Security Assessment Report (NIST SP A). Enforced enterprise-wide work force to PingID for MFA. Manage Splunk (SIEM) configuration files like inputs, props, transforms, and lookups. Upgrading the Splunk Enterprise and security patching. Collaborated with API development teams to ensure secure design and implementation of Java-based APIs, utilizing techniques such as input validation, authentication, and authorization. Experience in deploying and monitoring applications on various platforms using Elastic BeanStalk, setting up the life cycle policies to back the data from AWS S3 to AWS Glacier. Performed penetration testing for external facing web applications. Security areas covering DMZ architecture, threat modeling, secure coding practices (i.e., OWASP standards) and vulnerability analysis were assessed. Initiated projects to create disaster recovery plans for identified gaps. Adina IT Service, Hyderabad, India June 2018 - June2021 Security Test Engineer Responsibilities: Perform threat modelling of the applications to identify the threats. Implemented and managed the Black Duck Hub vulnerability scanning tool to identify and mitigate open source software security risks. Identify issues in the web applications in various categories like Cryptography, Exception Management. Integration of SAST and DAST tools with Jenkins in agile development process. Creating security testing pipeline in Jenkins for code review and penetration testing Risk assessment on the application by identifying the issues and prioritizing the issues based on risk level. Providing remediation to the developers based on the issues identified. Revalidate the issues to ensure the closure of the vulnerabilities Build efficient, reusable front-end components and infrastructure Explanation of the security requirements to the design team in initial stages of SDLC to minimize the efforts to rework on issues identified during penetration tests. Verify if the application has implemented the basic security mechanisms like Job rotation, Privilege escalations, Lease Privilege and Defense in depth. Conducted regular security assessments of software codebases and provided actionable recommendations to development teams. Using various add on in Mozilla to assess the application like Wappalyzer, Firebug, Live HTTP Header, Tamper data, Cooki. Collaborated with developers to integrate Black Duck scans into the CI/CD pipeline, ensuring continuous security checks. Work with internal customers to create front-end web applications that focus on quick, interactive, visual data representation and quick searching techniques for large text document datasets. Designed and developed security-based tools and applications. Developed security templates and deployment scripts for Java applications to ensure consistent and secure cloud deployments. Maintained a comprehensive software component inventory, monitoring for vulnerabilities and tracking remediation efforts. Generated technical reports containing security-based findings. Document secure coding guidelines and run training programs to assist internal development personnel Conducted detailed root cause analysis of security incidents and breaches affecting Java applications, identifying systemic issues and proposing preventive measures. Worked closely with the legal and compliance teams to ensure open-source license compliance. Conducted security awareness training sessions for development teams to promote secure coding practices. Collect application vulnerability metrics and introduce automated security checks into application build process Performed manual penetration testing to exploit and mitigate security threats such as CSRF, XSS, Buffer Overflows, SQL injections and DOS Attacks etc., Keywords: cprogramm cplusplus csharp continuous integration continuous deployment message queue javascript sthree information technology hewlett packard Arkansas