Ronald Spainhour
**********@*********.***
linkedin.com/in/ron-spainhour-76186714
New Albany, IN, 502-***-****
Senior Application Security Engineer
With over 15 years of hands-on experience in application security and software architecture, I specialize in embedding secure coding practices, leading vulnerability remediation, and integrating security tools across the SDLC. My background spans enterprise encryption, RBAC, DevSecOps, and secure API design—backed by a passion for mentoring teams and driving compliance. I’ve led cross-functional initiatives at Fiserv and First Data, translating complex security requirements into scalable solutions. What sets me apart is my ability to bridge technical depth with strategic foresight, empowering teams to build resilient systems. I don’t just secure code—I cultivate a culture of security from the ground up.
Areas of Expertise
Secure Software Development Lifecycle (SDLC)
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Software Composition Analysis (SCA)
Threat Modeling
Secure Coding in .NET, Java, Python
API Security & Secure Integrations
Encryption Technologies (Voltage SecureData, Tokenization)
Role-Based Access Control (RBAC)
Identity & Access Management (IAM, SailPoint)
DevSecOps & CI/CD Pipeline Integration
Vulnerability Management & Remediation
Application Security Tooling (Fortify, WebInspect, Sonatype)
Security Governance & Compliance Reporting
Developer Training & Secure Code Coaching
Accomplishments
Embedded secure coding practices across Agile SDLC pipelines, directly aligning development efforts with OWASP Top 10 and regulatory compliance standards.
Led enterprise-wide deployment and optimization of Fortify (SAST), WebInspect (DAST), and Sonatype (SCA), reducing false positives and improving scan fidelity across application portfolios.
Designed and implemented secure API integrations between IBM Mainframe systems and modern platforms, ensuring encrypted data exchange and authentication integrity.
Spearheaded cross-functional initiatives to enforce RBAC using SailPoint, enabling least privilege access across hybrid cloud and legacy environments.
Delivered secure code training and remediation support to development teams, maintaining compliance and improving vulnerability resolution timelines.
Developed automated vulnerability tracking and reporting tools, enabling KPI-driven decision-making and streamlined audit readiness.
Partnered with incident response teams to mitigate application-layer threats, contributing to faster containment and root cause analysis.
Authored enterprise documentation on secure development protocols, SDLC alignment, and encryption implementation strategies.
Led multifactor authentication (MFA) deployment across cloud and mainframe systems, enhancing identity assurance and reducing unauthorized access risks.
Built cloning processes for Fortify scan projects to preserve suppression logic and reduce scan noise across application versions.
Integrated enhanced monitoring tools to trace sensitive data access, improving visibility and compliance across enterprise platforms.
Acted as Security Champion, translating AppSec strategy into actionable requirements and coaching developers on secure design principles.
Conducted vulnerability remediation reviews during code walkthroughs, advising on secure alternatives and architectural improvements.
Collaborated with internal audit and InfoSec teams to enforce secure system configurations and maintain regulatory alignment.
Presented secure architecture enhancements to executive stakeholders, influencing investment decisions and long-term security roadmaps.
Career Experience
Fiserv, Louisville, KY 2017 – 2024
Sr. Professional – Software Development Engineer
Served as the primary liaison between security and software development teams, embedding secure coding practices throughout the Software Development Life Cycle (SDLC).
Guided Agile development teams through remediation of vulnerabilities aligned with OWASP Top 10 standards.
Designed and developed automation for secure API integrations with IBM Mainframe systems via IBM Web Toolkit, ensuring secure transmission and data exchange.
Authored enterprise-wide documentation outlining secure development protocols and SDLC alignment with regulatory compliance.
Led the deployment of Enhanced Application Monitoring tools to trace and flag sensitive data access across enterprise platforms.
Spearheaded the creation of vulnerability and secure coding tracking tools for historical analysis, audit support, and KPI-driven decision-making.
Delivered weekly reports on application security tool metrics and vulnerabilities to both AppDev and Compliance leadership.
Information Security Advisor – Application Security & Governance
Championed field-level data encryption projects using Voltage SecureData; collaborated with the core encryption team and authored implementation requirements.
Managed enterprise-wide compliance for security testing tools including Fortify (SAST), WebInspect (DAST), and Sonatype (open-source risk).
Built and maintained a cloning process for Fortify scan projects to reduce scan noise and preserve suppression logic across application versions.
Partnered with Identity Governance teams to implement SailPoint-based role-based access controls (RBAC) and enforce least privilege models across critical applications.
Led cross-functional efforts to deploy and troubleshoot multifactor authentication (MFA) across hybrid environments involving both cloud and mainframe systems.
Maintained secure code training compliance by tracking developer participation, offering remediation support, and reporting training metrics to leadership.
Acted as Security Champion, attending AppSec strategy meetings and relaying actionable intelligence and security requirements to software development teams.
First Data, Louisville, KY 2000 – 2016
Application Architect
Developed and maintained enterprise-grade web applications in C# and T-SQL, streamlining workflows for Account Boarding, Risk Management, and Customer Service departments.
Played a key role as technical liaison in the successful migration of Bank of America's core applications and infrastructure to First Data systems, ensuring minimal disruption and full functionality.
Conducted rigorous data validation and schema review to ensure compliance with enterprise data integrity standards, security policies, and regulatory frameworks (including PCI).
Managed source control and versioning using Microsoft Visual SourceSafe, introducing structured branching strategies to improve development agility and minimize deployment risks.
Led the phased decommissioning of legacy Bank of America hardware and applications, engineering secure migration paths and reducing total operational costs.
Redesigned legacy authentication processes by implementing Windows-integrated security models, increasing login efficiency and strengthening access control.
Managed application security upgrades for a portfolio of internal tools, improving auditability and aligning with evolving corporate cybersecurity policies.
Partnered with internal auditors and InfoSec teams to ensure secure system configurations and enforce role-based access controls (RBAC) across enterprise platforms.
Collaborated with cross-functional teams including QA, Infrastructure, and Business Analysts to define system requirements, document user stories, and resolve integration bottlenecks.
Provided technical mentorship to junior developers and contributed to internal knowledge bases to accelerate issue resolution and promote code reuse.
Regularly presented architectural designs and system enhancements to executive stakeholders, enabling informed decisions on IT investments and application roadmaps.
Education
Bachelor’s degree in Computer Science
Indiana University Southeast
Online certifications
Privacy, Governance, and Compliance: Data Classification and Inventory (LinkedIn)
Complete Guide to Cybersecurity: A Practical Approach
Cybersecurity Foundations
Ethical Hacking: Vulnerability Analysis
Vulnerability Management in Cybersecurity: The Basics
Developing Secure Software
Improve Your Threat Modeling Skills
COBOL Essential Training
Cybersecurity Maturity Model Certification (CMMC 2.0)