Profile

Hi, I'm Ian Norden. I enjoy tackling complex architectural problems, remaining flexible enough to solve AppSec and Red Team gaps, and find joy in automating the boring. I've recently returned to AppSec, after helping found and build the Red Team at Intercontinental Exchange(NYSE: ICE), the leading network of regulated exchanges and clearinghouses for financial and commodity markets.

Experience

Senior Security Engineer - Application Security

Sep 2018 - Present

Placeholder for updates...

Senior Security Engineer - Red Team

Mar 2017 - Sep 2018

Recognized as a leader within InfoSec at ICE. Architected and operated all facets of the vulnerability scanning architecture as well as the Red Team Ops Infrasture. Leading most initiatives to create automation solutions through a Python / Django dashboard bringing together disparate InfoSec teams, tools, and processes. Architecting and implementating an always-on security controls testing platform, Verodin. Pursuing OSCP Certification. Considered the ICE subject matter expert on TLS implementations and the go-to Crypto nerd. Regularly develop and publish TLS policy. Developing configuration standards for SSH and SFTP servers throughout ICE.

Security Engineer - Red Team

May 2016 - Mar 2017

Challenged as the first member of the Red Team to build a platform for penetration testing and scenario developement dors for automating Red Team scenarios, building networks and infrastructure for penetration testing. Managing numerous penetration testing vendors, executing against policy and best practices. Pursuing OSCP Certification. Developing a platform for automated assessment of SSH / SFTP configuration hardening to expand on the TLS / dashboard dev project. Own and manage the Bug Bounty platform.

Security Engineer - Application Security

Mar 2016 - May 2016

Created first hardening and configuration guidelines. Key resource in producing proof of concepts for improving password hashing standards. Continued aggressive expansion of the vulnerability scanning platforms. Developed a proof of concept HTML based Pentest Report Generation tool. Key automation resource for scripting heavy lift tasks from other InfoSec teams. Key resource in overhaul of vulenrability scanning policies. Built pentest produced POC's for internal use.

Security Analyst - Application Security

Mar 2015 - Mar 2016

On day one, challenged to overhaul, expand, and own the entire infrastructure vulnerability assessment platform. Expert technical resource for SSL / TLS hardening, created automated platform for scanning TLS configurations throughout the enterprise (inspired my personal SSLDash project). Wrote the vulnerability assessment policies and procedures. Coordinated numerous penetration tests of ICE web and thick client applications. Championed the AppSec Web App Dashboard project to automate clunky metrics, reduce human error, and enhance AppSec assessment capabilities using Python / Django. Lead resource in implementing Bug Bounty program.

Sr. Security Engineer - Professional Services

Jan 2015 - Mar 2015

Lead role and customer advocate within the Security Professional Services. Lead on all customer engagements and a key technical resource for major sales engineering efforts. Performed numerous penetration testing scenarios and assessments. Overhauled reports to integrate with new toolsets and align with industry best practices. Re-engineered the Network Professional Services assessment infrastructure.

Security Engineer - Professional Services

Nov 2014 - Jan 2015

Built a new team and infrastructure within the Security Professional Services organization. Expanded and strengthened our vendor management functions for backfill on special tests coordinating numerous testers. Rewrote the penetration testing policies and procedures in a customer facing function. Planned an overhaul of all capabilities within the organization.

Security Analyst II - Enterprise InfoSec

Sept 2013 - Nov 2014

Continued as a key leader within the Information Security department. Agressively broadened coverage of the infrastructure vulnerability management platform. Contributed to appliction and information security policies. Key role in the incident response team, and coordinated a number of cyber forensics efforts. Lead for mentoring and training new team members.

Security Analyst I - Enterprise InfoSec

Jan 2012 - Sept 2013

Part of a broad InfoSec team that coordinates incident response, SIEM investigation, and vulnerability management. By year one, I led engineering and management of the infrastructure vulnerability remediation program. Introduced vulnerability assessment to infrastructure before production. Key technical resource in coordination on penetration testing throughout the environments.

Projects

My Resume Site :
This website, backed up thanks to Github.
Probable Word-lists :
I earned an attribution with a good chunk of heavy lift (CPU @ homelab and bandwidth) to apply some better sort filtering in the early days.
Discover Scripts :
Trusted contributor to this OSINT and pentest automation resource.
DistroSeed :
I co-founded this open source project which is an automated assistant for finding, downloading, and managing Linux Distributions. Trying to solve the "what can I contibute to with just bandwidth and a spare PC"
SSLDash :
Beautiful dashboard for automated scanning, grading, and reporting on SSL / TLS strength for websites. Homelab style project to be open sourced.
Awesome-Sec-Talks :
I regularly contribute to this well maintained security talks and conferences reference.
"Home Lab" +Dashboard :
This homelab project will integrate each of my disparate VM's web interfaces, manage backups, and handle monitoring all in one concise web frontend (name to be improved).