Ravi Monavarty
Recruiters Notes:
Ravi has 12+ years of IT experience, working as an information security professional with around 6+ years of experience in Security Architecture Reviews, Threat Modeling, SAST and DAST, and Penetration Testing for web, mobile, web services and cloud platforms, and 4+ years in Risk and Compliance. Expertise in manual exploitation and mitigating security findings including, but not limited to, the OWASP Top 10 and SANS 25.
Skill Matrix:
Skill                   Experience
Information Security    10+ Years
OWASP Top 10            06+ Years
Veracode                04+ Years
Penetration Testing     02+ Years
SAST and DAST           06+ Years
Vulnerability           10+ Years
Technical Skills:
Security Architecture/Threat Modeling: Microsoft Threat Modeling Tool (TMT)
Source Code Analysis Tools: HP Fortify, IBM AppScan Source, Veracode, Checkmarx
Dynamic Analysis Tools: IBM AppScan, HP WebInspect, Nexpose/Rapid7, AppSpider, Imperva Database Scanner
Network Security Testing Tools: Nmap, Metasploit, Nessus, QualysGuard
Proxy Tools: Burp Suite, ZAP
DevOps proficiency: Designing security controls, Developing security plans, Implementing security programs, Symantec Endpoint Protection, Qualys Cloud Platform, Nagios monitoring software, Wireshark, Data security
Certifications:
Certified Information Security Manager (CISM) – ISACA
Nexpose (Rapid7) Certified Administrator
Metasploit Pro Certified Specialist
SASE Level 1 Certified – Cato Networks
CEH8 Certified Ethical Hacker (GM)
Educational Details:
Master's in Power Systems Engineering, Osmania University, Hyderabad, India
Bachelor of Engineering in Electrical & Electronics, Andhra University, India
Professional Experience
E*TRADE from Morgan Stanley
Alpharetta, GA
Principal Cybersecurity, May 2019 – Present
Responsibilities:
Overall experience in web application security, mobile application security, network vulnerability assessment, resource management and project planning.
Performing static source code analysis using HP (Micro Focus) Fortify and Checkmarx.
Scanning the configuration of various databases with the Imperva Database Scanning tool; involved in weekly database scan schedules, finding vulnerabilities and reporting them to tech owners; coordinating with the development team on remediation efforts.
Experienced in Qualys security monitoring to continuously discover and secure global IT assets, using modules such as AssetView, Cloud Agent, Vulnerability Management and Web Application Scanning (WAS).
Collaborating with development team to remediate the vulnerabilities identified in web or mobile based applications.
Performed security assessments for the applications hosted in AWS, Azure and provided security risk mitigations to the development team.
Experience in integrating AWS applications with Jenkins CI/CD pipeline and performed automated security tests.
Performing dynamic vulnerability assessments using HP WebInspect and Qualys.
Having strong knowledge on best security practices centered around AWS cloud.
Performing network penetration testing using QualysGuard, Nessus, etc.
Performing manual testing for OWASP Top 10 vulnerabilities to exploit and mitigate security threats such as XSS, CSRF, SQL injection, buffer overflows and DoS attacks.
Performing Mobile Application Security Assessment (MGS) including Android & iOS platforms.
Performing port/SSL version scans using Nexpose/Rapid7 and Insight VM respectively.
Communicating identified vulnerability findings to clients/customers and recommending appropriate mitigations.
Assessing and classifying the risk of identified vulnerabilities based on security impact, likelihood and business risk.
Preparation of Test Setup, Security Test Area Coverage definition, Test Plan and Test Cases for new features/implementation.
Evaluate how the application protects data in use, in transit, and at rest.
Acting as a subject matter resource in specific programming languages and web application environments.
Propose vulnerability risk level and estimated level of remediation effort.
Reporting trending data on overall AppSec vulnerabilities and divisional metrics to the leadership team.
Coordinated with AppSec owners, business owners and technical owners on the remediation effort for AppSec vulnerabilities and open-source vulnerabilities.
Created a dashboard of third-party penetration test findings for E*TRADE and Gradifi systems.
Created business owner and technical owner data for all Linux assets from different sources in E*TRADE and loaded it into the database table. Involved in integrating CMDB data with TVM portal data.
Involved in Morgan Stanley/E*TRADE integration projects with multiple companies, Shareworks and Eaton Vance.
Equifax
Alpharetta, GA
Sr. Application Security Consultant, Aug 2018 – April 2019
Responsibilities:
Performed manual penetration attack simulations on client products to determine and exploit security flaws.
Detailed and thorough static and dynamic analysis for Android and iOS platforms.
Performed manual and automated static code analysis using HP Fortify and Checkmarx.
Designed security test suites for in-scope web and mobile-based applications.
Performed interception attacks using web proxies such as Burp Suite and ZAP.
Experienced in Agile/scrum methodology.
Training application developers in secure coding techniques and helping to integrate security into the ASDLC.
Experience in using penetration testing tools and methodologies such as OWASP Top 10, HP WebInspect, IBM AppScan, Fortify, Nessus, Acunetix, Burp Suite, the Firefox add-ons XSS Me and SQL Inject Me, SoapUI and others, to determine the security of web applications developed on different platforms such as Microsoft .NET, Java, J2EE, AJAX and PHP.
Possess an in-depth understanding of emerging technologies and their commercial applications.
Performed dynamic vulnerability assessments using HP WebInspect and Qualys.
Working to enhance the Software Development Life Cycle (SDLC) by adding security to remove vulnerabilities and protect business logic.
Establishing a security program for the SDLC: capturing the current application architecture, leading the overall application review process, identifying application vulnerabilities, proposing architectural changes, and designing, coordinating and implementing these changes at the procedural and technological levels.
Performing detailed Quality Assurance (QA) reviews of web-based applications, identifying and validating application vulnerabilities and performing actual remediation at the architectural and source code levels.
General Motors
Roswell, GA
Application Software Security Lead, Jan 2014 – July 2018
Responsible for reviewing end to end control documentation for Applications, Infrastructures, and Supplier managed-externally hosted applications.
Provided control consultation for Identity & Access Management, Change Management, Disaster Recovery, Job scheduling, Data management, Privacy laws, legal and regulatory requirements.
Contributed to the datacenter transformation: identified the current pain points and initiated process improvements.
Communicated with senior management and the IT department and delivered assessment findings, non-compliance progress and remediation plans in various governance meetings and forums.
Ensured the team and supporting applications were in compliance with the organization's Information Security Policy and Procedures.
Analyzed scan results from Fortify SCA scans and provided a detailed overview of vulnerabilities, including definition, risk and remediation.
Experienced in Qualys security monitoring to continuously discover and secure global IT assets, using modules such as AssetView, Cloud Agent, Vulnerability Management and Web Application Scanning (WAS).
Reviewed the results of penetration tests on high-risk web applications in the firm that deal with critical financial, client information and assessed the likelihood and impact.
Provided awareness trainings on Information security policies, standards, and supporting materials to reduce risk with the assistance of the Director of Technology.
Validated IT risk acceptances, policy exceptions and deviations from standards, and ensured compensating controls were documented, assessed and approved by senior management.
Coordinated with various suppliers, shared GM IT control policies and processes, reviewed the control artifacts and ensured adherence for supplier-managed IT applications.
Assisted Code Management integrating Jenkins with HP Fortify Static Code Analysis tool.
Initiated requests for conducting technical audit vulnerability assessments and recommended the risks to be remediated.
Directed the ownership of project management process from project initiation to closure including planning, scoping, estimation, architectural review, tracking, budgeting, resource allocation, risk mitigation and status reporting to customers and senior management within pre-set deadlines & parameters.
Ensured the adherence to Quality norms and SLA.
Communicated and coordinated with development teams in various verticals: Global Purchasing & Supply Chain, Manufacturing, and Customer Care application modules.
Worked with development teams (at different USA innovation centers) and project managers in Europe and the USA.
Developed Selenium login and workflow scripts (Qualys) for all dynamic scan applications.
Valuable experience in Secure SDLC and source code analysis with HP Fortify (manual and automation tools) and Jenkins CI/CD on web-based applications.
Lockheed Martin
Atlanta, GA / Charleston, SC
Sr. Security Engineer, Mar 2010 – Dec 2013
Responsibilities:
Dynamic and static scans were planned in each sprint for all projects developed during this period; for example, the Supply Chain Design R1 release was deployed successfully without any security issues.
Coordinated and helped to build the team, and resolved Jenkins and TFS build problems.
Conducted SAST and DAST with tools such as HP Fortify, IBM AppScan, WebInspect, Nmap and Nessus.
Mentored development team members on all security processes.
Worked with HP WebInspect to discover and secure global IT assets, vulnerability management and web application scans (WAS).
Knowledge and industry experience in vulnerability assessment and penetration testing of web-based applications, mobile-based applications and infrastructure.
Good experience in Secure SDLC and source code analysis with HP Fortify (manual and tools) on web-based applications.