Over 6 years of experience specializing in Cyber Security with a focus on Web Application and API Penetration Testing.
Proficient with a suite of security tools including Burp Suite, Fiddler 2.0, DirBuster, OWASP ZAP Proxy, SQLMap, Nmap, Nessus, ReadyAPI, Postman, Gpg4win Kleopatra, Micro Focus Fortify, WebInspect, and Metasploit for comprehensive vulnerability assessments and penetration testing.
In-depth knowledge of security frameworks and risk methodologies such as OWASP Top 10, CVSS, NIST, and FedRAMP.
Competent in both manual and automated approaches for bug analysis across various applications.
Experienced in scrutinizing web services, detecting business logic flaws, and ensuring the integrity of enterprise integrations.
Proficient in the implementation of Secure SDLC principles and embedding security within DevSecOps pipelines.
Adept at evaluating third-party libraries for vulnerabilities using tools like Snyk and Nexus IQ Server.
Functioned as a technical consultant, managing diverse analysis tasks and audits for security tool utilization across multiple projects.
Self-directed professional able to deliver under limited supervision and tight schedules.
A proactive collaborator, effectively engaging in team-based settings.
Excellent communication, analytical, and problem-solving skills, supported by strong capabilities in coordination, documentation, project planning, and interpersonal relations.
Overview
8 years of professional experience
1 Certification
Work History
Security Consultant
S
08.2022 - Current
Conducted comprehensive web application and API security testing for a premier banking institution, utilizing advanced tools such as Postman, ReadyAPI, and custom scripts to uncover vulnerabilities.
Expanded security testing scope to include thick client applications, employing Wireshark for network traffic analysis, and SQLMap for database security assurance.
Incorporated the use of Linux-based security tools and Burp Suite for in-depth penetration testing and security assessments of client-server applications. Instrumental in integrating security testing practices within the DevSecOps pipeline, automating security scans, and embedding security checks within the CI/CD process.
Played a crucial role in implementing threat modeling in collaboration with the application monitoring team, ensuring log analysis conformed precisely to OWASP's Top 10 API security risks.
Utilized Symantec DLP to monitor and analyze security incidents, focusing on identification and remediation of incidents involving potential data leakage.
Leveraged Splunk for sophisticated log monitoring, aiding in swift detection of anomalous activities and security breaches within the application environment.
Crafted detailed security assessment reports and communicated findings to project managers and development teams, elucidating risks and remediation strategies for identified vulnerabilities.
Worked diligently to translate technical vulnerabilities into business impacts, allowing for informed decision-making by non-technical stakeholders.
Collaborated directly with development teams to discuss identified vulnerabilities and their severity, promoting understanding of impact on application security and emphasizing importance of prompt and effective remediation.
Web Application Pen Tester
ASM Research
11.2021 - 10.2022
Worked in Application Security to perform web application pen tests of DOH Marketplace applications.
Conducted network and application penetration testing, web application security reviews, and source code security analysis for internal clients.
Performed manual and automated vulnerability assessment of web applications using Burp Suite, Postman, Micro Focus Fortify, Kali Linux, OWASP ZAP Proxy, etc.
Manually verified different classes of vulnerabilities found by manual assessment, including critical vulnerabilities such as DOM-based XSS, CSRF, and SQL Injection.
Developed proof-of-concept exploits that allowed the business to understand risk, resulting in speedy remediation.
Detected and reported potential security misconfigurations that posed risks to client systems, along with recommended preventive measures.
Performed application risk assessments and threat modeling.
Identified Critical, High, Medium, and Low vulnerabilities in applications based on the OWASP Top 10 and prioritized them based on criticality.
Managed internal and external security assessments, risk analysis, and system- or application-level vulnerability testing, reviews, and mitigation.
Analyzed security vulnerability data to identify applicability and false positives.
Identified injection, business logic, authentication, session management, and related flaws in applications, outlining attack scenarios and the associated risk to the business.
Scheduled and coordinated activities with our development teams in the planning, execution, and mitigation of identified vulnerabilities.
Worked closely with the DevOps team to set up Micro Focus Fortify within the Jenkins CI process to perform scheduled scans for around 15 applications.
Web Application Pen Tester
InterSec, Inc
10.2016 - 01.2021
Focused on providing vulnerability and risk advisory services covering all of the client's IP addresses.
Identified vulnerable systems and false-positive vulnerabilities, and prepared high-risk systems for remediation.
Performed semi-automated and manual Web Application and Network Penetration Testing utilizing multiple tools including, but not limited to, Burp Suite, Netsparker, Tenable Nessus, SQLMap, AppDetective, custom scripts, Metasploit, Nmap, netcat, and other tools within the Kali Linux toolset.
Performed security assessment, penetration test, and report creation to identify security risks, threats and vulnerabilities of networks, systems, applications, and related components
Performed static code reviews using Fortify for all major programming languages, with manual validation of scan results to eliminate false positives.
Developed exploit code using Burp Suite
Identified attacks like SQLi, XSS, CSRF, RFI/LFI, logical issues.
Skills
Proficient in IT security, IDS, IPS, Vulnerability/Risk Assessment, manual source code review, security audit, and many others