Robert Conner

Chief Architect responsible for developing, implementing & maturing Application Security Processes

Location: Washington DC-Baltimore Area, United States
About Robert Conner

Chief Application Security Architect charged with maturing & restructuring Application Security (AppSec) processes into a formal program. Augmented previous AppSec process that was based exclusively on automated security scans. Created new AppSec practice areas that included: Threat Modeling, Risk-Based Security Test Plan, Security Requirements (i.e. OWASP ASVS Controls Selection), and Security Metrics Development. Inserted these new practice areas early in the SDLC. Created the following artifacts to support Application Security Verification Standard (ASVS) Level 1 for Internet-facing applications: Threat Assessment, Software Attack Surface, Data Flow Diagram, Potential Application Attacker Profile (derived from Akamai Attack Pattern Logs), ASVS Playbook, ASVS Scorecard, and ASVS Control Categories. Developed control gates for using WebInspect, AppScan, & Burp in the code review process.

Robert Conner's Current Company Details

IRS Contractor: Chief Architect responsible for developing, implementing & maturing Application Security Processes

Robert Conner Work Experience Details
  • IRS Contractor
    Chief Application Security (AppSec) Architect
    IRS Contractor Dec 2016 - Present
    • As Senior Subject Matter Expert (SME), reproduced attack payloads using Burp Suite to demonstrate code vulnerabilities to the development team. Worked with lead developers to triage and remediate critical & high issues across IRS web applications. Recommended moving beyond OWASP Top 10 to OWASP ASVS as the overarching proactive control framework to harden application security.
    • Instrumental in reducing the number of High category vulnerabilities discovered across all application domains by 60%. Metrics captured from security reports provide evidence of the reduction: Dec 18, 2017 reported 32 Highs; January 29, 2018, after remediation, reported 19 Highs.
    • Developed a monthly actionable Enterprise Security Finding Report that summarized AppSec vulnerabilities for senior IRS executives. This report captured: actions needed to remediate AppSec flaws that keep recurring, along with why they're not being resolved; how vulnerabilities were discovered (i.e. SAST, DAST, threat assessment, code review, or pen test); vulnerability trends; and systems that have the highest number of vulnerabilities. The report also identified the most common security coding mistakes that developers make and the proposed plan to prevent these mistakes.
    • Led the effort with IRS senior management and executives to mature the AppSec process using OWASP's Software Application Maturity Model (SAMM). This methodology will create a security culture whereby business units can accurately gauge their existing software security practices and steadily improve their security posture through well-defined iterations.
    • Primary author of the SOP guide for how dynamic application security scans are to be conducted across IRS apps.
    • Future plans include incorporating Burp Suite to fully address all the requirements documented in NIST SP 800-53 (Rev. 4) SA-11 and to further verify the security posture of customers' web apps across 19 OWASP Application Security Verification Standard (ASVS) control categories.
  • Syneqx, Inc.
    Chief Application Security (AppSec) Architect
    Syneqx, Inc. Jan 2016 - Sep 2016
    TriTech (Chief Application Security Architect) 1/2016 – 9/2016
    Chief Application Security Architect charged with moving the team toward a common vision of application security. Matured & restructured the AppSec process into a formal program. Worked within the Kanban Agile methodology to improve the previous AppSec process, which consisted solely of automated security scans:
    • Developed control gates (i.e. Threat Analysis, S/W Attack Surface Analysis) to formalize the manual code review process.
    • Created new SAMM-based AppSec practice areas (e.g. Metrics, Threat Modeling and Design Review: Risk-Based Security Test Plan).
    • Developed customized attack scripts to pentest web applications using Burp Suite & OWASP Zed Attack Proxy (ZAP); these scripts verified the security status of customers' web apps across 17 OWASP ASVS control categories (which is the industry standard used to validate the security of web applications).
    • Used pentest results to develop a Risk-Based Security Test Plan (i.e. ASVS playbook) so other team testers could reproduce and validate results captured from pentest efforts.
    • Used Burp Suite fuzzing extensions to weaponize payloads to test exposure of clients' websites to zero-day SQL & XSS (code injection) and OS Command Injection attacks.
    • Knowledge and experience applying common penetration testing methodologies (i.e. OWASP Testing Guide and PTES).
    • Decoded and analyzed pen-testing log output from web application firewalls (Akamai), Unix/Windows OS, and network appliances.
    • Developed metrics to assign a scorecard rating to applications in 17 ASVS control categories. This rating allowed application developers and business owners to assess the degree of trust to place in their web applications.
  • Syneqx, Inc. (Consulting For Ehr Client -Confidential)
    Senior Cyber Risk Analyst
    Syneqx, Inc. (Consulting For Ehr Client -Confidential) May 2010 - Jan 2016
    EHR Clients (Confidential) - Cybersecurity Analyst 5/2010 – 10/2011 and 5/2013 - present
    • Assisting several EHR vendors to get products certified under the Medicare and Medicaid EHR "Meaningful Use" Stage 1 and Stage 2 Program. Assisted an EHR vendor while supporting a "primary care provider" in the writing process and the preparation of the package that was submitted on clinical quality measures as specified by the Certification Commission for Health Information Technology (CCHIT). Identified configuration build items that met or surpassed the "Meaningful Use" certification criteria. Assisted the vendor in building EHR environment tables: tables, dictionaries, pharmacy lists, provider lists, etc.
    • Prepared cyber risk assessment and security gap analysis of Internet-facing applications; developed a threat modeling rule engine to help developers "detect" potential vulnerabilities in their code; this activity also contributed to meeting the "Meaningful Use" security compliance mandate.
    • Developed security profiles and trust boundaries to harden and secure application code from threats and vulnerabilities. Enhanced security of the EHR vendor product suite by decomposing the EHR application and developing coding frameworks to guide software developers to incorporate existing security control libraries (i.e. OWASP, Microsoft's Anti-Cross Site Scripting Library) instead of writing their own validation checks.
    • Conducted vulnerability assessments, threat modeling, and remediation of high-risk vulnerabilities for HIPAA accreditation of EHR vendor products. Prepared actionable remediation reports and countermeasures to reduce vulnerabilities in EHR applications and system components.
  • Syneqx, Inc (Contractor To Dept. Of Agriculture)
    Senior Analyst
    Syneqx, Inc (Contractor To Dept. Of Agriculture) Jun 2005 - Sep 2014
    USDA (Dept. of Agriculture), Washington, DC - Senior Analyst 6/2005 – 09/2014
    • Provided Subject Matter Expertise for the Continuity of Operations Plan (COOP) for the Dept. of Agriculture. Conducted a comprehensive Gap Analysis and Business Impact Analysis (BIA) of the existing COOP Plan to identify areas of deficiency as compared to Federal Continuity Directives 1 & 2.
    • Analyzed and mapped business processes and data flows, gap analysis, system conversions, customization and user acceptance testing to verify proper functioning of key components of various applications.
    • Developed kickoff presentations and storyboards; modeled and documented ("As-Is") workflow and ("To-Be") business processes.
    • Developed UML diagrams to document business processes and workflows using MS Visio.
  • Syneqx, Inc. (Consult To Wmata Client)
    Cybersecurity Compliance Analyst
    Syneqx, Inc. (Consult To Wmata Client) Oct 2011 - Apr 2013
    Washington Metro Area Transit Authority (WMATA), DC - Cybersecurity Compliance 10/2011 – 4/2013
    • Provided leadership in security risk assessments, continuous monitoring and compliance strategy in support of governance processes and initiatives.
    • Worked as project lead to implement a PCI DSS (Payment Card Industry Digital Security Standard System) to secure cardholder data inside a secure environment. Used the Cybersecurity Capability Maturity Model (C2M2) to develop protected domains. Created technical & policy narrative and architectural diagrams of the Cardholder Data Environment (CDE).
    • Developed a Concept-of-Operations plan to satisfy the auditor's request to expand the number of detection and prevention controls (i.e. NIST 800-53a control mechanisms) for protecting SCADA devices and the CDE.
    • Configured and ran vulnerability scans. Performed risk assessments and audited the agency's web applications for PCI DSS compliance running on HTML, ASP.NET, J2EE, Oracle, Crystal Reports and SQL environments. Checked for data leakage, firewall misconfiguration, and encryption methods for secure transmission of data. Hardened DNS servers, web/mail gateway servers and other services in the Internet-facing DMZ.
  • Syneqx, Inc.
    Senior Business Process Analyst
    Syneqx, Inc. May 2008 - Apr 2010
    Baltimore County Government, Baltimore, MD - Business Analyst/Technical Project Manager 5/2008 – 4/2010
    • Led an agile development effort to streamline business processes and replace disparate Microsoft Access databases with a centralized database view of information based on property location within the Department of Environmental Protection and Resource Management (DEPRM).
    • Built a model of the existing DEPRM process ("As-Is"). Identified all business areas and data inputs/outputs required to implement the business process. Built a model of the proposed improved DEPRM business process ("To-Be"); presented recommendations to executive and senior management.
    • Led and performed JAD sessions to develop consensus on requirements between disparate business units and internal and external stakeholders impacted by the process redesign.
    • Developed functional and system requirements documents, screen mock-ups, use cases, a requirements traceability matrix, and data conversion and interface control documents. Documented, then consolidated and streamlined business process flows, resulting in a reduction in manual effort and an increase in data availability.
  • Synex Inc.
    Technical Contract Manager/Principal System Architect
    Synex Inc. Mar 2000 - Jun 2005
    Whitby, Ontario, Ca
    Synex, Inc., Multiple Locations in US (Clients: IBM, Air Force, US Army) Principal Architect 03/2000 – 6/2005
    • Coded C++ and JavaScript modules used to connect to the Lotus Domino Workflow Engine (3.x, 4.x) to develop a web application that automated access to case records & client tracking statistics, retrieving data from a backend MS SQL Server database.
    • Migrated web applications from WebSphere 5.x to 6.x. Installed WebSphere Portal 6.x and WebSphere Application Server. Developed workflow scripts and set up replication schedules between multiple Domino servers. Performed ST&E/penetration testing on network infrastructure to determine if security controls were appropriate and effective.
    • Provided technical management and guidance to develop and integrate IBM Web Portal/Lotus Domino knowledge solutions for multiple financial programs. Established a collaboration link between 200+ members of the Air Force budget and finance staff at the Pentagon using Lotus Notes/Domino to facilitate real-time workflow among multiple financial analysts. Also responsible for developing a comprehensive security infrastructure (i.e. token-based authentication, vulnerability management).
    • Designed segmented networks to protect sensitive internal Windows database servers for the Military District of Washington. Used "nmap" and "eEye's Retina" to conduct vulnerability assessment and penetration testing on network infrastructure to determine if security controls were effective on the new network supporting the migration of 1200+ users from UNIX to Windows servers.
    • Constructed a pilot system and developed an implementation plan for migrating 50,000+ users of U.S. courts from Novell e-mail and assorted e-mail systems to Lotus Domino and QuickPlace.

Robert Conner Education Details

  • University Of Maryland Global Campus
    Cybersecurity & Digital Forensics

Frequently Asked Questions about Robert Conner

What company does Robert Conner work for?

Robert Conner works for Irs Contractor

What is Robert Conner's role at the current company?

Robert Conner's current role is Chief Architect responsible for developing, implementing & maturing Application Security Processes.

What schools did Robert Conner attend?

Robert Conner attended University Of Maryland Global Campus.
