Joe Bagdon, Developer in Bovey, MN, United States

Joe Bagdon

Verified Expert in Engineering

Expert AWS Developer

Location
Bovey, MN, United States
Toptal Member Since
April 4, 2022

Joe is an experienced security and infrastructure engineering professional with experience performing application and network assessments, writing and enforcing policies, defending enterprise environments, and administering infrastructure. He has in-depth knowledge of information security, information technology, and information warfare. Joe is a capable Python programmer who adds automation and integration that reduce workload.

Portfolio

Kompleye
Penetration Testing, Burp Suite, OWASP Zed Attack Proxy (ZAP), OWASP Top 10...
AgileSecOps
AWS Fargate, Cloudflare, Python, Python API, HIPAA Compliance...
BoostLingo, LLC
Security, SOC 2, ISO 27001, Amazon Web Services (AWS), IT Security, CISO...

Experience

Availability

Part-time

Preferred Environment

Linux, Cloudflare, Amazon Web Services (AWS), Application Security, Python, MacOS, Docker

The most amazing...

...thing I have done was to create and teach the first Undergraduate Network Warfare Training (UNWT) course for the U.S. Air Force.

Work Experience

Principal Penetration Tester

2021 - PRESENT
Kompleye
  • Obtained FedRAMP and CMMC penetration testing certification/qualification for the company.
  • Created and maintained the penetration testing program for Kompleye. Built the program from scratch, provided direct input to the sales pipeline, and personally completed the technical work on all engagements.
  • Performed testing for companies of all sizes, from startups to Fortune 500 enterprises, across nearly every industry.
Technologies: Penetration Testing, Burp Suite, OWASP Zed Attack Proxy (ZAP), OWASP Top 10, OWASP, FedRAMP, NIST, HITRUST Certification, Nessus, Vulnerability Assessment, Social Engineering, Cybersecurity, APIs, DevSecOps, Mobile Security, Certified Information Systems Security Professional (CISSP), Amazon S3 (AWS S3), Amazon EC2

Principal Engineer

2015 - PRESENT
AgileSecOps
  • Contributed to policies, processes, compliance programs, and technical implementations. Provided security-related guidance and direction as CISO as a service, keeping key business objectives in mind.
  • Developed Python and PowerShell scripts to integrate third-party threat intelligence products into specific platforms, gaining extensive experience with RESTful APIs.
  • Played a key role in vulnerability scanning and management, as well as penetration testing of infrastructure, mobile, and web applications.
Technologies: AWS Fargate, Cloudflare, Python, Python API, HIPAA Compliance, HITRUST Certification, SOC 2, Firewalls, Web App Security, DevOps, Penetration Testing, Vulnerability Assessment, IT Audits, PCI Compliance, Host-based Intrusion Prevention, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Application Security, ISO 27001, Risk Management, Disaster Recovery Plans (DRP), Virtualenv, Technical Training, Management, Google Cloud, Web Security, Cloud Security, SIEM, Windows, VMware, Threat Intelligence, Training, Compliance, Policy, Puppet, SaltStack, Data Loss Prevention (DLP), Sumo Logic, MacOS, Team Management, Mobile Device Management (MDM), Endpoint Detection and Response (EDR), Amazon Elastic Container Service (Amazon ECS), AWS ALB, CISO, Ansible, Terraform, PCI, Web Application Firewall (WAF), OWASP Zed Attack Proxy (ZAP), Burp Suite, Hacking, Ethical Hacking, Amazon Firewall, VPN, IT Security, Security Audits, Security, Okta, SaaS, Flask, Web, Amazon Web Services (AWS), System Administration, Cybersecurity, Network Security, DevSecOps, CI/CD Pipelines, Kubernetes, System-on-a-Chip (SoC), Architecture, Business Continuity & Disaster Recovery (BCDR), Security Architecture, Security Analysis, Content Delivery Networks (CDN), Consulting, Azure, Single Sign-on (SSO), OWASP, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Metasploit, Data Privacy, GDPR, Technical Hiring, Task Analysis, Interviewing, APIs, Cloud, Source Code Review, CISSP, Vulnerability Identification, Authentication, Monitoring, Antivirus Software, IDS/IPS, Amazon CloudWatch, Cloud Architecture, Security Engineering, Data Governance, Data Protection, IT Governance, Group Policy, Database Security, Threat Modeling, WordPress, WP Engine, React Native, Microsoft 365, SecOps, Mobile Security, Certified Information Systems Security Professional (CISSP), Amazon S3 (AWS S3), Amazon EC2

Fractional CISO

2022 - 2023
BoostLingo, LLC
  • Assisted in developing the policies and procedures for SOC 2 and ISO 27001 certification.
  • Reviewed applications for vulnerabilities and advised developers on the best remediation.
  • Served as the company's security representative to customers. Completed security questionnaires, answered other client security-related questions, and interfaced with sales staff.
Technologies: Security, SOC 2, ISO 27001, Amazon Web Services (AWS), IT Security, CISO, DevOps, Mobile Security, Certified Information Systems Security Professional (CISSP), Amazon S3 (AWS S3), Amazon EC2

Security Consultant | Security Engineer

2022 - 2023
Hearst
  • Led a team of eight engineers helping the company reduce overall risk. Performed thorough technical remediation of vulnerabilities.
  • Worked with business units to help identify and reduce risk. Performed penetration tests and source code analysis, and trained developers on security tooling.
  • Applied AWS best practices to remediate vulnerabilities in a complex multi-tenant environment.
  • Deployed Azure Sentinel with Terraform and configured rules and alerts to help the company meet HITRUST requirements.
Technologies: Security, IT Security, ISO 27001, Compliance, Consulting, Application Security, Burp Suite, OWASP Zed Attack Proxy (ZAP), Amazon Web Services (AWS), Azure, Terraform, Python 3, Python, Sumo Logic, Cloudflare, Web Application Firewall (WAF), CrowdStrike, NIST, HITRUST Certification, SecOps, Mobile Security, Certified Information Systems Security Professional (CISSP), Amazon S3 (AWS S3), Amazon EC2

Chief Information Security Officer

2020 - 2022
The Kit Company
  • Built the company's overall information security program.
  • Achieved SOC 2, Type 2 certification and HIPAA compliance.
  • Re-created and redeployed the application to ECS and Fargate with Terraform, providing a hardened, more secure, elastic, and reproducible environment.
Technologies: AWS Fargate, Docker, DevOps, GitHub, GitHub Actions, Cloudflare, SOC 2, HIPAA Compliance, Python, Vulnerability Assessment, IT Audits, Host-based Intrusion Prevention, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Application Security, Python API, Web App Security, Risk Management, Disaster Recovery Plans (DRP), Virtualenv, Technical Training, Team Leadership, Management, Web Security, Cloud Security, SIEM, Threat Intelligence, Training, Compliance, Policy, Data Loss Prevention (DLP), Sumo Logic, MacOS, Team Management, Mobile Device Management (MDM), Amazon Elastic Container Service (Amazon ECS), AWS ALB, CISO, Ansible, Terraform, Web Application Firewall (WAF), OWASP Zed Attack Proxy (ZAP), Burp Suite, Amazon Firewall, VPN, IT Security, Security Audits, Security, SaaS, Web, Amazon Web Services (AWS), System Administration, Cybersecurity, Network Security, DevSecOps, CI/CD Pipelines, System-on-a-Chip (SoC), Architecture, Business Continuity & Disaster Recovery (BCDR), Security Architecture, Security Analysis, Content Delivery Networks (CDN), OWASP, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Data Privacy, GDPR, Technical Hiring, Task Analysis, Interviewing, APIs, Cloud, Source Code Review, CISSP, Vulnerability Identification, Authentication, Monitoring, Antivirus Software, IDS/IPS, Amazon CloudWatch, Cloud Architecture, Security Engineering, Data Governance, Data Protection, IT Governance, Database Security, SecOps, Mobile Security, Certified Information Systems Security Professional (CISSP), Amazon S3 (AWS S3), Amazon EC2

Senior Manager of Information Security

2015 - 2016
Copart
  • Rebuilt the security team to operate efficiently, with the ability to detect threats and maintain the company's compliance (PCI, SOC 2, ISO 27001, and Safe Harbor) across more than 180 locations worldwide.
  • Led recertification of the PCI environment by gathering evidence, recommending changes, and remediating issues.
  • Led the internal risk management program, tying ownership of security risks to the appropriate business owners and providing risk overviews to C-level management.
  • Installed Sumo Logic as the central syslog service and served as project lead for the migration off the aging syslog and SIEM systems.
  • Designed and deployed intrusion detection and file integrity monitoring, including HIDS, NIDS, and FIM.
Technologies: Sumo Logic, PCI DSS, ISO 27001, Python, Vulnerability Management, Firewalls, Vulnerability Assessment, IT Audits, PCI Compliance, Host-based Intrusion Prevention, Intrusion Prevention Systems (IPS), Application Security, Risk Management, Disaster Recovery Plans (DRP), Team Leadership, Management, Web Security, Cloud Security, SIEM, Windows, Threat Intelligence, Training, Compliance, Policy, Data Loss Prevention (DLP), Team Management, Python API, Web App Security, Endpoint Detection and Response (EDR), Ansible, PCI, Web Application Firewall (WAF), OWASP Zed Attack Proxy (ZAP), VPN, IT Security, Security Audits, Security, SaaS, Web, System Administration, Cybersecurity, Network Security, Business Continuity & Disaster Recovery (BCDR), Security Architecture, Security Analysis, Content Delivery Networks (CDN), OWASP, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Data Privacy, Technical Hiring, Interviewing, APIs, Cloud, CISSP, Vulnerability Identification, Monitoring, Antivirus Software, IDS/IPS, Security Engineering, Data Protection, Group Policy, Certified Information Systems Security Professional (CISSP)

Manager of Information Security

2014 - 2015
Think Finance
  • Oversaw the day-to-day operations of the information security, network, and telephony teams.
  • Wrote and maintained policies and procedures to ensure compliance with PCI and company standards.
  • Built and configured a central logging system based on Elasticsearch and Kibana.
  • Converted all systems from traditional antivirus to Bit9 application whitelisting.
  • Built and installed a network-based intrusion detection system.
  • Incorporated SaltStack configuration management for all Linux servers and wrote configurations that automatically enforce Center for Internet Security benchmarks.
Technologies: Application Security, Vulnerability Management, Risk Management, PCI DSS, Data Loss Prevention (DLP), SaltStack, Vulnerability Assessment, PCI Compliance, Disaster Recovery Plans (DRP), Team Leadership, Management, SIEM, Windows, Threat Intelligence, Compliance, Policy, Team Management, Ansible, PCI, IT Security, Security Audits, Security, Web, System Administration, Cybersecurity, Network Security, Architecture, Security Architecture, Security Analysis, OWASP, Technical Hiring, Interviewing, Cloud, CISSP, Vulnerability Identification, Monitoring, Antivirus Software, IDS/IPS, Security Engineering, Data Protection, Group Policy, Certified Information Systems Security Professional (CISSP)

Security Officer

2012 - 2014
Rally Software
  • Communicated with customers to answer security-related questions and coordinated customer security testing.
  • Developed and enforced security and privacy policies.
  • Oversaw all aspects of PCI compliance for the e-commerce website.
  • Achieved FISMA NIST 800-53 Moderate compliance for the SaaS product and maintained ISO 27001, EU Safe Harbor, and HIPAA compliance.
  • Deployed host-based and network-based intrusion detection systems in the corporate and production environments.
  • Collaborated directly with operations administrators on security and operational functions.
  • Performed vulnerability and penetration testing of the company's SaaS application.
  • Conducted regular application reviews while working with developers to resolve security issues.
  • Wrote the disaster recovery policy for the production environment and served as the main contributor to the company's disaster recovery documentation.
Technologies: Application Security, Vulnerability Management, PCI DSS, ISO 27001, Linux, Puppet, Python, Bash Script, Policy, Disaster Recovery Plans (DRP), Vulnerability Assessment, IT Audits, PCI Compliance, Host-based Intrusion Prevention, Intrusion Prevention Systems (IPS), Web App Security, Risk Management, Team Leadership, Management, Web Security, SIEM, VMware, Threat Intelligence, Training, Compliance, SaltStack, Data Loss Prevention (DLP), MacOS, Team Management, CISO, PCI, Web Application Firewall (WAF), OWASP Zed Attack Proxy (ZAP), VPN, IT Security, Security Audits, Security, SaaS, Web, System Administration, Cybersecurity, Network Security, Business Continuity & Disaster Recovery (BCDR), NIST, Security Architecture, Security Analysis, OWASP, Dynamic Application Security Testing (DAST), Data Privacy, Technical Hiring, Interviewing, Cloud, CISSP, Vulnerability Identification, Authentication, Monitoring, Antivirus Software, IDS/IPS, Security Engineering, Data Protection, PHP, SecOps, Certified Information Systems Security Professional (CISSP)

Global Information Security Engineer

2012 - 2012
Prologis
  • Provided support, guidance, engineering, and administration for corporate security.
  • Built the replacement for an aging network-based intrusion detection system.
  • Identified and managed the cleanup of several botnet-infected and other malware-infected systems within the company's global infrastructure.
  • Installed central logging and reporting capabilities to support security and infrastructure administrators.
Technologies: Python, Intrusion Detection Systems (IDS), SIEM, Penetration Testing, Threat Intelligence, Training, Policy, Risk Management, IT Security, Security Audits, Security, System Administration, Cybersecurity, Network Security, Security Analysis, Vulnerability Identification, Monitoring, Antivirus Software, IDS/IPS, Security Engineering, Data Protection

Lead Systems, Network, and Security Engineer

2009 - 2012
Tendril Networks
  • Assessed information technology controls and tested the compliance of applied technologies, development projects, data center operations, security, and IT-related workflows.
  • Developed and maintained processes covering security incident response, vulnerability assessment and scanning, patch management, security metrics and reporting, security event management, protection of PII, and encryption.
  • Assessed risk and internal operational controls by identifying areas of non-compliance and operational weaknesses, inefficiencies, and issues.
  • Performed penetration testing and vulnerability scanning with BackTrack, Metasploit, Nessus, John the Ripper, Nikto, Nexpose, Burp Suite, and w3af.
Technologies: Python, Compliance, PCI DSS, Penetration Testing, Vulnerability Management, Web Security, Threat Intelligence, Policy, Puppet, Risk Management, Team Management, IT Security, Security Audits, Security, Web, System Administration, Cybersecurity, Network Security, Architecture, Security Analysis, OWASP, Technical Hiring, Interviewing, Cloud, Vulnerability Identification, Monitoring, IDS/IPS, Security Engineering, Data Protection

Security and Operations Center Linux Administrator

2008 - 2009
DigitalGlobe
  • Provided security and administration support for Linux RHEL 5, Windows (XP, 2003, 7, 2008), Solaris 10, and IRIX systems.
  • Troubleshot and resolved issues with infrastructure components and the company's purpose-built software applications.
  • Wrote scripts and programs to automate monitoring and administration processes.
Technologies: Python, Vulnerability Management, Linux, Windows, VMware, Policy, VPN, IT Security, Security, Web, System Administration, Cybersecurity, NIST, Vulnerability Identification, Monitoring, Antivirus Software, IDS/IPS

Intelligence and Network Security Administrator

1994 - 2008
U.S. Air Force
  • Managed a project team developing network security attacks.
  • Served as a certified instructor and developer for the first Air Force Undergraduate Network Warfare course.
  • Instructed students in defending against hacking techniques and malware, utilizing Linux hosts with Ruby, Python, and shell scripting.
  • Performed penetration testing using open-source software such as Nmap, Nessus, and Metasploit, as well as other malicious code found on the Internet written in C++, Python, and shell scripting.
Technologies: Penetration Testing, Python, Compliance, Training, Threat Intelligence, Firewalls, Virtualenv, Vulnerability Assessment, Application Security, Technical Training, Team Leadership, Management, Web Security, Windows, Policy, Data Loss Prevention (DLP), Risk Management, Team Management, Web App Security, Mobile Device Management (MDM), HIPAA Compliance, Web Application Firewall (WAF), Military Operations, Hacking, Ethical Hacking, IT Security, Security Audits, Security, System Administration, Cybersecurity, Network Security, System-on-a-Chip (SoC), NIST, Security Analysis, OWASP, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Metasploit, Technical Hiring, Vulnerability Identification, Authentication, Monitoring, Antivirus Software, IDS/IPS

The Unstoppable Denial of Service

A Fortune 100 company contacted me about a security issue with their web application. Almost immediately, I identified the issue as a malicious actor hitting an endpoint that caused long-running database queries and took the application offline. I worked with the development and security teams to quickly put a web application firewall in place. Within 24 hours, the application was more efficient and running smoothly.
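Detection logic for the scenario described above, as an added example that is not the profile owner's code: it parses access-log lines, finds the route whose median response time betrays the expensive query, and runs a sliding-window count per client IP to produce the list a WAF rate-limit rule would block. It assumes an nginx-style combined log with $request_time (seconds) appended as the last field; the log format, the thresholds, and the IPs, paths, and timings in build_sample_log() are all constructed for the example.

```python
"""Find the endpoint behind a query-driven denial of service and derive a
per-client rate limit from access logs.

Added example; not code from the profile owner. Assumption: an nginx-style
combined log with $request_time (seconds) appended as the final field."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rtime>[\d.]+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],  # group by route, not by query string
        "status": int(m["status"]),
        "rtime": float(m["rtime"]),
    }


def slow_endpoints(records, slow_s, min_hits):
    """Routes whose median response time is >= slow_s over at least min_hits requests.
    A high median (rather than a high maximum) separates a hammered expensive
    query from an occasional slow outlier."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r["rtime"])
    out = {}
    for path, times in by_path.items():
        if len(times) >= min_hits:
            times.sort()
            median = times[len(times) // 2]
            if median >= slow_s:
                out[path] = round(median, 2)
    return out


def rate_offenders(records, limit, window_s):
    """Sliding-window count per client IP: {ip: peak requests in any window_s-second
    window} for every client whose peak exceeds limit."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        left, peak = 0, 0
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() >= window_s:
                left += 1  # drop timestamps that fell out of the window
            peak = max(peak, right - left + 1)
        if peak > limit:
            offenders[ip] = peak
    return offenders


def analyze(log_text, per_ip_limit=30, window_s=60, slow_s=2.0, min_hits=5):
    """Return the routes that look like the expensive target and the clients
    exceeding per_ip_limit requests per window_s seconds (candidates for a WAF
    rate-limit rule). The thresholds are illustrative defaults, not tuned values."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "slow_endpoints": slow_endpoints(records, slow_s, min_hits),
        "block_ips": rate_offenders(records, per_ip_limit, window_s),
    }


def build_sample_log():
    """Constructed sample traffic (not real data): one client hammering a search
    route with a wildcard query that takes ~8.5 s, plus a little normal traffic."""
    t0 = datetime(2023, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path, rtime, ua):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1234 "-" "{ua}" {rtime:.3f}'

    lines = [line("203.0.113.7", i, "/api/search?q=%25", 8.5, "python-requests/2.28")
             for i in range(50)]
    lines += [line("198.51.100.4", i * 10, "/", 0.05, "Mozilla/5.0") for i in range(3)]
    lines += [line("198.51.100.9", i * 20, "/api/search?q=shoes", 0.3, "Mozilla/5.0")
              for i in range(2)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

The two outputs serve different audiences: block_ips is what goes into a WAF rate-limiting rule as a first response, while slow_endpoints tells the developers which query needs a bound, an index, or a cache so the fix outlives the block list.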

DevSecOps Champion

Hired to assist a startup with all things security. I quickly found some glaring issues in the production environment. There was a lack of knowledge of AWS and of a correct, secure code deployment pipeline. I was asked to help get them on track. Within a few weeks, I built and implemented a new AWS environment. The new environment included containers running in ECS/Fargate and an automated deployment pipeline using GitHub Actions. The solution was deployed with Terraform, and the new environment can be spun up in minutes. In the end, the solution was reproducible, secure, and easy to maintain.

From Zero to Compliant - SOC 2, Type 2

A recent client had a business requirement to become SOC 2, Type 2 compliant, and it needed to happen quickly. Failing to complete it on time risked losing an important business opportunity. They seemed confused about what would make them compliant. SOC 2 was just a scary term they did not want to deal with.

I took the lead and completed most of the work with almost no disruption to daily operations. Everything from policy to technical implementation was completed within 30 days. The auditor provided the SOC 2, Type 1 certification a week later. No incidents occurred during the monitoring period, and we obtained SOC 2, Type 2 on schedule.

Languages

Python, Bash Script, Python 3, PHP

Paradigms

HIPAA Compliance, Penetration Testing, Management, DevSecOps, DevOps

Platforms

Amazon Web Services (AWS), Amazon EC2, Docker, Linux, MacOS, Windows, AWS ALB, Burp Suite, Web, WordPress, Kubernetes, Azure

Industry Expertise

Cybersecurity, Network Security

Storage

Amazon S3 (AWS S3), Google Cloud, Database Security, WP Engine

Other

Incident Response, Incident Management, Information Security, Cloudflare, SOC 2, Vulnerability Assessment, IT Audits, PCI DSS, PCI Compliance, Team Leadership, Host-based Intrusion Prevention, Intrusion Detection Systems (IDS), Team Management, HITRUST Certification, Web App Security, ISO 27001, Vulnerability Management, Risk Management, Data Loss Prevention (DLP), Policy, Disaster Recovery Plans (DRP), Compliance, Training, Threat Intelligence, SIEM, Web Security, Cloud Security, PCI, IT Security, Security Audits, Security, SaaS, System Administration, System-on-a-Chip (SoC), Business Continuity & Disaster Recovery (BCDR), Security Architecture, Security Analysis, Content Delivery Networks (CDN), Consulting, OWASP, Technical Hiring, Interviewing, Cloud, CISSP, Vulnerability Identification, Antivirus Software, IDS/IPS, SecOps, Mobile Security, Certified Information Systems Security Professional (CISSP), Incident Handling, GitHub Actions, Firewalls, Technical Training, Intrusion Prevention Systems (IPS), Application Security, Mobile Device Management (MDM), Endpoint Detection and Response (EDR), CISO, Web Application Firewall (WAF), Military Operations, Hacking, Ethical Hacking, CI/CD Pipelines, Architecture, NIST, Single Sign-on (SSO), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Data Privacy, GDPR, Task Analysis, APIs, Source Code Review, Authentication, Cloud Architecture, Security Engineering, Data Governance, Data Protection, IT Governance, Microsoft 365, Monitoring, Teamwork, Okta, Group Policy, Threat Modeling, CrowdStrike, OWASP Top 10, FedRAMP, Social Engineering

Libraries/APIs

Python API

Tools

AWS Fargate, GitHub, Sumo Logic, SaltStack, Virtualenv, VMware, Amazon Elastic Container Service (Amazon ECS), Ansible, OWASP Zed Attack Proxy (ZAP), Amazon Firewall, VPN, Metasploit, Amazon CloudWatch, Puppet, Terraform, Nessus

Frameworks

Flask, React Native

OCTOBER 2022 - PRESENT

Certified Information Systems Security Professional (CISSP)

International Information System Security Certification Consortium (ISC)²

JANUARY 2017 - PRESENT

AWS Business Professional

Amazon Web Services

JANUARY 2017 - PRESENT

AWS Technical Professional

Amazon Web Services

SEPTEMBER 2015 - PRESENT

Programming for Everybody (Python)

Coursera

JULY 2015 - PRESENT

An Introduction to Interactive Programming in Python (Part 1)

Coursera

DECEMBER 2007 - DECEMBER 2011

GIAC Certified Incident Handler (GCIH)

SANS Institute

JULY 2007 - JULY 2011

GIAC Security Essentials (GSEC)

SANS Institute