Security Analyst Information

Location: Laurel, MD

Posted: March 20, 2024

Resume:

Kwesi Asiedu

Active IRS MBI Clearance, TS/SCI in progress for the last 6 months.

Professional Overview

Solutions-focused and analytical IT and security expert offering extensive experience steering cybersecurity administration, security optimization, and risk management. Twelve (12) years of experience in the IT industry and 8+ years of experience performing Web application, Mobile, API, and Networking penetration testing and security assessments. I perform DAST and SAST testing and analyses of web and mobile applications. I perform internal/external network security testing, red teaming, and API security testing. Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, HTTP Flooding, SSRF, XXE, CORS, JWT attacks, Authentication bypass, Weak Cryptography, Authentication flaws, etc. Experienced with penetration testing tools Metasploit, Burp Suite, Nmap, etc. Possess the ability to define and develop processes, policies, and procedures and establish best practices to support security governance and compliance with regulatory requirements and standards.

Professional Experience

Technical Lead: Cyber Security & Penetration Tester 07/2023 – Present

eTelligent Group LLC

Provided strategic direction for application and network penetration testing teams to develop growth of the services solution and manage client engagements.

Conducted Risk assessments and Analysis of the various clouds and the data center environments to ensure all data and information are secured and safe.

Conducted Dynamic and Static Application Security Testing (SAST & DAST) using Veracode, Burp Suite, Manual Techniques, AppScan, ZAP, Acunetix, Netsparker, Checkmarx, Contrast Scan, and many more.

Performed vulnerability assessment and penetration testing on Networks and Applications.

Performed REST API and mobile testing using Postman, Katalon Studio, JMeter, Appium, MobSF, Burp Suite, and Manual Techniques.

Certification and Authorization (C&A) analyzing and Information Systems Management while utilizing popular industry frameworks and standards such as ISO 27001/2, FIPS, NIST SP 800-37 Rev 1, NIST SP 800-53 Rev 4, NIST 823, FISCAM, FedRAMP, Regulatory Compliance, Audit and System Security Management, Internal Controls Compliance, Customer Data Confidentiality, Penetration Testing Execution Standard (PTES), and Information Systems Security Assessment Framework (ISSAF) and Budgetary Control.

Analyzed and modified cybersecurity system by detecting vulnerabilities and security measures.

Led and Maintained Red Cell infrastructure.

Developed and maintained Bash, Python, NCAT, PHP-Shell, PowerShell and JavaScript.

Assessed system security configurations.

Performed Security Architecture Risk Analysis (SARA) / Security Design Reviews (SDR) of applications and assess their designs against known and emerging threats.

Led large-scale programs that span the enterprise to deploy and manage dynamic scanning solutions.

Followed up and ensured the closure of the raised vulnerabilities by revalidating and providing 100% Closure.

Assisted customers in understanding risk and threat levels associated with vulnerability so that customers may or may not accept risk concerning business criticality.

Developed team, test plan, and risk management through the complete SDLC and created security test cases.

Communicated technical vulnerabilities and remediation steps to developers and management.

Ensure the smooth Continuous Integration and Continuous Deployment (CI/CD) activities to integrate and automate security tools within DevOps processes.

Wireless and Mobile Device (Android, iOS) Security penetration testing exercises were done using mobile application penetration testing methodology and the OWASP mobile security project standard. The methodology included discovering the open-source intelligence information, the platform being used, and client and server-side information, followed by analysis and assessment of the results obtained from discovery. These include static, active, local files, network analysis, reverse engineering, inter-processes, and communication. Exploitation was done based on the analysis. Using the OWASP mobile security project as a guideline, the following vulnerabilities were checked and exploited:

Insecure transmission of data to determine how encryption has been implemented and enforced during transit on the transport layer.

Insecure data storage to check if the data is in plaintext or encrypted.

Lack of binary protection to determine if the apps running on the mobile device enforce any anti-reversing, debugging techniques.

Research into and validate client-side vulnerabilities to determine weaknesses such as cross-site scripting or JavaScript Injection.

Check for the possibility of threat actors using hard-coded passwords/keys stored on the mobile device as an attack surface for compromise.

Weak server-side controls

Client-side injections

Improper session handling

Unintended data leakage

Poor authorization and authentication

Client-side injection and Security decisions through untrusted inputs

Technical Lead & Manager: Cloud and onsite Penetration Tester 01/2022 – March 2023

KPMG

Supported multiple customers in the monitoring, analysis, and enhancement of system and network security.

Remotely conducted penetration tests including Red Team assessments, vulnerability, and risk assessments to determine security deficiencies and vulnerabilities within the network infrastructure.

Effectively managed the handling of flows from "black box" to "grey box" to "white box" testing per customers' needs.

Articulated and defined requirements for information security solutions and performed reviews of application designs and source code.

Determined test strategies to help design, develop, and implement penetration tools and tests, along with using existing ones to oversee penetration testing activities.

Executed attack simulations on company systems and web applications to determine and exploit security flaws, uncover weaknesses and security gaps to formulate solutions and recommendations to drive improvement and mitigate risks.

Partnered with engineers and IT teams to provide in-depth reviews of architectural and networking designs and applications to determine potential risks to the security posture of the existing system.

Managed changes to information systems and assessed the security impact of those changes.

Lead - Senior Penetration Tester 01/2020 – 12/2021

National Institute of Health

Led and managed onshore manual and offshore automated testing teams.

Led SIT and UAT functional testing for 200 plus software applications and managed project milestones, teams, and work streams.

Communicated technical vulnerabilities and remediation steps to developers and management.

Worked with application developers to validate, assess, understand root causes, and mitigate vulnerabilities.

Performed Web application, API, Social engineering, Network (Internal/External), and Mobile penetration tests within the parameters defined by rules of engagement coordinated with the client.

Conducted Dynamic and Static Application Security Testing (SAST & DAST). Manual and automation.

Analyzed and modified cybersecurity system by detecting vulnerabilities and security measures.

Maintained Red Cell infrastructure.

Developed and maintained Bash, Python, NCAT, PHP-Shell, PowerShell and JavaScript.

Assessed system security configurations.

Prepare a risk report for each Threat Modeling assessment listing attack surface, threats, and flaws and providing remediation guidance.

Conducted security assessment of PKI Enabled Applications.

Conducted white/grey box penetration testing on the financial systems and applications.

Worked with external vendors to perform penetration tests on network devices, operating systems, databases, and Applications as necessary.

Assist in vulnerability remediation efforts across various projects by proposing remediation Strategies.

Senior Cyber Penetration tester 02/2018 – 01/2020

IBM

Played a key leadership role supporting 1500+ internal personnel and 30,000 customers through the delivery, management, and enhancement of system security.

Provided technical and strategic oversight, steering all aspects of security, including intrusion detection alerts, email security, VPN tunnels, and WAN/LAN security.

Served as technical lead and liaison for problem resolution and managed the relationships with external vendors when required.

Applied effective methodologies and defined strategies to lead projects.

Designed and developed solutions to improve security management and monitoring.

Steered and managed penetration testing weekly on systems, monitored log-in activities in the environment, and managed the deployment of new technologies.

Conducted Risk assessments and Analysis of the various clouds and the data center environments to ensure all data and information are secured and safe.

Researched all emerging information security threats and vulnerabilities, determined countermeasures, and implemented the countermeasures to ensure any forms of intrusions and attacks.

Researched, analyzed, designed, and implemented technical solutions for network protection, endpoint protection system, access control, auditing, and log management.

Conducted assessment of the implemented controls to ensure that they are done correctly based on the standard used, and whether these controls were implemented correctly and are effective in preventing attacks. The standards used include the NIST-CSF, ISO, and the CIS Benchmark.

Led all teams around the globe to ensure an efficient and effective response to all incidents and security threats. These include effective monitoring, detection, response, and remediation of all security threats.

Supported systems owners, data owners and other senior leadership to evaluate, assess and adopt new systems into the firm’s environments.

Worked and collaborated closely with all internal and external users and groups to understand the objective of their various businesses. This gives the platform to offer effective advice, ensuring efficiency in mitigation response to all threats.

Ensured that all new products and systems to be installed are evaluated based on security standards using SDLC to ensure its consistency with the current infrastructure and architecture, threats, its impacts, and the resultant risk levels.

Led teams and provided effective project and program management within an Agile/Scrum environment.

Manual audit of information technology systems to ensure compliance with company policies, standards, and processes.

Critical systems and their functions were continually validated to ensure smooth business operations, efficiency, and effectiveness.

Implemented privacy procedures, systems, and processes within the firm’s secure environments. This was done to ensure the firm does not violate any privacy regulations and standards, ensuring a smooth business alignment and operations. This involves planning, coordinating, and designing requirements, and reconciling it with the specifications required by the standard.

Executed Risk Management Framework (RMF), identified Applicable Security Controls, reviewed security documents, and categorized Information Systems.

Part of the team that conducted Security Assessment of Information, Certification and Authorization (C&A) analyzing and Information Systems Management while utilizing popular industry frameworks and standards such as ISO 27001/2, FIPS, NIST SP 800-37 Rev 1, NIST SP 800-53 Rev 4, NIST 823, FISCAM, FedRAMP, Regulatory Compliance, Audit and System Security Management, Internal Controls Compliance, Customer Data Confidentiality, Penetration Testing Execution Standard (PTES), and Information Systems Security Assessment Framework (ISSAF) and Budgetary Control.

Reviewed and updated System Security Plan (SSP), Updated Plan of Action and Milestones (POA&M) to remediate weakness.

Prepared and submitted Security Assessment Plan (SAP) for approval Security Assessment Report (SAR) and Contingency Plan Development or Evaluation

Provided technical direction, guidance, and analysis of cybersecurity matters to senior leadership. This enabled the leadership to make effective and efficient decisions to enhance the smooth running of the firm.

Tested client’s architecture and managed initial requirements gathering through the client questionnaire administration.

Created and updated, annually, the information security policies for the firm. All procedures, processes, and strategies were also updated based on changes within the firm such as personnel changes, promotions, threat landscape, and changes in organization network structure.

Identified risks, assessments, analysis, response, KPI, and KRI are continually determined to ensure the firm is always within its risk appetite, or within the risk tolerance and reduction of threat levels. Furthermore, all SIEM systems were monitored continually to ensure all threats are proactively discovered, tracked, and mitigated.

Senior Network Engineer 01/2010 – 02/2018

Icon Systems Inc

Supported clients in the monitoring, analysis, and enhancement of system and network security.

Remotely conducted penetration tests, vulnerability, and risk assessments to determine security deficiencies and vulnerabilities within the network infrastructure.

Effectively managed the handling of flows from “black box” to “grey box” to “white box” testing per clients’ needs.

Conducted tests of form factors and technologies based on scopes of work.

Executed attack simulations on company systems and web applications to determine and exploit security flaws, uncover weaknesses and security gaps to formulate solutions and recommendations to drive improvement, and mitigate risks.

Delivered astute leadership in the design, implementation, and maintenance of projects primarily focusing on Security, WAN, LAN, and WLAN, along with working on projects relating to Physical Access Control Systems, Electronic Security Systems, and Building Automation Systems. Served as Project Lead for Radware, Web secure, Websense, Wireless, Face Time, McAfee Intrushield, IDS/IPS.

Education, Certifications, and Training

Education:

Master of Science, Applied IT, Towson University, May 2016

Post Baccalaureate Certificate, Information Security and Assurance, Towson University, May 2016

Post Baccalaureate Certificate, Database Management Systems, Towson University, May 2016

Bachelor of Science, Computer Science, Programming and Systems Analysis, University of Science and Technology, Ghana, Mar 2000

Certifications:

Global Information Assurance Certification (GIAC) Penetration Tester Certification (GPEN), Exam Scheduled March 29, 2024

CompTIA PenTest+, Apr 2023 - Apr 2026

ISACA, Certified in Risk and Information Systems Control (CRISC), May 2021 - Jan 2025

ISACA, Certified Information Security Auditor (CISA), Feb 2021 - Jan 2025

ISACA, Certified Data Privacy Solutions Engineer (CDPSE), Feb 2021 - Jan 2025

ISACA, Certified Information Security Manager (CISM), Jan 2020 - Dec 2024

EC-Council, Certified Ethical Hacker (CEH), Feb 2015 - Feb 2024

Splunk Core Certified Power User

Splunk Certified Admin

Training:

Master Certificate: Information Security & Assurance

Master Certificate: Advanced Database Management Systems

EXPERIENCE

14 Years of Total Relevant Experience in IT

5 Years Total Relevant Experience in Program/Project Management

8 Years Total Relevant Experience in Penetration Testing

Skills:

Application security testing (SAST and DAST)

Functional Testing

Networking penetration testing

Red Teaming

Mobile App Penetration Testing

PCI Penetration Testing

GraphQL API testing

Training on Wireless penetration testing

REST API Penetration Testing

Web Application Vulnerability Scanning

Physical Penetration Testing

Threat Modeling

Communication, Customer service, Leadership, Adaptability

Manual Web App Testing

Thick Client Penetration Testing

Training on Code Review

Web services

Reconnaissance

Social Engineering

Cloud Penetration Testing

Intermediate experience in Python Scripting

Veracode Platform Experience

Conflict Resolution and Decision Making

PowerShell

Python

NCAT

PHP-Shell

NIST Cybersecurity Framework

NIST 800-5

PCI-DSS

ISO 27001/0

SQL

SYBASE

ORACLE

Active Directory

Windows Server

Networking

System Administration

VMware

Microsoft Office

Windows

Mac OSX

Linux/Unix

Red Hat

Debian

Ubuntu

Fedora

Backtrack

Kali Linux

Symantec

Norton

McAfee Antivirus

AntiSpyWare

AppDetective Pro

SOX, General Data Privacy Regulation (GDPR)

Tenable Nessus

Qualys

Nmap

Cisco

Tripwire

AlienVault

Netwrix Auditor

NYS DFS 23 NYCRR Part 500

ArcSight

Splunk

Burp Suite

Juniper vsr

Pulse Secure Cisco AnyConnect

Cisco

Carbon Black Response

Cisco ASA

OpenVAS

Cisco Umbrella

CrowdStrike

Symantec Endpoint Protection

Netsparker

Metasploit Framework

IBM

ServiceNow and RSA Archer for compliance

Rational AppScan

Suite Dynamic Application Scanner

Paros

Google Hacking

Juniper NetScreen

SRX Firewalls

IDP

Palo Alto

Fortinet (Fortigate, Fortianalyzer, Fortimanager)

Wireshark, Maltego

Dscove

MSFC

Trojan

Backdoor

Veil

SQLi, MITMf

Crunch

Meterpreter

Beef

Apache

Nmap

SQLMap

Python, Socket

Scapy

Pynput

Keylogger

QRadar


