Devaughn Mckinney

Devaughn Mckinney Email and Phone Number

Security Code Review SME at M&M Technical Services @ M & M TECHNICAL SERVICES, INC
Devaughn Mckinney's Location
Manassas, Virginia, United States
About Devaughn Mckinney

Devaughn Mckinney is a Security Code Review SME at M&M Technical Services at M & M TECHNICAL SERVICES, INC. He possesses expertise in software engineering, systems engineering, Windows Server, network administration, information systems and 15 more skills.

Devaughn Mckinney's Current Company Details
M & M TECHNICAL SERVICES, INC

M & M Technical Services, Inc

Security Code Review SME at M&M Technical Services
Devaughn Mckinney Work Experience Details
  • M & M Technical Services, Inc
    Application Security SME
    M & M Technical Services, Inc Sep 2022 - Present
    Risk Management Branch
    Completed Tasks:
      • Led the code review team tasked with performing code reviews for source code findings within HP Fortify Enterprises.
      • Provided complete administration support for HP Fortify (Enterprise).
      • Integrated scan capabilities and configurations with GitHub repositories using token authentication, triggered by CI pipelines.
      • Provided context and false positive support prior to development team engagement.
      • Developed processes to provide remediation paths with development teams, supporting a streamlined approach to remediation of findings.
      • Consulted with development teams on best known methods and practices for remediation of findings.
      • Conducted brownbag seminars on Fortify capabilities and integration within CI/CD as well as the remediation process.
      • Provided DAST analysis support using HP Web Inspect.
      • Supported monthly scans of authenticated USCIS web application support.
    Major Accomplishments:
      • Successfully stood up a functional code review program designed to assist development teams in moving software security practices further left within the SDLC.
      • Reduced USCIS source code finding technical debt (through analysis and false positive assignments) by over twenty-eight thousand and holding an average of less than one thousand findings needing initial review monthly.
      • Developed a Fortify dashboard within SPLUNK to provide customized visibility to types of vulnerabilities within USCIS’s code base as well as context to application security postures across the division.
  • M & M Technical Services, Inc
    Security Control Assessor (Code Review)
    M & M Technical Services, Inc Sep 2021 - Sep 2022
    Assessments and Classified Operations Branch
    Completed Tasks:
      • Tasked as an application security SME supporting assessments of systems by assessing NIST 800-53 controls relating to application security.
      • Provided static application security testing and analysis using SonarQube and created a mapping of vulnerabilities to NIST 800-53 controls.
      • Provided dynamic application security testing and analysis using Burp Suite and provided consultations on remediation efforts with development teams.
      • Collaborated with CI/CD architect engineers on developing methodologies in providing security gates within CI/CD steps for security scanning tools in support of continuous monitoring and ongoing authorization.
    Major Accomplishments:
      • Developed a USCIS wide false positive remediation process integrating multiple division resources in order to properly track and integrate false positive contexts within scanning tools.
      • Facilitated an initiative to integrate CI/CD gates using results from scanning tools triggered by the CI/CD Pipeline, enabling compliance “at a glance” capabilities while streamlining secure production releases.
    CMASS (continuous monitoring and assessment)
    Completed Tasks:
      • Function as a cybersecurity SME.
      • Provide dynamic application security testing analysis and remediation efforts across USCIS for accredited systems using QUALYS.
      • Work with ISSOs and supporting development team in resolving web application related vulnerabilities by ruling out false positives and providing effective solutions to vulnerabilities.
      • Conduct static code analysis using Semgrep for new third party or commercial software requests within USCIS.
      • Provide analysis support for Primacloud container related vulnerabilities.
      • Conduct ISSO/Development team seminars on third party vulnerabilities and version updates to resolve common third-party vulnerabilities.
  • M & M Technical Services, Inc
    Cyber Security Code Review SME
    M & M Technical Services, Inc Sep 2020 - Sep 2022
    Security Branch
    Completed Tasks:
      • Tasked with continuing Application Development training initiative.
      • Developed and conducted an Appscan/dependency check advanced training course for development teams and project leads. Appscan introduction and application architecture review Application configuration. Resolving build errors and dependency fulfillment. Defining application language, root folder and type. Appscan scanning configuration. Reviewing scan options, scan scope, initial scan results walkthrough Analyzing Scan results. Manual review tactics and processes aligned with the Application Security Development (ASD) Standard Technical Implementation Guideline (STIG) Dependency check overview, initial scan and analysis of results
      • Provided continual SME support to application developments which completed the advanced training.
      • Provided onboarding support to development teams seeking to integrate Appscan within their CI/CD Pipeline.
      • Developed and implemented threat modeling pilot program, which sampled 6 development teams and supporting management through a newly developed threat modeling course.
      • Provided support in implementing a DISA STIG implementation outboarding initiative for development teams.
    Major Accomplishments:
      • Developed accredited Appscan advanced training course, training over eighty development teams.
      • Developed threat model SOP for development teams to implement.
  • M & M Technical Services, Inc
    Security SME Consultant
    M & M Technical Services, Inc Sep 2019 - Sep 2020
    Application Development Branch
    Completed Tasks:
      • Tasked with standing up an application security program used to support application development teams with their application security posture.
      • Developed and conducted a five-session HCL Appscan basic training course designed to train development teams on conducting effective source code scans.
      • Led the capability maturity model initiative which measured the security posture of the target application based on various development SDLC capabilities and security measures applied by the target development team.
      • Developed guidance used to integrate Appscan within CI/CD using security gates.
      • Provided code review SME guidance to development teams with uncommon or complicated findings needing solutions.
    Major Accomplishments:
      • Developed accredited Appscan Basic training course.
      • Developed Capability Maturity Model Initiative to measure development maturity throughout division.
  • M & M Technical Services, Inc
    Source Code Review Lead
    M & M Technical Services, Inc Feb 2018 - Jun 2020
    Security Operations Branch
    Completed Tasks:
      • Led the code review team tasked with performing code reviews for source code findings within HP Fortify Enterprises.
      • Provided complete administration support for HP Fortify (Enterprise).
      • Integrated scan capabilities and configurations with GitHub repositories using token authentication, triggered by CI pipelines.
      • Provided context and false positive support prior to development team engagement.
      • Developed processes to provide remediation paths with development teams, supporting a streamlined approach to remediation of findings.
      • Consulted with development teams on best known methods and practices for remediation of findings.
      • Conducted brownbag seminars on Fortify capabilities and integration within CI/CD as well as the remediation process.
      • Provided DAST analysis support using HP Web Inspect.
      • Supported monthly scans of authenticated USCIS web application support.
    Major Accomplishments:
      • Successfully stood up a functional code review program designed to assist development teams in moving software security practices further left within the SDLC.
      • Reduced USCIS source code finding technical debt (through analysis and false positive assignments) by over twenty-eight thousand and holding an average of less than one thousand findings needing initial review monthly.
      • Developed a Fortify dashboard within SPLUNK to provide customized visibility to types of vulnerabilities within USCIS’s code base as well as context to application security postures across the division.
  • Nes
    Code Review Lead
    Nes Nov 2015 - Feb 2018
    Application Software Security Engineer Lead responsible for performing trend analysis and providing security related recommendations based on the analysis of source code software projects; reviewing and making recommendations to revise the existing software review process; identifying and recommending additional tools that can be leveraged for deeper and more thorough analysis of test targets. Application Development background within a DoD Software Development or Test & Evaluation environment and is expected to champion security review projects to completion. Perform tasks in the key areas of writing applications using the following languages: Java, JavaScript, C/C++, PL/SQL, T-SQL, XML, HTML, JSP, Perl, and CSS. In-depth understanding of the System Development Lifecycle and how Information Assurance integrates into the SDLC. Familiarity with network and system topologies is an absolute must, as troubleshooting problem areas on the fly will be key to remaining on the provided review schedule. Experience with HP Web Inspect and Fortify 360. Detail oriented writing experience to ensure technical verbiage is easy to understand by the layperson. Superior Knowledge of Department of Defense Information Assurance procedures necessary to defending the finding reports. Experience in the Installation and Configuration of various commercial and open source products, including configuration and familiarity of various software assurance and code quality tools like SonarQube, Maven, Eclipse IDE, Java SDK, Windows workstation configuration, Sonar-Runner, and MINGW (including Linux commands and file structure knowledge), grep and other Linux-based search tools, et cetera. Continually analyze vulnerabilities and perform threat analysis in the context of the assigned target and exercise the keen ability to research and rule out false findings.
  • Caci International Inc
    Integration And Release Engineer
    Caci International Inc Oct 2013 - Aug 2015
    Reston, Virginia, US
    This position is responsible for operating as an expert in administrating Windows Server, Active Directory and IIS in several highly-virtualized heterogeneous environments. Perform server administration tasks to ensure optimal uptime for environments and best-practice application and infrastructure implementations. Provide daily support and maintenance of Windows Server 2003 R2 and 2008 R2. Must be accomplished in the areas of Active Directory domain administration, Windows Server, general problem resolution, shell scripting and project support. Create and maintain detailed installation and configuration documentation and architecture diagrams. Retain current knowledge of DoD security and technical guidelines and the organization-specific policies. Provide support for production, test and development environments. After-hours support is required for maintenance, patching, upgrades and unplanned outages. Work closely with vendors, customers, developers and team members to solve complex technical problems. Provide technical expertise and innovation while developing technical solutions and problem solving. Develop and contribute to the organization's process improvement efforts.
  • Skyline Software Systems
    Systems/Software Engineer
    Skyline Software Systems Aug 2011 - Oct 2013
    .NET developer/Systems Engineer position working onsite at their client's location near Fort Belvoir, VA. The developer does both development and maintenance using C#, VB.NET, ASP.NET 3.5, and SQL Server 2005. Systems engineer taking ownership of systems providing support for projects on site. Tasks include but are not limited to: systems integration, software maintenance, hardware maintenance, VM test environment support, product system revision test, approval and release. This position is responsible for working on a number of projects in the geospatial community by supporting intelligence applications.

Devaughn Mckinney Skills

Software Engineering, Systems Engineering, Windows Server, Network Administration, Information Systems, Internet Services, Server Administration, PKI, SSL Certificates, Active Directory, Microsoft SQL Server, IIS, Testing, Software Development, .NET, Software Installation, Architectures, Information Assurance, DoD, Computer Security

Frequently Asked Questions about Devaughn Mckinney

What company does Devaughn Mckinney work for?

Devaughn Mckinney works for M & M Technical Services, Inc.

What is Devaughn Mckinney's role at the current company?

Devaughn Mckinney's current role is Security Code Review SME at M&M Technical Services.

What is Devaughn Mckinney's email address?

Devaughn Mckinney's email address is dm****@****aci.com

What is Devaughn Mckinney's direct phone number?

Devaughn Mckinney's direct phone number is +157120*****

What skills is Devaughn Mckinney known for?

Devaughn Mckinney has skills like Software Engineering, Systems Engineering, Windows Server, Network Administration, Information Systems, Internet Services, Server Administration, PKI, SSL Certificates, Active Directory, Microsoft SQL Server, IIS.
