As a quick summary, application security areas I've worked in include:
- GRC integration: AppSec standards, compliance, controls assessments, supply chain risk
- Security Engineering: architecture, developer training, security tooling, containers
- Product Assurance: DAST, SAST, IAST, bug bounty triage, penetration testing
I began penetration testing of applications during my time consulting with Info@Risk, starting from about 2006. But I truly began working in this as a specialty in 2014 when I joined the Application Security team in Jackson National Life Insurance. The team had just been created and I worked to configure the tooling and establish processes for scanning and engagement with development teams. I used AppScan for static and dynamic application security testing (SAST and DAST) in this time, testing dozens of internally developed applications, as well as some that we acquired externally or in proof-of-concept deployments.
While risk assessment was in use in some company functions, I introduced standardized risk assessment processes and scoring for software vulnerabilities, as well as developed some basic threat modeling approaches. I expanded the use of both of these in later roles I held within the company.
I built training programs for developers on secure coding practices and created a documented program for Security Champions to help evangelize security concepts across the various company functions. I aligned reviews of development use cases and code to OWASP (Open Worldwide Application Security Project) testing guides and worked with QA teams to incorporate some basic security testing into QA tests.
As Manager of Information Security Controls Program at Jackson, I wrote the standards for secure coding, aligned to NIST SP800-53 and best practice guidance from OWASP and SAFECode.
As Senior Ethical Hacking Analyst at Jackson, I drove the product evaluations, developed the budget estimates, and drove product selection for the new application security tooling, replacing AppScan with Fortify for SAST and DAST. I established processes for onboarding of applications and built dashboards for developers and project owners to be able to see security issues relevant to them, and established alerting for high- and critical-risk issues identified by the scanners. I also established processes for developers to report on their remediation efforts and performed validation of effective remediation. I worked particularly closely with some development teams as an embedded observer and security consultant.
During this time, I continued to develop threat modeling approaches based on the Microsoft STRIDE methodology to reduce the introduction of security flaws at the earliest stages of application planning and design, avoiding the later need for costly fixes. Working with DevOps teams, I was able to onboard a handful of applications for static scanning and partially automate the testing of code in development. Automation of dynamic security scanning was much easier and I successfully onboarded dozens of applications and fully automated security scanning of the applications deployed in test regions. I worked with Enterprise Architects to test API security, participated in proof-of-concept API security gateway product evaluations and incorporated API testing as a regular line of effort.
When I began with Zoom Video Communications in 2020, my initial focus was on web application security testing, using tactics, techniques, and procedures of malicious actors. While my role at Zoom did change over time, I remained within the Offensive Security team as a part of the Product Assurance function. Both in my testing role, as well as later as Manager Security Controls Validation, I worked to identify vulnerabilities in Zoom applications, provide developers with actionable vulnerability analysis and recommendations for remediation, and then tracked the issues to verify effective remediation. The shift to the Manager position expanded my scope of research to cover more issues within cloud platform configurations and architecture as the application environments. Within my areas of code repository access, all aspects of the security of the products were within scope for testing, from the identity and access management to business logic, designs, coding flaws, threat models, supply chain, and more.
Following is a link to a presentation I gave on secure application development from 2019 that may be of interest: https://www.linkedin.com/posts/meldrews_introduction-to-secure-application-development-activity-6534449084533661696-G2W_
Professional certifications supporting this work include: CISSP, CISA, CISM, GCCC, GPYC, GWEB