
Founder/consultant Resume

Phoenix, Arizona

OBJECTIVE:

To work in a remote position to lead an overall security program as a business and thought leader and be responsible for identifying, evaluating security technologies, and reporting on information security risks in a manner that meets compliance and regulatory requirements.

SUMMARY:

  • Confidential was the strategic leader in developing and establishing the Application Secure Code Review Process and Pen Testing procedures Confidential Insurance Group. He has worked with many companies such as Paypal, Citigroup, and Confidential, assisting development teams through the secure software development lifecycle. He has conducted secure code reviews in C, C++, C# .NET, ASP .NET, and Java. He established the program based on OWASP Code Review and integrated it into the OpenSAMM secure software development lifecycle framework.
  • He conducted static source code analysis on C/C++, Java, and .NET using both manual and automated code scanning tools that do path traversal and track memory allocations. In the manual approach, he dug into the source code where threats had been identified by threat modeling and architecture risk analysis. Debuggers were often attached to check memory allocations and to modify input values to see how the application responded in terms of memory mapping, resources, allocations, and application logic.
  • Confidential has been writing code since 1981 and is fluent in C and C++. He can read and analyze code at a very deep level. He is versed in writing scripts using Shell, Python, awk, and sed. He taught himself assembly language in 1981 on the Apple computer. He reverse engineered third party vendor security software and was able to bypass its anti-piracy, anti-obfuscation, and anti-encryption mechanisms. He has extensive experience in debugging Windows processes and has reverse engineered mobile applications on Android and iOS mobile phones.
  • Confidential has conducted Pen Testing of corporate information systems and applications as well as commercial fat client software using both automated and manual methodologies. Automated tools include Nessus, Retina, HP WebInspect, AppScan, QualysGuard, NetFlow, NetStumbler, Mu Security (DDoS), and War Dialing using PhoneSweep. Manual tools include Burp Suite Pro, Cain and Abel, Ettercap, Metasploit, Meterpreter, Kali Linux, Live RAM Capture, nmap, scapy, Wireshark, NetWitness, snort, THC-Hydra, 010 Editor, Peach Fuzzer, bash, sed, awk, JavaScript and Python scripts. He developed and tested strategic DDoS and APT attacks bypassing Next Gen Firewalls, IPS solutions, and WAF technologies at a Fortune 50 client. He has reverse engineered malware using IDA Pro and monitored its behavior in an isolated VM environment.
  • Confidential used threat modeling, fuzzing, reverse engineering, vulnerability hunting, static code analysis, and run-time monitoring and debugging, to pinpoint critical security vulnerabilities that needed to be fixed. These included stack and heap overflows, memory corruption, integer overflows, function pointer overwrites, and use after free vulnerabilities.
  • On the web side, critical and high level web application security vulnerabilities in important portals (Cross Site Scripting, Phishing, Cross Site Request Forgery, Command Injection, etc.) were found. OWASP Methodology included. Manual web pen testing was conducted using parameter tampering, cookie poisoning, session hijacking, command injection and privilege escalation. Confidential has found critical vulnerabilities in commercial application software and demonstrated how to take remote control of these systems.
  • Conducted a successful deep penetration of a highly secure banking infrastructure. The intrusion detection and prevention systems were bypassed without detection, and access was gained to servers on the core network.
  • Confidential was responsible for identifying security risks in software applications and vendor products at the business proposition stage through the application lifecycle at Paypal, Confidential, Confidential, Citigroup, and Confidential. He made sure that high risk issues were addressed and mitigated effectively prior to go live dates.
  • Confidential made recommendations to Law Enforcement agencies and Fortune 500 clients regarding network security architecture, design, and implementing security solutions. He identified security gaps in processes, policies, and network architecture. Worked with QRadar to set security policies, monitoring, and logging of security events.
  • Confidential has more than 25 years of professional experience in the IT field. Confidential is a strong and natural leader with personable people skills. He is a visionary with strong goal setting capabilities backed up by hard discipline and passion to follow through and get the vision accomplished. Confidential has a deep passion for computers and computer technologies. He is responsible for implementing the security processes within a multi-billion dollar corporation and integrating the full secure development lifecycle framework to meet Confidential DSS 2.0 Compliance.
  • Confidential's background in IT and information security runs deep. He has been an avid hacker since 1981 when he started hacking his Apple computer while in elementary school. He taught himself assembly language then so he could create custom ROM routines and defeat the BIOS. He wrote his own custom DBMS (database management system) while still a freshman in high school which included a low level high-performance database engine and a record management system with indexed retrieval with advanced searching and sorting capabilities. He began writing computer games while in high school. He has been fascinated with computers since an early age. Confidential has conducted penetration tests, security assessments, and risk assessments at many large companies including three of the largest banks in the United States and high tech companies such as Palo Alto Networks and Paypal. He has prototyped new security attacks and products Confidential & Confidential - Research and has authored research papers on Mobile Security.
  • More recently, Confidential has been responsible for leading the security efforts in multi-billion dollar organizations such as Confidential, Confidential & Confidential - Research, Citigroup, Confidential Insurance Exchange, and Confidential. His responsibility was to lead the organization to a secure information technology posture. His responsibilities included securing high risk applications and enterprise infrastructure.
  • Confidential's many roles include being a security evangelist, and he often gives security briefings, presentations, and training sessions to all information technology members in an organization. He shares his passion and promotes security within the organization and provides the leadership necessary to unite the organizational units to a single unifying vision. Many of his briefings are given to executive management for decision making.
  • Confidential has a strong background in IT and Security and often works as an advisor to executives giving strategic guidance on information technology, vendor selection, production evaluation, and implementing a process to integrate the enterprise model and business processes with information technology to produce a highly cohesive and efficient work environment.

TECHNICAL SKILLS:

Platforms: Windows, BackTrack, Red Hat Linux, Fedora, Solaris, HP-UX, AIX, Mac OS X, Mac OS 6 & 7, Apple IIe

Languages: T-SQL, MySQL, Python, Perl, C, C++, x86 Assembly, VAX Assembly, 6502 Assembly, Visual C++, C# .NET, ASP.NET, Borland C++, Visual Basic, Fortran, HTML, XML, Ada, Pascal, JavaScript, PHP, VBScript, Regular Expressions

Databases: Microsoft SQL Server, MySQL

WORK EXPERIENCE:

Founder/Consultant

Confidential, Phoenix, Arizona

Responsibilities:

  • Pentesting of Application, Network, and Cloud Security Architecture

Technologies Used: WhiteHat Sentinel, JIRA, Nexus IQ, Tripwire IP360 (nCircle), Metasploit Pro, Nexpose Enterprise, Kali, AppSpider (Confidential Spider), Burp Suite, WebInspect

Sr. Security Consultant

Confidential, Ft. Lauderdale, FL

Responsibilities:

  • Penetration Testing and Security Assessments of Fortune 500 and High Tech companies including Palo Alto Networks, banks, casinos, law enforcement, and US military
  • Conducted network penetration testing, application security, mobile security assessments, physical security, and social engineering
  • Make recommendations to Law Enforcement agencies and Fortune 500 clients regarding network security architecture, design, and implementing security solutions
  • Identify security gaps in processes, policies, and network architecture.

Cloud Security Architect

Confidential, Chandler, Arizona

Responsibilities:

  • Evaluate enterprise information security technologies that help secure a large global enterprise infrastructure
  • Lead Red Team efforts in conducting risk, security assessments and attacks on critical banking infrastructure
  • Conduct penetration tests of enterprise information security systems, cloud platform infrastructure, and high risk applications
  • Architect security solutions with OAuth, OpenID, Ping Identity, Web SSO, Identity Federations, and SAML.

Technologies Used: QualysGuard Private Cloud Platform, Tanium, Burp Suite Pro, HP WebInspect, OWASP

Application Security Architect

Confidential, Glendale, Arizona

Responsibilities:

  • Lead multi-billion dollar organization to a secure posture meeting and exceeding Confidential DSS 2.0 standards
  • Write policies, controls, security standards, and processes for risk assessment, penetration testing, peer code review, secure code development, secure web services, remediation, server hardening, end user deployment, and securing Confidential Trust Zones
  • Identify and conduct penetration test of high risk applications, infrastructure devices, and zone security
  • Establish new security testing guidelines for QA Security as well as manual secure code checklists.
  • Establish and maintain a conducive partnership with Security Operations, Software Development, Quality Assurance, Compliance Teams, Infrastructure Services, and Environment Management
  • Architect security solutions with OAuth, OpenID, Ping Identity, Web SSO, Identity Federations, and SAML.

Technologies Used: Burp Suite Pro, AppScan, QualysGuard, Fortify360, OpenSuse, Backtrack

Senior Mobile and Web Security Architect

Confidential, Fort Lauderdale, Florida

Responsibilities:

  • Work as a Security Evangelist, promoting security within the organization and educating senior developers on security
  • Application security, penetration testing, and risk assessments of mobile platforms for J2ME, Android, iOS, and Blackberry.
  • Evaluation and testing of OAuth, OpenID, Web SSO, SAML, and Identity Federations

Technologies Used: Android SDK, iOS SDK, Fortify360, OWASP

Embedded Security Team Lead

Confidential, Dallas, Texas

Responsibilities:

  • Work as Information Security Leader and Evangelist, promoting and educating software development and systems engineering teams on security
  • Lead an embedded security research team to focus on deep dive security analysis of security threats, hardware and software reverse engineering of mobile devices, desktop, and web applications
  • Build strong cross-organizational relationships and effectively influence staff across the IT organization and broader enterprise and product groups
  • Work to implement Secure SDLC into software development lifecycle
  • Perform security assessment on threat landscape
  • Plan for the resolution of identified vulnerabilities and issues and design appropriate security controls
  • Implement licensing, digital rights management, obfuscation, and anti-tampering on mobile devices.
  • Android, iOS, and Nucleus security research for mobile devices.
  • Analysis and hardening of mobile hardware security architecture
  • Scripting to automate integration of static code analysis with build and source control
  • Static Code Analysis of low level C code and Java. Understanding of programming mistakes and how to exploit them.

Technologies Used: Android, iOS, Nucleus, JTAG, IDA Pro, Coverity, MSVC, FTK Toolkit, OWASP

Senior Security Researcher

Confidential, Austin, Texas

Responsibilities:

  • Conduct vulnerability research on the bleeding edge threat landscape for the HP TippingPoint Intrusion Prevention System
  • Threat research included the latest attacks on mobile, Windows, Linux, and Unix machines affected by botnets, worms, Java, web, DNS tunneling, phishing, Samba, MS-RPC, Adobe Reader and Shockwave attacks.
  • Perform network protocol analysis and develop signatures for the TippingPoint IPS
  • Write customer advisories for vulnerabilities
  • Install, configure, and administer VMware vSphere and virtual servers

Technologies Used: IDA Pro, OllyDbg, x86 Assembly, Python, PHP, Perl, Ruby, JavaScript, VMware vSphere, OWASP

Senior Ethical Hacker

Confidential, Dallas, Texas

Responsibilities:

  • Find security vulnerabilities in online banking, credit card, and brokerage applications
  • Write customized attacks against web applications to exploit security vulnerabilities
  • Effect unauthorized funds transfer to different accounts by exploiting vulnerabilities
  • Work with developers to resolve vulnerability issues
  • Develop security policies and procedures to prevent future exploitation

Technologies Used: Burp Suite Pro, Python, AppScan, WebInspect, Firebug, ViewState Decoder, BackTrack, THC-Hydra, TamperData, OWASP

Security Researcher

Confidential, Middletown, New Jersey

Responsibilities:

  • Research and prototype new ideas, products, and cyber attacks.
  • Demonstrate prototypes to Senior Executives
  • LightSpeed (Confidential &T U-verse Service) infrastructure security testing
  • Perform Red Team analysis and attacks on critical infrastructure
  • Develop DDoS mitigation strategies
  • Find vulnerabilities for command and control in personal consumer devices
  • Write customized botnets for remote command and control of mobile devices
  • Infect cell phones and video game consoles with malicious code to create botnet armies for proof of concept demonstrations to management
  • Write scripting tools to do UDPflood, SYNflood, and HTTPflood in C and Python

Technologies Used: Wii, Linux, devkitpro, Visual Studio 2008, Diversifeye Shenick, Mu Security, OWASP

Security Researcher

Confidential, Dallas, Texas

Responsibilities:

  • Research new vulnerabilities in the TI product line and develop proof of concept exploits
  • Threat Modeling to find areas of vulnerability in mobile applications
  • Testing mobile applications against various injection vectors to compromise security of software such as injecting malicious input
  • Reverse engineer and defeat anti-piracy, digital rights management, and activation mechanism of security products on mobile and Windows platforms
  • Develop tools in Python, awk, sed for security testing on Mac OS X and Windows platforms
  • Work with security vendors to resolve security issues found through testing
  • Write Network security test suite for TI's proprietary protocol
  • Write advanced generation based fuzzers based on dissecting application protocol

Technologies Used: Nucleus, OllyDbg, IDA Pro, Visual Studio Compiler, Xcode, VMware, Peach, Spike, Python, FTK Toolkit, OWASP