|Sr. Security Program Manager||Blog: https://spartiates.wordpress.com/||Email: firstname.lastname@example.org|
|Software Security Management||Twitter: http://twitter.com/curtisko||References: http://linkedin.com/in/curtisko|
Self-motivated, inventive technology leader with over 15 years of experience in software architecture, program management, security, project leadership and the development and integration of complex software and systems. Proven ability to distill, communicate and resolve complex security scenarios in order to solve business problems while managing risk and organizational needs. Seasoned leader seeking a position that leverages my technical knowledge and business insight to steer diverse teams of IT professionals in architecting and delivering impactful business solutions.
|Systems Architecture & Design||Threat Modeling, Data Flow Diagramming, Requirements Analysis, System Context Diagramming, ITILv3 – Information Technology Infrastructure Library v3 Foundation, CISSP, MCSE, MCSA|
|Software Development||C#, C++, Java, Visual Studio, .NET, Development Models (Agile SCRUM, Waterfall, Spiral, Iterative), HP WebInspect, IBM Rational AppScan, Fortify, OWASP ZAP, familiarity with Python, OWASP Top 10, Jira, Bugzilla|
|Project Management||Microsoft Project, Microsoft Office Suite (Word, PowerPoint, Excel, Visio)|
|Security Process||Risk Analysis/Management, Incident Analysis & Response, Threat Modeling|
|Conferences Attended||Blackhat, DefCon, CanSecWest, DerbyCon, SkyDogCon, Louisville Infosec, Bsides Vancouver|
|Information Security Engineer 5 / Sr. Application Security Engineer||12/2014 – 10/2014|
|Wells Fargo|
Design, develop and implement secure software best practices for the Wells Fargo Security Development Lifecycle (SDL) program. Identify emerging software security vulnerabilities and threats, design methods to detect those vulnerabilities and provide remediation alternatives. Lead the evaluation of new and existing application security designs and of emerging software security technologies and systems. Serve as the technical Subject Matter Expert (SME) for application security and software security best practices. Consult with line-of-business development groups on the implementation of SDL best practices and tools. Lead the research, development and/or customization of software security tools and libraries. Manage and mentor offshore and contract resources assigned to the project.
- Led planning, development and release of 2 versions of 2 custom software tools in a 6-month period, on budget and ahead of schedule.
- Created and delivered enterprise-wide training as both computer-based and in-person sessions.
- Directed the evaluation and analysis of several vendor platforms for inclusion in and extension of the SDL program.
- Spearheaded the use of agile management techniques and tools for project management.
|Sr. Security Program Manager||02/2011 – 10/2014|
|Mozilla||Louisville, KY / Mountain View, CA|
Collaborate with engineering to identify potential features, architecture changes and mitigating strategies that improve the security of Mozilla products. Manage and drive security bugs to resolution. Track external security reports, public security-related sites and mailing lists for new information to improve process and identify future areas of security concern. Communicate with security researchers (security@mozilla) to investigate reported vulnerabilities. Create and review technical security documents for use by the organization. Lead the process of integrating risk-based security actions into the software development lifecycle. Track new products and new product features to ensure they are reviewed. Manage internal and external testing schedules. Represent the Mozilla security team at conferences of various sizes and promote our community approach to security.
- Created a process for managing and communicating security reviews and their resulting information, tripling the number of items reviewed.
- Led the merger of security reviews for Application Security, Web Applications, Web Sites and Infrastructure Security under one process.
- Co-founded the Mozilla Winter of Security and mentored student-executed projects in security automation focused on threat modeling.
- Created and directed the Mozilla Security Champions program to drive security knowledge and ownership more directly into development teams.
- Owned and drove vendor security reviews and privacy technical reviews as well as the security review lifecycle.
- Redesigned bug triage and reduced the unworked bug backlog by 90% for both internal and web security areas.
- Drove community engagement beyond bug bounty reporting, offering interested contributors opportunities in security tools, bug fixing and skill mentorship, both within the security space and Mozilla-wide.
- Coordinated vulnerability disclosure and analysis for the Mozilla team at CanSecWest and directed press inquiries.
|Technical Security Architect||10/2006 – 02/2011|
Spearhead and implement long-term security strategy as it relates to the Software Development Lifecycle and to internal security operations and architecture. Create internal tools to support and improve software security reviews. Oversee and produce architecture models for software projects. Mentor and lead all security team members in their interactions with development and business contacts. Appraise and evaluate vendor-supplied and contract software and technology for strategic importance. Investigate software security and network security incidents as part of incident response. Coordinate with the corporate Enterprise Engineering team to address emerging threats and regulatory compliance. Create training and guidance for consumption by business and IT customers.
- Maintained regulatory compliance of software development and security practices while reviewing 150+ projects per year. Regulations: HIPAA, SOX, GLBA, HITECH, PCI, Privacy.
- Created and delivered training to Enterprise Architects and developers on secure coding principles, with a satisfaction rating of 99%.
- Created and implemented a program to integrate security development tasks into the development lifecycle for both Agile SCRUM and waterfall development models.
- Drove the adoption of security scanning tools for both development and production use. Tools: HP WebInspect, IBM Rational AppScan.
|Various roles, Microsoft||07/2000 – 10/2006|
|Spyware Analyst||Redmond, WA|
Analyzed, gathered and classified malware samples for inclusion in weekly signature releases to over 2 million beta customers. Participated in product design reviews and defect prioritization meetings with both the internal tools team and the public product team during the transition from purchased intellectual property to a final product release. Managed and maintained the internal process for identifying signature defects, both false positives and false negatives. Served as an internal beta tester of anti-malware products and general Windows security features. Researched and communicated emerging trends in malware propagation and vulnerability exploitation.
- Maintained a signature quality standard of three nines (99.9%).
- Co-authored the first internal objective analysis and criteria process for an anti-spyware classification standard, ensuring parity across analysts.
|Security Support Engineer||Redmond, WA|
Led the software security incident response process as the on-call member of the support organization for issues with global impact on Microsoft and its customers. Distilled monthly security releases and guidance content, with customer implementation details in focus, into custom severity ratings and deployment guidance. Participated in company-sponsored online communities to engage customers outside of formal support pathways.
- Chosen as one of six engineers to deliver security content to a worldwide audience for Windows XP Service Pack 1.
- Tasked as the primary contact across the entire Services Division for addressing the growing spyware and adware issue with OEM partners.
- Developed tools for the worldwide support organization that reduced diagnostic error and system-state gathering time.
|Technical Support Engineer||Redmond, WA / Las Colinas, TX|
Functioned as the primary support contact for customer segments ranging from home users to enterprise customers on all Windows platforms. Created and delivered training programs on various Windows components for both internal and external use. Acted as the customer advocate when reviewing product defects, functional changes and support documentation. Specialized in the networking and high-performance computing functions of the Windows XP and Windows 2000 operating systems. Developed and communicated troubleshooting guides and content for internal engineers and outsource partners.
- Appointed Team Lead and mentor for the Windows XP launch support team.
- Created a custom issue tracking system that reduced customer contact times by 50%.
- Wrote and delivered a technical webcast that set an attendance record for Microsoft content delivery.
- Maintained customer satisfaction levels in the top 25% of all Support Engineers.
Volunteer & Civic Activities
|OWASP, Louisville Chapter||Louisville, KY|
Organize and direct the activities of the Louisville, KY Open Web Application Security Project (OWASP) chapter board with regard to member outreach, event planning and finances. The chapter currently serves the Louisville Metro area, including Southern Indiana and as far south as Frankfort, KY.
|Course Director, National Youth Leadership Training||06/2012 – 07/2013|
|Boy Scouts of America, Lincoln Heritage Council||Louisville, KY|
Built and developed a team of 9 adult and 22 youth staff to deliver advanced leadership training to 64 youth from 4 states. Managed budgeting and purchasing for all goods and services. Secured dates and facilities for staff development activities. Responsible for overseeing the health and safety of all participants throughout the week-long course. Mentored youth staff on leadership and on understanding and executing their positions.
|OWASP, Louisville Chapter||Louisville, KY|
Served on the board of the Louisville OWASP chapter, assisting with the operating tasks of conducting meetings and attracting speakers. Gave presentations to promote the chapter and on general application security topics.
Presentations
|SkyDogCon 2011||The Neurobiology of Decision Making (Knowing Where One’s Towel is)||https://youtu.be/sVc0pgMIXE4|
|GFIRST||Bug Bounty Panel (representing Mozilla)||Aug 19-24, 2012|
|SkyDogCon 2012||Insanely Great (Leading Change)||https://youtu.be/XWV30HHX1vE|
|Louisville Infosec 2012||Grey Hats & Bug Bounties||https://youtu.be/U57k1hXJll8|
|SkyDogCon 2013||Hacking Your Career||https://youtu.be/mracupFIm5Q|
|Midwest Open Source Software Conference||Security in the open||http://www.mosscon.org/sessions/security-open|
|BSides Vancouver 2014||Workshop for “I am the Cavalry”||http://iamthecavalry.org/|
|History of Defense||https://youtu.be/iYNTNcHrYA8|
|OWASP Louisville Chapter||Various unrecorded talks on SQL injection, XSS detection and prevention, and security program management|
|Mozilla (public broadcast talks)||Leading Change||https://air.mozilla.org/leading-change/|
|SkyDogCon 2014||Building Utopia||https://youtu.be/BwaXLPYcoYw|
|SkyDogCon 2015||Everything you Know about Security is a Lie||https://youtu.be/9pvyhBRkVmc|
Education & Certifications
|MS||Master of Science – Information Systems||University of Arizona||2000|
|BS||Bachelor of Science – Microbiology||University of Arizona||1997|
|CISSP||Certified Information Systems Security Professional (50278)||(ISC)2||2004|
|ITILv2||Information Technology Infrastructure Library v3 Foundation||Office of Government Commerce||2006|
|MCSE||Microsoft Certified Systems Engineer (Windows 2000)||Microsoft||2004|
|MCSE, Security||Microsoft Certified Systems Engineer, Security (Windows 2000)||Microsoft||2004|
|MCSA||Microsoft Certified System Administrator (Windows 2000)||Microsoft||2004|
|MCSA, Security||Microsoft Certified System Administrator, Security (Windows 2000)||Microsoft||2004|
Professional Memberships & Awards
- Open Web Application Security Project (OWASP) – Founding Member & Executive Board, Louisville Chapter
- Certified Information Systems Security Professional (CISSP) – Member Number 50278