Paul Mendelson, MSIA, CISSP, CISA, CISM, CSSLP, C|EH, MCP

• (248) 404-7880

APPLICATION SECURITY SPECIALIST

Introduction

Paul Mendelson is a Certified Application Security Specialist with a passion for software security. He has extensive experience in application penetration testing (“blackbox testing”), static code analysis (“whitebox testing”), vulnerability assessment, secure software development, and open source intelligence. He possesses a broad knowledge of information technology and a world-view of security. His abilities stem from a strong background in software engineering, information security, and anti-terrorism.

Paul has 18 years' experience in application security and over 20 in software development. He has held private- and public-sector positions as an Application Security Engineer, Principal Security Consultant, Application Security Manager, and Information Security Officer within a wide range of industries, including financial services, government, healthcare, medical devices, insurance, retail, consumer goods, technology services, oil, gas, and nuclear/energy. Paul has significant experience providing high-assurance security assessments on mission-critical financial applications, national and foreign critical infrastructure, and other high-risk, high-value systems.

In addition to analyzing countless web apps, mobile apps, web services, and thick clients, past assessments also include: nuclear power plants, power grids, military hospitals, stock exchanges, satellite-based intelligence systems, electronic election/voting systems, PTZ video surveillance, medical and life-support devices, infusion management systems, deadly reagent superstores, national disaster management, video games, smart home/IoT devices, operational control systems, supervisory control and data acquisition (SCADA) systems, radiological emergency management, and Wi-Fi enabled coffee pots.

Paul is an expert at performing security assessments using formal methodology (e.g. NIST, OWASP), formal risk analysis (e.g. CVSS, DREAD), formal threat modeling (e.g. STRIDE), and formal reporting. Paul is also skilled in network pentesting/vulnerability assessment, ethical hacking/reverse engineering, malicious code detection/forensics, security program development, Secure SDLC development/auditing, security policy/standards development, security training, secure software design/development, social engineering/phishing, dark web/deep web, and attack modeling.

Paul is an active member of OWASP, ISSA, ISACA, WASC, and FBI InfraGard, and a contributor to major industry projects, including the OWASP Mobile Top 10, OWASP Mobile Apps Checklist, Android Testing Cheat Sheet, and the OWASP Testing Project. He has also published numerous security-focused white papers and blogs, as well as articles in scholarly journals.

Areas of Expertise

• Application & Network Penetration Testing

• Secure SDLC Development & Auditing

• Source Code Analysis / Malicious Code Detection

• Security Testing & Code Review Methodology

• Dark Web / Deep Web / Surface Web Intelligence

• Social Engineering & Phishing

• Application Security Program Development

• Threat Modeling & Attack Modeling

• Security Policy & Standards Development

• Application Security & Pentest Training

Formal Education

M.S. Information Assurance

Walsh College, Troy, MI (NSA CAE/CD - National Center of Academic Excellence in Cyber Defense - NSA/DHS), 4.0

B.S. Computer Science

Michigan State University, East Lansing, MI

Professional Training

• Web Application Security, InfoSec Institute

• Application Security & Web Application Hacking, InfoSec Institute

• Certified Ethical Hacker BootCamp, NetCom Information Technology, Inc.

• Exploiting & Defending Web Applications, InfoSec Institute

• IDP Intrusion Detection & Prevention, SunTel Services and Juniper Networks

• HIPAA 2008 Privacy Standards, Information Security Standards, Medicare, BCBSM

• Application Security, InfoSec Institute

• Novell Certified Ethical Hacker, NetCom Information Technology

Professional Certifications

• (ISC)2 Certified Information Systems Security Professional (CISSP)

• (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP)

• ISACA Certified Information Systems Auditor (CISA)

• ISACA Certified Information Security Manager (CISM)

• EC-Council Certified Ethical Hacker (C|EH)

• InfoSec Institute Certified Application Security Specialist (CASS)

• CompTIA Security+, Network+ and A+ Certified Professional

• Microsoft Certified Professional (MCP)

Professional Experience

• Principal Security Consultant, PM Security Inc (2008-Current)

• Information Security Engineer, Wells Fargo (2007-2009)

• Application Security Manager, Wayne County, MI Government (2005-2007)

• Software/Security Architect, Creative Document Solutions (2003-2005)

• Security Manager, Directed Engineering (2001-2005)

• Software/Security Consultant, DistributedNET (1999-2001)

Clients

Past and current clients include primarily government agencies and high-profile Fortune 50/100/500 companies, such as large banks, healthcare providers, insurance companies, online brokers, audit firms, software companies, retailers, service providers, and other top cyber-security companies. A few examples:

Wells Fargo / TD Ameritrade / Visa / Blue Cross Blue Shield
Wachovia / General Electric / MasterCard / Wayne County, MI Gov't
JPMorgan Chase / E*Trade / American Express / Procter & Gamble
Morgan Stanley / Verizon / Sempra Energy / VMware
Bank of America / FAA / Advance Auto Parts / NY State Gov't
Principal Financial / Home Depot / Owens Corning / Hertz Car Rental
Walmart / Lowes / Smith & Wesson / PA State Gov't
Sam's Club / John Deere / Adobe Systems / Kidde
Nuclear Reg Comm (NRC) / PSEG / National Grid / Cooper Tire
American Water / Southern Company / American Elec Power (AEP) / Pacific Gas & Elec (PG&E)
Rockwell Automation / DSW / Procter & Gamble