Application Security Practice Lead Resume
San Francisco, CA
SUMMARY:
- Experienced Application Security Risk Management professional specializing in Application and Software Security Development and Testing. As an AppScan Enterprise SME he has created the first AppScan Enterprise Cloud offering called AppCurity which is AppScan as a Service.
- His skill sets include Application and Software Security Assessments, Implementations and Integration. He has been responsible for providing Secure Software Development Lifecycle guidance, securing web applications developed in Java, Ruby, .net and PHP utilizing known secure coding best practices.
- He has led Application Security Testing activities utilizing Confidential AppScan Enterprise version 9.0, HP Web Inspect, Burp Suite, HP Fortify SCA, Confidential Security AppScan Source for Analysis, Veracode, Checkmarx, Netsparker and NTOSpider. He utilizes the OWASP Top Ten list as the framework for all of his projects, as well as incorporating the OWASP ESAPI Library and F5 WAF as primary software security solutions. Mr. Sheppard has extensive experience planning and implementing security testing efforts, while leading Security Testers, QA Engineers and Software Developers.
- His for multiple security s along with his drive to apply technology and processes to identify, manage, and resolve risk will make him an excellent addition to your team. He is available for immediate consideration.
TECHNICAL SKILLS:
- Confidential App Scan v 8 - 9
- HP Web Inspect v 10.0
- Cenzic Hailstorm Ent
- Burp Suite Pro
- Qualys WAS v 2.0
- Tamper Data
- HP Fortify SCA v 3.1 - 4.0
- HP Fortify 360 Server
- Netsparker
- App Detective Pro
- Confidential App Scan Ent v9.0
- CheckMarx
- Firebug
- ModSecurity WAF
- Metasploit Pro
- BeEF
- Imperva WAF
- Confidential Security AppScan Source for Analysis
- SQL Map
- Pinata CSRF Tool
- Nmap ver 5.0
- XSS Proxy
- OWASP DirBuster
- Veracode
- Akamai WAF
- Paros
- NTOSQL Invader
- F-5 WAF
- OWASP ESAPI
- NTOSpider
- Acunetix WVS
- Parasoft
- BackTrack 5
- WebScarab
PROFESSIONAL EXPERIENCE:
Confidential
Application Security Practice Lead
Responsibilities:
- Implemented and Deployed Confidential AppScan Enterprise and Confidential Security AppScan Source for Analysis, Development and Automation ver. 9.0 across multiple client environments.
- Integrated Confidential AppScan Enterprise and Confidential Security AppScan Source for Analysis, Development and Automation ver 9.0 into QRadar, Site Protector, ThreadFix, Microsoft TFS, Jenkins, Jira, F5 WAF and Imperva WAF.
- Conducted Dynamic, Static, Mobile and Manual application security testing using Confidential AppScan Enterprise, Confidential Security AppScan Source and Burp Suite Pro.
- Provided Intermediate and Advanced Confidential AppScan Enterprise and Confidential Security AppScan Source ver 9.0 End-User.
- Provided Intermediate and Advanced Java and .net Secure Coding to client development organizations.
- Provided Internal Sales Teams with Pre-Sales Engineering Support for Confidential AppScan Product Demos and Confidential AppScan Proof-of-Concept (P.O.C) trials.
- Produced Application Security Documentation (Security Requirements, Secure Coding Guidelines, Standards, Policies, Process Documents and Guides).
Confidential
Sr. Application Security Manager
Responsibilities:
- Led Americas, EMEA and APAC Application Development, QA, PMO, Risk, Infrastructure and Security teams with all Application Security Initiatives and projects.
- Provided Executive Summaries and Risk Advisement to Executive VPs and CIO.
- Managed all 3rd Party Application Security Vendors (Trustwave, Veracode, Confidential and Coalfire).
- Coordinated with Sr. Level Management to integrate Application Security into Risk, Development, Q/A, Infrastructure, Security and PMO organizational processes.
- Implemented and Integrated Confidential AppScan Security Source for Analysis, Remediation, Developer and Automation into Continuous Build Integration (Maven, TFS and Jenkins) for SAST.
- Implemented Confidential AppScan Enterprise ver 9.0.1 for DAST in Global Enterprise
- Implemented Application Security into Global SDLC Toll Gate PMO Process
- Developed Application Security Vulnerability Management Program, Standards and Policies including Remediation and Risk Acceptance into Global Risk Management Process
- Interviewed, Hired, and Led Sr. Application Security Architect, SAST/DAST SME, Software Security Developer, Ethical Hacker and Application Security Engineer to achieve organizational goals.
- Developed Global Application Security Awareness Program
- Served on the Global Change Control Committee
- Developed 2015 Global Application Security budget which included vendors, staff resources, technology purchases, etc.
- Reduced Global Business Risk 40% by implementing Global Application Security Management.
- Developed Global Application Security Business Risk KPI metrics
- Developed Global Application Security Program which aligned to Global Business Goals, Milestones and Objectives.
- Environment: Confidential AppScan Enterprise Premium 9.0.1, Confidential Security AppScan Source for Analysis (Development, Automation and Remediation), Confidential Rational License Key Server and Administrator, SQL Server 2008, Microsoft Windows Server 2K8 and 2K12, IIS 7, AD, Visual Studio ver 14.0 and .net 4.0.
Confidential
AppScan Security Source for Analysis SME
Responsibilities:
- Architect, Set-up, Install, Configure, Deploy and Administrate Confidential AppScan Enterprise Premium ver. 9.0.0.1 on four virtual Windows 2008 and 2012 servers.
- Architect, Set-up, Install, Configure, Deploy and Administrate Confidential Security AppScan Source for Analysis ver. 9.0.0.1.
- Install and configure Confidential Security AppScan Source for Development (Visual Studio Plug-in).
- Install and configure Confidential Security AppScan Source for Development (Eclipse Studio Plug-in).
- Deliver Maven 3.2.1 and Confidential Security AppScan Source for Automation Integration.
- Development of SBC Application Security SSDLC PMO Tollgate Process
- Create Confidential AppScan Enterprise and Confidential Security AppScan Source for Analysis Runbook
- Create Confidential AppScan Enterprise and Confidential Security AppScan Source for Analysis End-User Guides
- Develop SBC Application Security Requirements
- Develop SBC Secure Coding Guidelines
- Deliver Confidential AppScan Enterprise and Confidential Security AppScan Source for Analysis End-User for VB.net, Java and I-Series RPG development teams.
- Deliver Confidential AppScan Enterprise End-User for SBC Q/A teams
- Provide Application Security SSDLC Tollgate Process to SBC PMs
- Provide Secure Coding to SBC VB.net, Java and I-Series RPG development teams
- Conduct Confidential AppScan Enterprise and Confidential Security AppScan Source for Analysis DAST and SAST testing on Sallybeauty.com and Cosmoprof.com
- Develop SBC Web Application Security Testing Methodology
- Perform PCI 3.0 Requirement 6 Gap Analysis for SBC
- Develop Confidential AppScan Enterprise and Confidential AppScan Source for Analysis Implementation / Secure Coding Program Work Breakdown Structure (WBS)
- Environment: Confidential AppScan Enterprise Premium 9.0.0.1, Confidential Security AppScan Source for Analysis (Security, Automation and Development), Confidential Rational License Key Server and Administrator, SQL Server 2008, Microsoft Windows Server 2K8 and 2K12, IIS 7, AD, Visual Studio ver 14.0 and .net 4.0.
Confidential
Sr. Application Security Manager
Responsibilities:
- Install, Configure, Deploy, Support and Administrate Confidential AppScan Enterprise Premium 9.0 on RackSpace cloud environment.
- Perform Dynamic Application Security Testing and Exploitation (UI and Web Services) on all LesConcierges web applications, and 3rd Party Client sites (Visa, Amex, JPMC and Bank of America) using Confidential AppScan Enterprise Premium 9.0, Burp Suite Pro, Confidential Source for Analysis and Netsparker utilizing OWASP and WAHH Testing Methodology.
- Provide security vulnerabilities (XSS, CSRF, SQLi, DDoS, etc.) remediation support to Java, .net, ASP.net and Salesforce developers.
- Provide Secure Coding to software development teams using LC Secure Coding Guidelines and Requirements.
- Lead PCI DSS 2.0 / 3.0 Compliance Project to ROC and AOC.
- Environment: Confidential AppScan Enterprise 9.0, Burp Suite Pro, Confidential Source for Analysis, License Key Administrator, SQL Server 2008, Microsoft Windows Server 2K8, IIS 7 and MS .net 4.0
Confidential
Sr. Application Security Tester
Responsibilities:
- Perform Dynamic Application Security Testing and Exploitation (UI and Web Services) on Wells Fargo banking web applications using Confidential AppScan Enterprise Premium 9.0, Burp Suite Pro, HP Fortify SCA 4.0 and Netsparker utilizing OWASP and WAHH Testing Methodology.
- Environment: Confidential AppScan Enterprise Premium 9.0 and Burp Suite Pro.
Confidential
Sr. Information Security Engineer
Responsibilities:
- Perform HP FOD Standard and Premium Application Security Testing and Exploitation (UI and Web Services) on 100 Nestle and Genworth Financial web applications using HP Web Inspect, Burp Suite Pro, HP Fortify SCA 4.0 and Netsparker utilizing METHOS and WAHH Testing Methodology.
- Environment: HP Web Inspect, Burp Suite Pro and HP Fortify SCA v 4.0
Confidential, San Francisco CA
Sr. Information Security Engineer
Responsibilities:
- Lead all Application Security Testing and Exploitation (UI and Web Services) using AppScan Standard v 8.6, NTOSpider, Netsparker, SQLmap and Burp Suite Pro in Agile SDLC utilizing WAHH, OWASP Testing Guide and OSSTM Methodology.
- Working with Developers, QA Engineers, Project Managers and Business Owners to educate and implement industry best practices for remediating software security vulnerabilities.
- Creating and managing an Application Security Metrics Dashboard, using Sharepoint, Splunk, MongoDb, google charts and fusion charts.
- Environment: Confidential App Scan Standard v8.6, Burp Suite Pro, NTOSpider and Netsparker
Confidential, Foster City CA
Sr. Information Security Specialist / Application Security Test Lead (Green Team)
Responsibilities:
- Lead all Application Security Testing and Exploitation (UI and Web Services) using AppScan Enterprise v 8.6 and Burp Suite in Agile SDLC utilizing WAHH, OWASP Testing Guide and OSSTM Methodology.
- Conduct Threat Modeling Analysis for V.me personal, business, developer, VDC, VPP and Visa.com
- Perform Manual Code Reviews using Firebug, Eclipse and CheckMarx
- Review, Analysis and Validation of AppScan Dynamic Security testing findings
- Provide security vulnerabilities (XSS, CSRF, SQLi, DDoS, etc.) remediation support to Java, .net, PHP and Ruby developers
- Review, Analysis and Validation of Veracode Static Code Analysis findings
- Lead Planning, Installation, Deployment and Support of AppScan Enterprise v 8.6 Platform throughout Visa, Cybersource, Playspan, Fundemo and VPS
- Responsible for conducting manual code review, static code analysis, dynamic security testing and manual penetration testing for V.me and Visa.com which consist of over 60 applications and 36 domains
- Review and Analysis of 3rd Party Web Application Penetration Test Findings prior to implementation
- Deliver AppScan Enterprise v 8.6 Security Testing to Developers and QA Engineers
- Provide OWASP Top Ten to QA Engineers and Software Developers
- Guide usage of ESAPI Encoder, CSRF Guard and Validator of the OWASP ESAPI Library
- Provide support to the Imperva & Akamai Web Application Firewall NSWG
- Provide Secure Coding to software development teams using Visa Secure Coding Guidelines
- Deliver Veracode and Confidential Ounce Security Testing to Developers
- Create custom Injection and Scripting attacks/exploits for Application Security Testing
- Environment: Confidential App Scan Enterprise v8.6, Burp Suite v 4, Confidential Ounce and Veracode
Confidential, Detroit MI
Application Security Test and Secure Coding Lead
Responsibilities:
- Lead all Application and Infrastructure Security Testing for Blue Cross Blue Shield of MI
- Lead, Manage, Plan, Support and Implement the Secure Coding Program within BCBSM
- Manage and Assign security testing projects to Security Testing Team members
- Develop, Validate, Assemble, Submit and Quality Review all Security Testing Draft and Final Reports
- Manage Security Testers and Secure Coding Developers
- Review and Approve all base and project Change Control requests through CA-SCM and HP Service Manager
- Create, Design and Implement all Security Test Plans for project and base Security Testing within BCBSM
- Develop and Document Application Security Testing requirements, guidelines and standards
- Develop and Document all Secure Coding requirements, usage, guidelines, standards and processes
- Develop, Document and Execute all Test Cases for Security Testing
- Utilize and Implement OWASP Top Ten issues, WASC and CWEs into Security Testing efforts
- Develop and Document Procedures and Methodology for Security Testing efforts
- Implement and Maintain the OWASP ESAPI Library throughout BCBSM
- Implement, Configure, Administrate and Maintain the F-5 Web Application Firewall within BCBSM
- Perform Static, Dynamic and Manual Security Testing utilizing OWASP Testing Guide Methodology
- Train and Educate all Security Testing Team members using Aspect and Fortify CBT
- Produce weekly, monthly and quarterly security testing and secure coding status reports
- Lead developers, project team members, executive management and vendors through remediation efforts
- Integrating Threat Modeling and Test Case Strategy development throughout the SDLC
- Producing Monthly Metrics, reporting the state of application security programs and programmers of development teams against requirements
- Estimate, Schedule, Coordinate and Scope all Security Testing Projects within BCBSM
- Track and Record all discovered security testing vulnerabilities into BCBSM Risk Management Tool (Archer and Sharepoint)
- Administrate Fortify SCA, 360 and CBT support for all BCBSM developers and security professionals
- Conducted Application Security Testing on Oracle Peoplesoft, Connecture, TeamConnect, Avanti, Verint, Trizetto, Confidential Initiate, HP Service Manager, Callidus, Mckesson, HDMS, Dr. First, Taleo, Cognos, Google Search Appliance, Google Android Phone and over 100 BCBSM custom designed and developed java and .net applications.
- Create custom Injection and Scripting attacks for Application Security Testing
- Environment: Confidential App Scan v 8 - 8.5, Burp Suite v 3.5 - 4, Web Inspect v 9.2, Fortify SCA v 2.5 - 3.1.
Confidential, Troy MI
Sr. Information Security Consultant
Responsibilities:
- Served as GLBA Regulatory Compliance specialist for over 100 different credit unions including Health One Credit Union, River Rouge Credit Union, Meijer Credit Union, and Affinity Group Credit Union.
- Performed Information Security Risk Threat Assessments in line with FFIEC guidelines.
- Performed External and Internal black box and white box Penetration Testing.
- Performed Network Vulnerability Testing, Assessment, and Remediation.
- Managed five Security Engineers, two Security Architects, and two Security Testers.
- Implemented and utilized Open Web Application Security Project’s (OWASP) Top Ten issues as the core framework for projects.
- Creation of Comprehensive Information Security Programs in line with FFIEC guidelines.
- Creation and Review of Information Technology Policies, Procedures, and Plans.
- Creation and Review of Computer Incident Response Plans and Incident Handling Procedures.
- Creation and Review of Business Continuity / Disaster Recovery Plans and Procedures.
- Performed Staff Information Security Awareness with Suspicious Activities Reporting.
- Creation and Review of Vendor Oversight Program and Due Diligence Policies.
- Performed Compromise Forensics Investigation, Evidence Gathering for Expert Testimony.
- Reviewed SAS 70 Type II Audits submitted by Data Processors and Third Party Service Providers.
- Produced Sales and Business Development in financial services market; 50K per month quota.
- Performed Project management of Information Technologies Security and Compliance Engagements.
- Prospecting, cold calling, writing engagement proposals, board / Sr. Management presentations, closing.
- Configured and Administered Microsoft Windows Workstations utilizing Windows 2K, XP, and 7.
- Performed Windows hardening, logon scripts, user policies and profiles.
- Performed Configuration & Administration of Microsoft Windows Server 2K3 / 2K8 (SBS | Enterprise).
- Utilized Active Directory, SMS, WSUS, Terminal, .net, Exchange versions 6.5 and 2K8, and SQL.
- Set-up, Configuration and Administration of Cisco 1720, 1841, 2601, 2811, and 7200 Routers.
- WIC card installation and configuration, PDM, ACL, DHCP and NAT.
- Set-up, Configuration and Administration of Cisco PIX Firewalls (501, 506, 515, ASA) (VPN, PDM, ACL, DMZ, NAT).
- Set-up, Configuration and Administration of SonicWall 0 TZ UTM Appliances (VPN, NAT, DMZ, DHCP).
- Set-up, Configuration and Administration of Checkpoint UTM-1 Security Appliances (VPN, NAT, DMZ, DHCP).
- Environment: GFI LANguard Network Security Scanner ver. 8, QualysGuard Security and Compliance Suite, eEye Retina Vulnerability Scanner Suite, Fortify, Nessus Security Scanner ver. 4, Nmap ver 5.0 / Necrosoft Ncan ver. 0.9 - 2.0 / NSauditor ver. 2 / Look@Lan ver. 3
Confidential, Centerline MI
Computer Instructor / Network Administrator
Responsibilities:
- Teaching Intro to PCs with Windows 98, 2000 and XP to Kramer Middle School students.
- Teaching Office 97, 2000 and 2003 to Kramer Middle School students.
- Teaching HTML and JavaScript programming to Kramer Middle School students.
- Teaching Graphic Design (Photoshop, Illustrator & PageMaker) to Kramer Middle School students.
- Teaching PC Building and Windows Networking to UAW/NTC Chrysler employees.
- Teaching Office 97, 2000 and 2003 to UAW/NTC Chrysler employees.
- Teaching Intro to PCs with Windows 98, 2000 and XP to UAW/NTC Chrysler employees.
- Teaching Graphic Design (Photoshop, Illustrator & PageMaker) to UAW/NTC Chrysler employees.
- Teaching Intro to PCs with Windows 98, 2000 and XP to Vandyke Adult Ed students.
- Teaching Office 97, 2000 and 2003 to Vandyke Adult Ed students.
- Teaching HTML and JavaScript programming to Vandyke Adult Ed students.
- Teaching Graphic Design (Photoshop, Illustrator & PageMaker) to Vandyke Adult Ed students.
- Teaching Intro to PCs with Windows 98, 2000 and XP to Chrysler UAW Retirees.
- Teaching Office 97, 2000 and 2003 to Chrysler UAW Retirees.
EDUCATION:
- Civil Engineering, University of Detroit
- Bachelor of Science, Information Assurance and Security, Capella University
- Projected Graduation 12/17