is an experienced Application Security Testing and Software Security Specialist. His skill sets include Application and Infrastructure Security Assessment and Testing. He is also responsible for providing Secure Software Development Lifecycle guidance, securing web applications developed in Java, Ruby, .net and PCONFIDENTIAL utilizing known secure coding best practices. He has led Application Security Testing activities utilizing IBM AppScan Enterprise version 8.6, CONFIDENTIAL Web Inspect, Burp Suite, CONFIDENTIAL Fortify SCA, IBM Ounce, Veracode, Checkmarx, Firebug and Soap UI. He utilizes the OWASP Top Ten list as the framework for all of his projects, as well as incorporating the OWASP ESAPI Library as a primary software security solution. Mr. Sheppard has extensive experience planning and implementing security testing efforts, while leading Testers, QA Engineers and Developers. His training for multiple security certifications, along with his drive to apply technology and processes to identify, manage, and resolve risk, will make him an excellent addition to your team. He is available for immediate consideration.
TECHNICAL TOOLS AND SKILLS
¨ IBM App Scan v 8 - 8.6
¨ CONFIDENTIAL Web Inspect v 10.0
¨ Cenzic Hailstorm Ent
¨ Burp Suite Pro
¨ Qualys WAS v 2.0
¨ Tamper Data
¨ CONFIDENTIAL Fortify SCA v 3.1 - 4.0
¨ CONFIDENTIAL Fortify 360 Server
¨ App Detective Pro
¨ IBM App Scan Ent v8.6
¨ ModSecurity WAF
¨ Metasploit Pro
¨ Imperva WAF
¨ IBM Ounce
¨ SQL Map
¨ Pinata CSRF Tool
¨ Nmap ver 5.0
¨ XSS Proxy
¨ Soap UI v 4.0
¨ Akamai WAF
¨ NTO SQL Invader
¨ F-5 WAF
¨ OWASP ESAPI
¨ Acunetix WVS
¨ BackTrack 5
Sr. Information Security Engineer
¨ Perform CONFIDENTIAL FOD Standard and Premium Application Security Testing and Exploitation (UI and Web Services) on 100 Nestle and Genworth Financial web applications using CONFIDENTIAL Web Inspect, Burp Suite Pro, CONFIDENTIAL Fortify SCA 4.0 and Netsparker utilizing Methos and WAHH Testing Methodology.
¨ Environment: CONFIDENTIAL Web Inspect, Burp Suite Pro and CONFIDENTIAL Fortify SCA v 4.0
Sr. Information Security Engineer
¨ Lead all Application Security Testing and Exploitation (UI and Web Services) using AppScan Standard v 8.6, NTOSpider, Netsparker, SQLmap and Burp Suite Pro in Agile SDLC utilizing WAHH, OWASP Testing Guide and OSSTMM Methodology.
¨ Working with Developers, QA Engineers, Project Managers and Business Owners to educate and implement industry best practices for remediating software security vulnerabilities.
¨ Creating and managing an Application Security Metrics Dashboard, using SharePoint, Splunk, MongoDB, Google Charts and FusionCharts.
¨ Environment: IBM App Scan Standard v8.6, Burp Suite Pro, NTOSpider and Netsparker
Sr. Information Security Specialist / Application Security Test Lead (Green Team)
¨ Lead all Application Security Testing and Exploitation (UI and Web Services) using AppScan Enterprise v 8.6 and Burp Suite in Agile SDLC utilizing WAHH, OWASP Testing Guide and OSSTMM Methodology.
¨ Conduct Threat Modeling Analysis for V.me personal, business, developer, VDC, VPP and Visa.com
¨ Perform Manual Code Reviews using Firebug, Eclipse and CheckMarx
¨ Review, Analysis and Validation of AppScan Dynamic Security testing findings
¨ Provide security vulnerability (XSS, CSRF, SQLi, DDoS, etc.) remediation support to Java, .net, PCONFIDENTIAL and Ruby developers
¨ Review, Analysis and Validation of Veracode Static Code Analysis findings
¨ Lead Planning, Installation, Deployment and Support of AppScan Enterprise Platform throughout Visa, Cybersource, Playspan, Fundemo and VPS
¨ Responsible for conducting manual code review, static code analysis, dynamic security testing and manual penetration testing for V.me and Visa.com which consist of over 60 applications and 36 domains
¨ Review and Analysis of 3rd Party Web Application Penetration Test Findings prior to implementation
¨ Deliver AppScan Enterprise v 8.6 Security Testing training to Developers and QA Engineers
¨ Provide OWASP Top Ten training to QA Engineers and Software Developers
¨ Guide usage of ESAPI Encoder, CSRF Guard and Validator of the OWASP ESAPI Library
¨ Provide support to the Imperva & Akamai Web Application Firewall NSWG
¨ Provide Secure Coding training to software development teams using Visa Secure Coding Guidelines
¨ Deliver Veracode and IBM Ounce Security Testing training to Developers
¨ Create custom Injection and Scripting attacks/exploits for Application Security Testing
¨ Environment: IBM App Scan Enterprise v8.6, Burp Suite v 4, IBM Ounce and Veracode
Application Security Test and Secure Coding Lead
¨ Lead all Application and Infrastructure Security Testing for Blue Cross Blue Shield of MI
¨ Lead, Manage, Plan, Support and Implement the Secure Coding Program within BCBSM
¨ Manage and Assign security testing projects to Security Testing Team members
¨ Develop, Validate, Assemble, Submit and Quality Review all Security Testing Draft and Final Reports
¨ Manage Security Testers and Secure Coding Developers
¨ Review and Approve all base and project Change Control requests through CA-SCM and CONFIDENTIAL Service Manager
¨ Create, Design and Implement all Security Test Plans for project and base Security Testing within BCBSM
¨ Develop and Document Application Security Testing requirements, guidelines and standards
¨ Develop and Document all Secure Coding requirements, usage, guidelines, standards and processes
¨ Develop, Document and Execute all Test Cases for Security Testing
¨ Utilize and Implement OWASP Top Ten issues, WASC and CWE’s into Security Testing efforts
¨ Develop and Document Procedures and Methodology for Security Testing efforts
¨ Implement and Maintain the OWASP ESAPI Library throughout BCBSM
¨ Implement, Configure, Administer and Maintain the F-5 Web Application Firewall within BCBSM
¨ Perform Static, Dynamic and Manual Security Testing utilizing OWASP Testing Guide Methodology
¨ Train and Educate all Security Testing Team members using Aspect and Fortify CBT
¨ Produce weekly, monthly and quarterly security testing and secure coding status reports
¨ Lead developers, project team members, executive management and vendors through remediation efforts
¨ Integrating Threat Modeling and Test Case Strategy development throughout the SDLC
¨ Producing Monthly Metrics, reporting the state of application security programs and programmers of development teams against requirements
¨ Estimate, Schedule, Coordinate and Scope all Security Testing Projects within BCBSM
¨ Track and Record all discovered security testing vulnerabilities into BCBSM Risk Management Tool (Archer and Sharepoint)
¨ Administer Fortify SCA, 360 and CBT support for all BCBSM developers and security professionals
¨ Conducted Application Security Testing on Oracle PeopleSoft, Connecture, TeamConnect, Avanti, Verint, Trizetto, IBM Initiate, CONFIDENTIAL Service Manager, Callidus, McKesson, HDMS, Dr. First, Taleo, Cognos, Google Search Appliance, Google Android Phone and over 100 BCBSM custom designed and developed Java and .net applications.
¨ Create custom Injection and Scripting attacks for Application Security Testing
Environment: IBM App Scan v 8 - 8.5, Burp Suite v 3.5 - 4, Web Inspect v 9.2, Fortify SCA v 2.5 – 3.1.
Sr. Information Security Consultant
¨ Served as GLBA Regulatory Compliance specialist for over 100 different credit unions including Health One Credit Union, River Rouge Credit Union, Meijer Credit Union, and Affinity Group Credit Union.
¨ Performed Information Security Risk Threat Assessments in line with FFIEC guidelines.
¨ Performed External and Internal black box and white box Penetration Testing.
¨ Performed Network Vulnerability Testing, Assessment, and Remediation.
¨ Managed five Security Engineers, two Security Architects, and two Security Testers.
¨ Implemented and utilized the Open Web Application Security Project's (OWASP) Top Ten issues as the core framework for projects.
¨ Creation of Comprehensive Information Security Programs in line with FFIEC guidelines.
¨ Creation and Review of Information Technology Policies, Procedures, and Plans.
¨ Creation and Review of Computer Incident Response Plans and Incident Handling Procedures.
¨ Creation and Review of Business Continuity / Disaster Recovery Plans and Procedures.
¨ Performed Staff Information Security Awareness Training with Suspicious Activities Reporting.
¨ Creation and Review of Vendor Oversight Program and Due Diligence Policies.
¨ Performed Compromise Forensics Investigation, Evidence Gathering for Expert Testimony.
¨ Review of SAS 70 Type II Audits submitted by Data Processors and Third Party Service Providers.
¨ Produced Sales and Business Development in financial services market; 50K per month quota.
¨ Performed Project management of Information Technologies Security and Compliance Engagements.
¨ Prospecting, cold calling, writing engagement proposals, board / Sr. Management presentations, closing.
Technical Network Consulting
¨ Performed Configuration and Administration of Microsoft Windows Workstations utilizing Windows 2K, XP, and 7.
o Performed Windows hardening, logon scripts, user policies and profiles.
¨ Performed Configuration & Administration of Microsoft Windows Server 2K3 / 2K8 (SBS | Enterprise).
o Utilized Active Directory, SMS, WSUS, Terminal Services, .net, Exchange versions 6.5 and 2K8, and SQL 2000 / 2005.
¨ Set-up, Configuration and Administration of Cisco 1720, 1841, 2601, 2811, and 7200 Routers.
o WIC card installation and configuration, PDM, ACL, DHCP and NAT.
¨ Set-up, Configuration and Administration of Cisco PIX Firewalls (501, 506, 515, ASA) (VPN, PDM, ACL, DMZ, NAT).
¨ Set-up, Configuration and Administration of SonicWall 170 / 190 TZ UTM Appliances (VPN, NAT, DMZ, DHCP).
¨ Set-up, Configuration and Administration of Check Point UTM-1 Security Appliances (VPN, NAT, DMZ, DHCP).
¨ Set-up, Configuration & Administration of Fortinet UTM Appliances (VPN, DHCP, ACL, DMZ, NAT).
¨ Symantec Consulting (SEP, SSIM, DLP, CCS and Altiris).
¨ Worked with ISDN, Frame Relay, DSL, T-1, MPLS data circuits.
¨ Virus, Trojan, Spyware, Adware, Rootkit, Botnet and Malware Removal.
Environment: GFI LANguard Network Security Scanner ver. 8, QualysGuard Security and Compliance Suite, eEye Retina Vulnerability Scanner Suite, Fortify, Nessus Security Scanner ver. 4, Nmap ver 5.0 / Necrosoft Ncan ver. 0.9 – 2.0 / NSauditor ver. 2 / Look@Lan ver. 3
Computer Instructor / Network Administrator
¨ Teaching Intro to PCs with Windows 98, 2000 and XP to Kramer Middle School students.
¨ Teaching Office 97, 2000 and 2003 to Kramer Middle School students.
¨ Teaching Graphic Design (Photoshop, Illustrator & PageMaker) to Kramer Middle School students.
¨ Teaching PC Building and Windows Networking to UAW/NTC Chrysler employees.
¨ Teaching Office 97, 2000 and 2003 to UAW/NTC Chrysler employees.
¨ Teaching Intro to PCs with Windows 98, 2000 and XP to UAW/NTC Chrysler employees.
¨ Teaching Graphic Design (Photoshop, Illustrator & PageMaker) to UAW/NTC Chrysler employees.
¨ Teaching Intro to PCs with Windows 98, 2000 and XP to Vandyke Adult Ed students.
¨ Teaching Office 97, 2000 and 2003 to Vandyke Adult Ed students.
¨ Teaching Graphic Design (Photoshop, Illustrator & PageMaker) to Vandyke Adult Ed students.
¨ Teaching Intro to PCs with Windows 98, 2000 and XP to Chrysler UAW Retirees.
¨ Teaching Office 97, 2000 and 2003 to Chrysler UAW Retirees.
REFERENCES AVAILABLE UPON REQUEST