Chief Application Security Architect
Current• As Senior Subject Matter Expert (SME) reproduced attack payloads using Burp Suite to demonstrate code vulnerabilities to development team. Worked with lead developers to triage and remediate critical & high issues across IRS web applications. Recommended moving beyond OWASP Top 10 to OWASP ASVS as the overarching proactive control framework to hardened application security.• Instrumental in reducing # of High category vulnerabilities discovered across all application domains by 60%. Metrics captured from security reports provides evidence of reduction: Dec 18, 2017 reported (32 Highs); January 29, 2018 after remediation reported (19 Highs).• Developed a monthly actionable Enterprise Security Finding Report that summarized AppSec vulnerabilities to senior IRS executives. This report captured: actions needed to remediate AppSec flaws that keep reoccurring along with why they’re not being resolved; how were vulnerabilities discovered (i.e. SAST, DAST, threat assessment, code review, or pen test); vulnerability trends, and systems that have the highest number of vulnerabilities. Report also identified the most common security coding mistakes that developers make and the proposed plan to prevent these mistakes.• Led the effort with IRS senior management and executives to mature the AppSec process using OWASP’ Software Application Maturity Model (SAMM). This methodology will create a security culture whereby business units can accurately gauge their existing software security practices and steadily improve their security posture through well-defined iterations. • Primary author of SOP guide for how dynamic application security scans are to be conducted across the IRS apps.• Future plans include incorporating Burp Suite to totally address all the requirements documented in NIST SP 800-53 (Rev. 4) SA-11 and to further verify the security posture of customer’s web apps across 19 OWASP Application Security Verification Security (ASVS) control categories.