Kwesi Asiedu
Active IRS MBI Clearance, TS/SCI in progress for the last 6 months.
Professional Overview
Solutions-focused and analytical IT and security expert offering extensive experience steering cybersecurity administration, security optimization, and risk management. Twelve (12) years of experience in the IT industry and 8+ years of experience performing web application, mobile, API, and network penetration testing and security assessments. I perform dynamic (DAST) and static (SAST) testing and analysis of web and mobile applications, internal/external network security testing, red teaming, and API security testing. Proficient in understanding application-level vulnerabilities such as XSS, SQL injection, CSRF, HTTP flooding, SSRF, XXE, CORS misconfiguration, JWT attacks, authentication bypass, weak cryptography, authentication flaws, etc. Experienced with penetration testing tools such as Metasploit, Burp Suite, and Nmap. Possess the ability to define and develop processes, policies, and procedures and establish best practices to support security governance and compliance with regulatory requirements and standards.
Professional Experience
Technical Lead: Cyber Security & Penetration Tester 07/2023 – Present
eTelligent Group LLC
Provided strategic direction for application and network penetration testing teams to develop growth of the services solution and manage client engagements.
Conducted Risk assessments and Analysis of the various clouds and the data center environments to ensure all data and information are secured and safe.
Conducted Dynamic and Static Application Security Testing (SAST & DAST) using Veracode, Burp Suite, manual techniques, AppScan, ZAP, Acunetix, Netsparker, Checkmarx, Contrast Scan, and many more.
Performed vulnerability assessment and penetration testing on Networks and Applications.
Performed REST API and mobile testing using Postman, Katalon Studio, JMeter, Appium, MobSF, Burp Suite, and manual techniques.
Certification and Authorization (C&A) analysis and Information Systems Management while utilizing popular industry frameworks and standards such as ISO 27001/2, FIPS, NIST SP 800-37 Rev 1, NIST SP 800-53 Rev 4, NIST 823, FISCAM, FedRAMP, Regulatory Compliance, Audit and System Security Management, Internal Controls Compliance, Customer Data Confidentiality, Penetration Testing Execution Standard (PTES), Information Systems Security Assessment Framework (ISSAF), and Budgetary Control.
Analyzed and modified cybersecurity systems by detecting vulnerabilities and evaluating security measures.
Led and Maintained Red Cell infrastructure.
Developed and maintained tooling in Bash, Python, Ncat, PHP shells, PowerShell, and JavaScript.
Assessed system security configurations.
Performed Security Architecture Risk Analysis (SARA) / Security Design Reviews (SDR) of applications and assess their designs against known and emerging threats.
Led large-scale programs that span the enterprise to deploy and manage dynamic scanning solutions.
Followed up and ensured the closure of the raised vulnerabilities by revalidating and providing 100% Closure.
Assisted customers in understanding risk and threat levels associated with vulnerability so that customers may or may not accept risk concerning business criticality.
Developed team, test plan, and risk management through the complete SDLC and created security test cases.
Communicated technical vulnerabilities and remediation steps to developers and management.
Ensured smooth Continuous Integration and Continuous Deployment (CI/CD) activities to integrate and automate security tools within DevOps processes.
Wireless and mobile device (Android, iOS) security penetration testing exercises were done using a mobile application penetration testing methodology and the OWASP Mobile Security Project standard. The methodology included discovering open-source intelligence information, the platform being used, and client- and server-side information, followed by analysis and assessment of the results obtained from discovery. These included static, active, local file, network analysis, reverse engineering, and inter-process communication analysis. Exploitation was done based on the analysis. Using the OWASP Mobile Security Project as a guideline, the following vulnerabilities were checked and exploited:
Insecure transmission of data, to determine how encryption has been implemented and enforced in transit on the transport layer.
Insecure data storage, to check whether data at rest is in plaintext or encrypted.
Lack of binary protection, to determine whether the app running on the mobile device enforces any anti-reversing or anti-debugging techniques.
Researched and validated client-side vulnerabilities to determine weaknesses such as cross-site scripting or JavaScript injection.
Checked whether hard-coded passwords/keys stored on the mobile device could be used by threat actors as an attack surface for compromise.
Weak server-side controls
Client-side injections
Improper session handling
Unintended data leakage
Poor authorization and authentication
Client-side injection and Security decisions through untrusted inputs
Technical Lead & Manager: Cloud and Onsite Penetration Tester 01/2022 – 03/2023
KPMG
Supported multiple customers in the monitoring, analysis, and enhancement of system and network security.
Remotely conducted penetration tests, including Red Team assessments, vulnerability assessments, and risk assessments, to determine security deficiencies and vulnerabilities within the network infrastructure.
Effectively managed the handling of flows from "black box" to "grey box" to "white box" testing per customers' needs.
Articulated and defined requirements for information security solutions and performed reviews of application designs and source code.
Determined test strategies to help design, develop, and implement penetration tools and tests, along with using existing ones to oversee penetration testing activities.
Executed attack simulations on company systems and web applications to determine and exploit security flaws and uncover weaknesses and security gaps, in order to formulate solutions and recommendations to drive improvement and mitigate risks.
Partnered with engineers and IT teams to provide in-depth reviews of architectural and networking designs and applications to determine potential risks to the security posture of the existing system.
Managed changes to information systems and assessed the security impact of those changes.
Lead - Senior Penetration Tester 01/2020 – 12/2021
National Institutes of Health
Led and managed onshore manual and offshore automated testing teams.
Led SIT and UAT functional testing for 200 plus software applications and managed project milestones, teams, and work streams.
Communicated technical vulnerabilities and remediation steps to developers and management.
Worked with application developers to validate, assess, understand root causes, and mitigate vulnerabilities.
Performed Web application, API, Social engineering, Network (Internal/External), and Mobile penetration tests within the parameters defined by rules of engagement coordinated with the client.
Conducted Dynamic and Static Application Security Testing (SAST & DAST). Manual and automation.
Analyzed and modified cybersecurity systems by detecting vulnerabilities and evaluating security measures.
Maintained Red Cell infrastructure.
Developed and maintained tooling in Bash, Python, Ncat, PHP shells, PowerShell, and JavaScript.
Assessed system security configurations.
Prepared a risk report for each threat modeling assessment listing the attack surface, threats, and flaws and providing remediation guidance.
Conducted security assessment of PKI Enabled Applications.
Conducted white/grey box penetration testing on the financial systems and applications.
Worked with external vendors to perform penetration tests on network devices, operating systems, databases, and Applications as necessary.
Assisted in vulnerability remediation efforts across various projects by proposing remediation strategies.
Senior Cyber Penetration Tester 02/2018 – 01/2020
IBM
Played a key leadership role supporting 1500+ internal personnel and 30,000 customers through the delivery, management, and enhancement of system security.
Provided technical and strategic oversight, steering all aspects of security, including intrusion detection alerts, email security, VPN tunnels, and WAN/LAN security.
Served as technical lead and liaison for problem resolution and managed relationships with external vendors when required.
Applied effective methodologies and defined strategies to lead projects.
Designed and developed solutions to improve security management and monitoring.
Steered and managed penetration testing weekly on systems, monitored log-in activities in the environment, and managed the deployment of new technologies.
Conducted Risk assessments and Analysis of the various clouds and the data center environments to ensure all data and information are secured and safe.
Researched emerging information security threats and vulnerabilities, determined countermeasures, and implemented those countermeasures to prevent intrusions and attacks.
Researched, analyzed, designed, and implemented technical solutions for network protection, endpoint protection, access control, auditing, and log management.
Conducted assessments of the implemented controls to ensure that they were implemented correctly according to the standard used and were effective in preventing attacks. The standards used included the NIST CSF, ISO, and the CIS Benchmarks.
Led all teams around the globe to ensure an efficient and effective response to all incidents and security threats, including effective monitoring, detection, response, and remediation of all security threats.
Supported systems owners, data owners and other senior leadership to evaluate, assess and adopt new systems into the firm’s environments.
Worked and collaborated closely with all internal and external users and groups to understand the objectives of their various businesses. This provided the platform to offer effective advice, ensuring efficiency in mitigation response to all threats.
Ensured that all new products and systems to be installed were evaluated against security standards using the SDLC, to ensure their consistency with the current infrastructure and architecture and to assess threats, their impacts, and the resulting risk levels.
Led teams and provided effective project and program management within an Agile/Scrum environment.
Performed manual audits of information technology systems to ensure compliance with company policies, standards, and processes.
Critical systems and their functions were continually validated to ensure smooth business operations, efficiency, and effectiveness.
Implemented privacy procedures, systems, and processes within the firm’s secure environments. This was done to ensure the firm does not violate any privacy regulations and standards, ensuring a smooth business alignment and operations. This involves planning, coordinating, and designing requirements, and reconciling it with the specifications required by the standard.
Executed Risk Management Framework (RMF), identified Applicable Security Controls, reviewed security documents, and categorized Information Systems.
Part of the team that conducted Security Assessment of Information, Certification and Authorization (C&A) analysis, and Information Systems Management while utilizing popular industry frameworks and standards such as ISO 27001/2, FIPS, NIST SP 800-37 Rev 1, NIST SP 800-53 Rev 4, NIST 823, FISCAM, FedRAMP, Regulatory Compliance, Audit and System Security Management, Internal Controls Compliance, Customer Data Confidentiality, Penetration Testing Execution Standard (PTES), Information Systems Security Assessment Framework (ISSAF), and Budgetary Control.
Reviewed and updated the System Security Plan (SSP) and updated the Plan of Action and Milestones (POA&M) to remediate weaknesses.
Prepared and submitted the Security Assessment Plan (SAP) for approval, the Security Assessment Report (SAR), and Contingency Plan development or evaluation.
Provided technical direction, guidance, and analysis of cybersecurity matters to senior leadership. This enabled the leadership to make effective and efficient decisions to enhance the smooth running of the firm.
Tested client’s architecture and managed initial requirements gathering through the client questionnaire administration.
Created and updated, annually, the information security policies for the firm. All procedures, processes, and strategies were also updated based on changes within the firm, such as personnel changes, promotions, the threat landscape, and changes in the organization's network structure.
Identified risks and continually performed assessments, analysis, and response, tracking KPIs and KRIs, to ensure the firm always stayed within its risk appetite or risk tolerance and reduced threat levels. Furthermore, all SIEM systems were monitored continually to ensure all threats were proactively discovered, tracked, and mitigated.
Senior Network Engineer 01/2010 – 02/2018
Icon Systems Inc
Supported clients in the monitoring, analysis, and enhancement of system and network security.
Remotely conducted penetration tests, vulnerability, and risk assessments to determine security deficiencies and vulnerabilities within the network infrastructure.
Effectively managed the handling of flows from “black box” to “grey box” to “white box” testing per clients’ needs.
Conducted tests of form factors and technologies based on scopes of work.
Executed attack simulations on company systems and web applications to determine and exploit security flaws, uncover weaknesses and security gaps to formulate solutions and recommendations to drive improvement, and mitigate risks.
Delivered astute leadership in the design, implementation, and maintenance of projects primarily focusing on Security, WAN, LAN, and WLAN, along with working on projects relating to Physical Access Control Systems, Electronic Security Systems, and Building Automation Systems. Served as Project Lead for Radware, Web Secure, Websense, Wireless, Face Time, McAfee IntruShield, and IDS/IPS.
Education, Certifications, and Training
Education:
Master of Science, Applied IT, Towson University, May 2016
Post-Baccalaureate Certificate, Information Security and Assurance, Towson University, May 2016
Post-Baccalaureate Certificate, Database Management Systems, Towson University, May 2016
Bachelor of Science, Computer Science, Programming and Systems Analysis, University of Science and Technology, Ghana, Mar 2000
Certifications:
Global Information Assurance Certification (GIAC) Penetration Tester Certification (GPEN), Exam Scheduled March 29, 2024
CompTIA PenTest+, Apr 2023 - Apr 2026
ISACA, Certified in Risk and Information Systems Control (CRISC), May 2021 - Jan 2025
ISACA, Certified Information Systems Auditor (CISA), Feb 2021 - Jan 2025
ISACA, Certified Data Privacy Solutions Engineer (CDPSE), Feb 2021 - Jan 2025
ISACA, Certified Information Security Manager (CISM), Jan 2020 - Dec 2024
EC-Council, Certified Ethical Hacker (CEH), Feb 2015 - Feb 2024
Splunk Core Certified Power User
Splunk Certified Admin
Training:
Master Certificate: Information Security & Assurance
Master Certificate: Advanced Database Management Systems
EXPERIENCE
14 Years of Total Relevant Experience in IT
5 Years Total Relevant Experience in Program/Project Management
8 Years Total Relevant Experience in Penetration Testing
Skills:
Application security testing (SAST and DAST)
Functional Testing
Networking penetration testing
Red Teaming
Mobile App Penetration Testing
PCI Penetration Testing
GraphQL API testing
Training on Wireless Penetration Testing
REST API Penetration Testing
Web Application Vulnerability Scanning
Physical Penetration Testing
Threat Modeling
Communication, Customer service, Leadership, Adaptability
Manual Web App Testing
Thick Client Penetration Testing
Training on Code Review
Web services
Reconnaissance
Social Engineering
Cloud Penetration Testing
Intermediate experience in Python Scripting
Veracode Platform Experience
Conflict Resolution and Decision Making
PowerShell
Python
Ncat
PHP shells
NIST Cybersecurity Framework
NIST SP 800-53
PCI-DSS
ISO 27001/2
SQL
SYBASE
ORACLE
Active Directory
Windows Server
Networking
System Administration
VMware
Microsoft Office
Windows
Mac OSX
Linux/Unix
Red Hat
Debian
Ubuntu
Fedora
BackTrack
Kali Linux
Symantec
Norton
McAfee Antivirus
AntiSpyWare
AppDetective Pro
SOX, General Data Privacy Regulation (GDPR)
Tenable Nessus
Qualys
Nmap
Cisco
Tripwire
AlienVault
Netwrix Auditor
NYS DFS 23 NYCRR Part 500
ArcSight
Splunk
Burp Suite
Juniper vsr
Pulse Secure
Cisco AnyConnect
Carbon Black Response
Cisco ASA
OpenVAS
Cisco umbrella
CrowdStrike
Symantec Endpoint Protection
Netsparker
Metasploit Framework
IBM
ServiceNow and RSA Archer for compliance
Rational AppScan Suite Dynamic Application Scanner
Paros
Google Hacking
Juniper NetScreen
SRX Firewalls
IDP
Palo Alto
Fortinet (FortiGate, FortiAnalyzer, FortiManager)
Wireshark, Maltego
Dscove
MSFC
Trojan
Backdoor
Veil
SQLi, MITMf
Crunch
Meterpreter
Beef
Apache
SQLMap
Python, Socket
Scapy
Pynput
Keylogger
QRadar