
Senior Security Engineer Resume


Seattle, WA


  • Sixteen years of professional information technology experience encompassing information security, web application security, software development, and project management, with a primary focus on application security.


Operating Systems: Microsoft Windows 3.11/95/98/2000/XP/2003, Linux, Solaris, IRIX, BSD, SVR4, HP-UX, NeXT, Novell 3.x/4.x, MS-DOS 3.x-6.22, VMS

Programming Languages: C/C++, Java, Visual Basic, Pascal, Assembler (80x86, 68k, VAX 6430), Perl, ARexx, VBScript, VBA, Active Server Pages, JavaScript, CFScript, Fortran, InstallScript, Wise Script, SQL, XML, DHTML, HTML, CUDA

Applications/Services: MS SQL 6.5/7.0/2000, Sybase, Oracle 7.x-8i, Exchange Server 5/5.5/2000/2003, MS Visual Studio, Source Safe, CVS, IIS 4.x-6.x, Netscape Enterprise Server 3.x-iPlanet, RSA ClearTrust, MS Site Server, Websphere Application Server, Websphere Portal Server

Security Applications/Tools: Firewalls (Cisco PIX, IP Chains, Symantec Enterprise, ISA), Proxy Servers (MS Proxy 1.x-2.x, SQUID), F5 Systems BIG/IP, Ghost, IDS (Snort, NetProwler), packet/network analysis (TCPDump, Spynet/CaptureNet, IRIS, Ethereal, Network Monitor), Vulnerability/System Scanners (Nessus, Nmap, Retina, ISS Internet Scanner, Watchfire AppScan), Password Vulnerability Scanners (Crack, NTCrack, PWDump, L0phtCrack), MD5

Network Protocols/Services: TCP/IP, IPX/SPX, VPN, WEP, SSH, SSL, PKI, IPSEC, HTTP, FTP, SMTP, POP3, WINS, DNS, LDAP, Active Directory, Kerberos, NFS, SOAP


Confidential, Seattle, WA

Senior Security Engineer


  • Work closely with development teams providing security reviews of high profile externally facing web applications, web services, and client device integrations.
  • Accountable for all security functions within the Software Development Life Cycle (SDLC) including complete end-to-end security reviews, threat modeling, functional and non-functional security requirements, architectural recommendations, code reviews, application penetration testing, and mitigation recommendations.
  • Consulted and trained internal teams on the secure development of client platforms including iPod Touch/iPhone, Android, Blackberry, and Kindle.
  • Performed security reviews of the implementation and integration of Amazon technologies such as Amazon Web Services (AWS) which includes, but is not limited to, Simple Storage Service (S3), Elastic Compute Cloud (EC2), and Simple Queue Service (SQS).
  • Provide application security coverage for Amazon, Amazon subsidiaries, and Amazon merchant partners including: IMDb, Audible, Target, Endless, Marks & Spencer, Sears Canada, Bebe, Reflexive, and Askville.
  • Cover technology areas such as video streaming, code signing, web services security, cryptographic implementation, authentication and authorization systems, and web application security.
  • Assess web applications and consult with teams on common vulnerabilities such as XSS, CSRF, SQL Injection, authentication/authorization problems and less common vulnerabilities as appropriate.
  • Work daily in a rapid, fast moving environment with hard deadlines such as launches tied to Super Bowl ads (PepsiStuff/Amazon MP3 points campaign), highly visible technologies such as Kindle and Cloud Computing, and a 24/7 high availability web presence.

Confidential, Columbus, OH

Information Security Consultant


  • Responsible for all security functions within the development lifecycle.
  • Communicate risk to the business at all levels of management including C-level, reporting directly to the CEO. This is accomplished through formal analysis and documentation of the risk and face-to-face presentations.
  • Produce enterprise-wide documentation on secure application development including guidelines for developers and architects with a strong focus on OWASP recommendations.
  • Evaluate vendor applications for integration within the Nationwide environment including enterprise class applications and smaller components for integration within development projects.
  • Assess third party business partners connecting to Nationwide networks or hosting Nationwide data. This process involves a comprehensive review of all standard security controls within their environment.
  • Participate in enterprise committees and working groups for long term corporate security initiatives.
  • Perform automated security vulnerability assessments on corporate applications with third-party tool (Watchfire’s AppScan), and interpret/present results to development project teams and project stakeholders. Provide guidance to vendor regarding tool improvements that support better results and overall use in corporation.
  • Effectively demonstrate exploits to developers to assist them in understanding the security issue rather than the theoretical advisory.
  • Monitor industry trends in application security such as more recent exploits in ORM tools, AJAX and XML.
  • Adhere to and communicate the enterprise information security policy (based on ISO 17799) and pertinent regulations on a project basis such as PCI, state regulations, and SOX.
  • Architect security solutions including but not limited to interoperability between J2EE/Websphere and WinDNA/.Net platforms, Single Sign On (SSO), Identity and Access Management (IAM), Web Services/MQ Service Oriented Architectures (SOA), RSA ClearTrust, SAML, and custom authorization and identity repositories.
  • Accountable for all application security aspects of multiyear projects with budgets in the tens of millions.

Confidential, Columbus, OH

Sr. Software Engineer


  • Migrated a legacy Windows application into a web based multi-tier Learning Management System (LMS) in C++ as a member of a two person engineering team that evolved into the company’s core product architecture.
  • Wrote software primarily in C++ utilizing multi-threaded multi-tier architectures with communication based on TCP sockets between presentation and application/business logic tiers and standard ODBC communication functions for back end database transactions.
  • Assisted in custom application development integrating existing LMS authentication system into Defense Enrollment Eligibility Reporting System (DEERS) for the Navy Learning Network/Navy Advanced Distance Learning initiative (NLN/NADL).
  • Consulted in disaster recovery plans of NADL systems and redundant off site hot systems for severed networks based on integration into INFOCON policy.
  • Developed software installation code for entire application suite including installation authorization and protective measures.
  • Created component delivery mechanisms and managed security architecture for ActiveX and Netscape plug-in downloadable software components including code/object signing and ensuring Safe For Scripting compliance.
  • Coded application authentication and security transaction logging.
  • Reviewed and analyzed product architecture for security vulnerabilities.
  • Assisted QA in testing procedures including introduction of Ghost into test environment for ‘clean’ machine replication and baseline testing.
  • Automated build procedures and maintained product escrow requirements.
  • Reverse engineered several internal virus/Trojan/worm outbreaks and wrote utility programs to assist MIS in pre-patch repair.

Sr. Consultant


  • Performed custom development for single sign on authentication integrating into customer environments utilizing LDAP, Novell, and NT Domain Authentication.
  • Analyzed security architecture and integration into customers’ existing WANs including complicated environments dealing with military contractors requiring access to online courseware requiring secret clearance, law enforcement agencies requiring complex records of course access, medical customers such as hospitals and insurance agencies complying with HIPAA standards, and environments requiring internal and external access to the LMS.
  • Responsible for architecture and coding of several e-commerce web sites including secure credit card purchase and authentication for immediate courseware delivery and class registration.
  • Custom development of database logging functions using SQL database triggers.
  • Conducted stand up classroom training on specific system components for both technical and non-technical audiences.
  • Provided SSL integration of LMS for clients requiring extended security.
  • Managed technical aspects of most integration projects in the services group.
  • Scoped technical integration projects for consulting resources, system requirements, and security parameters.


Network/System Engineer


  • Provided full support for a 130-node LAN providing VPN solutions for several national and global offices.
  • Upgraded Internet connection from 56k leased line to full T1, changed all internal workstations to non-routable IP addresses and protected formerly exposed LAN with Microsoft Proxy Server.
  • Maintained test facilities for software engineering consisting of Windows 3.11, 95, NT, HP-UX, Linux operating systems and Sybase, Microsoft, and Oracle database servers.
  • Created and maintained network backup policies and procedures.
  • Implemented and maintained anti-virus software deployment and procedures.
  • Conducted risk assessments on network topology changes and vendor application integration.
  • Introduced redundancy for email servers utilizing weighted MX DNS records and multiple Exchange Servers.

Confidential, Lewis Center, OH



  • Provided complete system and LAN solutions for businesses including security, custom software coding, networking, and backup procedure/policy creation and implementation.
  • Analyzed security architecture and design of applications including authentication and access control.
  • Performed application penetration testing and mitigation strategies.
  • Recovered systems when security prevented access due to forgotten passwords, corrupted authentication/authorization tables, and other circumstances.
  • Coded custom applications using C++ and DirectX APIs for 3D visual animation of statistical and report data.
  • Architected security solutions including risk analysis, access controls, and business continuity planning.
