Security Engineer

Location:
Grapevine, TX
Posted:
May 31, 2016

Mohammed Hleihel

Summary of Qualifications

CISSP-certified and 12 years of experience in the information security field providing security assurance to multi-million dollar government and private projects. Main expertise is in supporting data protection, security assessments, solution evaluations, risk assessments, and vulnerability management plans for in-house, customized, and COTS products.

Education

MS, Information Assurance and Computer Security, Iowa State University, Ames, Iowa, 2008

BS, Computer Engineering, Iowa State University, Ames, Iowa, 2002

Certifications

(ISC)² CISSP

SANS GCIH [Incident Handling]

SANS GWAPT [Web Application Penetration Tester]

EC-Council CHFI [Hacking Forensics Investigator]

Offensive Security (OSCP) and SANS GMOB [Mobile Application Pen Tester] are in progress

Technology

Software

Security-Testing related: Nessus, Qualys (Infrastructure, Web Application), Veracode (Static and Dynamic Scanners), IBM AppScan Source, nmap, Zenmap, Wireshark, ZAP Proxy, Burp Suite, SQLMap, Hydra, W3af, Nikto, TamperData, CookieManager, etc…

Network: IDS/IPS (Sourcefire), WAF (FortiWeb), and SIEM (ArcSight, LogRhythm)

Operating Systems: Microsoft Platform; Kali, Ubuntu (Linux)

Programming Languages: .NET Suite (C#, VB), Java; Python, JavaScript

Governance and frameworks

ISO 27001, ISO 27005, NIST SP 800-53

OWASP (Testing Guide V3), SAMM, OCTAVE

Language / fluency

English, Arabic

Citizenship

United States

Experience

Mary Kay Inc.

Information Security Architect December 2014 – Present

Defined and executed the Application Security Program at Mary Kay Inc., a multinational company with presence in 37 world markets

Reported directly to the Global Information Security Manager (CISO)

Built security policies, standards, procedures, and guidelines to support the security governance program

Established the Secure Project Procedure to ensure security-gap coverage and PMO alignment

Partnered with local and international business teams from China, Russia, and Latin America to conduct comprehensive risk assessment and remediation plans for discovered vulnerabilities

Led in-house and 3rd-party solution security architecture assessments

Security-audited and architected the ongoing move of Mary Kay Inc. eCommerce applications, responsible for $4 Billion in annual revenue, into the AWS Cloud

Founded the Secure SDLC Process by:

Outlining the company strategy to securing software applications

Defining unified software development methodology, practices, and key indicators of success

Collaborating with development teams to define project gates/checkpoints

Defining the proper security metrics to gauge success

Establishing a continuous ISO 27001-based, risk-reduction improvement cycle of Plan-Do-Check-Act

Provided Penetration testing, Vulnerability Assessment, and Incident Response Support

Tested application software for the OWASP Top 10 and SANS CWE Top 25 security problems

Performed manual and automated penetration testing of web and mobile applications and services to proactively discover risks and tracked discovered vulnerabilities to resolution

Conducted root-cause analysis of security issues and identified corporate-wide solutions to address risks

Educated software developers on secure coding practices and helped in providing security awareness training to company employees

Evaluated and recommended new and emerging security products and technologies

Standardized the security assessment and risk evaluation of in-house and 3rd party applications

Participated in incident handling and response to application-based attacks

Qatar Petroleum (QP)

Information Security System Engineer October 2011 – November 2014

Helped in establishing and executing the Information Security Program in Qatar Petroleum

Built security policies, standards, procedures, and guidelines to initiate security governance within QP

Assessed the security posture of applications and systems utilizing automated and manual approaches

Tested application software for the OWASP Top 10 and SANS CWE Top 25 security problems

Conducted white and black box security testing of software applications utilizing manual and automated tools

Partnered with business and support teams to build risk assessment and remediation plans for discovered security weaknesses

Led 3rd-party solution security architecture assessments and provided feedback on proposed designs

Validated company security requirements in in-house and outsourced applications

Built best-practice checklists and installation baselines for software developers, database administrators, and web server administrators to standardize security across the environment

Served as a member of the company Incident Response team

Co-founded the QP vulnerability management process

Built the QP application vulnerability procedure

Co-built the overall QP vulnerability management procedure that incorporated the mitigation of infrastructure, database, web server, and application security issues

Built automated Qualys WAS scan policies and profiles

Analyzed Qualys-generated (infrastructure and web app scans) security reports

Managed the day-to-day activities of the vulnerability lifecycle

Reported vulnerability management progress and challenges to management

Founded the QP First Responders Forensics Team

Derived technical, logistical, and educational material necessary to establish the forensics team

Built internal team processes and procedures to respond to incidents and to handle forensic evidence

Iowa Secretary of State Office July 2007 – Aug 2011

Information Technology Specialist 5

Provided voter information support for private and State government entities

Performed automated security assessments of the office network using Nessus and Nikto

Audited software applications for the OWASP Top 10 vulnerabilities (automated and manual dynamic testing)

Reported on the environment security vulnerabilities lifecycle

Built the Office Risk Register and reported the results to the Secretary of State

Built .NET software libraries to standardize security frameworks for application development

Monitored firewall logs and managed Citrix user access

Implemented software solutions for the IVoters application using VB.NET, MS SQL, and Oracle

Converted the IVoters application data access layer from Oracle to MS SQL and upgraded the application from .NET 1.1 to the .NET 3.5 framework

Managed a State of Iowa and Google joint project to provide voter address-to-polling place mapping services

Iowa Department of Administrative Services (Network Security Team) April 2004 – July 2007

Information Technology Specialist 3

Assisted Network Security engineers with daily security tasks

Developed scripts to monitor computer processes running on state computers

Performed Java and .NET code reviews of the State web and desktop applications

Audited wireless access points on the State campus using Backtrack

Compiled Snort IDS reports and communicated results to management

Audited guest laptops to enforce State government security policies

Conducted penetration testing against State systems
