- To be a leading member of a team that provides expert services in web application security, ensuring adequate protection of an organization's information system assets through security management processes, with the overall goal of ensuring the confidentiality, integrity, and availability of corporate information and information systems in a way that is not only efficient but also cost-effective.
- A self-motivated, client- and service-focused professional with over 18 years of experience in Information Technology, encompassing all phases of the Systems Development Life Cycle.
- My primary focus is in the application security area (former developer), with extensive experience in Secure SDLC integration and implementation and in vulnerability assessment through threat modelling, dynamic and static code analysis including, but not limited to, manual code reviews, to ensure a proactive approach to web application security mitigations.
- Excellent in developing Vulnerability Management Processes and exception processes that include effective remediation strategies in both Agile and traditional Waterfall development environments.
IT Security Tools: HP Fortify SCA/FoD, HCL Rational AppScan, Veracode, Qualys (WAS, VM), HP WebInspect.
Web Services: Parasoft SOATest
Database: Oracle PL/SQL Programming
Languages: Java, .NET, PowerBuilder, VB, SQL, HTML, XML
Back-End Tools: Oracle 10g, Sybase SQL Anywhere, DB2, TOAD
Security Lead - Web Application Security Architect
- Driving the implementation and management of a secure Software Development Life Cycle (secure SDLC) program across the different brands of Confidential's group of companies.
- Ensures that security assessments are conducted early in the definition, design and development phases so that security requirements are captured and properly addressed through security requirements definition, threat modelling and static analysis.
- Serving as the point of contact for all web application security related initiatives, including but not limited to secure coding best practices, application security improvement strategies, effective and actionable remediation plans, the exception process and secure development training for developers.
- Managing all pre-deployment web application security assessment functions such as static code reviews and dynamic analysis.
- Reviews scan results to determine the validity of reported issues, excludes false positives through suppressions, and provides feedback and remediation guidance to developers on false positive challenges
- Prioritizing remediation efforts based on exploitability, potential business impact, and compliance needs
- Documents, assigns, tracks, and maintains identified application security vulnerabilities utilizing the organization’s vulnerability management system.
- Works directly with the development teams to provide vulnerability remediation guidance as needed
- Performs post-remediation validation through rescans and/or manual source code reviews to determine the effectiveness of remediation actions
- Conducts pre-deployment assessments via dynamic scans
- Continuously updates application risk postures and communicates them to application owners and senior management.
- Works directly with the compliance team to identify application security vulnerabilities tied to specific compliance mandates
- Led the evaluation, selection, and acquisition of the corporate static code and mobile application analysis tool by liaising with both vendors and stakeholders of Confidential's North American brands.
- Directly works with vendors to address environment or tool related issues.
Confidential, West Chester, PA
Sr. Application Security Engineer
- Served as the Technical Lead in the development and implementation of the secure SDLC global security project
- Co-led the introduction and integration of security control gates into the SDLC process
- Developed a simplified Global Threat modelling tool with security controls that are based on system and operating environments
- Worked with both the Business Analysts and Application Solution Architects to review and derive security requirements from the business requirements documentation and technical design specifications, respectively, in the design phase.
- Participated in architectural and design discussions during the build phase of e-commerce application projects and provided guidance on security best practices.
- Acted as liaison between application developers and the customer relations team to ensure functional requirements are in line with security objectives
- Defined and evangelized secure coding best practices throughout the application development lifecycle.
- Led application vulnerability assessment initiatives to identify potential security holes and provided solutions for effective mitigation.
- Performed manual source code reviews with developers and provided remediation guidance as needed.
- Worked with lead application developers and architects to review the existing application security posture and identified areas for improvement
- Developed a comprehensive source code review checklist that provides guidance to application developers and architects on what to build into their systems and source code in order to satisfy Confidential's application security goals and objectives. In addition, the checklist also serves as a yardstick with which to assess the degree of trust that can be placed in Confidential's applications developed in-house.
- Acted as mentor to Associate Security Engineer.
Confidential, Dallas, TX
Sr. Software Security Engineer
- Served as the Technical Lead in the implementation of SWA’s enterprise Secure SDLC project
- Evangelized security and secure coding practices throughout the application development lifecycle.
- Configured and set up static and dynamic analysis application scanning tools in a SaaS environment
- Created application-level policies in the Veracode environment
- Reviewed static code analysis findings, analyzed results for false positives, ranked vulnerabilities based on exploitability and potential impact, and assisted application owners in interpreting identified vulnerabilities during the application development phase
- Provided guidance on appropriate remediation actions necessary to mitigate identified application security flaws prior to deployment
- Acted as liaison between application developers and PCI coordinators to ensure compliance
- Coordinated external penetration testing activities for internal applications that are subject to PCI compliance
- Worked with external security partners to conduct security assessments and penetration tests of vendor applications that interface with SWA’s servers.
- Worked with application developers and architects to provide guidance and support for remediating existing vulnerabilities
- Provided guidance and participated in architectural review discussions during the design and build phase of SWA’s international flight booking application.
- Oversaw the remediation efforts for identified vulnerabilities and facilitated their remediation
- Evaluated, tracked, and ensured remediation of medium- to critical-rated vulnerabilities; developed, maintained and updated scorecards to reflect the vulnerability state of applications and communicated them to application owners.
IM/IT Programmer Analyst / Web Application Security Subject Matter Expert
- Conducted dynamic and static code analysis of web applications using IBM Rational AppScan and HP Fortify SCA respectively
- Conducted Web Services Penetration and Performance testing
- Conducted manual code reviews to identify security flaws
- Categorized identified vulnerabilities and provided fix recommendations
- Measured and monitored application resource utilization as part of performance testing
- Thorough knowledge of, and experience with, the OWASP Top 10 vulnerabilities
- Demonstrated knowledge of Application Security Maturity Models (OpenSAMM, BSIMM)
- Provided timely, technical and professional support to departmental application owners as needed to ensure applications continue to meet all functional and operational requirements
- Evaluated web application performance under load to detect performance degradation and provided timely and accurate advice on technical issues to minimize operational disruption
- Conducted business requirements analysis and risk assessment to develop specific application functionality
- Conducted feasibility studies of application requirements to support system improvements
- Prepared technical design specs based on business requirements
- Analyzed impact of proposed functional changes on applications
- Performed application enhancement activities, based on business requirements specifications
- Conducted technical training in security tool usage