Damien Suggs

Marietta, GA

Summary

Dynamic Product Security Specialist with over 23 years of comprehensive experience in Information Security, spanning a broad spectrum of roles from penetration testing and ethical hacking to developing and managing full-scale application and product security programs.

Recognized as an Atlanta information security community leader, I've dedicated over 12 years to serving on the board of directors for the Metro-Atlanta ISSA chapter, fostering professional growth and networking within the industry. Expertise lies in strategically implementing security practices tailored to product development environments, ensuring seamless security integration from the initial design phase to product deployment.


Work History

Founder and Co-Owner

Caesium55 (Consulting Services)
12.2011 - Current

Directed Specialized Application Security consultations for diverse clients, providing expert guidance with a strong focus on embedding security into the product development lifecycle.

Product Security Lead

Pagoda (Web3)
08.2023 - 01.2024

Developed and implemented Pagoda's first Application Security Program.

vCISO

Zippyar (Retail Services)
01.2023 - 07.2023

Spearheaded the integration of advanced security measures into Zippyar's products, establishing a fortified application environment resistant to emerging threats.

Product Security Lead

FalconX (Cryptocurrency/Fintech)
03.2022 - 12.2022

Developed and implemented FalconX's first Application Security Program.


Product Security Lead

Bakkt (Cryptocurrency/Fintech)
11.2020 - 03.2022

Developed and implemented Bakkt's first Application Security Program.

Application Security Consultant

Saltworks Security (Consulting)
03.2017 - 11.2020

Designed and implemented Application Security Programs for clients.

Information and Product Security Manager

Change Healthcare (Healthcare)
08.2014 - 03.2017

Initiated the organization's first application security program, securing over 750 web applications and ensuring compliance with PCI, FISMA, and HyTrust in the AWS environment, bolstering the security of cloud-based products.

Product Security Manager

Aarons (Retail)
11.2013 - 08.2014

Led various security projects and managed the risk validation team at Aarons, focusing on identifying and mitigating risks to safeguard product integrity and customer trust.

Security Analyst and Penetration Tester

AT&T (Telecommunications)
11.2007 - 02.2013

I worked with many security teams focusing on:

  • Vulnerability Management
  • Penetration Testing
  • Policy Management
  • Privacy

Education

Computer Science -

GA State University

Certification

  • SANS: GPEN
  • ISC2: CISSP

Presentations and Security Organizations

Presentations: 

  • Kennesaw State University Information Security Program - 2018
  • SAP Sapphire - 2017
  • ISSA International Conference - 2016 and 2017
  • HP Protect - 2016


Security Organizations:

  • Information System Security Association: 2007 - Present
  • OWASP: 2011 - Present
  • InfraGard: 2010 - 2016
  • Association of Contingency Planners: 2007

References

  • Keyaan Williams, Managing Director, CLASS LLC., Keyaan.williams@class-llc.com, 770.354.9341
  • Haddon Bennett, CISO, Inspire Brands, hbennett@inspirebrands.com, 404.543.3779
  • Aaron Merkle, CISO, Pagoda, aaron@near.org, 830.200.0023
  • Lynn Goodendorf, Former CISO Mandarin Hotel, President of ISSA Chapter, lgoodendorf@gaissa.org, 404.333.3779

Application Security Program

Application Security Program Justification and Beginning

• The need for an application security program is discussed among executive leadership, along with the requirements that justify it. These requirements may include any of the following:
  o Compliance
    ▪ Key Skill(s): PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act of 1996), SOX (Sarbanes-Oxley), SOC (System and Organization Controls reporting), or other compliance frameworks such as FISMA (Federal Information Security Modernization Act).
  o Brand Security
  o Customer Security
  o Corporate Protection


Assessment

• I conduct an assessment to understand the current security posture in the Continuous Integration/Continuous Deployment (CI/CD) cycle. Ten to thirty personnel with various responsibilities are chosen to determine the effectiveness and maturity of existing processes, people, and technology.
  o Key Skill(s): OWASP Software Assurance Maturity Model (SAMM) or Building Security In Maturity Model (BSIMM) frameworks.
• I create a report and roadmap outlining the steps needed to bridge the gap between the current application security posture and the posture required by a globally recognized security standard and by regulatory requirements.
  o Key Skill(s): In-depth understanding of OWASP guidance to bridge the gaps between current and desired security posture.
• The roadmap and report are communicated to the organization in two phases:
  o Executive leadership
    ▪ Key Skill(s): I have demonstrated effective communication with non-technical personnel.
  o Development leadership
    ▪ Key Skill(s): I have demonstrated effective communication with technical personnel.


People

Security Champion Program

• A Security Champion program is created with support from executive and development leadership. Each development team contributes one to three developers, and each non-development team contributes one to three key personnel. The program has the following features that benefit the company:
  o Prior Respect: A Security Champion is already a trusted and known resource on their team, so their words carry more weight than those of someone outside the team.
  o Context: Security Champions know their team best and can translate and filter security information to ensure relevance.
  o Efficiency: Security questions and concerns can be routed through the pre-identified team Security Champion instead of searching for the right person when needed.
  o Specialization: A select few, the Champions, spend additional time learning security concepts and performing security-focused duties instead of everyone doing so.
  o Implementation: The Security Champions assist in evaluating and implementing new components of the application security program. They evaluate new processes, procedures, or technologies to determine the impact on their team.
    ▪ Key Skill(s): Experience effectively setting up security champion programs. I have set up three myself and have contributed to the creation of three others.

Application Security Training

• Training on application security is integral for all development and non-development groups, and the Security Champions evaluate the candidate training providers. The training is integrated into the company's LMS (Learning Management System) and is mandatory for roles whose responsibilities require it.
  o Key Skill(s): I created videos from 5 minutes to 1 hour of training using Camtasia for development and non-development personnel.
  o Key Skill(s): I implemented the Security Journey solution (https://www.securityjourney.com/) to train development and non-development personnel.
  o Key Skill(s): I created CISSP and CEH workshops to train security engineers for companies I have worked for and for the Metro Atlanta ISSA chapter.
  o Key Skill(s): I created and conducted training for security engineers to implement security solutions such as DAST and threat modeling.
  o Key Skill(s): I created and implemented training for developers to properly implement SAST solutions into their development strategies.

Process

Policies and Standards

• Policies and standards are created for all aspects of the Application Security Program and kept in a central location so that personnel from every department in the organization can find them quickly.
  o Key Skill(s): Implementation of a centralized repository in LockPath, Archer, Confluence, SharePoint, or ClickUp that all departments in the organization can access.
  o Key Skill(s): As a full-time employee or consultant, I have created the following policies and standards for various organizations:
    ▪ SAST (Static Application Security Testing) usage and implementation.
    ▪ DAST (Dynamic Application Security Testing) usage and implementation.
    ▪ Developer Training Guidance: OWASP requirements for an application to be considered secure. This becomes a procedural document.
    ▪ API (Application Programming Interface) development standards and requirements.
    ▪ Threat Modeling: definition of and guidance for effective threat modeling.
    ▪ Security Champion Program: definition and implementation guidance.
    ▪ Docker container and Kubernetes security guidance.

Application Security Metrics

• Application security metrics are created to measure the Application Security Program's effectiveness and to communicate the return on investment of the chosen application security components.
  o Key Skill(s): I have created the following metrics for several organizations and kept them updated. The metrics are kept in a centrally accessed location such as SharePoint, Confluence, or ClickUp.
    ▪ Number of Vulnerabilities Detected: SAST and DAST.
    ▪ Vulnerability Severity Levels: SAST, DAST, and Threat Modeling.
    ▪ Vulnerabilities by Category (or Type): SAST, DAST, and Threat Modeling.
    ▪ Time to Detect: SAST, DAST, and Threat Modeling.
    ▪ Time to Remediate: SAST, DAST, and Threat Modeling.
    ▪ Code Coverage: SAST.
    ▪ Trend Analysis: SAST, DAST, and Threat Modeling.
    ▪ Repeat Offending Vulnerabilities: SAST, DAST, and Threat Modeling.
    ▪ Compliance Score: SAST, DAST, and Threat Modeling.
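As an added illustration (not code from the page's author or from any of the organizations named), the metrics listed above computed in Python over a constructed findings export. The record schema, the per-severity remediation SLA values, and the decision to age open findings up to the reporting date are assumptions of the example, not something the page specifies:

```python
"""Application security metrics computed from a findings export.

Assumed schema (one dict per finding): tool, repo, cwe, severity, and ISO
dates introduced / detected / remediated (remediated is None while open).
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed sample data; not an export from any real scanner.
FINDINGS = [
    {"tool": "SAST", "repo": "payments-api", "cwe": "CWE-89", "severity": "High",
     "introduced": "2024-01-03", "detected": "2024-01-05", "remediated": "2024-01-12"},
    {"tool": "SAST", "repo": "payments-api", "cwe": "CWE-89", "severity": "High",
     "introduced": "2024-02-10", "detected": "2024-02-10", "remediated": "2024-02-20"},
    {"tool": "DAST", "repo": "web-portal", "cwe": "CWE-79", "severity": "Medium",
     "introduced": "2024-01-20", "detected": "2024-02-01", "remediated": "2024-02-05"},
    {"tool": "Threat Modeling", "repo": "web-portal", "cwe": "CWE-287", "severity": "Critical",
     "introduced": "2024-01-15", "detected": "2024-01-15", "remediated": None},
    {"tool": "DAST", "repo": "payments-api", "cwe": "CWE-79", "severity": "Low",
     "introduced": "2024-03-01", "detected": "2024-03-04", "remediated": "2024-03-30"},
    {"tool": "SAST", "repo": "payments-api", "cwe": "CWE-89", "severity": "High",
     "introduced": "2024-03-11", "detected": "2024-03-11", "remediated": None},
]

# Assumed remediation SLA in days from detection, per severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 60, "Low": 90}


def _d(iso):
    return date.fromisoformat(iso)


def count_by(findings, field):
    """Number of vulnerabilities by tool, severity, or category (CWE)."""
    return dict(Counter(f[field] for f in findings))


def time_to_detect(findings):
    """Median days between a weakness being introduced and detected, per tool."""
    per_tool = defaultdict(list)
    for f in findings:
        per_tool[f["tool"]].append((_d(f["detected"]) - _d(f["introduced"])).days)
    return {tool: median(v) for tool, v in per_tool.items()}


def time_to_remediate(findings, as_of):
    """Median days from detection to fix, per tool. Open findings are aged up
    to as_of so that unresolved work is not hidden by the metric."""
    per_tool = defaultdict(list)
    for f in findings:
        end = _d(f["remediated"]) if f["remediated"] else _d(as_of)
        per_tool[f["tool"]].append((end - _d(f["detected"])).days)
    return {tool: median(v) for tool, v in per_tool.items()}


def repeat_offenders(findings, min_count=2):
    """Repeat offending vulnerabilities: the same weakness class reported
    repeatedly in the same repository, a signal that training is needed."""
    counts = Counter((f["repo"], f["cwe"]) for f in findings)
    return {pair: n for pair, n in counts.items() if n >= min_count}


def monthly_trend(findings):
    """Trend analysis: findings detected and remediated per calendar month."""
    trend = defaultdict(lambda: {"detected": 0, "remediated": 0})
    for f in findings:
        trend[f["detected"][:7]]["detected"] += 1
        if f["remediated"]:
            trend[f["remediated"][:7]]["remediated"] += 1
    return dict(sorted(trend.items()))


def sla_compliance(findings, as_of, sla_days=SLA_DAYS):
    """Compliance score: fraction of findings fixed within their severity SLA.
    An open finding counts as compliant only while its deadline has not passed."""
    compliant = 0
    for f in findings:
        deadline = _d(f["detected"]) + timedelta(days=sla_days[f["severity"]])
        closed_on = _d(f["remediated"]) if f["remediated"] else _d(as_of)
        if closed_on <= deadline:
            compliant += 1
    return round(compliant / len(findings), 3)


if __name__ == "__main__":
    as_of = "2024-04-01"
    print("by severity:", count_by(FINDINGS, "severity"))
    print("time to detect:", time_to_detect(FINDINGS))
    print("time to remediate:", time_to_remediate(FINDINGS, as_of))
    print("repeat offenders:", repeat_offenders(FINDINGS))
    print("trend:", monthly_trend(FINDINGS))
    print("SLA compliance:", sla_compliance(FINDINGS, as_of))
```

Two design points worth noting: aging open findings into time-to-remediate keeps a stale Critical from disappearing from the average, and the compliance score treats an open finding as compliant only until its SLA deadline passes, so the same finding flips the score as the reporting date moves.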

Non-Application Security Program Modules

• Depending on the maturity of the organization and of its overall security program, ancillary modules must be created for the application security program to succeed in all aspects.
  o Key Skill(s): I have created or contributed to the following sub-programs for various companies that tie into the Application Security Program:
    ▪ Risk Vulnerability Program
    ▪ Vendor Assessment Program
    ▪ PCI Compliance Process

Vulnerability Remediation Ticketing Process

• A ticketing process must be created, approved, and implemented to properly address and track security defects and vulnerabilities in first-party code and third-party components.
  o Key Skill(s): I established an efficient ticket-tracking system for managing and prioritizing security defects, ensuring swift resolution and minimal impact on product development and delivery.
  o Key Skill(s): I engineered daily support for internal and external firewalls, ensuring continuous operational security and immediate response to threats against client products.

Bug Bounty Program

• A bug bounty program should complement the application security program: it surfaces security defects in a controlled, well-documented way and improves product security through community-driven findings.
  o Key Skill(s): I managed a HackenProof bug bounty program focusing on blockchain attacks.
  o Key Skill(s): I implemented and managed a Bugcrowd bug bounty program.

Threat Modeling

• To understand the attack surface of the product, a threat model must be created and updated at intervals throughout the product's lifespan.
  o Key Skill(s): Coordinated with Security Champions to conduct exhaustive threat modeling for the product portfolio, ensuring a deep understanding of potential security risks and implementing strategies to mitigate these threats effectively. The threat models were updated at significant product modifications and semi-annually.
  o Key Skill(s): Implemented and utilized Devici (https://devici.com/) with Security Champions.
  o Key Skill(s): Implemented and utilized IriusRisk (https://www.iriusrisk.com/) with Security Champions.
  o Key Skill(s): Implemented and utilized the Microsoft Threat Modeling Tool (https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling).

Technology

SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis)

• A SAST solution is chosen for an inside-out approach to product security. Each solution has strengths and weaknesses and must be evaluated against the current development framework and the development languages in use, with the Security Champions participating in all aspects of the decision-making, testing, and implementation.
  o Key Skill(s): I have evaluated and implemented the following SAST solutions in various organizations. Some are open-source solutions, but most are commercial solutions:
    ▪ Micro Focus/OpenText: Fortify and Fortify on Demand (https://www.microfocus.com/en-us/products)
    ▪ Checkmarx (https://checkmarx.com/)
    ▪ Snyk (https://snyk.io/)
    ▪ Veracode (https://www.veracode.com/)
    ▪ Cider Security (https://www.cidersecurity.io/)
    ▪ Semgrep (https://semgrep.dev/)
    ▪ Brakeman (https://brakemanscanner.org/)
    ▪ MobSF (https://mobsf.live/)
  o Key Skill(s): I have obtained proficiency in the following development and scripting languages to effectively communicate with development teams on their findings:
    ▪ Python
    ▪ RESTful APIs
    ▪ JavaScript
    ▪ C/C++
• A DAST solution is chosen for an outside-in approach to product security. Each solution has strengths and weaknesses and must be evaluated against the current web technology stack and development process. The Security Champions' participation in all aspects of the decision-making, testing, and implementation is essential.
  o Key Skill(s): I have evaluated and implemented the following DAST solutions:
    ▪ WebInspect (https://www.opentext.com/products/fortify-webinspect)
    ▪ Acunetix (https://www.acunetix.com/)
    ▪ Netsparker, now Invicti (https://www.invicti.com/)
    ▪ StackHawk (https://www.stackhawk.com/)
• Third-party dependencies and components make up most of the code in a typical application, and every component in use is part of the organization's attack surface. They must therefore be inventoried and assessed for security defects.
  o Key Skill(s): I have evaluated and implemented the following SCA solutions:
    ▪ Checkmarx SCA (https://checkmarx.com/cxsca-open-source-scanning/)
    ▪ Snyk SCA (https://snyk.io/product/open-source-security-management/)
    ▪ Sonatype (https://www.sonatype.com/)
    ▪ Black Duck (https://community.synopsys.com/s/article/Black-Duck-Introduction-to-Scanning)
    ▪ Cider Security (https://www.cidersecurity.io/)
  o Key Skill(s): I implemented and configured OWASP Dependency-Track (https://dependencytrack.org/) to track third-party component usage across the organization and create an SBOM (Software Bill of Materials).
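An added example, not the author's code and not Dependency-Track's, of what the SCA and SBOM steps above reduce to: build a CycloneDX-style SBOM from a pinned Python dependency list, correlate each component's package URL (purl) against a vulnerability feed, and gate the build on severity. The dependency list, the feed entries and their EXAMPLE-* identifiers are constructed placeholders (not real CVEs), the application name is assumed, and the numeric version comparison is a deliberate simplification of real version semantics:

```python
"""Build a CycloneDX-style SBOM from a pinned dependency list and match it
against a vulnerability feed, the correlation an SCA tool or Dependency-Track
performs. All input data below is constructed; the vulnerability identifiers
are fictitious placeholders, not real CVEs."""
import json
import re

# Constructed requirements.txt content with exact pins.
REQUIREMENTS = """\
# payments-api runtime dependencies
requests==2.25.1
urllib3==1.26.5
pyyaml==5.4.1
"""

# Constructed feed in the shape of an OSV-style range: a component is affected
# when introduced <= version < fixed.
VULN_FEED = [
    {"id": "EXAMPLE-2024-0001", "purl": "pkg:pypi/requests", "introduced": "2.3.0",
     "fixed": "2.31.0", "severity": "Medium"},
    {"id": "EXAMPLE-2024-0002", "purl": "pkg:pypi/pyyaml", "introduced": "0",
     "fixed": "5.4", "severity": "Critical"},
    {"id": "EXAMPLE-2024-0003", "purl": "pkg:pypi/urllib3", "introduced": "0",
     "fixed": "1.26.6", "severity": "High"},
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_version(text):
    """Numeric-only version tuple, enough for the pinned versions used here.
    A real pipeline should use the packaging library's Version class."""
    return tuple(int(part) for part in re.findall(r"\d+", text)) or (0,)


def build_sbom(requirements, app_name="payments-api"):
    """Minimal CycloneDX 1.5 JSON document: one library component per pin,
    each carrying a package URL (purl) so feeds can be matched unambiguously."""
    components = []
    for line in requirements.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==")
        name = name.lower()
        components.append({"type": "library", "name": name, "version": version,
                           "purl": f"pkg:pypi/{name}@{version}"})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name}},
        "components": components,
    }


def is_affected(version, entry):
    """True when version falls inside the feed entry's affected range."""
    v = parse_version(version)
    return parse_version(entry["introduced"]) <= v < parse_version(entry["fixed"])


def match_feed(sbom, feed):
    """Correlate every component's purl (without the version) against the feed."""
    hits = []
    for comp in sbom["components"]:
        base_purl = comp["purl"].split("@", 1)[0]
        for entry in feed:
            if entry["purl"] == base_purl and is_affected(comp["version"], entry):
                hits.append({"component": comp["purl"], "vuln": entry["id"],
                             "severity": entry["severity"], "fixed_in": entry["fixed"]})
    return hits


def blocking_hits(hits, threshold="High"):
    """Policy gate: the findings that should fail a build at the given severity."""
    floor = SEVERITY_RANK[threshold]
    return [h for h in hits if SEVERITY_RANK[h["severity"]] >= floor]


if __name__ == "__main__":
    sbom = build_sbom(REQUIREMENTS)
    print(json.dumps(sbom, indent=2))
    hits = match_feed(sbom, VULN_FEED)
    for h in hits:
        print(f'{h["severity"]:8} {h["vuln"]} in {h["component"]} (fixed in {h["fixed_in"]})')
    print("build blocked:", bool(blocking_hits(hits)))
```

The point of carrying a purl on every component is that matching happens on an unambiguous package identity rather than on a display name, which is also what lets a tool like Dependency-Track re-evaluate an already uploaded SBOM every time the feed changes, without rescanning the repository.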

WAF (Web Application Firewall)

• The organization's WAF should be used to identify the attack patterns actually being attempted against its applications, so that testing priorities reflect real traffic.
  o Key Skill(s): I maintained the corporate Cloudflare WAF and monitored common attack vector patterns. I ensured these attack patterns were also considered in the organization's DAST, SAST, and SCA analysis.

Logging

• All applications must log suspicious user activity so that it can be investigated and alerted on.
  o Key Skill(s): I worked with Security Champions to ensure that production applications were properly logging events in accordance with NIST and OWASP standards.
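An added example (not the author's code) of what logging suspicious activity "in accordance with NIST and OWASP" looks like in practice: each security event is emitted as one JSON line with the when/where/who/what structure from the OWASP Logging Cheat Sheet, user-controlled values are neutralised against log injection, secret fields are redacted, and a simple detection is run over the resulting lines. The application name, field names, secret-key list and the sample events are constructed for the example:

```python
"""Structured security-event logging for an application, following the
OWASP Logging Cheat Sheet's when / where / who / what structure, with
log-injection neutralisation and secret redaction, plus a small detection
run over the resulting lines. Event data is constructed for the example."""
import json
import re
from datetime import datetime, timezone

_CTRL = re.compile(r"[\x00-\x1f\x7f]")
# Field names whose values must never reach a log (assumed list).
_SECRET_KEYS = {"password", "passwd", "token", "secret", "authorization", "api_key", "cookie"}


def sanitize(value, max_len=256):
    """Neutralise log injection: a user-controlled string must not be able to
    forge a new log line (CR/LF) or smuggle other control characters."""
    text = _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))
    return text[:max_len]


def redact(details):
    """Drop secret values and sanitise everything else in the free-form details."""
    return {k: "[REDACTED]" if k.lower() in _SECRET_KEYS else sanitize(v)
            for k, v in details.items()}


def security_event(event, outcome, *, user, src_ip, resource,
                   app="payments-api", severity="INFO", ts=None, **details):
    """One JSON log line. ts may be supplied for testing; otherwise UTC now."""
    record = {
        "when": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "where": {"app": app, "resource": sanitize(resource)},
        "who": {"user": sanitize(user), "src_ip": sanitize(src_ip)},
        "what": {"event": event, "outcome": outcome, "severity": severity,
                 "details": redact(details)},
    }
    return json.dumps(record, sort_keys=True)


def build_sample():
    """Constructed log lines: a credential-stuffing burst, one success, and one
    request whose username tries to inject a fake log line."""
    lines = []
    for minute in range(5):
        lines.append(security_event("authn.login", "failure", user="alice",
                                    src_ip="203.0.113.5", resource="/login",
                                    severity="WARN", ts=f"2024-03-01T10:0{minute}:00+00:00",
                                    reason="bad_password", password="hunter2"))
    lines.append(security_event("authn.login", "success", user="bob",
                                src_ip="198.51.100.7", resource="/login",
                                ts="2024-03-01T10:02:30+00:00"))
    lines.append(security_event("authn.login", "failure", severity="WARN",
                                user='admin\r\n{"what": {"outcome": "success"}}',
                                src_ip="192.0.2.9", resource="/login",
                                ts="2024-03-01T10:07:00+00:00"))
    return lines


def failed_login_bursts(lines, threshold=5, window_minutes=10):
    """Detection over the log: source IPs with at least threshold login
    failures inside any window_minutes span."""
    failures = {}
    for line in lines:
        rec = json.loads(line)
        if rec["what"]["event"] == "authn.login" and rec["what"]["outcome"] == "failure":
            failures.setdefault(rec["who"]["src_ip"], []).append(
                datetime.fromisoformat(rec["when"]))
    flagged = set()
    for ip, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_minutes * 60:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    print("\n".join(sample))
    print("burst sources:", failed_login_bursts(sample))
```

Emitting one JSON object per line is what makes the detection at the bottom trivial; the same sanitize step is what stops the injected username in the last sample event from appearing as a separate, forged "success" record when the file is read line by line.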

Penetration Testing

• To satisfy many of today's regulatory requirements, an annual penetration test must be carried out by a member of the organization or by a third party.
  o Key Skill(s): I have personally conducted penetration tests against applications, networks, cloud environments, and IoT devices for over twenty years.
  o Key Skill(s): I have maintained relationships with third-party penetration testing companies to ensure that third-party penetration testing is routinely carried out.

ASPM (Application Security Posture Management) Solution

• An ASPM solution should be implemented to inventory the organization's applications, map how they communicate with each other and with external services, and correlate the findings from the other program tools against that map.
  o Key Skill(s): I evaluated, implemented, and monitored a Bionic (https://www.crowdstrike.com/products/bionic/) implementation.

Software Security Center of Excellence

• There are many more ancillary components of an effective application security program. All components should be implemented and adjusted to fit the development environment over the course of a year. Once the Application Security Program has reached a steady state of operation, all components should be incorporated into the organization's official Software Security Center of Excellence.
  o Key Skill(s): I have worked with several companies to create a Software Security Center of Excellence.
