
Application Security Engineer

Location:
Troy, MI
Posted:
August 12, 2025


STEPHEN R THOMAS

Troy, USA ***** 586-***-**** *******.**********@*****.*** www.linkedin.com/in/stephen-thomas-1506sansmi Page 1 of 2

PEN TESTING ENGINEER | OFFENSIVE SECURITY | APPLICATION SECURITY | IN-VEHICLE SECURITY

Seasoned Application Pen Tester & Offensive Security Engineer with a proven track record of pen testing large enterprise applications and APIs built on Java, .NET, and modern microservices. Successfully led security pen testing and validation for GM’s OnStar launches across 10 consecutive model years, delivering zero incidents, zero regulatory violations, and zero public disclosures, including through HackerOne vulnerability coordination.

PROFESSIONAL EXPERIENCE HIGHLIGHTS

• Conducted internal penetration tests and vulnerability assessments across servers, web applications, mobile apps, and advisor/in-vehicle systems for the OnStar ecosystem (>10,000 APIs).

• Manually tested and exploited web, mobile, and connected vehicle app channels for authentication, token exchange, authorization scope, and grant usage, ensuring security of services and data.

• Developed and executed abuse cases, fuzzing scripts, and test cases aligned with OWASP Top 10 (Web, API, Mobile) and business risk scenarios.

• Identified vulnerabilities, misconfigurations, and compliance issues; documented detailed findings, risk ratings, and mitigation strategies in formal reports and debriefs.

• Authored Rules of Engagement (RoE), Test Plans, and SOPs for enterprise red/blue team testing engagements.

• Delivered technical guidance and remediation support to developers, DevOps teams, product managers, and business stakeholders.

• Collaborated with engineering and innovation teams to validate and retest fixes, ensuring closure of application security vulnerabilities and supporting secure release.

• Championed enterprise-wide DevSecOps adoption through automation of SAST/DAST pipelines, secure coding practices, and security awareness programs.

• Supported bug bounty and external researcher coordination (e.g., HackerOne), triage, and internal stakeholder communication.

• Designed test frameworks aligned with global privacy and cybersecurity regulations (GDPR, NIST, ASPICE).

• Strong communicator and collaborator; worked cross-functionally with global business units, privacy/legal teams, security architects, and auditors.

• Experienced in Secure SDLC, Agile delivery models, and integrated product security throughout the development lifecycle.

TECHNICAL SKILLS & FRAMEWORKS

• Cybersecurity Frameworks: ISO 27001, ISO 21434, NIST CSF 2.0, MITRE ATT&CK, SOX, PCI DSS, HIPAA, GDPR, ASPICE

• Cybersecurity Domains: Penetration Testing, Application Security (Web/API/Mobile), Cloud Security, Risk Management, Privacy, IAM, Third-Party Risk, Product Security (Automotive, Connected Vehicles), Governance & Compliance

• Cloud Platforms: AWS, Azure, GCP

• DevSecOps & Security Tools: Qualys, GitHub Advanced Security (GHAS), SAST/DAST tools, Automation Frameworks, AppScan, Postman, Insomnia, Burp Suite, Nmap, Wireshark, Metasploit, Nessus, Vehicle Spy, NeoVi, Selenium, Appium, Testim.io, GitHub, JIRA, Confluence, HP ALM, TFS

• Programming & Scripting: Python, Java, JavaScript, SQL

• Protocols & Tech: REST, SOAP, JSON, XML, AJAX, SPAs, Salesforce, J2EE, COTS products, HTTP/S, CAN, UDS, DoIP, Bluetooth, Wi-Fi

• Security Testing Areas: Web App pen testing, Mobile App Security, API Fuzzing, Vehicle ECU/IVI Penetration Testing

• Platforms: Connected Vehicles, Web Apps, iOS/Android, Telematics, Embedded Systems

EDUCATION

Master’s in Computer Applications – Bharathidasan University, 06/2002

CERTIFICATIONS

• CompTIA Security+, PenTest+
• CNVP
• DFSS Green & Black Belt
• SAFe Certified
• GNIIT Diploma
• SOC & Splunk certification – Thinkcloudly
• STC Certified in Software Testing

WORK AUTHORIZATION & IMMIGRATION STATUS

Green Card Holder

Application Security Validation Lead
General Motors – Warren, MI
June 2018 – September 2024
(Cybersecurity & Penetration Testing – Web App, Mobile, IVI systems & Apps)

• Led penetration testing across enterprise web, API, IVI systems, and mobile apps, uncovering critical vulnerabilities (IDOR, SSRF, auth flaws), reducing pre-production risk by 40%.

• Designed security test strategies based on OWASP Top 10, NIST 800-53, and MITRE ATT&CK, focusing on authentication, session handling, and API/business logic abuse.

• Developed custom tools and fuzzing scripts in Python and Bash to simulate real-world attack scenarios, increasing test coverage and speeding zero-day detection.

• Integrated SAST, DAST, and SCA tools into CI/CD pipelines (GitHub Actions, Jenkins), enabling DevSecOps practices and cutting remediation time by 60%+.

• Produced detailed security reports with risk ratings, PoC exploits, and remediation steps for engineering, product, and compliance stakeholders.

• Coordinated vulnerability disclosure with external researchers via HackerOne, ensuring safe triage, validation, and closure of high-impact findings.

• Mentored junior security and QA engineers, improving team skills in penetration testing, secure coding, and threat modeling.

• Embedded security into SDLC by partnering with DevOps and engineering teams to shift-left and ensure secure design and development practices.

• Ensured compliance with GDPR, ISO 27001, PCI DSS, and NIST through test frameworks, policies, and audit support.

• Managed test artifacts and defect triage in TFS and HP ALM, ensuring traceability and alignment with Agile/Scrum sprints; contributed to sprint readiness, feature grooming, and device matrix planning for IVI systems, web and mobile platforms.

• Validated IVI systems and features (navigation, media, voice, Bluetooth/Wi-Fi, apps, OTA) using tools like GAS Emulator, SIM tools, Nmap, and Wireshark in both vehicle and lab setups.

• Tracked issues in JIRA, validated fixes, and maintained test documentation in Confluence and GitHub.

Senior Test Lead
OnStar, General Motors (Wipro Contractor) – Detroit, MI
May 2013 – June 2018

• Led validation across GM Onstar ecosystem (Web, Mobile, IVI systems) across multiple vehicle programs, ensuring feature reliability and compliance with safety, performance, and security standards.

• Created and executed test plans for audio, navigation, voice, connectivity (Bluetooth/Wi-Fi), apps, and OTA updates in both lab and vehicle environments.

• Directed cross-functional validation teams, coordinating with software, hardware, and systems teams to manage test execution, triage defects, and drive root cause analysis for timely releases.

• Built automation frameworks with Python, Selenium, and testing tools to boost test speed, consistency, and coverage.

• Verified end-to-end telematics data flow across GM, Cisco, and AT&T backends, reducing provisioning issues by 15%.

• Performed vehicle and bench-level testing, including CAN diagnostics, firmware/OTA updates, and bench registration using Vehicle Spy and NeoVi, improving deployment speed by 25%.

• Followed ASPICE, ISO 26262, and cybersecurity standards to help with audits and improve system reliability.

• Boosted launch quality and GCA scores by early testing of IVI, web, and mobile features during production trials, and reduced warranty claims by using Red X and SPPS to identify and fix root causes from customer feedback.

Lead Consultant
Wipro Ltd – Chennai, India
June 2010 – May 2013

• Led QA team in end-to-end testing of web, API, and mobile systems, ensuring high-quality, on-time releases across projects.

• Developed test strategies and improved defect triage by collaborating with cross-functional teams to align testing with business goals.

• Enhanced test automation to increase coverage and efficiency by prioritizing key test cases and streamlining execution.

• Provided timely status updates to leadership, highlighting progress, risks, defect trends, and release readiness through clear reports and reviews.