- Experience auditing a wide variety of systems, including nuclear power plants, power grids/sensors, military hospitals, stock exchanges, satellite-based intelligence systems, electronic election/voting systems, cryptocurrency, PTZ video surveillance, medical and life support devices, infusion management devices/systems, deadly reagent superstores, national disaster management, video games, smart home/IoT devices, operational control systems, supervisory control and data acquisition (SCADA) systems, radiological emergency management, and Wi-Fi enabled coffee pots.
- Possesses a rare combination of skills in both code review and application pentesting, rooted in software engineering (rather than networking).
- Expert at performing security assessments using formal methodologies (e.g. OWASP, PTES) against web apps, thick clients, web services, cloud, mobile (iOS/Android), Citrix-hosted applications, and physical devices.
- Able to audit applications written in most languages - .NET, ASP, VB, C#, Java, JSP, PHP, Objective-C, C/C++, etc.
- Skilled using popular dynamic and static analysis tools - AppScan, WebInspect, Fortify, Nessus, Qualys, ZAP, Burp.
- Experience performing formal risk analysis using NIST/CVSS, as well as formal threat modeling using STRIDE and Microsoft Threat Modeling Tool.
- Expert in open source research (OSR)/intelligence gathering (OSINT) - Dark web, deep web, surface web.
- Experience testing difficult-to-access applications (e.g. VNC or VDI -> jump box -> PuTTY/SSH -> VM -> Citrix).
- Skilled technical writer, capable of writing organized, readable, professional reports requiring almost no editing.
- Well-spoken, especially for an engineer - adept at leading technical and non-technical discussions, as well as scoping, kickoff, and delivery meetings.
- Significant experience developing security assessment methodology and security training materials.
- Has an electronics lab and is able to interface with, and analyze the security of, many hardware devices, including IoT.
- Active member of the security community; regularly attends DEF CON, SecureWorld and other conferences.
- Contributor to major industry projects, including the OWASP Mobile Top 10, OWASP Mobile Apps Checklist, Android Testing Cheat Sheet, OWASP Testing Project, and ESAPI.
- Maintains an enormous application vulnerability database that I use for code reviews, pentesting, and report writing.
- Maintains an extensive library of home-grown information security policies, standards, procedures, guidelines, forms, checklists, and vulnerability templates that can be customized.
- Highly flexible schedule and generally able to work late nights/weekends as necessary, on short notice.
- With experience on many security teams, I am able to provide valuable insight as well as strategic vision, based on the efficiencies and shortcomings observed within other environments.
Security Testing Tools: AppScan, WebInspect, Burp Suite Pro, OWASP ZAP, Nessus, Metasploit, Kali. Also nmap, netcat, THC Hydra, John the Ripper, Cain & Abel, hashcat, sqlmap, BeEF, Core Impact, OpenVAS, Frida, APKAnalyser, drozer, APKTool, otool, SSL Kill Switch, Ettercap, SwfScan, MobiSec, BackTrack, Samurai Web Testing Framework, WebScarab, Charles Proxy, Fiddler, Wikto, Nikto, IDA Pro, JAD, SSLScan, sslyze, openssl, curl, Firefox w/add-ons, Google, Tor, Shodan, Maltego, Wireshark, Ethereal, tcpdump, PhoneSweep, puttytel, WarVOX/WarVOX2, Phishing Frenzy, LUCY, Gophish, Social-Engineer Toolkit (SET), utilities from Foundstone, NirSoft, Sysinternals, PCMag, etc., plus many tools/scripts I've developed
Code Review Tools: Fortify SCA, AppScan Source, Visual Studio, Eclipse, Notepad++, UltraEdit, Beyond Compare 2, CodeScout, plus many tools/scripts I've developed. Familiar with Checkmarx, Veracode
Development Tools: Visual Studio, Eclipse, Xcode, Dreamweaver, SD Elements, GitHub, SVN, Jenkins, Maven
Platforms: Windows, Linux (Kali, Ubuntu, Debian, Fedora), Mac, iOS, Android. Also BlackBerry
Databases: MS SQL Server, Oracle, MySQL, Microsoft Access. Limited AS/400
General: Microsoft Office, Visio, Acrobat, VMware, ActivePerl, Cygwin, PuTTY/SSH, WinSCP, Python, PGP/GPG, Winrar, 7-Zip, wget, OpenVPN, DigitalOcean, AWS, Microsoft SDL Threat Modeling Tool
Confidential, West Bloomfield, MI
Principal Security Consultant
- Performed application security assessments (largely .NET, VB, C#, ASP, Java, JSP, PHP) using static and dynamic analysis tools (e.g. Fortify, AppScan, WebInspect, Burp Suite Pro, Nessus, Qualys) and manual techniques
- Performed rigorous security testing on new hardware products in a lab environment (IoT/Smart Home, Wi-Fi cameras, Wi-Fi smoke/CO2 detectors, alarms, critical infrastructure sensors/monitors, medical devices, infusers, mobile devices, Wi-Fi coffee pots, smart refrigerators, etc.)
- Effectively helped organizations develop a framework for application security, complete with application/database security policies, procedures, standards, guidelines, forms, and templates
- Ensured software, databases, and supporting infrastructure were securely designed, implemented, and operated
- Worked closely with development and testing teams to identify security weaknesses and integrate security into the SDLC (using OpenSAMM, BSIMM, NIST), as well as within testing and approval processes
- Collaborated with business units to analyze business processes, identify risk, and build security requirements
- Worked with Operations, Audit, Legal, and Compliance teams to understand security requirements, support information security needs, and manage risk
Senior Application Security Engineer
- Subject Matter Expert (SME) on many security topics, including app pentesting, phishing, deep web/dark web, etc.
- Performed extremely detailed penetration testing and vulnerability assessments using automated tools (e.g. WebInspect, Burp Suite Pro, Nessus, Qualys), custom tools/scripts, and manual techniques
- Conducted extremely detailed secure code reviews using automated tools (e.g. Fortify), custom rules/scripts, and manual techniques
- Used formal methodology, especially from OWASP/NIST, in addition to probably the most detailed custom methodologies and checklists in the industry
- Developed comprehensive code review and penetration testing methodologies; developed detailed checklists and guidelines for assessing web, desktop, and mobile applications, as well as cloud applications and physical devices.
Information Security Engineer
- Served as a key member of the Enterprise Application Security Team (EAST), a.k.a. Security Code Review (SCR)
- Thoroughly audited several dozen banking applications against corporate security policies and control standards, relevant laws and regulations, and security best-practices
- Provided expert security remediation advice and ongoing security consultation after each risk assessment project; verified issues were adequately mitigated
- Successfully led many large application risk assessment projects as a Subject Matter Expert (SME)
- Efficiently worked in teams and individually in a fast-paced, high volume, deadline-driven environment
- Consulted with dozens of security experts on one of the most advanced application security teams in the industry
- Contributed to weekly team meetings by researching and communicating new threats, vulnerabilities, and risks
Confidential, Detroit, MI
Application Security Manager
- Rapidly promoted to Security/Business Continuity Group as the Application Security Manager
- Aggressively assessed and managed security of dozens of internal and public-facing applications
- Successfully identified and developed a robust set of security policies, standards, procedures, guidelines, forms, templates, and checklists to promote secure software development and improve software assurance
- Spearheaded the Coding Conventions Task Force to establish County-wide standards for application development and security, resulting in more secure applications as well as more efficient security audits
- Created a C&A process, established data classifications, risk metrics, and an application vulnerability taxonomy
- Contributed to risk management, business continuity planning (BCP), disaster recovery planning (DRP), business restructuring, and business process re-engineering (BPR)
Confidential, Detroit, MI
Security Programmer / Analyst
- Served as the Subject Matter Expert (SME) on all application/database security topics
- Seamlessly implemented security throughout the software development lifecycle
- Contributed to secure software design & development (.NET, Classic ASP, SQL) as well as security remediation; project manager for many development projects
- Increased team value by assisting developers with secure ASP/.NET/SQL development, secure coding practices, and defensive strategies
- Selected by the CIO to champion the department’s most significant development project: a “dashboard” to facilitate the management of all County technology assets, products and services, and the security of each
- Recognized by County Executive Robert Ficano, the CIO, and FEMA for outstanding efforts after Hurricane Katrina; received an award for leading a major development project to provide emergency support for survivors