• As a member of the vendor and application security team within Salesforce Enterprise security I support both internal development efforts as well as assessments of external partners• Perform web and mobile penetration testing using automated and manual tools leveraging the OWASP Web Application Penetration Testing guide• Perform source code reviews for internally developed applications and scripts• Authentication/Authorization reviews for external systems integrating into our internal network• Contractual reviews of security language (focusing on redlines)• On-site security assessments at outsource providers assessing physical security, network security, and endpoint security• Manage and triage externally reported vulnerabilities for our public facing applications• Mentor on boarding employees in Force.com specific and general web application security testing procedures and best practices• Support security awareness with our customers by presenting on security topics and working at the security booth at our Dreamforce conference

• Led of team of 5 contractors performing security test and evaluation (ST&E) against a variety of systems• Acted as a security matter expert for all systems under development ensuring that proper security considerations are taken into account at each step of the software engineering life cycle.• Performed over 30 ST&E technical assessments analyzing the results to provide a risk based security recommendation to the Information System Security Officer (ISSO).• Scanned systems using Tenable Nessus for vulnerabilities and compliance with Defense Information Systems Agency (DISA) Security Technical Implementation Guidance (STIGs) and Center for Information Security (CIS) Benchmarks, manually validating all reported findings.• Analyze source code for ASP.NET, C#, Java, Javascript, ASP.NET, Ruby, Scala, Python, Perl, PHP applications manually and using automated tools such as Fortify, Checkmarx, Brakeman and RATs. • Conducted web application penetration tests using automated and manual tools leveraging the OWASP Web Application Penetration Testing guide.• Assessed and analyzed findings, creating detailed spreadsheets for each assessment with extended information about the finding itself, severity rankings based on the NIST CVSSv2 calculator and remediation recommendations for developers.• Mentored on-boarding team members, providing training in internal ST&E methodology and tool configurations.• Deployed Tenable Security Center: created custom dashboards and reporting templates to provide continuous monitoring support

• Built a sandboxed testing environment to facilitate development, functional and security testing• Deployed a ESXi-based virtual environment consisting of each security tool, as well as virtual machines dedicated to hosting collaboration tools to facilitate information sharing between remote team members during assessments• Enforced secure coding standards by developing secure coding guidance which included input from language-specific security practices as well as SANS TOP 25 and OWASP Top 10• Performed over 20 ST&E engagements against web applications, and COTS products which were tested in a multistage approach focusing on the host, database, network, application, and source code• Leveraged publicly available exploit code from exploit-db or metasploit to demonstrate vulnerabilities uncovered on target systems• Developed java-based application to automate testing and validation by parsing raw output from Nessus, AppDetective, and Fortify into a standard Excel report format.• Obtained and maintained the ATO granted to a application under active development by providing continuous monitoring support and NIST 800-53 control evidence to external auditors• Performed monthly Nessus scans, remediated identified vulnerabilities, audited user accounts, and reviewed system and application logs for signs of malicious activity• Developed custom secure configuration baselines for different version of Linux (Red Hat Linux 5/6, CentOS 5/6, Scientific Linux 5/6, SuSE 10/11, Ubuntu 10.04LTS/12.04LTS, Debian 6) and Mac OS X (10.5/10.6/10.7/10.8) operating systems• Created custom .audit files for use within Tenable Nessus to remotely assess systems against custom baselines, reducing as many false positives to provide actionable findings for auditors• Developed a secure configuration bash script that allowed end users to perform regular self-assessments, and automatically configure their system for compliance

• Prototyped a C# based application store to host mobile applications• Collaborated on the development of a global network security visualization tool which geo-located autonomous systems and provided metadata scraped from spamhaus about the underlying networks