18 years of progressive information technology security consulting services, in the areas of web application vulnerability testing, source code evaluation, security automation (SecDevOps), cloud operations, compliance auditing, and web application programming.
Healthcare Company
- DevSecOps Application Security Engineer, Healthcare Company, Jul 2021 - Present
  Starting, implementing and automating a DevSecOps application security program in an Azure cloud environment utilizing Azure Functions, Logic Apps, and Terraform.
- Information Security Engineer, Wells Fargo, Dec 2018 - Jul 2021, San Francisco, California, US
  Automation Engineer utilizing Python and PowerShell scripts to create workflow for the Qualys suite of tools. Duties include problem solving security engineer issues, automating existing manual processes, script performance enhancement, and implementing DevOps and Agile development processes.
- Senior Application Security Engineer, Ingersoll Rand, Apr 2017 - Nov 2018, Davidson, North Carolina, US
  Duties include selecting, implementing, and operating SAST (Checkmarx, Coverity) and DAST (Netsparker, Qualys WAS, Burp) scanning technologies, CI/CD integration activities, and operation of infrastructure vulnerability scans using Qualys VM.
- Lead Info Security Engineer, TIAA-CREF, Apr 2014 - Apr 2017, New York, NY, US
  Lead Information Security Engineer responsible for conducting in-depth application security vulnerability assessments for new and existing applications via SAST and DAST scanning technologies. Responsible for training developers on the use of static code analysis tools (AppScan Source for Analysis) utilizing monthly developer workshops. Responsible for AppScan Enterprise database table mapping for selective exportation of vulnerability data to third party visualization tools for the production of application security metrics. Other duties include automation of common tasks via PowerShell.
- Senior Security Architect, Delhaize Group, Sep 2011 - Mar 2014, Kobbegem, BE
  Information Security Architect position responsible for conducting in-depth security risk assessments for new and existing applications to identify weaknesses or security exposures. Duties aligned with the OWASP SAMM (Software Assurance Maturity Model) verification step to include design review, code review, and security testing. Specialized in web service / application security utilizing OWASP ASVS (Application Security Verification Standard) in concert with automated IBM AppScan assessments.
- Information Security Specialist, Tennessee Valley Authority, Jul 2011 - Sep 2011, Knoxville, TN, US
  Evaluation and creation of policies, procedures, and technical work instructions for compliance with FISMA and NERC-CIP requirements. Application security evaluation of intranet applications to include governance, risk and compliance (GRC) middleware.
- Contract Security Analyst - ST&E, Oak Ridge National Laboratory, Dec 2010 - Aug 2011, Oak Ridge, TN, US
  Contracted to perform ST&E for C&A of all ORNL unclassified systems utilizing NIST SP 800-53 rev. 3 control framework. Evaluated scientific and nuclear research technology for cyber security compliance and risk to include the nuclear High Flux Isotope Reactor (HFIR) and High Performance Computing.
- Senior Security Analyst, Sti, Jan 2003 - Nov 2010
  Various Tasks, including:
  - Senior Security Analyst (Consultant), Tennessee Valley Authority (TVA), Mar 2009 - Oct 2010
    Served as a Technical Lead for a team of auditors who conducted independent risk assessments, penetration testing, and cyber security assessments utilizing NIST SP 800-53 control framework. Created SSPs and analyzed policies and procedures for compliance with FISMA/C&A requirements. Identified threat/vulnerability pairs and evaluated compliance of management, technical, and operational controls for electric power generation control systems to ensure confidentiality, integrity, and availability of critical applications and infrastructure.
  - Senior Security Analyst (Consultant), Advance America Corporation, May 2007 - Jan 2010
    Review policies, procedures, and guidelines to ensure multi-regulatory compliance. Security control evaluation (gap analysis) using COBIT and ISO 27001 control frameworks. Evaluate compliance with physical security requirements, backup and recovery operation requirements, logical access control requirements, configuration management requirements, audit trail logging and review requirements, security awareness training procedures, SDLC process review and recommendations. Java code review on proprietary financial applications, security testing with Canvas, and change management requirements as each pertains to ITGC of the Sarbanes-Oxley Act and NIST 800 Series FISMA requirements. Mentor other auditors and teach control framework and testing methodologies.
  - Senior Security Analyst (Consultant), Custom Direct, Aug 2008 - Mar 2009
    Translate bank regulatory requirements into business and technical requirements. Develop policies, procedures, standards, and guidelines to meet diverse regulatory requirements. Provide guidance and support to configure hardware and software systems to meet requirements of ISO, GLBA, and PCI compliance under a common GRC framework. Perform security control evaluation (gap analysis) using COBIT, NIST, and ISO 27001 control frameworks. Evaluate compliance with physical security requirements, backup and recovery operation requirements, logical access control requirements, configuration management requirements, audit trail logging and review requirements, security awareness training procedures, SDLC process review and recommendations.
  - Security Analyst (Consultant), NASA Multiple Centers, Jun 2006 - Mar 2009
    Conduct security control evaluation using NIST 800-53 control framework. Mentor other auditors and perform FISMA compliance evaluations. Evaluate compliance of physical security requirements, application security implementation, effectiveness of backup and recovery procedures, effectiveness of logical access control, effectiveness of configuration management, compliance with audit trail logging and review requirements, existence of security awareness training procedures, effectiveness of SDLC management, existence of risk assessment procedures, and other controls related to protecting the confidentiality, integrity and availability of critical applications and infrastructure.
  - Senior Security Analyst (Consultant), National Energy Technology Lab, Oct 2007 - May 2008
    ST&E based upon NIST 800-53A, NIST 800-37, NIST 800-30 and DOE guidelines. Systems evaluated included firewalls, Unix systems, Windows systems, IDS, Mainframe, and proprietary scientific applications. Assisted with creation and testing of COOP. Developed and executed custom UNIX scripts to determine extent of vulnerabilities. Conducted network penetration testing and vulnerability analysis in compliance with NIST 800-53A. Rated findings using risk scale and documented results and recommendations in final Security Assessment Report to allow Authorizing Official to make final approval to operate decision.
  - Security Analyst (Consultant), NOAA, Oct 2005 - Oct 2006
    Performed ST&E testing on various NOAA information systems. Performed analysis of all NIST 800-53 controls by reviewing security policies and procedures, reviewing information security plans, reviewing server configurations, performing vulnerability assessments utilizing tools such as Nessus, Paros Proxy, and Canvas, interviewing information system representatives, and physically reviewing site where information systems reside.
Richard Stevens Education Details
- Colorado State University, Computer Science Major
- Colorado State University, Chemistry
- SANS Technology Institute
- Security Innovation Team Professor Cbts, Information Security Secure Coding
- Cigital Cbt, Information Security Secure Coding
Frequently Asked Questions about Richard Stevens
What company does Richard Stevens work for?
Richard Stevens works for Healthcare Company.
What is Richard Stevens's role at the current company?
Richard Stevens's current role is Secure Development Operations/Application Security Engineer at HealthCare Company.
What is Richard Stevens's email address?
Richard Stevens's email address is ri****@****ref.org
What schools did Richard Stevens attend?
Richard Stevens attended Colorado State University, Colorado State University, SANS Technology Institute, Security Innovation Team Professor Cbts, Cigital Cbt.
What are some of Richard Stevens's interests?
Richard Stevens has interests in Code Review, Secure Software Development Life Cycle, Application Security.
What skills is Richard Stevens known for?
Richard Stevens has skills like Information Security, Vulnerability Assessment, Computer Security, CISSP, Security, Information Security Management, Vulnerability Management, Penetration Testing, Application Security, Risk Assessment, Web Applications, Secure Coding.