Mohammed Hleihel
Summary of Qualifications
CISSP-certified, with 12 years of experience in the information security field providing security assurance to multi-million dollar government and private projects. Main expertise is in supporting data protection, security assessments, solution evaluations, risk assessments, and vulnerability management plans for in-house, customized, and COTS products.
Education
MS, Information Assurance and Computer Security, Iowa State University, Ames, Iowa, 2008
BS, Computer Engineering, Iowa State University, Ames, Iowa, 2002
Certifications
(ISC)² CISSP
SANS GCIH [Incident Handling]
SANS GWAPT [Web Application Penetration Tester]
EC-Council CHFI [Hacking Forensics Investigator]
Offensive Security (OSCP) and SANS GMOB [Mobile Application Pen Tester] are in progress
Technology
Software
Security-Testing related: Nessus, Qualys (Infrastructure, Web Application), Veracode (Static and Dynamic Scanners), IBM AppScan Source, nmap, Zenmap, Wireshark, ZAP Proxy, Burp Suite, SQLMap, Hydra, W3af, Nikto, TamperData, CookieManager, etc…
Network: IDS/IPS (Sourcefire), WAF (FortiWeb), and SIEM (ArcSight, LogRhythm)
Operating Systems: Microsoft Platform; Kali, Ubuntu (Linux)
Programming Languages: .NET Suite (C#, VB), Java; Python, JavaScript
Governance and frameworks
ISO 27001, ISO 27005, NIST SP 800-53
OWASP (Testing Guide V3), SAMM, OCTAVE
Language / fluency
English, Arabic
Citizenship
United States
Experience
Mary Kay Inc.
Information Security Architect December 2014 – Present
Defined and executed the Application Security Program at Mary Kay Inc., a multinational company with a presence in 37 world markets
Reported directly to the Global Information Security Manager (CISO)
Built security policies, standards, procedures, and guidelines to support the security governance program
Established the Secure Project Procedure to ensure security-gap coverage and PMO alignment
Partnered with local and international business teams from China, Russia, and Latin America to conduct comprehensive risk assessment and remediation plans for discovered vulnerabilities
Led in-house and 3rd-party solution security architecture assessments
Security-audited and architected the ongoing move of Mary Kay Inc. eCommerce applications, responsible for $4 Billion in annual revenue, into the AWS Cloud
Founded the Secure SDLC Process by:
Outlining the company strategy for securing software applications
Defining unified software development methodology, practices, and key indicators of success
Collaborating with development teams to define project gates/checkpoints
Defining the proper security metrics to gauge success
Establishing a continuous ISO 27001-based, risk-reduction improvement cycle of Plan-Do-Check-Act
Provided Penetration testing, Vulnerability Assessment, and Incident Response Support
Tested application software for the OWASP Top 10 and SANS CWE Top 25 security problems
Performed manual and automated penetration testing of web and mobile applications and services to proactively discover risks and tracked discovered vulnerabilities to resolution
Conducted root-cause analysis of security issues and identified corporate-wide solutions to address risks
Educated software developers on secure coding practices and helped provide security awareness training to company employees
Evaluated and recommended new and emerging security products and technologies
Standardized the security assessment and risk evaluation of in-house and 3rd party applications
Participated in incident handling and response to application-based attacks
Qatar Petroleum (QP)
Information Security System Engineer October 2011 – November 2014
Helped establish and execute the Information Security Program at Qatar Petroleum
Built security policies, standards, procedures, and guidelines to initiate security governance within QP
Assessed the security posture of applications and systems utilizing automated and manual approaches
Tested application software for the OWASP Top 10 and SANS CWE Top 25 security problems
Conducted white and black box security testing of software applications utilizing manual and automated tools
Partnered with business and support teams to build risk assessment and remediation plans for discovered security weaknesses
Led 3rd-party solution security architecture assessments and provided feedback on proposed designs
Validated company security requirements in in-house and outsourced applications
Built best-practice checklists and installation baselines for software developers, database administrators, and web server administrators to standardize security across the environment
Served as a member of the company Incident Response team
Co-founded the QP vulnerability management process
Built the QP application vulnerability procedure
Co-built the overall QP vulnerability management procedure that incorporated the mitigation of infrastructure, database, web server, and application security issues
Built automated Qualys WAS scan policies and profiles
Analyzed Qualys-generated (infrastructure and web app scans) security reports
Managed the day-to-day activities of the vulnerability lifecycle
Reported vulnerability management progress and challenges to management
Founded the QP First Responders Forensics Team
Derived technical, logistical, and educational material necessary to establish the forensics team
Built internal team processes and procedures to respond to incidents and to handle forensic evidence
Iowa Secretary of State Office
Information Technology Specialist 5 July 2007 – August 2011
Provided voter information support for private and State government entities
Performed automated security assessments of the office network using Nessus and Nikto
Audited software applications for the OWASP Top 10 vulnerabilities (automated and manual dynamic testing)
Reported on the environment security vulnerabilities lifecycle
Built the Office Risk Register and reported the results to the Secretary of State
Built .NET software libraries to standardize security frameworks for application development
Monitored firewall logs and managed Citrix user access
Implemented software solutions for the IVoters application using VB.NET, MS SQL, and Oracle
Converted the IVoters application data access layer from Oracle to MS SQL and upgraded the application from .NET 1.1 to the .NET 3.5 framework
Managed a State of Iowa and Google joint project to provide voter address-to-polling place mapping services
Iowa Department of Administrative Services (Network Security Team)
Information Technology Specialist 3 April 2004 – July 2007
Assisted Network Security engineers with daily security tasks
Developed scripts to monitor computer processes running on state computers
Performed Java and .NET code reviews of the State web and desktop applications
Audited wireless access points on the State campus using BackTrack
Compiled Snort IDS reports and communicated results to management
Audited guest laptops to enforce State government security policies
Conducted penetration testing against State systems