Dr. Anthony L. Gottlieb
Las Vegas, NV 89128
*******@*****.***
SUMMARY
. Full lifecycle web application security architect, application security
instructor, Java developer and tester.
. J2EE security: authentication (identity management), authorization
(access management), class loader/verifier, Java2 permission model and
security manager, JCE & JCA, JSSE, JAAS authentication & authorization,
PKE and PKI.
. Professional experience in web application software assurance including
assessments, security requirements capture, threat model construction,
role engineering, secure software design, code review and safe
programming practices in Java/J2EE.
. Trained professional developers in OWASP Top 10 defenses and safe
programming practices in Java.
Platforms: Sun Solaris, HPUX, Linux, Windows
Tools and methods: security requirements capture using SQUARE; artifact
creation of use cases, abuse cases, misuse cases, UML, attack trees and
data flow diagrams; threat modeling employing STRIDE; access control
modeling using RBAC and ABAC; Burp.
Experience
Self-Improvement in application security
04/2012 - Present
. Developing application security courseware
. Developed strategies for training developers in application security
. Writing a book on application security
. Developed an OWASP cheat sheet on JAAS authentication
. Writing Java programs implementing JCE/JCA, SSL and JSSE for PKI
authentication.
. Installed, configured and populated an Apache Directory LDAP server
using the Apache Directory Studio GUI.
. Programmed against the Apache Directory LDAP server in Java in support of
identity and access management.
. Integrated the Apache LDAP API into JAAS login modules.
BAE Systems Inc. 11/2011 - 4/2012
Project Security Architect
. Co-authored software design document (SDD).
. Consulted on RBAC role engineering.
. Integrated RBAC roles into identity management and access control
strategies.
. Trained Java programmers in security code review and security control
implementation in Java.
. Designed application security controls based on the application's threat
model.
. Assembled developer training materials on mitigating and testing OWASP
attacks.
. Developed threat model using STRIDE based on architectural artifacts
and other system specific considerations.
. Coordinated with client security officer to satisfy security
regulatory compliance requirements.
. Designed the implementation of RBAC authorization using Windows
Authorization Manager.
Booz Allen Hamilton 07/2009 - 4/2011
Associate
. Developed partial PKI functionality in Java.
. Consulted on J2EE declarative security in XML.
. Authored sections of the DOD PKI documentation.
. Developed plan to implement the SQUARE security requirements
methodology.
. Developed a sub-plan for integrating STRIDE into the SQUARE methodology.
. Prepared executive presentation on PKE later delivered at a conference.
. Led Java/J2EE security code review for client training class.
. Authored test plan / test cases in Rational TestManager.
. Tested SiteMinder implementation of identity management and access
control strategy.
. Provided customer training and tech support on 2-factor authentication
solution.
STG Inc., U.S. Army Research Laboratories (ARL) 12/2007 - 07/2009
Web Application Security Analyst
. Instructed on the steps used to gather security requirements using the
SQUARE/SQUARE Lite methodologies.
. Instructed on web application authentication mechanisms and RBAC
access control model implementation.
. Instructed on identifying web vulnerabilities (code review) in
Java/J2EE programs.
. Constructed threat model for a web application upon which secure design
and coding decisions were made.
. Conducted web and client/server application security assessments on
numerous applications.
. Designed curriculum and delivered instructor led training in Java &
ColdFusion safe programming practices.
. Authored security requirements SDLC standard operating procedures (SOP)
workflow documentation.
Independent Consultant 10/2006 - 12/2007
Application Security Architect with J2EE Enterprise Security and Oracle
Security
. Consulted on the correct usage of the Java2 permission model.
. Designed security requirements solicitation including questionnaire and
personal interview techniques.
. Retrofitted security into J2EE application after conducting application
security assessment.
. Designed Identity management & fine grained access control strategies
using Oracle JAZN.
. Reviewed current specification for J2EE authentication using LDAP &
Oracle Single Sign-on.
. Implemented delegation using doAsPrivileged & doAs programmatically
and using the run-as XML element declaratively.
Computer Associates 07/2006 - 10/2006
Instructor
. Taught CA internal courses related to IT security.
. Learned the SiteMinder web server security product.
The Sytex Group/Lockheed Martin 04/2004 - 02/2006
Senior Security Research Analyst
. Oversaw development of new information warfare and IT security software
assurance procedures utilizing the J2EE and Java2 security specifications
in support of research in static analysis for security.
. Introduced static analysis techniques to identify software
vulnerabilities.
. Researched new approaches to access and identity management policies
based on current single sign on technology.
. Integrated encryption technologies into J2EE development environment.
. Formed J2EE security policies using both declarative and programmatic
strategies.
. Authored deployment descriptor authorization, login and principal
delegation hints.
. Knowledge of Java class loader & class verifier security responsibilities
and the Java2 permission model and the access-control model including
JAAS for authentication and authorization.
. Vulnerability detection and exploit analysis of server and client side
software.
Pace University 09/2001 - 04/2004
Doctoral Student
. Completed all course work toward doctorate in computing (Agile
development methodologies (XP), Design Patterns, Web Services, Emerging
Technologies, Data Mining, Data Communications & Networking).
. Experience in administering Unix systems such as Solaris, HPUX and Linux
includes dynamic analysis of program behavior with Intrusion Detection
systems.
. Dissertation was in static analysis for security, which attempts to
discover how a program will behave by analyzing the source code; Java in
this case.
Complete Solutions Inc. 1990 - 2001
Principal
. Conception, requirements, design, coding, testing and marketing of a
computer based training software product covering Unix fundamentals.
Over 100,000 lines of C, a 40-module makefile, 500 GUI screens (XView &
Motif), 250 graphically interactive, 67 Fortune 500 customers.
. Developed CBT package hailed as outstanding in the June 1995 issue of Sun
Expert Magazine.
MAJOR CONTRACTS
Barnes & Noble 2000 - 2001
Host based security administrator for UNIX Systems
. Handled all aspects of ensuring security of UNIX (HPUX) servers.
. Supported application development groups.
. Coordinated with senior management regarding UNIX system
administration requirements for all servers, including all security-
related system management components.
. Ensured optimal security for multiple network applications,
including NFS, DNS, TCP/IP.
. Established procedures for implementing production server security,
including Gauntlet firewall, Single Sign-on; increased security
levels of HPUX server farm.
. Prepared the HPUX server farm for Y2K.
AT&T Solutions 1998 - 2000
Project Manager for Unix systems
. Responsible for promoting adoption of AT&T IT solutions to Fortune
500 companies, including UNIX-based IP management, backup/restore
and desktop management services.
. Coordinated closely with internal marketing executives and senior
management of prospective clients to secure status of exclusive
vendor for IT services.
. Managed application and web development server farm of
Sun, HP UNIX servers with Apache web server, and
developed system for evaluating vendor products.
. Successfully chose vendors for IP service offering to AT&T
customers.
SIAC (Securities Industry Automation Corporation) 1996 - 1997
Network Firewall administrator
. Handled comprehensive testing of new technologies for mission-
critical production systems at New York Stock Exchange, with
additional responsibility for providing system administration and
security services to application development groups.
. Installed, configured and tested 1st version of Gauntlet firewall
software, tested password cracking software, ran performance tests
on UNIX Sendmail, and managed disks, backup/restore and system
performance.
Nynex Science & Technology 1994 - 1996
UNIX System Administrator & GUI Programmer
. Fulfilled multiple, simultaneous system administration functions,
including system installations, user and password management, disk
introduction and management, shell scripting and backup/restore.
. Developed dialer and system monitoring component of digital video-
conferencing system.
. Compiled and configured ftp & sftp on Solaris.
Lockheed Information Management Systems 1988 - 1990
System administrator
. Administered distributed inter-state commercial vehicle registration
application.
. Responsible for remote system installation and configuration, remote
backup & restore, scripting and program turnover.
. Implemented remote access programming protocol.
Burroughs/Unisys Corporation 1984 - 1988
Senior Customer Education Instructor
. Taught customer education classes ranging from personal productivity
tools such as word processing and spreadsheets to advanced programming
and system administration.
. Responsible for curriculum development, management of the customer
education computing facilities, development of customized course student
materials and training assessments.
. Selected to teach Burroughs personnel new courses prior to being
available to customers.
. Exercised creativity in developing in-class examples of highly complex or
unintuitive material.
Distinctions
. OWASP Presenter
. Member OWASP Global Education Committee
Clearances
. Top Secret (inactive)
. Secret (inactive)
. IRS
Education
. Pace University, White Plains, NY
o D.P.S. in Computing
o Master of Science in Computer Science
. Tri-State University, Angola, IN
o Bachelor of Science in Management