Director Of Software Security Assurance Resume

New York, NY

TECHNICAL PROFICIENCY:

Java, TCP/IP, HTTP, TLS, HP WebInspect, HP Fortify, Burp, Zap

EXPERIENCE:

Director of Software Security Assurance

Confidential, New York, NY

Responsibilities:

  • Establish the software security assurance program consistent with FFIEC, NY DFS, NIST and BNPP Group risk, regulatory and compliance standards.
  • Develop and publish the secure architecture and supporting secure frameworks as well as standard security requirements for thick client, web and mobile applications.
  • Ensure appropriate security controls are in place and auditable.
  • Conduct secure developer training to raise the level of security awareness and promote understanding amongst development teams.
  • Evaluate tools for, and develop a process for, managing Free and Open Source (FOSS) code libraries.
  • Eradicate Java Runtime vulnerabilities in the server environment and develop a process to manage Java.
  • Institute the Security Architecture Review, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Application Penetration Testing processes and procedures to proactively integrate security testing earlier in the software development lifecycle (SDLC).
  • Manage relationships with development and operations organizations, communicate metrics, and advise senior management.
  • Lead and manage a team of 4 with a $900,000 budget.

Security Architect

Confidential, Malvern, PA

Responsibilities:

  • Provided security guidance and governance for a complex, large-scale User and Network Segmentation program, improving the overall security posture of the company.
  • Provided ongoing architectural improvements for the next generation content management system.
  • Researched, defined, documented, and communicated security requirements to drive change in the organization.
  • Helped define and test stand-alone security alert mechanisms in Amazon Web Services (AWS) using Lambda.
  • Provided expert security advice for programs and projects.

Application Security Assurance Expert

Confidential, Malvern, PA

Responsibilities:

  • Managed, coordinated and conducted an average of 75 security architecture reviews, penetration tests, code reviews and other security risk assessments per year of vendor-purchased and in-house developed thick client, web and mobile device applications and infrastructure assets.
  • Developed and continually improved policies, standards and procedures referenced by application development teams.
  • Evaluated applications and infrastructure against established policies, Standard Security Requirements, industry best practice and contemporary attack methods far beyond OWASP Top 10 in order to produce more consistently secure software.
  • Provided technical direction, mentoring and leadership in day-to-day operations for a team of 7 augmented by external consultants.
  • Described vulnerabilities in business context with regard to confidentiality, availability and integrity, resulting in greater understanding from technical teams, business teams, as well as management.
  • Rated and prioritized vulnerabilities according to a uniform risk rating methodology, so that more significant vulnerabilities were fixed sooner.
  • Composed and published draft and final assessment reports to communicate understanding of vulnerabilities and their severity to development teams and management.
  • Worked closely with development teams to establish client relationships and provide appropriate vulnerability remediation.
  • Conducted Security Architecture Reviews and Threat Modeling exercises to reveal design flaws as well as missing or broken security controls.
  • Decompiled Java binary jar files with JAD to reveal vulnerabilities in compiled code.
  • Utilized dynamic application security testing (DAST) and static application security testing (SAST) methods as well as manual attack methods to help find vulnerabilities during assessments.
  • Actively retested vulnerability fixes to ensure adequate balance between business and security needs.
  • Used metrics to track trends and drive opportunities for improvement.
  • Developed and maintained the IT Security Vulnerability Register.
  • Worked with teams to integrate security gates and testing into the DevOps pipeline.
  • Assisted in maintaining the penetration testing lab environment.
  • Produced education articles and training videos to promote awareness of application security issues throughout the organization.
  • Helped establish and grow the application and infrastructure assessment process from team inception.
  • Orchestrated the evaluation and piloted the use of passive proxies by functional testers, enabling them to find security vulnerabilities sooner in the SDLC.

Functional Test Tech Lead

Confidential, Malvern, PA

Responsibilities:

  • Verified and validated 48 common services and applications prior to delivery and incorporation by internal clients into their applications.
  • Developed test harnesses in Visual Basic (VB), Java, as well as automated test scripts.
  • Configured Windows, Unix and Linux operating systems for testing services and applications in net-centric environments.
  • Troubleshot issues and suggested fixes.
  • Created and maintained test plans and cases. Executed manual and automated test suites. Reproduced errors and verified fixes.
  • Provided technical guidance to a team of 6 others in producing and conducting automated test scripts, test plans, and test apps.
  • Built and packaged common services and applications on Windows and Unix platforms using shell scripting, batch programming and various compilers.

Quality Assurance Analyst

Confidential, West Chester, PA

Responsibilities:

  • Test bank cash vault management and e-mail conversion utility software on various platforms, including DOS, Unix, Windows 95, NT, and 3.x, for compliance with design and intent, required functionality, interoperability, usability, reliability, and performance.
  • Develop, define and implement quality assurance practices. Maintain error tracking documents.
  • Develop manual and automated test plans, scripts, and suites using Reflection Basic and Microsoft Visual Test.
  • Work closely with project team members and leaders in resolving software errors.
  • Manage builds and configuration control for all released software across all platforms; generate release media.
  • Review documentation for accuracy and clarity.