
Application Security Web

Location:
Granbury, TX
Posted:
August 30, 2024


Victor Blake, Web Application Security Assessment Engineer

**** ******** *****, ********, ** 76048

******.******.*****@*****.***

719-***-****

** ***** ** ********** ***********, procuring, maintaining, functionality testing, vulnerability scanning, penetration testing, & performing event data analysis on communications network infrastructures for DoD, VA, & CSPs.

PREVIOUS SECURITY CLEARANCE:

Top Secret: (SSBI, Expired: Mar 2019)

EDUCATION:

M.S. IT Management; Touro University (Summa Cum Laude); Jun '04

B.S. Business Administration; Abilene Christian University; May '98

A.A.S. Instructor of Technology; Air Force Community College; May '95

A.A.S. Computer Systems Technology; Air Force Community College; May '92

Cisco Certified Network Professional (CCNP); 2006

Microsoft Certified Systems Engineer (MCSE); 2003

CompTIA Security+ Certification

Test & Evaluation, Level I Certification

Systems Engineering Level I Certification

Program Management Level I Certification

Certified Information Systems Security Professional (CISSP); Jan 2018

Information Technology Infrastructure Library (ITIL) Foundations Certified; Sep 2015

Penetration Testing and Ethical Hacking; 8 Nov 2018

Demonstrated experience in the following areas:

Training:

FedRAMP training courses completed:

• Introduction to FedRAMP

• FedRAMP System Security Plan (SSP) Required Documents (200-A) (Mandatory for CSPs)

• Security Assessment Plan (SAP) (200-B) (Mandatory for 3PAOs)

• Security Assessment Report (SAR) (200-C) (Mandatory for 3PAOs)

• Review & Approve Process (201-A)

Penetration Testing with Metasploit

VTC Certified Ethical Hacker Workshop

Kali Linux Operating Systems Built for Hacking

Fedora 21 Linux of the Future

Security Standards Council (SSC) Payment Card Industry (PCI) Essentials Cyberspace Defense

GTRI Splunk for Operational Efficiency

GTRI Splunk Security Bootcamp

Splunk Bootcamp for Security

Bit9 + Carbon Black Advanced Threat Protection for Endpoints & Servers

Cisco Next Generation Intrusion Protection System-x (NGIPS-x)

VMware Data Center Virtualization

Advanced Microsoft Excel 2010

Advanced Automation with McAfee ePolicy Orchestrator (ePO)

Tag Guidance: FIPS-137/140/199/200, NIST-30/37/39/53/53A/82/115/137, FedRAMP-200-A/B/C, 201-A, PCI DSS

Network Experience: Cisco IOS, routing, switching, & security products to include: Host-based & Network-based IPS/IDS; server administration to include: 2000/2008R2/2012R2/VMs; McAfee ePO, VPN, BGP

Infrastructure Security Testing: SCAP, Kali Linux, Metasploit, vulnerability scanning, manual vulnerability assessments, penetration testing, incident response, & system security configuration

CURRENT ASSIGNMENT:

Web Application Security Assessment Engineer, SAIC, Arlington, VA, from 10/1/2023 to 2/2/2024

(Contract Expired)

o Perform security assessments against web applications for vulnerabilities, security misconfigurations, and compliance-related concerns

o Utilize a variety of industry standard security tools to conduct manual-based security assessments

o Utilize a variety of industry standard security tools to conduct automated scans against web applications

o Review new vulnerabilities as they are published and develop impact assessments

o Determine risk from vulnerabilities based on availability of exploit and potential loss of information and IT services capabilities

o Produce periodic trending and impact reports

o Generate detailed reports (automated and manual) based on results from assessments and have the ability to explain in detail to customers

o Develop new testing programs

o Maintain thorough knowledge and understanding of the Open Web Application Security Project (OWASP) top 10

o Manage and maintain Government owned virtual platforms (VM), operating systems, and applications

Web Application Security Assessment Engineer, Halfaker and Associates, Arlington, VA, from 10/25/2018 to 10/1/2023

o Perform security assessments against web applications for vulnerabilities, security misconfigurations, and compliance-related concerns

o Utilize a variety of industry standard security tools to conduct manual-based security assessments

o Utilize a variety of industry standard security tools to conduct automated scans against web applications

o Review new vulnerabilities as they are published and develop impact assessments

o Determine risk from vulnerabilities based on availability of exploit and potential loss of information and IT services capabilities

o Produce periodic trending and impact reports

o Generate detailed reports (automated and manual) based on results from assessments and have the ability to explain in detail to customers

o Develop new testing programs

o Maintain thorough knowledge and understanding of the Open Web Application Security Project (OWASP) top 10

o Manage and maintain Government owned virtual platforms (VM), operating systems, and applications

Web Application Security Assessment Engineer, ASM Research, Fairfax, VA, from 3/2016 to 10/25/2018

o Support the development of technical security safeguards to protect information systems from intentional (unauthorized) or accidental (inadvertent) access or destruction

o Work with Web development, network administration, and corporate security teams to actively identify & analyze risks & develop plans that drive security improvements for the projects

o Serve as a liaison between development teams & stakeholders to understand & formulate security requirements for projects

o Define, maintain, and enforce application security best practices

o Explain and demonstrate vulnerabilities to application owners, and provide recommendations for mitigation

o Conduct and coordinate vulnerability assessments of software applications under development

o Identify additional application security related tools, conduct tool analysis, & provide recommendations

o Perform & conduct penetration tests and manual/automated code reviews

o Train developers & other relevant team members on Secure Code Development, as well as other security protocols as needed, and the WASA process

o Perform security assessments against mobile applications for vulnerabilities, security misconfigurations, and compliance-related concerns

o Strong understanding and experience with the OWASP Mobile Security Testing Guide

o Utilize a variety of industry standard security tools to conduct manual-based security assessments

o Utilize a variety of industry standard security tools to conduct automated scans against web applications

o Review new vulnerabilities as they are published and develop impact assessments o Determine risk from vulnerabilities based on availability of exploits and potential loss of information and IT service capabilities

o Produce trending and impact reports

o Generate reports based on results from assessments and have the ability to explain in detail to customers

o Develop new testing programs

o Management and maintenance of backend systems hardware and software

o Thorough knowledge of the Open Web Application Security Project (OWASP) top 10

o Administration of existing and future infrastructure including system maintenance and management

Senior Security Engineer, Agensys Corporation, San Antonio, TX, from 2/2016 to 3/2016 (contract)

Develop Manual Hardening Procedures for Federal and DoD Customers

Contract Description

o The SA STIG Engineer:

Performed a full STIG assessment through documentation; identified and documented the audit findings on the physical and virtual servers, switches and storage in a standard EMC report format; and completed and delivered the STIG assessment documentation. The SA resource in this case provided assessment and documentation for the following storage components of the Vblock.

* Cisco UCS 5180 Blade Chassis

* Cisco UCS B420 and associated software

* Cisco UCS B200 and associated software

* Cisco UCS 6296 and associated software

* EMC VNX7600 and associated software

* EMC VNXe3200 and associated software

* EMC PowerPath VE

* Cisco Nexus 9396PX

* Cisco 9504 and associated software

* Cisco MDS 9148 and associated software

* Cisco MDS 9706 and associated software

* Cisco Nexus 3048

* VMware VDS

* Cisco UCS B220 and associated software

* VMware vCenter - EMC ESRS and associated software

Senior Security Analyst, U.S. Department of Veterans Affairs, from April 2015 to May 2015

(contract)

• Developed & maintained A&A security artifacts, such as security plans, contingency plans, risk assessments, privacy impact assessments, incident response plans, configuration checklists, & interconnection security agreements

• Continually monitored change orders for information that can be used to update documentation & assess security controls for annual FISMA self-assessment testing through interview, documentation review, & review scan results

• Provided information assurance policy guidance to both internal & external customers & acted as interface with customer to provide audit support for both internal & external audits & reviews

• Knowledge of service support systems such as Service Desk Manager (SDM)

• Advised project managers to minimize security vulnerabilities & risk assessment for assigned applications within the Austin Information & Technology Center

• Understanding of Information Technology equipment & telecom equipment including but not limited to software, servers, mainframes, enterprise backup systems, enterprise storage, applications, products & services, & switches

• Provided knowledge of VA 6500 Directive/Handbook & other VA guidance on information security, skills in developing mitigation strategy for identified weaknesses & providing guidance to interpret relationship of National Institute of Standards & Technology (NIST) Special Publication (SP) 800-53 security controls to identified weaknesses

• Utilized experience conducting Threat & Risk assessments & Vulnerability Assessments of IT systems

• Trained less experienced personnel on developing & implementing Information Security policies & procedures

• Conducted system security evaluations, audits, & reviews

Cyber Security Consultant, Kratos Defense & Security Solutions, San Antonio, TX, from 6/2015 to 2/2016 (contract)

• Served on an Air Force major command level team of information security professionals in the enforcement of security policies, procedures, & ePolicy Orchestrator/STIG compliance for a variety of commercial & government activities worldwide

• Oversaw the development & coordination of System Security Authorization Agreements

• Performed threat vulnerability assessments; provided security test & evaluation reports

• Provided technical vulnerability research in the evaluation of system applications & services

• Developed C-level reports regarding areas of network & end-point system security concerns

• Consulted in all areas of cyber security, including physical security, administrative security, personnel security, computer security, operations security, & industrial security

Cyber Security Consultant, Abacus Solutions Group, San Antonio, TX, from 3/2015 to 3/2015

(contract)

• Provided subject matter expertise to acquisitions & security documentation related to Risk Management Framework (RMF) implementation

• Authored & maintained cyber security & Security Management Plans, Information Support Plans, Program Protection Plans (PPPs), Security Risk Analyses, Security Vulnerability & Countermeasure Analysis, Security Concepts of Operations, Operational Security (OPSEC) Plans, & other system/network security related documents

• Performed network & end-point reconnaissance & developed the AF KMI Penetration Test Data Management & Analysis Plan (DMAP) & Test Plan

Eglin Radar Network Systems Engineer II, Cyber Security Engineer, Penetration Tester, & Incident Response Consultant, Jacobs Technology, Colorado Springs, CO. from 7/2009-3/2013 & 7/2014- 2/2015 (contract)

• Led 9-person system engineering team on $200M communications network development project utilizing Microsoft 2008 R2 & 2012 R2 operating systems with VMware & vSphere technology

• Administered McAfee ePolicy Orchestrator (ePO) for weekly policy, antivirus updates, application deployment, & malware monitoring

• Performed SCAP Compliance Checker assessments of systems & hardened systems to ensure compliance

• Provided STIG Viewer findings report to government with proposed solutions to remediate or eradicate vulnerabilities

• Provided Change Control Board (CCB) change recommendations to the Department of Defense (DoD) Enterprise-wide Information Assurance (IA) & Computer Network Defense (CND) Solutions Steering Group (ESSG)

• Developed Information System Security Plan, Continuity of Operations, Privacy Impact Assessment, Penetration Test DMAP, Test Plan & Business Impact Analysis documents; briefed leadership to gain buy-in for system development & test strategies

• Administered Cisco NGIPS-x ASA-x router & end-point Advanced Malware Solution Intrusion Protection Systems (IPS)

• Developed Penetration Test Rules of Engagement; led the execution of all phases of test

• Served as Splunk Enterprise Application administrator & trained site administrators on how to accomplish data correlation & real-time threat monitoring

o Performed incident forensics & reported test findings to organization leadership

Military Satellite Communications (MILSATCOM) Cyber Security Consultant & Penetration Tester, Leidos, Colorado Springs, CO, from 3/2013 to 7/2014 (contract)

• Performed MILSATCOM systems security compliance configurations, functionality & penetration testing

o Developed MILSATCOM Systems Penetration Test DMAP & Test Plan

o Briefed leadership on test scope & objectives

o Briefed network & system threats & vulnerabilities requiring mitigation

o Obtained leadership Approval to Connect & Approval to Operate

• Performed required vulnerability updates on Unix mainframe systems & subsystems

o Trained administrators on required processes to update & perform regression testing on client applications when changing system security baselines

• Produced/briefed risk assessment & test findings to senior leadership

• Developed security related documents to coincide with system upgrade requirements

o Developed system/network functional test plans, test cards/scenarios, & report templates

• Planned & led 6 system administrators through threat & vulnerability assessments

• Assisted the software developers in performing field troubleshooting for software integration issues

• Provided Initial & Final System Security Functional Analysis reports to leadership

• Performed STIG assessments on Operating System (OS) & applications software to determine interoperability concerns that contributed to the overall network test threads to include data flows & data mapping

• Developed operational-level interaction reports across functional teams, customers & users

o Developed & briefed STIG compliance documentation & presented findings test reports to software development teams

AFISR System Installation Lead, Air Force Intelligence, Surveillance, & Reconnaissance (AFISR), Japan, from 7/2006-7/2009 (Active Duty Air Force)

• Performed Network Installation & IA baseline studies/configurations for 78+ National Security Agency (NSA) mobile intelligence mission systems

o Performed STIG compliance assessments

o Tracked findings to resolution or mitigation

• Researched net-centric interoperability concepts/issues; provided strategic ePO security & system interface injects to NSA leadership for 30 relevant intelligence, surveillance & reconnaissance platforms to integrate with Air Force Distributed Common Ground System Network

• Performed security compliance configuration updates to maintain security baselines on 115+ NSA mission systems, switches & routers

Superintendent, Air Force Operational Test & Evaluation Center (AFOTEC), Colorado Springs, CO., from January 2003 to July 2006 (Active Duty Air Force)

• Guided 21 space & missile defense programs at Air Force Operational Test (OT) & Evaluation Center (AFOTEC)

o Oversaw mission training of 97 testers for OT tactics, techniques & procedures

o Ensured Defense Information Systems Agency (DISA) Host Based Security Service (HBSS) policy/guidance compliance for OT related events

• Built DMAPs & Test Plans for eight next-generation ground-based network security compliance tests

• Briefed program compliance status to AFOTEC leadership & the Director, OT&E-Pentagon

• Led compliance tests for DoD’s Global Broadcast System (GBS) Internet Protocol (IP) upgrade

• Authored/executed OT & Penetration Test Plan for the Air Force's new Satellite Command & Control System; 54-person team earned Test Team of the Year Award for 2004

o Attended 4-week CCS-C class to execute test, collected & managed data, coordinated Joint Reliability Maintainability Evaluation Team & Deficiency Review Board meetings; obtained 1st ever approval to fly MILSATCOM satellite using the CCS-C system

• Co-planned/executed security compliance test plan for Army’s Configuration Control Element for satellite payloads

Noncommissioned Officer in Charge, United States Air Forces in Europe (USAFE) Tech Control & USAFE Commander’s Network Administration Cell, Germany, from 1/2000-1/2003 (Active Duty Air Force)

• Managed over 30 DISA router installs in Europe/Southwest Asia; increased reliability over 20%

o Maintained Europe's largest Defense Information Control Facility

o Installed & configured 4,500 long-haul circuits & 21 remote Global Information Grids

o Performed router configurations & performed system hardening (compliance) tests

o Developed & coordinated security compliance packages for Approval to Connect (ATC), Approval to Test (ATT), & Approval to Operate (ATO) certifications

• Performed Network- & System-administrator duties for 3500-node USAFE/NATO Commander Local Area Network (LAN)

o Administered 4 domain controllers, 18 subnet switches, & 2 gateway routers

• Researched requirements for Theater Deployable Communications package

o Developed/executed security compliance Test Plan & worked findings to resolution

o Successfully developed & briefed Approval to Operate package to Authorizing Official

o Led DoD communications-computer infrastructure cyber security testing with coalition forces from over 30 allied countries

Network Engineer, United States Air Force, from 1/1999-1/2000, Alaska (Active Duty Air Force)

• Engineered/installed network on Clear AS, Alaska to include installing/configuring all site servers, routers, switches, IPS systems & Cat 5/fiber (12-month project)

• Performed security compliance testing on all systems & obtained ATC & ATO certifications


