Robert Conner Email and Phone Number
Chief Application Security Architect charged with maturing and restructuring Application Security (AppSec) processes into a formal program. Augmented the previous AppSec process, which was based exclusively on automated security scans. Created new AppSec practice areas that included: Threat Modeling, Risk-Based Security Test Plan, Security Requirements (i.e. OWASP ASVS Controls Selection), and Security Metrics Development. Inserted these new practice areas early in the SDLC. Created the following artifacts to support Application Security Verification Standard (ASVS) Level 1 for Internet-facing applications: Threat Assessment, Software Attack Surface, Data Flow Diagram, Potential Application Attacker Profile (derived from Akamai Attack Pattern Logs), ASVS Playbook, ASVS Scorecard, and ASVS Control Categories. Developed control gates for using WebInspect, AppScan, and Burp in the code review process.
Iq-Cyber, Inc.
Website: iq-cyber.org
Chief Application Security Architect, Iq-Cyber, Inc. (Dec 2016 - Present)
• As Senior Subject Matter Expert (SME), reproduced attack payloads using Burp Suite to demonstrate code vulnerabilities to the development team. Worked with lead developers to triage and remediate critical and high issues across IRS web applications. Recommended moving beyond the OWASP Top 10 to OWASP ASVS as the overarching proactive control framework to harden application security.
• Instrumental in reducing the number of High-category vulnerabilities discovered across all application domains by 60%. Metrics captured from security reports provide evidence of the reduction: the Dec 18, 2017 report listed 32 Highs; the January 29, 2018 report, after remediation, listed 19 Highs.
• Developed a monthly actionable Enterprise Security Finding Report that summarized AppSec vulnerabilities for senior IRS executives. The report captured: actions needed to remediate AppSec flaws that keep recurring, along with why they are not being resolved; how vulnerabilities were discovered (i.e. SAST, DAST, threat assessment, code review, or pen test); vulnerability trends; and the systems with the highest number of vulnerabilities. The report also identified the most common security coding mistakes developers make and the proposed plan to prevent them.
• Led the effort with IRS senior management and executives to mature the AppSec process using OWASP’s Software Application Maturity Model (SAMM). This methodology creates a security culture whereby business units can accurately gauge their existing software security practices and steadily improve their security posture through well-defined iterations.
• Primary author of the SOP guide for how dynamic application security scans are to be conducted across IRS apps.
• Future plans include using Burp Suite to fully address the requirements documented in NIST SP 800-53 (Rev. 4) SA-11 and to further verify the security posture of customers’ web apps across 19 OWASP Application Security Verification Standard (ASVS) control categories.
Chief Application Security (AppSec) Architect, Syneqx, Inc. & TriTech, Inc. (Jan 2016 - Sep 2016)
TriTech (Chief Application Security Architect) 1/2016 - 10/2016
Chief Application Security Architect charged with maturing and restructuring the AppSec process into a formal program. Improved the previous AppSec process, which consisted solely of automated security scans:
• Developed control gates (i.e. Threat Analysis, S/W Attack Surface Analysis) to formalize the manual code review process.
• Created new SAMM-based AppSec practice areas (e.g. Metrics, Threat Modeling and Design Review: Risk-Based Security Test Plan).
• Developed customized attack scripts to pentest web applications using Burp Suite and OWASP ZAP (Zed Attack Proxy); these scripts verified ASVS control requirements (the industry standard used to validate the security of web applications).
• Used pentest results to develop a Risk-Based Security Test Plan (i.e. ASVS playbook) so other team testers could reproduce and validate the results captured from pentest efforts.
• Developed a Risk Heat Map using attack patterns captured from Akamai (WAF) logs.
• Developed metrics to assign a scorecard rating to applications in 17 ASVS control categories. This rating allowed application developers and business owners to assess the degree of trust to place in their web applications.
EHR Client (Confidential) - Cybersecurity Architect 5/2010 – 10/2011 and 5/2013 - present
• Assisted EHR vendor in getting products certified under the Medicare and Medicaid EHR “Meaningful Use” Stage 2. Prepared a gap analysis of the software development process to instill practices that remediated security defects in developed code to satisfy the “Meaningful Use” security compliance mandate.
• Enhanced security of the vendor product suite by decomposing the EHR application and developing coding frameworks that guide software developers to use existing security control libraries rather than writing their own validation checks.
• Conducted vulnerability assessments, threat modeling, and remediation of high-risk vulnerabilities for HIPAA accreditation of EHR vendor products.
-
Senior Cyber Risk Analyst, Syneqx, Inc. (Consulting to EHR Client - Confidential) (May 2010 - Jan 2016)
EHR Clients (Confidential) - Cybersecurity Analyst 5/2010 – 10/2011 and 5/2013 - present
• Assisting several EHR vendors in getting products certified under the Medicare and Medicaid EHR “Meaningful Use” Stage 1 and Stage 2 Program. Assisted an EHR vendor, while supporting a “primary care provider”, in writing and preparing the package submitted on clinical quality measures as specified by the Certification Commission for Health Information Technology (CCHIT). Identified configuration build items that met or surpassed the “Meaningful Use” certification criteria. Assisted the vendor in building EHR environment tables: tables, dictionaries, pharmacy lists, provider lists, etc.
• Prepared a cyber risk assessment and security gap analysis of Internet-facing applications; developed a threat modeling rule engine to help developers “detect” potential vulnerabilities in their code. This activity also contributed to meeting the “Meaningful Use” security compliance mandate.
• Developed security profiles and trust boundaries to harden and secure application code against threats and vulnerabilities. Enhanced security of the EHR vendor product suite by decomposing the EHR application and developing coding frameworks that guide software developers to use existing security control libraries (i.e. OWASP, Microsoft's Anti-Cross Site Scripting Library) instead of writing their own validation checks.
• Conducted vulnerability assessments, threat modeling, and remediation of high-risk vulnerabilities for HIPAA accreditation of EHR vendor products. Prepared actionable remediation reports and countermeasures to reduce vulnerabilities in EHR applications and system components.
-
Senior Analyst, Syneqx, Inc. (Contractor to Dept. of Agriculture) (Jun 2005 - Sep 2014)
• Provided Subject Matter Expertise for the Continuity of Operations Plan (COOP) for the Dept. of Agriculture. Conducted a comprehensive Gap Analysis and Business Impact Analysis (BIA) of the existing COOP Plan to identify deficiencies as compared to Federal Continuity Directives 1 & 2.
• Analyzed and mapped business processes and data flows; performed gap analysis, system conversions, customization, and user acceptance testing to verify proper functioning of key components of various applications.
• Developed kickoff presentations and storyboards; modeled and documented (“As-Is”) workflows and (“To-Be”) business processes.
• Developed UML diagrams to document business processes and workflows using MS Visio.
• Provided training and technical guidance to less senior staff, where appropriate, and served as point of contact for problem resolution.
-
Cybersecurity Compliance Analyst, Syneqx, Inc. (Consulting to WMATA Client) (Oct 2011 - Apr 2013)
• In preparation for a PCI audit, created the policy narrative, endpoint architecture, and data flow diagrams of the Cardholder Data Environment (CDE).
• Developed a Concept-of-Operations plan to satisfy the auditor’s request to expand the number of detection and prevention controls (i.e. NIST 800-53A control mechanisms) for protecting SCADA devices and the CDE.
• Defined and established the system hardening baseline during the acquisition phase of planned systems. Communicated governance and established the policies used to generate custom rules for system scans, application scans, and vulnerability scans to patch weaknesses on the agency’s systems.
-
Senior Business Process Analyst, Syneqx, Inc. (May 2008 - Apr 2010)
Baltimore County Government - Business Analyst/Project Manager 5/2008 – 4/2010
• Led an agile development effort to streamline business processes and replace disparate Microsoft Access databases with a centralized Oracle database view of information based on property location within the Department of Environmental Protection and Resource Management (DEPRM).
• Built workflows of existing DEPRM processes using (“As-Is”) and (“To-Be”) models. Identified all business areas and data inputs/outputs required to implement the business process.
• Led and performed JAD sessions to develop consensus on requirements between disparate business units and the internal and external stakeholders impacted by the process redesign.
• Developed functional and system requirements documents, screen mock-ups, use cases, a requirements traceability matrix, and data conversion and interface control documents. Documented, then consolidated and streamlined business process flows, reducing manual effort and increasing data availability.
• Developed project timelines and projected costs of labor and system resources needed to replace existing DEPRM databases with an integrated Oracle-based system.
• Performed project audits and business process reengineering, coordinating resources to resolve critical issues.
• Contributed to the development of best SDLC practices for the business analysis and technical writing team. Played a key role in planning, user acceptance testing (UAT), and implementing system enhancements and conversions. Developed implementation strategies and schedules to meet project deadlines.
• Prepared roll-up/drill-down reports that deliver actionable information to key stakeholders.
-
Technical Program Manager/Principal Architect, Synex, Inc. (Clients: IBM, Air Force, US Army) (Mar 2000 - Jun 2005)
• Improved case tracking by developing an enterprise web application that automated access to case records and client tracking statistics. Developed JavaScript for the Lotus Domino Workflow Engine (3.x, 4.x) to retrieve data from a backend MS SQL Server database.
• Interacted with stakeholders to review requirements documents, develop system design documents, and review GUI mock-ups for customization of application screens.
• Migrated web applications from WebSphere 5.x to 6.x. Installed WebSphere Portal 6.x and WebSphere Application Server. Developed workflow scripts and set up replication schedules between multiple Domino servers. Performed ST&E/penetration testing on the network infrastructure to determine whether security controls were appropriate and effective.
• Redesigned business processes to streamline management of Air Force budget financial resources, as well as to enhance decision-making and increase the accuracy and flow of information in response to executive and congressional queries. Established a collaboration link between 200+ members of the Air Force budget and finance staff at the Pentagon using Lotus Notes/Domino to facilitate real-time workflow among multiple financial analysts. Also responsible for developing a comprehensive security infrastructure (i.e. token-based authentication, vulnerability management).
• Designed segmented networks to protect sensitive internal Windows database servers for the Military District of Washington. Used “nmap” and “eEye’s Retina” to conduct vulnerability assessment and penetration testing on the network infrastructure to determine whether security controls were effective on the new network supporting the migration of 1200+ users from UNIX to Windows servers.
• Constructed a pilot system and developed an implementation plan for migrating 50,000+ users of the U.S. courts from Novell e-mail and assorted e-mail systems to Lotus Domino and QuickPlace.
Robert Conner Education Details
-
University of Maryland, UMUC: Cybersecurity & Digital Forensics
Frequently Asked Questions about Robert Conner
What company does Robert Conner work for?
Robert Conner works for Iq-Cyber, Inc.
What is Robert Conner's role at the current company?
Robert Conner's current role is Chief Application Security Architect, responsible for maturing and restructuring AppSec processes into a formal program.
What schools did Robert Conner attend?
Robert Conner attended University of Maryland, UMUC.