• Payment Card Industry Data Security Standard PCI DSS
• Health Insurance Portability and Accountability Act HIPAA
• National Institute of Standards and Technology NIST SP800 Series Computer and Information Security
• Office of Management and Budget OMB -A130 Management of Federal Information Resources
• National Industrial Security Program Operating Manual NISPOM
• Federal Information Processing Standards FIPS 140-2 Security Requirements for Cryptographic Modules
• Federal Information Security Management Act FISMA , FIPS 199 Standards for Security Categorization of Federal Information and Information Systems , FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
• IEEE P2600 IEEE Standard for Information Technology: Hardcopy Device and System Security

Operating Environments Expertise

• Linux
• Windows
• OS/X
• HP-UX
• OpenVMS
• Solaris

Software Network Security Expertise

• Security Development Lifecycle SDL
• Open Web Application Security Project OWASP Security Controls in Web Application Development Lifecycle
• Microsoft Threat Modeling Tool

Software Systems Development Methodologies Expertise

• Software Engineering
• Object Oriented Analysis/Design
• Agile Development, Scrum
• Test Driven Development TDD

Programming/Scripting Languages Expertise

• Java
• C/C
• C
• Perl
• Python/Django
• Shell scripting for sh, bash, csh, ksh
• Windows PowerShell scripts, cmdlets

Application Frameworks Expertise

• J2EE
• Spring
• Hibernate
• JSP
• JSF
• .NET Entity Framework
• ASP.NET Model View Controller MVC , Model View View Model MVVM

Database/Datastore Expertise

• Oracle
• PostgeSQL
• MySQL
• SQL Server
• SQL Azure
• NoSQL, MongoDB
• Azure Table storage, Blob storage
• Berkeley DB
• Extensible Stylesheet Language Transformations XSLT , XQuery, XPath
• Java Database Connectivity JDBC , Open Database Connectivity ODBC

Software Lifecycle Management and Continuous Integration Expertise

• Subversion
• Jira
• Crucible
• Jenkins, Hudson
• Maven
• Nexus
• Mock

Networking of Expertise

• Simple Network Management Protocol SNMP
• Internet Protocol Security IPsec
• ASP.NET
• Active Directory AD , Active Directory Federation Services ADFS
• Samba, Common Internet File System CIFS
• Lightweight Directory Access Protocol LDAP
• Windows Communication Foundation WCF
• Web Services, Representational State Transfer REST , Simple Object Access Protocol SOAP
• Simple Mail Transfer Protocol SMTP , Postfix

Patents Received

• U.S. Patent 7,020, 875 Mechanism for selecting representatives from program patch chains based on user roles

Roles and Responsibilities

• Designed, developed, and supported Data Loss Prevention DLP products.
• Developed and adapted SDL for products. Collaborated with security champions in product groups to adapt SDL to their development and Quality Assurance QA processes.
• Designed, implemented, and maintained automated vulnerability scanning of products integral to QA processes. Participated in monthly meetings with product security champions to review vulnerabilities found, and plan for product release and bug fix verification.
• Obtained requirements, architected, and designed projects to make products available as Managed Services using on-site appliances.

Achievements

• Designed and implemented Active Directory/ Lightweight Directory Access Protocol LDAP support for DLP product.
• Designed and implemented Multi Router Traffic Grapher MRTG via Simple Network Management Protocol Version 3 SNMPv3 update and patch for product.
• Designed, implemented, and maintained Continuous Integration CI with Jenkins for product development.
• Adapted and championed SDL for products.
• Initiated and maintained automated vulnerability scanning of products as standard QA process.
• Provided end-to-end architecture and design for making existing products available as Managed Security Services.

Skills Utilized

• Products developed and deployed on Intel-based hardware appliances running Linux.
• Products developed and deployed on Intel-based hardware running Windows.
• Product development in C/C , J2EE/Java with Spring and Hibernate.
• Prototypes and tools development in Perl, Python, and Shell scripts.
• Agile development, and test-driven development utilized to improve software quality.

Tools Utilized

• Subversion, Jira, and Crucible for agile software lifecycle management.
• Jenkins, Maven, and Mock for continuous integration.
• Microsoft Threat Modeling Tool for creating and evaluating Threat Models.

Roles and Responsibilities

• Designed and developed networking components for printer control units.
• Provided support and consulting for network and application security and compliance.
• Designed and implemented SNMPv3 support for multifunction device control.
• Designed and implemented IPsec for multifunction device secure access in untrusted environments.
• Updated Secure Sockets Layer SSL communications to be FIPS 140-2 level 2 compliant.
• Researched and managed compliance to regulations and standards, including IEEE P2600 and common criteria. Communicated compliance issues relating to products to management and development teams.
• Supported certification and accreditation efforts.

Achievements

• Designed and implemented disk volume encryption management for printer control unit.
• Designed and implemented SNMPv3 capabilities for printer control unit.
• Designed and implemented IPsec capabilities for printer control unit.

Skills Utilized

• Products developed and deployed on Intel-based hardware running Linux.
• Products developed primarily with C/C with Java and Flex UI.
• C/C development for Linux daemons.
• Object Oriented Analysis and Design for all development.
• Agile development, test driven development utilized to improve software quality.
• Network protocol analysis and reverse engineering to assure robust communication.

Tools Utilized

• CMVC IBM internal for software lifecycle management.
• Wireshark for network packet analysis, troubleshooting, and reverse engineering.

Roles and Responsibilities

• Designed, implemented, maintained, and provided engineering support for Safe Access Network Access Control NAC product.
• Provided on-site engineering support for NAC pilot installations in U.S. Department of Defense environments.
• Designed and implemented mechanism for accessing Microsoft Windows systems remotely via Common Internet File System CIFS File Access Protocol, a subset of the Server Message Block SMB Protocol, in order to test for policy compliance. This involved researching when information was available and reverse engineering when information was not available for Microsoft networking protocols.
• Designed and implemented interface components to make Safe Access interoperate with Microsoft Network Access Protection NAP .
• Updated SSL communications to be FIPS 140-2 level 2 compliant.
• Researched and managed compliance to Federal regulations and standards, including FISMA, NIST SP800, OMB-A130, NISPOM, FIPS 199 and 200. Communicated compliance issues relating to products to management and development team.
• Supported certification and accreditation efforts.

Achievements

• Designed and implemented a facility for load testing Safe Access with large numbers 30000 of Windows network endpoints simultaneously using only a single Linux server running customized Samba servers to simulate Windows CIFS behavior.
• Optimized open source JCIFS Java interface to Samba libraries to improve performance and stability by adding connection pooling and improving notification on cache updates. Submitted updates to JCIFS project.
• Added support for Windows Vista and Windows 2008 Server in Safe Access compliance testing.

Skills Utilized

• Products developed and deployed on commercial off-the-shelf COTS hardware running Linux.
• Sensors, interfaces, and plugins developed and deployed on Windows and OS/X.
• Product development primarily using J2EE, Java Server Pages JSP and Java Server Faces JSF .
• C/C development for Linux daemons, Windows applications/services and OS/X agents.
• Object-oriented analysis and design for all development
• Shell script, Perl, Python, and Groovy used for development, prototyping, and test automation.
• Agile development, test-driven development utilized to improve software quality.
• Network protocol analysis and reverse engineering to assure robust communication.
• VMware virtualization for easily accessible and configurable testing.
• Compliance standards expertise, including FISMA, NIST SP800, OMB-A130, NISPOM, FIPS 140-2, 199 and 200.

Tools Utilized

• Eclipse for integrated J2EE, C and Python development.
• Microsoft Visual Studio for Windows C development.
• Subversion integrated with Eclipse for revision control.
• Wireshark for network packet analysis, troubleshooting and reverse engineering.

Roles and Responsibilities

• Designed, implemented, maintained, and provided engineering support for Dynamic Root Disk DRD HP-UX utility. DRD enhanced the availability and integrity of high availability HP-UX systems by allowing a clone of an active system to be created, updated i.e. patched , and validated while the system remained operational.
• Served as the Security Architect for DRD, preparing and presenting Commercial Application Threat Assessment CATA security requirements and threat assessments.
• Designed, implemented, maintained and provided engineering support for patch and firmware content distribution and deployment.
• Prepared application security requirements for patch deployment applications.

Achievements

• Prototyped functionality to obtain customer feedback as early as possible. Redesigned several critical areas based on this feedback.
• Promoted abuse case testing to discover weaknesses in use models.
• Promoted Agile practices and other productivity enhancements throughout the lab via knowledge sharing sessions and white papers.
• Received U.S. Patent 7,020, 875 Mechanism for selecting representatives from program patch chains based on user roles .

Skills Utilized

• Applications developed and deployed on HP hardware running Linux and Unix HP-UX .
• High-volume customer-facing web application developed in J2EE deployed on BEA Weblogic.
• C/C development for HP-UX commands and utilities.
• Interface protocols, configuration and presentation using XML and XSLT.
• Object-oriented analysis and design for all development.
• Shell script and Perl used for development, prototyping and test automation.
• Microsoft SQL Server used for Data warehouse experimentation.
• Agile development, Industrial XP adaptive agile utilized to improve SDLC.
• Application Threat Analysis used to improve application quality and security.

Tools Utilized

• Eclipse used for C development on Linux host for HP-UX target.
• Microsoft Visual Studio .NET for Windows applications.
• Subversion, CVS, TrueCM for software revision control.
• ClearCase, ClearQuest, Rational Rose, Requisite Pro used in SDLC.