
Web Developer, Resume Profile


USA

Jess brings over 20 years of hands-on, professional experience in software development to his work and knowledge base as an Application Security Engineer. Having spent over a decade (13 years, to be specific) as a professional Java/J2EE developer and another 8 years as a .Net (ASP.Net/C# and VB.Net) developer, he has an outstanding knowledge of the languages with which he works as a Security Engineer. Additionally, he has over a decade of hands-on, professional experience in the web technologies stack (JavaScript, HTML/CSS) and has a professional focus as an Application Security Engineer on AJAX/JavaScript. Jess is also primarily focused on Java Secure Coding/Security issues and has extensive experience in manual secure code reviews of the core Java language and the J2EE APIs. Additionally, Jess has 2 years of Python scripting experience, which he has used extensively to enhance, extend and customize Burp Suite Pro, OWASP's ZAP and IBM's AppScan, and of course to write custom scripts for automated secure testing purposes. Jess is the Subject Matter Expert at his current position in Web Technologies, Secure Code Reviews, IBM's AppScan and OWASP's ZAP. Jess is an OWASP member and has outstanding knowledge of the OWASP Top 10, the ESAPI and other OWASP initiatives. His skill set and experience include manual secure code reviews in the aforementioned languages, Vulnerability Scanning and Web Application Penetration Testing, as well as extensive experience with Fortify Static, Dynamic and Hybrid scans and analysis. Jess can and has worked closely with development teams in both Waterfall and Agile methodologies to ensure the delivery of as secure a code base as possible.

SKILLS:

Programming/Scripting Languages:

Python

Java

HTML

JavaScript

XML

ASP.Net/C#/Visual Basic/VB.Net

CSS

C

ColdFusion

Perl

JQuery

XAML

Silverlight

Other:

Microsoft Visual Studio

Eclipse

NetBeans

JUnit

Hibernate

AJAX

EntitySpaces

NUnit

Job Functions and/or Capabilities:

1. Web and Mobile Application Vulnerability Assessment

2. Web and Mobile Application Penetration Test

3. Manual Secure Code Review in Java, JavaScript, C# and VB.Net (J2EE/Java Web Apps, ASP.Net)

4. Ability to integrate into various SDLCs and work closely with developers, PMs and ScrumMasters

5. Secure App Architecture/Design and Best Practices

6. Compliance-based testing: HIPAA, PCI, etc.

7. Offer direct, code-based remediation of vulnerabilities

8. Ability to assist in prioritizing discovered vulnerabilities in relation to client needs and priorities

9. Special Areas of Focus: JavaScript/AJAX Security, Java Secure Coding Best Practices, ASP.Net Secure Coding Best Practices

10. Ability to perform Security testing of Web Services, both SOAP and RESTful

11. Ability to extend and customize both Burp Suite and OWASP ZAP using Java

12. Excellent ability to document findings and discuss them at both a high level and a detailed, technical level with both executives/business shareholders and software architects/developers/engineers

13. Solid knowledge of major networking concepts and excellent knowledge of HTTP protocol

Example of Daily/Weekly Job Assignments and Tasks/Activities:

1. Perform manual secure code review for applications in various stages of the SDLC. Review Fortify SCA findings for accuracy before discussing issues with the Development Team.

2. Perform AppScan vulnerability assessments using AppScan Standard Edition on apps and web services in various states of development or in production. Vet the findings for accuracy and implement specific attacks as PoC/plausibility studies to determine the threat level of the findings.

3. Perform remediation confirmation for security issues previously uncovered and reported to Dev. Assist Developers with Secure Coding guidance in Java, JavaScript, ASP.Net/C#/VB.Net, ColdFusion or PHP.

4. Deliver report on status of various high-profile assets or projects 'in-flight' to management and related project stakeholders

5. Work with NetSec Engineers to configure the F5 WAF with application-specific rules. Create custom iRules as needed in TCL.

6. Understand priority of management in regards to projects under development and in production.

7. Perform Application Penetration Tests to verify existence and exploitability of previously discovered security issues in application under test

8. Track various projects in flight, understand the security needs around each of them, and prioritize and perform related work as necessary

9. Interface with NetSec to discuss security issues relevant to app sec and across the company

10. Various other tasks and assigned activities as they are given.

Tools:

1. Zed Attack Proxy (OWASP ZAP)

2. Burp Suite Professional

3. IBM AppScan Standard Edition 8.8

4. Paros Proxy

5. Wireshark

6. Kali/Backtrack Linux

7. Comfortable and effective user of both Linux and Windows OSes

EXPERIENCE:

Confidential

Coded several aspects of the front-end for the advisor management application using KnockoutJS, Bootstrap, CSS3 and HTML5. Work included all front-end code required for the user stories assigned to him for the sprints (Agile methodology) as well as developing the first Grunt build scripts to be utilized by this team. Additionally, he worked to revamp the front-end using Bootstrap into a responsive layout, helped to roll the use of the Less precompiler into the project, and has acted as the JavaScript SME for the team. The status of the project he is currently assigned to is unknown moving forward, hence the desire to seek other potential opportunities in Front-End Development.

Confidential

Securing the company's key trading platform/application as well as various other high-profile web applications and web-based applications, such as a thick-client, Java-based trading application running over the Internet backbone.

Performing manual Secure Code Reviews in C#/ASP.Net Framework and Java as well as all web-related technologies and languages. Integrated closely with developers to remediate code-level vulnerabilities as early in the development process as possible.

Specifically tasked with knowledge of JavaScript and AJAX/Web 2.0 related security issues. Worked numerous projects as sole App Sec Engineer, including high-profile/high-value sites such as Investment Management. Performed application vulnerability assessments and penetration tests of web applications in QA, Dev and production environments using a variety of automated and manual techniques, including automated vulnerability scanners such as IBM AppScan Standard Edition.

Tasked with being the Team SME (Subject Matter Expert): developing an 'expert-level' knowledge of IBM AppScan and teaching its Best Practices to other Application Security Engineers on the team.

Setting up Fortify Static Code Analyzer for use in various projects

Maintaining excellent knowledge of emerging Web Application Security issues. Wrote extensions/modules/custom tests for ZAP, Burp Suite and AppScan and has extended/customized all three for ST internal use.

Integrated as an App Sec Engineer in both Waterfall and Agile environments. Developed numerous Evil User Stories during Agile projects.

Lead App Sec Team Web Vulnerability researcher, tasked with keeping up with emerging web threats.

Outstanding knowledge of client-side security issues with particular focus on JavaScript

Trained by Fishnet/7Safe as a Certified Ethical Hacker and by InfoSec Institute in Web Application Penetration Testing. Holds C.E.H. certification from Fishnet/7Safe and certification from InfoSec Institute in Web Application Security and Penetration Testing.

Confidential

Support Engineer/Developer for the Access Media 3/AMP Customer Support Application, written in VB.Net, MVC 3, JQuery 1.7, MS SQL Server 2010, Fluent NHibernate and Visual Studio 2010. Wrote code under the guidance of the application Architect, located in Los Angeles, to support and enhance functionality of the Customer Support application for a mid-sized Media Access provider located in several states. The application is used by internal Customer Service Representatives to schedule, track and confirm all support calls and issues, and service calls to the customer's home or office.

- Application made extensive use of JQuery, NHibernate and the Castle Windsor IOC container and was coded using the MS ASP.Net MVC 3 API.
- Wrote Controller actions, created and modified Views, and created and modified the Repository layer, which acted as an interface into the database.
- Wrote code to the specifications of the Architect but was left to implement the specifications at programmer discretion, within the framework of existing application coding conventions and standards.

Worked with SVN for source code control. Project ended upon completion of scheduled work.

Confidential

Developed an HR Employee Directory Intranet application using the ASP.Net API in C#. The application managed employees in both a database and MS Active Directory and allowed searching for employees by name, Date Hired, etc. Updated managed user account information in MS Active Directory through C# code.

- Extensive use of Telerik controls. Designed and implemented the relational database in MS SQL Server 2008.
- Wrote all C# code, all JavaScript/JQuery code, all HTML and all T-SQL for the entire application. Extensive server-side application logic in C#, including limiting which fields could be updated on a company-by-company basis.
- Was the only programmer on the entire application life-cycle and saw the project through from inception to installation. Responsible for all application tiers, from HTML/JavaScript/JQuery and CSS on the front end, to business rules in C# in the middle tier, to all Stored Procedures/T-SQL on the back-end data repository tier.

Environment: ASP.Net 3.5 Web Forms, C#, T-SQL, MS-SQL Server 2008, JavaScript/JQuery, HTML, CSS

Nimbus, EMR, LLLP. - St. Louis, MO, June 2011 to June 2012, Sr. Engineer

Worked on Nimbus' flagship product, an Electronic Health Record, using Silverlight, C#, LINQ to Entity Framework and RIA Services. Coded many application features and enhancements, including the Diabetic Monitoring Screen, Daily Activity Report and others, using XAML and C#. Responsible for implementation of architectural designs, initial testing and requirements gathering. Worked closely with product shareholders throughout the process of design and implementation of system features. Wrote several back-end RIA Services in C# to retrieve data from the SQL Server database. Extensive use of XAML for Silverlight UI design and implementation. Took mock-ups of UI specs and translated them into working UI implementations according to specification requirements. Extensive use of LINQ to Entity Framework.

Environment: Microsoft C#, .Net 3.5, Silverlight, XAML, HTML, RIA Services, LINQ to Entity Framework, SQL Server, Visual Studio 2010, SQL.

Confidential

Engineer Consultant. Lead Developer and QA Engineer for the CUSIP Reach App, which coordinated the transmission of Financial Certificates from Stifel clients to Standard & Poor's in New York for clearance and verification.

- Designed, implemented and tested all aspects of the application.
- Participated in use case design, unit testing and functional testing of the application from development to release.

Coded enhancements and tested functionality of the SN Dashboard application, which tracked and presented financial services data to end users. Participated in the creation of new functionality, enhancement of existing functionality and full, round-trip testing of the application before deployment to end users. Developed the Acuity PnL Report for online viewing using the ASP.Net API, T-SQL and C#. Developed a SharePoint Web Part control to access approved users for secure document viewing.

Environment: Microsoft C#, .Net 3.5, T-SQL, HTML, CSS, JavaScript, SQL Server 2008, Visual Studio 2010, ASP.Net 3.5, SharePoint 2010

Confidential

Engineer Consultant. Lead Developer for the Data Management Administration Tool Upgrade and Enhancement project.

- Responsible for all functional code re-writes, additions and ameliorations to the existing application suite code base.
- Wrote all C# code for the suite of web-based applications that comprise the Data Management Admin Tool for this series of fixes and functional enhancements.

Wrote the Functional System Design specification in conjunction with the Technical Lead.

- Responsible for the final version's full text, with approval by the Tech Lead.
- Worked with the Architectural Reviewer to confirm the system design prior to implementation.

Wrote a functional enhancement of DMT to allow end users to view and manipulate On Hold Deliveries.

- This required a new user interface in HTML/JavaScript/MS AJAX as well as the code-behind in C#.
- Additionally needed to create a Data Access Class for the new data type.
- Also coded the new Entity to represent the class and the Collection class to contain them, adhering to all previous code and architecture standards in place at Wells/Wachovia.
- Finally, wrote all necessary Oracle SQL for manipulating data in the database, including several joins and transactions.

Acted in close conjunction with the Data Modellers to ensure full database requirements and architectural goals were met to the satisfaction of the applications development team. Managed the software development schedule for the development team internally to keep on track with delivering the software on time and to specification. Fixed numerous bugs and functional issues with the existing application.

- Coded all necessary fixes in C# to the ASP.Net 3.5 specification.

Participated in the migration of the application code base from Microsoft ASP.Net 2.0 to .Net 3.5. Created several custom user controls to satisfy user presentation requirements.

- Controls created in HTML and JavaScript with code-behind in C#.

Environment: Microsoft C#, .Net 3.5, Oracle SQL, HTML, CSS, JavaScript, ASP.Net 3.5

Confidential

Consultant. Responsible for development and implementation of Lanter Automotive Scan Track Software for Ford Detroit, GM Denver and other locations throughout the United States.

- The application consisted of a device tier (handheld wireless scanner) and a web service layer hosted on a PC in the warehouse, sending SOAP/XML over HTTP to a desktop application hosting a MS SQL Server 2008 instance.
- The software tracked automotive parts from distributor to dealer.

Wrote all code in C# for the device layer, including presentation issues, scanning logic (devices were handheld Motorola MC-3090 scanners) and other functionality. Participated in the development of the .Net Web Service to transport data from the handheld device to the desktop application. Responsible for serialization of data on the client device using the .Net XML Namespace. Responsible for maintenance and administration of, and additional development on, the Lanter Delivery Systems/John Deere Web Invoicing application in C# and MS SQL Server 2008. Wrote queries in T-SQL for reporting; created and modified existing stored procedures and views used in the application. Extensive application support and client contact.

Environment: Microsoft C#, .Net 3.5, .Net 3.5 Compact Framework, Windows CE, Windows XP, SQL Server 2008, EntitySpaces, T-SQL, XML, ASP.Net 3.5

Confidential

Software Engineer. Participated in the design, development and implementation of an Enterprise Health Record intranet-based application built on Microsoft ASP.Net 3.0 technologies. Responsible for application user interface development, including JavaScript/DHTML/CSS and AJAX functionality. Coded a C# application which queried LDAP to retrieve manager and user data from Active Directory. Developed all user interface elements in C# .Net as well as the application business logic.

Participated in the design, development and deployment of JDIM and JHIM (Jail Diversion Instant Messenger and Jail Hospital Instant Messenger), web-based applications for Dallas Municipal County.

- The applications used SameTime Chat technology as the underlying messaging service to alert online users about changes in a client's processing status.
- This includes monitoring of jail book-ins for returning clients who may need processing or diversion, as well as managing the care of clients already in the prison or prison hospital system.
- System developed in the Java 5 API in conjunction with IBM SameTime Messaging Software.

Responsible for coding the company's flagship product, Automated Help Bots, in Java 1.2 and the Lotus SameTime APIs, using a chat interface and text-based menus to process patients through the Dallas MetroCare Health System.

- Application was sold to and utilized by 3 main municipalities to track and manage prisoners through healthcare procedures.
- Application tracked patients by categories across numerous data points, including diagnostic axis, medications, SS and patient ID. Handled thousands of patients over 3 main physical locations.
- Application developed in Java 5 using a distributed, layered component model.

Environment: Microsoft C# .Net 2.0 Framework, ASP.Net, Java 5, Lotus SameTime APIs, JavaScript, T-SQL, LotusScript, LDAP, Active Directory, IIS, MS SQL Server 2008, HTML, CSS, Hibernate Framework, Spring Framework, Windows XP.

Confidential

Development and maintenance of the Orbitz Service Adapter (OSA), a web services implementation of the Orbitz.com web site.

- OSA was an XML-over-HTTP application that performed lookup, content, reservation booking and cancelling services for white-label sites such as Lodging.com or Yahoo.com.
- Implemented as a Java RPC-style Web Service.
- Developed the Content Retrieval Application, referred to as the Uber Content Application.
- Written in Java 1.4, it parsed gzipped CSV files, extracted Property Codes and used them to construct URLs, which it then passed to OSA's content service.
- Upon receipt of a reply, it parsed the files into a large gzipped XML file for distribution to clients via caching at an affiliate site.
- This served to reduce traffic on the Orbitz.com main sites.

Fixed numerous issues and contributed to functional enhancements of several applications critical to the ongoing daily operations of the Orbitz.com web site and related properties. Participated in team meetings, helped establish project timelines and contributed Functional Systems Designs on several application upgrades and enhancements. Worked closely with database administrators and developers to write the Oracle SQL necessary for application functionality.

Environment: Java 1.4, Web Services, Hibernate, Spring Framework, HTML, CSS, XML, Linux OS, Shell Scripts, Oracle 8i

Confidential

Participated in the design, development and maintenance of an Enterprise B2C Ecommerce web site using Microsoft .Net technologies, including C#/ASP, MS SQL Server 2000 and the .Net 1.1 Framework. Participated in the implementation of telecommunications software used in conjunction with Microsoft LiveMeeting. Coded all application logic for emulation of user loads during different usage scenarios. The application interfaced with Microsoft LiveMeeting and provided centralized voice meeting capabilities in conjunction with desktop-based software written in Java Swing. The application managed user subscriptions, rights and validation, and permissions management. Extensive use of the Java threading API.

Environment: Microsoft C#, ASP.Net 1.1 Framework, Java 1.4, JavaScript, T-SQL, IIS, MS SQL Server 2000, HTML/DHTML, CSS, Windows 2000.

Confidential

Participated in enhancements of the Card Member Services application for the Discover Financial Services client, using Java and MQSeries as the interface to a legacy application running on AIX.

- Used the MQSeries interface to gain access to services on the AIX-based Cobol application.

Environment: Java 1.4, AIX, Shell Scripts, Oracle 8i
