Schlagwörter
IT Governance Information Security
Testing for Security Flaws
Enterprise Security Strategy
Integrated Security Planning
Penetration Testing (OWASP & PTES Guideline)
Web Application Firewall
Risk / Vulnerability Assessment
Resource Management
Security Infrastructure Development Process Optim
Regulatory Compliance
Standards Development
Intrusion Detection
Training Provision
Skills
Top-performing IT Security Consulting with extensive experience in spearheading the design, development, implementation and support of enterprise-wide information and business system security infrastructures. A recognised leader, applying high-impact IT security solutions to major business objectives, with capabilities that transcend IT operation boundaries. Skilled at working with management to prioritize activities and achieve project goals; able to translate IT security requirements. Committed to helping organizations achieve maximum benefit from their IT security investment, through meticulous research, development and implementation of technologies.
Enterprise Security Strategy ●Testing for Security Flaws ● Integrated Security Planning ● IT Governance
Information Security ● Penetration Testing (OWASP & PTES Guideline) ●Web Application Firewall ● Security Infrastructure Development Process Optimization ● Standards Development ● Regulatory Compliance ● Intrusion Detection● Risk / Vulnerability Assessment ● Resource Management ● Training Provision.
Technical Skills
EnF5 LTM/ASM, MySQL DBMS, Perl, PHP, JMeter, Webscarab, Microsoft Products, ModSecurity, LDAP, AWK, SED, OpenSSL, AppScan, Burpsuite, HP Webinspect, Nessus, Arcsight, Vordal Secure, Cacti / Nagios, Bash, KSH, TCPDump, Wireshark, Metasploit, Splunk/Xpolog, Beeware, Syslog-ng, Opensta, Nmap, Backtrack, ISO/IEC 2700, NIST, OSSTMM, OWASP, Engineering Methodology
Information Security ● Penetration Testing (OWASP & PTES Guideline) ●Web Application Firewall ● Security Infrastructure Development Process Optimization ● Standards Development ● Regulatory Compliance ● Intrusion Detection● Risk / Vulnerability Assessment ● Resource Management ● Training Provision.
Technical Skills
EnF5 LTM/ASM, MySQL DBMS, Perl, PHP, JMeter, Webscarab, Microsoft Products, ModSecurity, LDAP, AWK, SED, OpenSSL, AppScan, Burpsuite, HP Webinspect, Nessus, Arcsight, Vordal Secure, Cacti / Nagios, Bash, KSH, TCPDump, Wireshark, Metasploit, Splunk/Xpolog, Beeware, Syslog-ng, Opensta, Nmap, Backtrack, ISO/IEC 2700, NIST, OSSTMM, OWASP, Engineering Methodology
Projekthistorie
PROFESSIONAL EXPERIENCE
Deutsche Bank, Frankfurt, Germany. 11/2016 – Present
A global banking and financial services company.
Cyber-Security Consultant
Technical owner of a number of projects at Deutsche Bank: currently leading a team of 25 individuals, encrypting data, both in motion and at rest, throughout the bank, globally; managing audits and remediating potential risks; designing and delivering the architecture of key management and certificate management solutions; overseeing, from inception to completion, the introduction of smartcards across the bank.
Key Achievements:
A large company that specializes in retail.
Application Security Technical Lead
Responsible for all aspects of the Application Security Program, which includes managing open vulnerabilities and risks within the applications, establishing standards and procedures for development of web applications, developing and bringing in tools to enable the security and development teams, and training developers in secure coding practices and best practice. Performing automated verification of applications. Use automated tools augmented with manual verification according to OWASP ASVS verification requirements. Perform manual verification to verify that each automated finding is correct and not a false positive.
Lead application security assessments, manage vulnerabilities throughout the SDLC and working with development teams on remediation efforts. Deployment of AWS Cloud F5 ASM AFM HA WAF to defend against application attacks
Consult with development teams, providing technical and architectural guidance on the safety controls. Provision of F5 WAF deployment training.
Quadri Consulting LTD, London, UK ● 03/2013 – Present
A small company that specializes in detecting weaknesses in customer’s data.
Key Engagements:
Principal Consultant
Responsible for discovering gaps and weaknesses by performing Penetration testing, reviewing client’s security policies and OS security procedures and configuration such as password management standard to ensure they are compliant with the defined security requirement, as well as configure password cracking tools to ensure the policy is being adhered to in practice.
Jeremy was also responsible for reviewing firewall and WAF rule set to ensure it tally with the stated security policies, paying particular attention to peer-to-peer file sharing or social network and other Forbidden policies.
Key Engagements:
RBS GLOBAL MARKETS, London, UK ● 07/2012 – 03/2013
The Royal Bank of Scotland's wholesale banking arm.
Web Security Consultant – e-commerce Infrastructure
Supported protection of all web applications using strategic WAF platform solution, with responsibility for evaluating, choosing, and designing, deploying and providing training for the support team globally. Implemented F5 ASM security policy to all devices, and installed IP intelligence functionality. Worked directly with application owners globally to ensure a successful application onboarding. Scheduled propagation of attack signature updates, and produced attacker trend analysis. Integrated ProativeNet to monitor the F5 ASM capacity management. Conducted performance testing, web application penetration and vulnerability testing scoping and defined strict WAF policy. Participated in global migration planning and scheduling for application onboarding, and wrote documentation to support each stage of SDLC phase of WAF project. Set-up certificate and key management to ensure web traffic confidentiality, certificate expiration notification alert scripts, and certificate to ensure the F5 ASM administration traffic confidentiality.
Key Achievements:
• Deployed 26 new WAF hardware appliances globally across e-commerce SNP estate including F5 ASM management appliances on London Campus network.
• Enhanced threat protection for all M&IB external ecommerce web application/services, resulting in reduction of risk level from major to significant.
• Deployment of Splunk for log management solution to permit application owners to review security alerts and monitor abnormal traffic behaviour/patterns
• Produced wireframe used in meeting support team’s requirement for intrusion incident tracking.
• Created 10-stage exploration process to the select best product that met requirements during the proof of concept stage.
• Wrote and completed F5 ASM baseline security policy, ensuring policy alignment with information security through reviews, incorporating OWASP Top 10 recommendations for protecting QA and production web applications.
• Spearheaded deployment of F5 ASM WAF in high availability set-up to provide reliable traffic management to meet capacity demands, preventing a single point of failure and improve business continuity. BT OPERATE, Suffolk, UK ● 06/2011 – 01/2012
The Royal Bank of Scotland's wholesale banking arm.
Security Test Lead
Served as lead penetration tester working on an HMG project. Led team of security testers to test all platforms within Lehrer programme, with responsibility for working with network designers and managers to improve design before deployment. Reviewed security policy documents and mapped to inception design document to create high-level scenario test cases. Reviewed penetration reports, tooling documentation and security testing.
BNP PARIBAS FORTIS, Brussels, Belgium ● 11/2007 – 03/2011
A major financial / banking institution.
Web Application Security Consultant
Performed project review, and ensured execution through SDLC phases, with responsibility for securing web infrastructure through deployment of F5 ASM WAFs. Collaborated with security vendors for device assessment and product testing; created test plans to select the best product that met requirements during the proof of concept stage. Conducted functional and non-functional testing, and workshops to establish designing methods and web application design expected for F5 ASM WAF validation. Performed capacity planning, investigated incidents and classified breach to web farm; worked on a plan to monitor 24/7 real-time attacks. Resolved day-to-day operational issues such as incident, problem and change management. Handled cryptography deployment, certificate and key handling, and documented deviation from the HSM FIPS Level requirement. Deployed remote Syslogng centrally to collect all events from F5 ASM.
Key Achievements:
• Successfully deployed F5 ASM WAF to provide reliable traffic management to meet capacity demands, preventing a single point of failure and improve business continuity.
• Defined project mandates, selection criteria matrix, and set-up POC for Imperva and F5 ASM WAFs.
• Championed the use of Splunk for central logging analysis solution.
EUROCLEAR BANK S.A/N.V., Brussels, Belgium ● 03/2007 – 09/2007
A large clearinghouse.
Application Security Consultant
Played a key role in bank initiative to protect Soap messages by performing integrity checks and providing confidentiality on messages, as well as filtering out attack signatures from the message. Served as a member of web security team working on CCI project (communication systems); investigated which WAF and B2b gateway to deploy in order secure Soap messages exchanges between Euroclear and authorized participants. Wrote test strategy and conducted various tests to aid in device selection. Set-up POC environment to assess products.
Key Achievements:
• Facilitated projects for web application firewall, PKI enhancement, B2B gateway, authentication, authorization and message integrity. Actively involved in the deployment of new products to secure XML Soap in production.
• Contributed to legacy PKI infra enhancement required by CCI, incorporating strong authentication, PKI industrialization and various application firewalls.
NETSECURED SOLUTIONS, London, UK ● 11/2005 – 11/2006
A small security consultancy company.
Penetration Tester
Participated in pre-sales and penetration testing. Managed team that established a system that allowed firms to offer IT security, website development, hosting, and maintenance. Identified any potential avenue of attack against customer systems, determined areas within network vulnerable to attacks, and suggested solutions for identified vulnerabilities. Worked with SME to answer requirements and decide on a level of compliance. Coordinated with clients to plan tailored vulnerability assessment and penetration testing.
Key Achievements:
• Completed firewall and IDS deployments and audits, and vulnerability assessments.
• Engaged incident response teams for rapid reaction to any detected intrusions. SOUTH EASTERN TRAINS LTD., London, UK ● 04/2005 – 11/2005
A major rail transportation network company.
IT Security Governance Manager
Held responsibility for improving protection of electronic information in addition to counselling senior managers on methods to develop and manage IT security. Developed written security controls that provided overall IT security, ensuring compliance with ISO 17799. Performed comprehensive vulnerability analysis, penetration testing and firewall audits. Developed and improved security standards and policies incorporating audit requirements. Provided security training to employees. Delivered presentations on risk evaluation and IT security improvements.
Deutsche Bank, Frankfurt, Germany. 11/2016 – Present
A global banking and financial services company.
Cyber-Security Consultant
Technical owner of a number of projects at Deutsche Bank: currently leading a team of 25 individuals, encrypting data, both in motion and at rest, throughout the bank, globally; managing audits and remediating potential risks; designing and delivering the architecture of key management and certificate management solutions; overseeing, from inception to completion, the introduction of smartcards across the bank.
Key Achievements:
- Contributing technical expertise and specialist security knowledge in strategic planning and management of a number of large cyber security projects within Deutsche Bank: from inception to delivery, analyses requirements, makes recommendations, identifies potential risks, develop roadmaps and sets realistic timelines whilst complying to standards such as SDLC & industry best practices.
- Working effectively as a manager internationally; coordinates teams across multiple time zones (India, Singapore and Germany), building a culture that is based on valuing colleagues and grounded in ensuring programme/project goals are understood at all levels; motivating, training, and explicitly recognizing individuals’ strengths.
- Working closely with all key stakeholders/senior managers, to ascertain their core requirements and ensure each party is effectively informed of technical aspects involved for each solution
- Defining and designing the technical/solution architectural requirements, whilst managing technical governance, design review and guidance, alongside creating solution designs and providing a comprehensive document review process.
- Managing remediation of the identified audit issues in cooperation with the PKI team, as well as the applications owners based in Germany, London and Singapore.
- Coordinating of Penetration Tests and remediation
- Managing the migration of application from vulnerable and outdated Hardware Security Module (HSM) to Thales shield Connect
- Technical Owner role for a complex Database encryption project; overseeing the encryption of data at rest and data in motion, globally.
- Ensuring adherence to company security controls in terms of design, implementation and documentation
- Leading research regarding whether the banks systems meet industry standards.
- Remediating or replacing systems and processes as required.
- Project managing the delivery of file encryption system as well as end user crypto solutions such as smartcard: Mapping out all processes (BMPN 2) in the bank and providing adept process management for all cyber security issues.
- Coordinating audit issues & remediation
- Provisioning the X.509 certificate management & key management solution process to ensure that the certificate lifecycle is automated; integrating with the existing PKI system and expanding the client base
- Delivering the architecture, as well as high level design and IT security concepts
- Managing global technical teams
A large company that specializes in retail.
Application Security Technical Lead
Responsible for all aspects of the Application Security Program, which includes managing open vulnerabilities and risks within the applications, establishing standards and procedures for development of web applications, developing and bringing in tools to enable the security and development teams, and training developers in secure coding practices and best practice. Performing automated verification of applications. Use automated tools augmented with manual verification according to OWASP ASVS verification requirements. Perform manual verification to verify that each automated finding is correct and not a false positive.
Lead application security assessments, manage vulnerabilities throughout the SDLC and working with development teams on remediation efforts. Deployment of AWS Cloud F5 ASM AFM HA WAF to defend against application attacks
Consult with development teams, providing technical and architectural guidance on the safety controls. Provision of F5 WAF deployment training.
Quadri Consulting LTD, London, UK ● 03/2013 – Present
A small company that specializes in detecting weaknesses in customer’s data.
Key Engagements:
Principal Consultant
Responsible for discovering gaps and weaknesses by performing Penetration testing, reviewing client’s security policies and OS security procedures and configuration such as password management standard to ensure they are compliant with the defined security requirement, as well as configure password cracking tools to ensure the policy is being adhered to in practice.
Jeremy was also responsible for reviewing firewall and WAF rule set to ensure it tally with the stated security policies, paying particular attention to peer-to-peer file sharing or social network and other Forbidden policies.
Key Engagements:
- TopDevCentral. Nov/15-Present. TDC employs seventy full-time developers and creates customized enterprise software including Java, .Net, Frontend and Oracle. Jeremy ensured Security is interwoven into the core of the customized development and provide protection at the necessary layers. Championed and used static code analysis tool within the company.
- Nobody’s Child Ltd. Feb/14-2016. An e-commerce company based in central London, Provide ongoing security Assessment. Before Nobody’s launch, Jeremy was approached to provide ongoing security assessment, including perpetual penetration testing using OWASP Top 10 as a guideline assessment methodology. Duties include phishing attacks as well as password cracking and Anti-Virus Evasion.
- Boston University. Sept/13-2016. – Provided services including server vulnerability testing, pen-testing, cipher VPN encryption, Wi-Fi testing, network vulnerability scanning, and physical security coordination, including CCTV incorporation.
- Z-Mind Ltd – 07/13-2016. Fulfilled penetration testing-based role utilizing PTES guidelines. Delivered guidance on PCI DSS compliance before QSA audit introduction firewalls, rule base tallies against security policy, checking security policy, product security testing, black box testing, and patch management.
- Huawei – Data – 08/14-04/15. Classification Project: Developed and scoped the data loss prevention project, ensuring that data leakage is prevented, by classifying email contents, and other legacy data and Microsoft files.
- Eurobride. Jun/14 – 2016. Provided ongoing Penetration Testing/Risk & Vulnerability Assessment. Application Code Security. Encryption- Digital Certificate. Provided Managed Security Services.
RBS GLOBAL MARKETS, London, UK ● 07/2012 – 03/2013
The Royal Bank of Scotland's wholesale banking arm.
Web Security Consultant – e-commerce Infrastructure
Supported protection of all web applications using strategic WAF platform solution, with responsibility for evaluating, choosing, and designing, deploying and providing training for the support team globally. Implemented F5 ASM security policy to all devices, and installed IP intelligence functionality. Worked directly with application owners globally to ensure a successful application onboarding. Scheduled propagation of attack signature updates, and produced attacker trend analysis. Integrated ProativeNet to monitor the F5 ASM capacity management. Conducted performance testing, web application penetration and vulnerability testing scoping and defined strict WAF policy. Participated in global migration planning and scheduling for application onboarding, and wrote documentation to support each stage of SDLC phase of WAF project. Set-up certificate and key management to ensure web traffic confidentiality, certificate expiration notification alert scripts, and certificate to ensure the F5 ASM administration traffic confidentiality.
Key Achievements:
• Deployed 26 new WAF hardware appliances globally across e-commerce SNP estate including F5 ASM management appliances on London Campus network.
• Enhanced threat protection for all M&IB external ecommerce web application/services, resulting in reduction of risk level from major to significant.
• Deployment of Splunk for log management solution to permit application owners to review security alerts and monitor abnormal traffic behaviour/patterns
• Produced wireframe used in meeting support team’s requirement for intrusion incident tracking.
• Created 10-stage exploration process to the select best product that met requirements during the proof of concept stage.
• Wrote and completed F5 ASM baseline security policy, ensuring policy alignment with information security through reviews, incorporating OWASP Top 10 recommendations for protecting QA and production web applications.
• Spearheaded deployment of F5 ASM WAF in high availability set-up to provide reliable traffic management to meet capacity demands, preventing a single point of failure and improve business continuity. BT OPERATE, Suffolk, UK ● 06/2011 – 01/2012
The Royal Bank of Scotland's wholesale banking arm.
Security Test Lead
Served as lead penetration tester working on an HMG project. Led team of security testers to test all platforms within Lehrer programme, with responsibility for working with network designers and managers to improve design before deployment. Reviewed security policy documents and mapped to inception design document to create high-level scenario test cases. Reviewed penetration reports, tooling documentation and security testing.
BNP PARIBAS FORTIS, Brussels, Belgium ● 11/2007 – 03/2011
A major financial / banking institution.
Web Application Security Consultant
Performed project review, and ensured execution through SDLC phases, with responsibility for securing web infrastructure through deployment of F5 ASM WAFs. Collaborated with security vendors for device assessment and product testing; created test plans to select the best product that met requirements during the proof of concept stage. Conducted functional and non-functional testing, and workshops to establish designing methods and web application design expected for F5 ASM WAF validation. Performed capacity planning, investigated incidents and classified breach to web farm; worked on a plan to monitor 24/7 real-time attacks. Resolved day-to-day operational issues such as incident, problem and change management. Handled cryptography deployment, certificate and key handling, and documented deviation from the HSM FIPS Level requirement. Deployed remote Syslogng centrally to collect all events from F5 ASM.
Key Achievements:
• Successfully deployed F5 ASM WAF to provide reliable traffic management to meet capacity demands, preventing a single point of failure and improve business continuity.
• Defined project mandates, selection criteria matrix, and set-up POC for Imperva and F5 ASM WAFs.
• Championed the use of Splunk for central logging analysis solution.
EUROCLEAR BANK S.A/N.V., Brussels, Belgium ● 03/2007 – 09/2007
A large clearinghouse.
Application Security Consultant
Played a key role in bank initiative to protect Soap messages by performing integrity checks and providing confidentiality on messages, as well as filtering out attack signatures from the message. Served as a member of web security team working on CCI project (communication systems); investigated which WAF and B2b gateway to deploy in order secure Soap messages exchanges between Euroclear and authorized participants. Wrote test strategy and conducted various tests to aid in device selection. Set-up POC environment to assess products.
Key Achievements:
• Facilitated projects for web application firewall, PKI enhancement, B2B gateway, authentication, authorization and message integrity. Actively involved in the deployment of new products to secure XML Soap in production.
• Contributed to legacy PKI infra enhancement required by CCI, incorporating strong authentication, PKI industrialization and various application firewalls.
NETSECURED SOLUTIONS, London, UK ● 11/2005 – 11/2006
A small security consultancy company.
Penetration Tester
Participated in pre-sales and penetration testing. Managed team that established a system that allowed firms to offer IT security, website development, hosting, and maintenance. Identified any potential avenue of attack against customer systems, determined areas within network vulnerable to attacks, and suggested solutions for identified vulnerabilities. Worked with SME to answer requirements and decide on a level of compliance. Coordinated with clients to plan tailored vulnerability assessment and penetration testing.
Key Achievements:
• Completed firewall and IDS deployments and audits, and vulnerability assessments.
• Engaged incident response teams for rapid reaction to any detected intrusions. SOUTH EASTERN TRAINS LTD., London, UK ● 04/2005 – 11/2005
A major rail transportation network company.
IT Security Governance Manager
Held responsibility for improving protection of electronic information in addition to counselling senior managers on methods to develop and manage IT security. Developed written security controls that provided overall IT security, ensuring compliance with ISO 17799. Performed comprehensive vulnerability analysis, penetration testing and firewall audits. Developed and improved security standards and policies incorporating audit requirements. Provided security training to employees. Delivered presentations on risk evaluation and IT security improvements.
Reisebereitschaft
Verfügbar in den Ländern
Deutschland
Willing to travel between Europe
