SUMMARY: I am a motivated information security professional and researcher with over 10 years of professional security experience. Throughout my career, working in federal government, consulting and retail, I have gained experience with application security, security architecture design, vulnerability management, risk assessments and penetration testing. I am proficient in security frameworks and regulations as PCI, SOX, GLBA, HIPAA, COBIT and NIST. I am a motivated and passionate professional seeking an information security position with professional growth opportunities.

WORK EXPERIENCE:

confidential

• Lead Penetration Tester of the National Incident Response Team
• Active U.S. Government Security Clearance
• Act as a national security subject matter expert t all 12 Federal Reserve Banks and the United States Treasury
• Manage and conduct vulnerability assessments, penetration tests and risk assessments for the Federal Reserve System and United States Treasury
• Manage all client-related aspects of engagements including communicating risks and solutions through presentations and reports
• Create threat models and use them t develop plans for assessment and testing
• Participate on various Federal Reserve System workgroups analyzing new technology risks and designing new security solutions
• Present new security solutions t senior executives
• Develop whitepapers regarding latest security topics and share findings with the team
• Lead team members in vulnerability analysis, testing techniques, career paths and hiring
• Identify and implement improvements t processes and methodologies

confidential

Application Security Consultant, Contract

• Performed and managed GLBA, SOX, and PCI application risk assessments and penetration tests:
• Assessed applications against compliance requirements, determined threat vectors and quantified risk
• Performed manual testing for common vulnerabilities such as SQL Injections, Cross-Site Scripting and other OWASP top ten vulnerabilities
• Assessed application design and architecture for potential security flaws Worked with development teams on proper remediation strategies
• oProvided risk ratings and rolled up reports for upper management
• Consulted on the strategic direction of application security within the enterprise:
• Provided technical leadership and analysis t application owners t ensure security best practices and regulation compliance occur during design, development and
• implementation stages
• Created internal security service offering methodologies penetration testing, application security assessment
• Determined best approach for embedding security int all phases of the SDLC
• Created and maintained security policy and position papers:
• Wrote document outlining secure coding guidelines and secure code inspection for developers
• Proposed security solutions, advised developers on necessary steps t bring applications int compliance and resolved security audit findings
• Wrote security design documents on technologies and their secure implementation encryption, web services

confidential

Information Security Technical Analyst

• Performed application assessments, penetration tests and code reviews for pre and post production environments
• Performed root cause analysis t correlate multiple technical vulnerabilities int non-technical, management terms
• Tracked identified vulnerabilities t assure resolution
• Developed and executed enterprise security controls IDS, ESM, Internet Filtering, and Vulnerability Management systems
• Implemented application firewall and managed WAF rules for enterprise e-commerce applications
• Assisted in annual PCI and SOX audits
• Developed and implemented security checks t the software development life cycle
• Developed secure coding awareness and practices through presentations and learning groups
• Participated in system design reviews t ensure security
• Administered and enforced corporate security policies and procedures based on COBIT and ITIL
• Advised in security software and hardware evaluations and acquisitions
• Implemented Tw Factor Authentication for corporate remote access
• Implemented corporate PKI
• Configured and managed inline spam filtering appliances
• Implemented a load balanced, fully redundant internet proxy clusters that serve 1200 stores and 5000 corporate office users
• Participated in Security Privacy board and Enterprise Architecture board

confidential

Information Systems Technician

• Supported corporate network, hardware and software
• Tested security patches before implementation
• Provided incident response for security related events
• Developed and secured corporate images
• Projects: Participated in incident security response team, helped lock down corporate desktop with group policy and automated desktop build process

SYSTEMS PROFICIENCY:

• Training/Certifications: A , ACSA, Visa PCI training, Senspost Ethical Hacking, Foundstone Web App. Security, Blackhat, Defcon, CanSecWest, SANS Advanced Exploit Development
• Operating Systems: Windows, AIX, Solaris, Red Hat, Debian, Gentoo, OS X, iOS
• Languages: C , Visual Basic, HTML, Java, Java Script, SQL, ASP.NET, PHP, Perl, Python
• Software: Nessus, Nmap, Snort, Nikto, Netcat, Webinspect, AppScan, Burp, SQLmap, Nipper, Core Impact, Metasploit, Canvas, Kismet, Scapy, Hashcat, IDA Pro, WireShark, Ettercap, Ollydbg, Immunity Debugger

IACRB

• Certified Expert Penetration Tester CEPT - 2008
• Certified Application Security Specialist CASS - 2008