Penetration Tester/devops Security Resume

Pittsburgh, PA

SUMMARY:

  • Application Security Specialist for the Library of confidential
  • Penetration Tester for the Citigroup Multinational Investment Banking & Financial Services (PCI DSS)
  • Penetration Tester for the largest U.S. health insurance company, Confidential Group (HIPAA)
  • Mobile Application Security Specialist for Confidential Medical
  • Penetration Tester for the Confidential
  • Security Analyst for the U.S. Marine Corps Headquarters Network Operations and Security Center
  • Systems Security Engineer for The University of Pittsburgh Medical Center
  • Web Application Penetration Tester (GWAPT) - Global Information Assurance (GIAC)
  • OWASP DevOps - The Open Web Application Security Project
  • BLACK HAT: The Web Application Hacker’s Handbook Live Edition
  • SANS SEC542: Web Application Penetration Testing and Ethical Hacking
  • Bachelor’s degree in Information Systems Management with a concentration in information security
  • Certified Information Systems Security Professional (CISSP) - ISC² (IAM Level III)
  • Certified Ethical Hacker (CEH) - EC-Council member (DOD CNDSP Auditor)
  • Project Management for IT Professionals, University of Maryland University College
  • CompTIA Security+ & CompTIA Network+ (DOD 8570.01-M IA Security Engineer IAT)
  • Customer focus and leadership experience in working with diverse and multicultural personnel.
  • Expert in time management, multi-tasking, and prioritization under pressure in fast-paced environments.
  • Recognized for team building, motivating others, problem solving and goal-oriented initiatives.

TECHNICAL SKILLS:

  • Burp Suite, HP Fortify SCA / SSC
  • HP WebInspect, IBM Security AppScan
  • AWS DevOps, Whitehat, Nessus & Nexpose
  • Metasploit Framework/Pro, SQLMap, BeEF
  • BackTrack/Kali Linux, Saint, Paros, Acunetix, ZAP, Nmap
  • Wireshark, Core Security Core Impact, Nikto, W3af, Brutus
  • Cain & Abel, Social Engineering Toolkit, PuTTY/SSH, Eclipse tool, iAuditor and Androwarn for Android, iOS Snoop-it and iNalyzer Framework
  • SIEM (Splunk, Nitro and HP ArcSight)
  • McAfee ePolicy Orchestrator (McAfee ePO)
  • IDS/IPS - intrusion detection/prevention technologies (NSM IntruShield and HBSS)
  • Symantec Enterprise Anti-Virus, BlueCoat, Check Point, and Fortinet technologies including firewalls, packet analyzers, proxies, and filters.

PROFESSIONAL EXPERIENCE:

Penetration Tester/DevOps Security

Confidential

Responsibilities:

  • Performing risk assessments throughout the DevOps / S-SDLC including OWASP manual penetration testing of mobile / web applications on Amazon Web Services (Docker / Kubernetes).
  • Performing Architectural Risk Assessment (ARA) and generating threat models (STRIDE).
  • Performing automated Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) utilizing HP Fortify / Burp Suite as well as manual code reviews (Java / Spring).
  • Conducting vulnerability analysis including mobile (iOS / Android) device forensics and reverse engineering.
  • Mitigating identified risks through incident handling and forensics (including emergency response).
  • Researching and developing security policies / documentation for evaluating nonstandard & new technologies using industry best practices / GRC compliance guidelines (CWE, CVSS, NVD-CVE, NIST, etc.).
  • Managing security projects and working with stakeholders including GRC teams to develop policies / procedures.
  • Developing & delivering assessment presentations, secure coding, corresponding remediation guidelines and documentation.

Security Analyst / Penetration Tester

Confidential

Responsibilities:

  • Penetration testing a variety of systems including mobile / web applications and services, operating systems and databases (hybrid, automated and manual penetration testing).
  • Performing and managing full scope application risk assessments throughout the Secure Software Development Life Cycle (SSDLC).
  • Performing Dynamic Application Security Testing (DAST) & Static Application Security Testing (SAST) as well as manual source code reviews.
  • Security testing: Input and Access handling, SQLi - SQL Injection, XSS - Cross Site Scripting, CSRF - Cross-Site Request Forgery, Session / Cookie Manipulation, Logic Flaws, Buffer Overflows, etc.
  • Conducting mobile device vulnerability analysis including forensics and reverse engineering.
  • Working with development teams to provide security requirements and for design improvements.
  • Working with stakeholders to develop security requirements and secure design documentation.
  • Researching and developing policies, procedures and security plans for evaluating nonstandard & new medical technologies using industry best practices / compliance guidelines (HIPAA, OWASP, ESAPI, CWE, CVSS, NVD-CVE, PCI DSS, SOX, NIST, etc.).
  • Performing Architectural Risk Assessment (ARA) and generating threat models.
  • Developing & delivering full scope SDLC security in addition to generating detailed secure coding guidelines and remediation documentation for Governance, Risk and Compliance (GRC).
  • Testing a variety of systems including Medical systems with a broad range of technologies: Java/J2EE, ASP.NET, C#, VB.NET, PHP, SQL, MSSQL, MySQL, Oracle, HTML5, JavaScript, JSON, AJAX, XML, SOAP, REST, Apache Webserver, MS IIS, Websphere and others.
  • Security testing various environments (QA / Production) and authentication types (OAuth, SAML, etc.).
  • Generating and presenting detailed / management level reports that include methods, findings, conclusions and recommendations for remediation and secure coding practices.

Systems Security Engineer

Confidential - Pittsburgh, PA

Responsibilities:

  • Penetration testing web applications, web services and mobile applications.
  • Performing Dynamic Application Security Testing (DAST) & Static Application Security Testing (SAST) as well as penetration testing (hybrid, automated and manual penetration testing).
  • Security testing: Input and Access handling, SQLi - SQL Injection, XSS - Cross Site Scripting, CSRF - Cross-Site Request Forgery, Session / Cookie Manipulation, Logic Flaws, Buffer Overflows, etc.
  • Testing a variety of systems that include financial (PCI / SOX) & Medical systems with a broad range of technologies: Java/J2EE, ASP.NET, C#, VB.NET, PHP, SQL, MSSQL, MySQL, Oracle, HTML5, JavaScript, JSON, AJAX, XML, SOAP, REST, Apache Webserver, MS IIS, Websphere and others.
  • Conducting host vulnerability analysis including forensics and reverse engineering.
  • Determining and ranking security vulnerabilities using threat categorization methodologies such as STRIDE.
  • Performing system risk assessments throughout the System Development Life Cycle (Agile SDLC).
  • Generating security controls for user requirements and developing secure architecture / design documentation for multitier applications.
  • Performing Architectural Risk Assessment (ARA), threat modeling and source code reviews.
  • Researching and developing security plans for evaluating new technologies using industry best practices / compliance guidelines (PCI DSS, SOX, COBIT, COSO, HIPAA, OWASP, ESAPI, CWE, CVSS, NVD-CVE).
  • Security testing various environments (QA / Production), non-standard networks and communication electronics from internal and external locations with different authentication types (OAuth, SAML, etc.).
  • Managing system security plans and working with information owners to ensure that adequate security questionnaires are developed and that appropriate vulnerability remediation occurs.
  • Developing & delivering full scope SDLC security in addition to generating detailed remediation guidelines and documentation for secure coding practices.
  • Generating and presenting detailed / management level reports that include methods, findings, conclusions and recommendations for information security policies and industry best practices for secure coding.

Information Security Analyst

Confidential, WI

Responsibilities:

  • Analyzing the complete application environment for security risks through design reviews, code reviews and dynamic application security testing.
  • Recommending security measures to safeguard applications and information assets using threat modeling, OWASP, CWE, CVSS and NVD-CVE.
  • Providing consulting and compliance guidance to project teams and developers regarding industry regulations and best practices for secure coding.
  • Performing and managing system vulnerability assessments and application security tests.
  • Performing dynamic application security analysis & static application security analysis for a wide range of vulnerabilities in mobile / web applications and services, operating systems and databases.
  • Vulnerabilities tested include: SQL Injection, Cross Site Scripting, Cross-Site Request Forgery, Cookie Manipulation, Logic Flaws, Buffer Overflows, etc.
  • Technologies tested include: databases (MSSQL, MySQL, Oracle, DB2), server-side technologies such as Java/J2EE, ASP.NET (C# & VB.NET), PHP, Apache Webserver, MS IIS, Websphere, and other technologies like HTML5, JavaScript, JSON, AJAX, XML, SOAP, etc.
  • Analyzing business impact and exposure based on emerging security threats, vulnerabilities, and risks.
  • Conducting risk assessments to ensure security posture, security breach management, research and remediation.
  • Presenting the final reports that include methods used, findings, conclusions, and recommendations.

Security Analyst

Confidential

Responsibilities:

  • Analyzing security architecture and design controls for web applications, web services, mobile applications, operating systems, databases and recommending secure coding practices.
  • Reviewing code and evaluating applications for vulnerabilities such as SQL Injection, Cross Site Scripting, Cross-Site Request Forgery, etc.
  • Testing application / network security and providing appropriate courses of action for remediation.
  • Mitigating identified risks through incident handling and forensics (including emergency response).
  • Ensuring all vulnerabilities & mitigations are accurately documented and presented in the final report.

Application Security Specialist

Confidential - Washington, DC

Responsibilities:

  • Performing and managing application risk assessments throughout the Software Development Life Cycle.
  • Generating security requirements and evaluating architecture to develop threat models.
  • Reviewing design documentation and prioritizing remediation based on threat modeling (STRIDE).
  • Performing Dynamic Application Security Testing (DAST) & Static Application Security Testing (SAST) as well as manual source code reviews for cloud based applications, Amazon Web services (AWS).
  • Identifying application security vulnerabilities and developing mitigation plans to meet business security needs.
  • Developing system security plans, security assessment plans and security assessment reports consistent with the National Institute of Standards and Technology (NIST) Risk Management Framework. ( & )
  • Performing automated vulnerability assessments and manual penetration tests.
  • Using black-box techniques, hybrid / manual code review and a variety of tools including Python scripts and self-developed manual tools to test for vulnerabilities in web applications, web services, mobile applications, databases and operating systems.
  • Testing access control and code injection flaws, SQL Injection, Cross Site Scripting, Cross-Site Request Forgery, Session / Cookie Manipulation, Logic Flaws, Buffer Overflows, etc.
  • Providing remediation guidance to system engineers, administrators, end users and developers.
  • Researching and developing (R&D) guidelines for information security policies and secure coding practices using industry best practices (ISO 27001/2, ESAPI, PCI DSS, HIPAA, COBIT, COSO, SOX, CMMI, ITIL, ISACA).
  • Presenting the final reports that include methods used, findings, conclusions, and recommendations.

Communications and Security Specialist (Security - Engineer)

Confidential

Responsibilities:

  • Developing & delivering application security .
  • Planning and assessing security controls for enterprise application platforms such as Java/J2EE & .Net.
  • Using code reviews and OWASP guidelines to identify, analyze & report application security vulnerabilities such as code injection and access control flaws.
  • Generating detailed security test reports & recommending risk mitigation solutions based on OWASP, CWE, CVSS and NVD-CVE.
  • Presenting reports that include findings and remediation recommendations.

IT Integrator - Software Developer

Confidential - Glen Burnie, MD

Responsibilities:

  • Working in an Agile (Scrum) team to develop enterprise-level applications (Java, SQL, some .NET/C#).
  • Analyzing requirements and developing secure design patterns (UML) to meet security and usability standards for multitier applications.
  • Analyzing coding errors and refactoring using object-oriented design.
  • Performing code reviews and debugging applications to resolve errors and vulnerabilities such as SQL Injection, Cross Site Scripting, Cross-Site Request Forgery, etc.
  • Generating summary reports for managers and detailed reports for technical customers.