 Implemented Application Security program (DAST and SAST) at the enterprise level to identify, report and remediate security vulnerabilities from applications deployed in DEV, PRE-PROD and PROD environments. Rolled out IBM AppScan products such as AppScan Enterprise (ASE), Standard, Source, Developer plug-ins to various development teams across the business lines. Conducted monthly developer workshops to educate and train developers on secureSDLC, scan source code using IBM AppScan Source, triage and resolve the security vulnerabilities. Conducted security assessment to ensure compliance to firm’s security standards (i.e., OWASP Top 10). Specifically, manual testing has been performed to identify Cross-Site Scripting and SQL Injection related attacks within the code. Participated in the implementation of AWS Cloud security for applications being deployed in the Cloud. Developed threat modeling framework (STRIDE, DREAD) for critical applications to identify potential threats during the design phase of applications. Reviewed source code (Java/J2EE/Spring/FTL/JavaScript) and developed security filters within AppScan for critical applications. Reviewed Android and iOS mobile code for TIAA mobile apps and recommended code fixes.  Participated in the Proof of Concept (POC) in implementing Arxan application protection software for Mobile apps.

 Performed security assessments for the client-facing apps. The associated IT infrastructure such as database management systems, middleware systems, web services (SOA) were also included in the security assessments. Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web, mobile applications, including database and middleware systems. Reviewed Architecture Design Documents (ADD) and Solution overview Documents (SODs) to identify security anomalies in the system architecture and design, and provided recommendations to address data security and privacy concerns. Reviewed security vulnerability reports for applications and databases, analyzed and worked extensively with the development teams for the implementation of mitigating controls. Conducted pen testing for the Web Services (SOA) used by various travel agency partners to connect to Wyndham for booking and reservations. Implemented IBM AppScan standard, source editions, HP WebInspect and QualysGuard web application scanners. In addition, the security tools Metasploit and BurpSuite were utilized for manual penetration testing. Worked with software development teams, DB/Unix administrators and solution architects as a subject matter expert related to security compliance with PCI DSS and industry standards.

 Conducted security assessments for various applications supporting Corporate & Investment Banking, Loan, Treasury, Equities and FI businesses. The web application infrastructure such as IBM WebSphere, Apache Tomcat, and IIS web/application servers were reviewed for compliance to firm’s security baselines. Performed penetration testing for external facing web applications. Security areas covering DMZ architecture, threat modeling, secure coding practices (i.e., OWASP standards) and vulnerability analysis were assessed. Developed audit programs for IT infrastructure supporting Corporate and Investment Banking (CIB) department to facilitate end-to-end compliance with Global as well as Federal Financial Institutions Examination Council (FFIEC) guidelines and controls. Managed security assessments for various types of Operating Systems (O/S) used by the firm. The audits of RedHat Linux, Oracle Solaris, Windows (including Active Directory) and IBM AIX were conducted. Several control enhancements, specifically, on the patch management process, were recommended. Performed database management system audits across all business lines and entities in North America hub. Database servers such as, Oracle, SQL Server and Sybase were reviewed for compliance to global and local security baselines.

 Designed and developed a suite of applications used by the internal audit department, including BPlanner, OATS, and Time tracking systems. Developed server side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs) Developed graphical charts using Sitraka JClass to show department’s performance statistics. Analyzed performance issues in the application, related system configuration and developed solutions for improvement.  Developed stored procedures, views and triggers using Oracle PL/SQL. Involved in Weblogic and Tomcat application server installation and configuration in production, development and QA environments. Automated code deployment to production environment by creating tasks using ANT deployment tool.