Marc P. Dioso
CISSP, CSSLP, CCSP, MSBA
Relevant Skills Summary
Application Security:
SAST/IAST Scanning: Checkmarx CxAudit, Fortify SSC, Fortify AWB, Contrast
Manual Security Code Review: C#, Java, C++, VB.Net, Salesforce, Cold Fusion, Objective-C
DAST Scanning: WebInspect, Burp Suite, ZAP, SQLMap, Kali Linux
Threat Modeling, SD Elements, ThreadFix, OWASP Top 10
SSDLC, Data Analytics, Microservices, SSO, Federated Authentication, Cloud Security
Software Development:
ASP.Net/C#, VB.Net, C++, ASP, SQL, Visual Basic, C, Javascript, Clipper/Dbase, PHP, ADO.Net, AJAX, SOAP, REST, XPath, xmlHttp, LDAP, COM+, Visual Studio, Powershell
SQL Server, Oracle, Sybase, Access, Paradox, Clipper, Dbase, MySQL, SQLAnywhere, Raima, Btrieve, IBM Database Mgr
Agile SCRUM, Kanban, JIRA, SSDLC, Threat Modeling, CI/CD
Object Modeling Technique, Object Oriented Design, SOA, Web Services, UML, RUP
Professional Certifications:
CISSP, CSSLP, CCSP
AVP – Senior Information Security Engineer: Wells Fargo, 10-2019 to Present
Solution platform: Checkmarx CxAudit, Fortify SSC/AWB, Java, C#, Salesforce, ThreadFix, Agile Scrum, Kanban, JIRA, GitHub, Eclipse, Visual Studio
Checkmarx custom query development and AppSec vulnerability gap analysis for SAST scanning in support of enterprise-level migration from Fortify SSC to the Checkmarx CxAudit platform.
Conduct manual and automated security code reviews of publicly accessible and high-risk enterprise banking applications (Java, C#, Salesforce) to identify application security vulnerabilities, utilizing Agile Scrum and Kanban methodologies.
Contribute to AppSec review processes and documentation related to Microservices architecture, SSO and Federated Authentication systems, and Cloud Application deployment and migration.
Work with application development teams on relevant application security remediation efforts.
Disposition SAST vulnerability findings used as input to AI and Machine Learning models.
Lead Application Security Engineer: Moss Adams, 11-2018 to 10-2019 (Merged w/ AsTech 11-2018)
Solution Platform: Fortify, Burp Suite, AppScan, WebInspect, Contrast, Checkmarx, Kali, ZAP, Qualys, ASP.NET/C#, VB, J#, Java, JSP, Classic ASP, Visual Basic, ActionScript, iOS/XCode, Javascript, Cold Fusion, Visual Studio, Eclipse, SQL Server
Performed manual code review, static code analysis, dynamic testing and penetration testing using DAST and SAST tools for web-based, desktop, and mobile enterprise solutions to identify critical internet security vulnerabilities, assess risk exposure, and provide source code remediation guidance and/or implementation.
Analyzed source code, assessed risk, prioritized vulnerabilities, and provided remediation guidance used to generate and present comprehensive security assessment and recommendations reports to development and management teams.
Deployed Checkmarx POC on an AWS cloud instance to benchmark SAST performance versus Fortify.
Senior Application Security Engineer: AsTech Consulting, 2-2009 to 11-2018
Solution Platform: Fortify, Burp Suite, AppScan, WebInspect, Contrast, Checkmarx, Kali, ZAP, Qualys, ASP.NET/C#, VB, J#, Java, JSP, Classic ASP, Visual Basic, ActionScript, iOS/XCode, Javascript, Cold Fusion, Visual Studio, Eclipse, SQL Server
Performed manual code review, static code analysis, dynamic testing and penetration testing using DAST and SAST tools for web-based, desktop, and mobile enterprise solutions to identify critical internet security vulnerabilities, assess risk exposure, and provide source code remediation guidance and/or implementation.
Collaborated with colleagues to analyze source code, assess risk, prioritize vulnerabilities, and provide remediation guidance used to generate and present comprehensive security assessment and recommendations reports to development and management teams.
Performed DAST and Penetration Testing assessments on web and mobile applications using the most popular commercial and open source pen testing tools, including Burp Suite, AppScan, WebInspect, etc.
Deployed distributed Fortify scan process with separate Translate (NST) and Scan servers to optimize multi-user and large-application SAST processing.
SME-level understanding of web application security threats, vulnerabilities and risk of external/internal exploit.
Provided solutions and recommendations for source code remediation based on OWASP guidelines, Secure Coding Practices, PCI, PKI, and HIPAA standards.
Provided SME support and guidance for AppSec Center of Excellence initiatives at major financial institutions to integrate AppSec best practices and procedures into enterprise-wide SSDLCs.
Conducted presentations to development teams regarding SAST/DAST methodologies for integration into CI/CD pipelines and the SSDLC process.
Developed Advanced Fraud Analytics modeling application using R-based statistical analysis, user profiling, and rule-based customer risk scoring – integrated data points for potential money laundering, credit card fraud, suspicious transactions/activity, political exposure, terrorist financing, etc.
Developed numerous utility programs to parse and mine information from multiple databases and proprietary and commercial file formats to build the analytics data model.
Developed internal web-based Security Assessment statistics and Vulnerability Metrics database and front-end application for ad hoc security trend and mitigation analysis (ASP.Net, SQL Server). Data was extracted, integrated and published in the Verizon DBIR Annual Report.
Authored blog articles on Application Security topics for publication on the company website; also acted as moderator for company website blog article user comments.
Senior Software Engineer, Project Leader: Audatex/Solera formerly ADP, 3-2004 to 12-2008
Solution Platform: .Net/C#, ASP, Ajax, XML, XSL, VB, Javascript, Oracle, ODP.Net, ADO, SCRUM
ASP.Net/C# development on end-to-end web-based SOA Claims Processing solution for the Insurance and Auto Collision Industry, which integrates multiple Enterprise applications.
Team Lead for project which included migration of central Dispatch engine from ASP/VB/ActiveX to ASP.Net/C# and N-Tier SOA implementation. Managed overall development and worked on new .Net assemblies and .Net Web Services which replaced the legacy ASP/VB xmlHttp web services and components. Supported installation and deployment of .Net components/services on internal test and Production servers.
Team Lead for major .Net rewrite of central Claims Viewer application middle tier business logic to use authentication-based access to LDAP and DB based insurance claim information.
Developed ASP.Net assemblies and web services to process security and authentication information based on centralized LDAP configuration settings for organization, user, and role-based profiles. Developed .Net assemblies, which encapsulate configurable business and search logic previously embedded in PL/SQL and stored procedures. Worked with DBAs to tune embedded SQL, stored procedures, and configured connection pooling parameters for search queries.
Project Lead and hands-on developer for Quarterly and Monthly releases which included customer and internal enhancements as well as critical hotfix/patch deployments. Interfaced with Product Mgmt for requirements, provided development sizings, and performed design and code reviews. Managed external team dependencies, integration testing and deployment support for all development and production environments. Development contact for Production-related escalation issues. Conducted training sessions and mentored new developers on the team.
Software Engineer (part-time contract): New America Software, 10-2009 to 12-2009
Solution Platform: .Net/C#, DevExpress, SQL Server
Maintained / enhanced C# utility programs to generate code and scripts to build and synchronize SQL Server database tables which support a Multiple Year Tax Filing application for businesses and individuals.
Senior Software Engineer: ADP, 2-2003 to 3-2004
Solution Platform: ASP, XML, XSL, Javascript, VBScript, VB/ActiveX, ADO, Oracle, COM+
Lead engineer on front-line Production Support for end-to-end web-based Claims Management system. Developed and managed deployment of critical hotfix patches for Prod issues.
Technical Liaison for remote developers for migration to new DB schema and N-Tier SOA platform.
Senior Software Engineer, Project Leader: ADP, 9-2001 to 2-2003
Solution platform: ASP, DHtml, VB6, ADO, Oracle, XML
Developed and maintained centralized Claims Viewer application to help transition clients from mainframe to web-based solution.
Managed contractors, worked directly with Product Mgmt and Client Services to obtain requirements.
Scheduled/developed/deployed multiple releases for client enhancements and resolution of critical Production issues.
Senior Software Engineer: ADP, 12-2000 to 9-2001
Solution platform: C++, XML, DCOM/MTS, Oracle, VB6
Maintained and enhanced client/server message routing and communications management infrastructure.
Supported MAPI, MSMQ, and internal protocols over RAS and Wireless transports.
Developed tools to troubleshoot performance, connection, and threading issues.
Senior Software Engineer: Premenos/Harbinger/Peregrine, 1-96 to 12-2000
Solution platform: C++, NT, Unix (Solaris/AIX/HP), VB, CORBA, Oracle, Sybase, SQLServer
C++ NT/Unix cross-platform development for Electronic Commerce-enabling software which provides secure EDI transport over the internet by integrating PKCS encryption, authentication, non-repudiation of origin and receipt, key management, message tracking, archiving and multiple point-to-point internet protocols.
Implemented SMTP, POP3, MAPI, FTP Client, and SSL TCP/IP transport classes for NT and Unix.
Integrated SOCKS5 proxy server support for product on Solaris, AIX, HP-UX, Win 95 & Win NT.
NT middle tier and UI built on C++/MFC and VB utilizing OLE, CORBA and ODBC to SQL Server.
Developed client, server, and database installations for Win NT/95 using InstallShield.
Supported Unix platform script installations including bundled Oracle and Sybase versions.
Created project and design process templates, which were adapted for company-wide use.
Automated Windows build process to ensure consistent binary configuration for distribution.
Provided mainline contact for Technical Support group for all Windows and Unix platforms.
Technical Consultant (Project Lead/Team Leader): ADP, 8-93 to 1-96
Solution platform: C++, NT, Windows SDK, Paradox, PVCS, OMT
Developed O-O C++/Windows GUI Framework which was used as base architecture for Pen-based laptop estimating system.
Framework was reused across corporate estimating product line.
Led UI design and development effort with migration to Client/Server (TCP/IP) and Component Architecture.
Developed Vehicle Damages Page of pen-based claims workstation, which integrated point-and-click part selection and compressed vehicle graphics and data.
Project/Technical Lead for customizable Forms Manager project utilizing scripting language, customized in-house class library and dynamic data dictionary for UI flexibility.
Maintained architectural UI framework/controller allowing parallel development of UI DLLs.
Presented Object and Dynamic Modeling class for management and programming staff.
User Interface Team Leader functioning as lead developer while reviewing internal designs, providing architectural guidance, scheduling & assigning tasks, and resolving product issues.
Software Engineer/Project Manager: Onsite Systems, 8-90 to 7-93
Solution platform: C++, NT, Windows SDK, Oracle, zApp, Vitamin C
Developed O-O C++ system-level reusable Windows GUI class library for screen generation and pharmaceutical data entry software using Borland C++, zApp class library, and Oracle database. Beta prototype was developed using MSC 6.0, CommonView class library and dbVista 3.1 (RAIMA).
Led multiple releases of Clinical Data Cube software, which managed the electronic capture of Clinical Trials data for pharmaceutical companies. Developed C++ object-oriented access method and data decryption classes for proprietary clinical data database.
Developed Windows Spreadsheet App for Management Reporting using MS EXCEL SDK, DLLs, and DDE.
Conducted O-O Design and C++ training classes for internal Engineering Group.
Systems Engineer: Fireman's Fund Insurance Co., 1-89 to 8-90
Solution platform: C, OS/2, Presentation Manager SDK, IBM Database Mgr, ERWin data modeling
One of the lead developers for insurance system automating Rate, Quote, Issue, and MIS using IBM C2, OS/2 PM SDK, and IBM Database Mgr (Crystal and GUPTA DB were used for prototype). Created MDI-like Notes processor with insert, fonts, wrap and resize (emulated MLE control).
Developed Insured Rating module involving extensive data field capture and validation and complex risk rating and underwriting algorithms.
Workstation to Host communication via APPC, Remote Data Services, and Communications Gateway.
Responsible for multiple DLL creation and integration, DB2 Table Design, and embedded SQL coding (static and dynamic).
Programmer/Analyst: Micro Force Innovations, 7-88 to 7-89
Solution platform: DOS, Clipper, Dbase IV
Developed Dental Office Automation system and user documentation (Dbase and Clipper S'87).
Integrated dental office management reports using Dbase table data and MS Excel macros.
Owner/Founder: MPD Enterprises (Consulting), 1-90 to present
Software/Web development using C#, C++ programming, ODD, Website Design, HTML, Javascript
Developed Holistic Pet Care website, which integrated Online store and credit card processing.
Developed informational and product websites for various merchants and vendors.
Custom small business applications development using Visual Basic and Clipper SDK.
Real Estate Investment and Property Management.
Education
California State University, Hayward (4.0 GPA)
· Master of Science, Business Administration: Computer Information Systems
San Francisco State University (Cum Laude)
· Bachelor of Science: Computer Information Systems
· Bachelor of Science: Finance
· Minor: Asian American Studies
Licenses & Certifications
Awards & Affiliations
Beta Gamma Sigma, World Class Service Award (ADP), President’s Award (ADP), Apartment Owners Assoc, Aikido Schools of Ueshiba (Nidan), Delta Sigma Pi, Nat’l Honor Society, Licensed Childcare Provider