Parsons Software Security Consulting Blog

Archive for November 2010

OWASP top ten reviewed by Software Security Expert


OWASP Top 10 – 2007 (Previous)
A2 – Injection Flaws
A1 – Cross Site Scripting (XSS)
A7 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)

A8 – Insecure Cryptographic Storage
A10 – Failure to Restrict URL Access
A9 – Insecure Communications

A3 – Malicious File Execution
A6 – Information Leakage and Improper Error Handling

OWASP Top 10 – 2010 (New)
A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross-Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards (NEW)

I was looking at the new OWASP Top Ten for 2010. I think that I agree with most of the findings. I find it interesting that OWASP has dropped SQL injection and changed it to injection. There are command injection findings that I see in consulting at the code review level, but I have never seen one at the pen test level. I have also seen LDAP query injection at both the code review level and the pen test level. I agree that Cross Site Scripting is one of the most prevalent attacks in web application security today. Many of the developers that I interact with still do not see this as a risk. This is a huge vulnerability, especially in phishing schemes.

Broken Authentication and Session Management is something I see out in the wild all the time. Many of the cookies that I see on web sites are not marked as secure and are not random. This allows attackers to steal the session or even guess another person's session, leading to information disclosure about another user. This could be devastating in high risk environments like banks.
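The two cookie weaknesses described above, turned into a check. This is an added example, not code from the original post: it flags Set-Cookie headers that lack the Secure and HttpOnly flags, and rates a sample of issued session IDs for sequential values and low entropy. The header and ID samples are constructed for illustration, and the 64-bit minimum is the commonly cited OWASP guidance.

```python
"""Session-cookie hygiene check for the Broken Authentication finding above.

Added example, not code from the original post. It flags Set-Cookie headers
that lack the Secure and HttpOnly flags and rates a sample of issued session
IDs for the two predictability problems described: sequential values and
too little entropy. Header and ID samples are constructed for illustration.
"""
import math
import secrets
from collections import Counter

# Commonly recommended minimum for a session identifier (OWASP guidance).
MIN_SESSION_ID_BITS = 64


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags map to True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(header: str) -> list:
    """Return the flag problems for a session cookie, empty if none."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by injected script")
    return findings


def _as_ints(ids: list):
    """Interpret IDs as decimal if all-digit, else as hex; None if neither works."""
    base = 10 if all(i.isdigit() for i in ids) else 16
    try:
        return [int(i, base) for i in ids]
    except ValueError:
        return None


def looks_sequential(ids: list) -> bool:
    """True when consecutive IDs differ by a small positive step (counter-based IDs)."""
    nums = _as_ints(ids)
    if nums is None or len(nums) < 2:
        return False
    return all(0 < b - a <= 10 for a, b in zip(nums, nums[1:]))


def estimated_entropy_bits(ids: list) -> float:
    """Shannon entropy per character over the sample, scaled by average ID length.

    This is a rough upper bound: it catches a narrow alphabet or repeated
    structure, but a high value does not by itself prove unpredictability.
    """
    text = "".join(ids)
    n = len(text)
    if n == 0:
        return 0.0
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(text).values())
    return per_char * (n / len(ids))


def assess_session_ids(ids: list) -> list:
    """Return findings about a sample of session IDs issued by one server."""
    findings = []
    if len(set(ids)) != len(ids):
        findings.append("duplicate session IDs were issued")
    if looks_sequential(ids):
        findings.append("session IDs are sequential: another user's session can be guessed")
    bits = estimated_entropy_bits(ids)
    if bits < MIN_SESSION_ID_BITS:
        findings.append(f"estimated entropy {bits:.1f} bits is below {MIN_SESSION_ID_BITS}")
    return findings


def generate_session_id() -> str:
    """What a safe ID looks like: 128 bits from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed samples: a weak counter-based cookie and a hardened one.
    weak_header = "JSESSIONID=1003; Path=/"
    good_header = "JSESSIONID=" + generate_session_id() + "; Path=/; Secure; HttpOnly"
    for h in (weak_header, good_header):
        print(h, "->", cookie_findings(h) or "ok")
    print(assess_session_ids(["1001", "1002", "1003", "1004", "1005"]))
    print(assess_session_ids([generate_session_id() for _ in range(10)]) or "ok")
```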

Insecure object redirects is a vulnerability that I just started to see this year on my penetration testing engagements. I have yet to find this vulnerability in a code review. Has anyone found this vulnerability in a code review?

Cross Site Request Forgery is a hard vulnerability to explain to developers and even harder to exploit. I would cogitate that this vulnerability is only exploited by the highly funded and well organized and motivated attackers and not the script kiddies.

Security Misconfiguration is something I see on a daily basis in penetration testing whether the server is Apache or IIS.

Insecure Cryptographic Storage is a vulnerability that I have only found doing a code review. Many times I see people have plain text production database passwords inside of the web.config file. I also see people use insecure hashing algorithms like MD5 and SHA-1.
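Both halves of that finding as checks a reviewer can run. This is an added example, not code from the original post: the first function scans a web.config connectionStrings section for credentials stored in the clear (skipping sections encrypted with ASP.NET Protected Configuration, which carry a configProtectionProvider attribute), and the rest contrasts unsalted MD5 with salted PBKDF2-HMAC-SHA256 for password storage. The web.config fragment is constructed for illustration.

```python
"""Checks for the Insecure Cryptographic Storage findings described above.

Added example, not code from the original post. Part 1 scans a web.config
connectionStrings section for plaintext credentials; part 2 shows why an
unsalted fast hash such as MD5 is not password storage and what a salted,
iterated hash looks like instead. The config text is constructed.
"""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed web.config fragment: one plaintext password, one integrated-auth
# connection string, and one entry with an empty Pwd= value.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db1;Database=orders;User Id=app;Password=Pr0dSecret!" />
    <add name="Reports" connectionString="Server=db2;Database=reports;Integrated Security=SSPI" />
    <add name="Legacy" connectionString="Server=db3;Database=legacy;Uid=svc;Pwd=" />
  </connectionStrings>
</configuration>"""

CREDENTIAL_KEYS = ("password", "pwd")


def find_plaintext_credentials(config_xml: str) -> list:
    """Return the names of connection strings that carry a non-empty password."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("connectionStrings"):
        # A section encrypted with Protected Configuration has this attribute
        # and contains no readable connection strings, so skip it.
        if section.get("configProtectionProvider"):
            continue
        for entry in section.findall("add"):
            for part in entry.get("connectionString", "").split(";"):
                key, _, value = part.partition("=")
                if key.strip().lower() in CREDENTIAL_KEYS and value.strip():
                    findings.append(entry.get("name"))
                    break
    return findings


def md5_hash(password: str) -> str:
    """The weak scheme: unsalted and fast, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ITERATIONS = 600_000  # slows offline guessing; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt makes each hash unique."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or legacy format is never accepted silently
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("plaintext credentials in:", find_plaintext_credentials(SAMPLE_WEB_CONFIG))
    print("md5 twice:", md5_hash("hunter2") == md5_hash("hunter2"))
    h1, h2 = hash_password("hunter2"), hash_password("hunter2")
    print("pbkdf2 twice differ:", h1 != h2, "both verify:", verify_password("hunter2", h1) and verify_password("hunter2", h2))
```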

Matt Parsons, CISSP, MSM

mparsons1980 [at]

Written by mparsons1980

November 20, 2010 at 10:27 am

Posted in Uncategorized

Software Security Checklist


For the next few posts we will be going in detail on what is necessary for a software security checklist. This is the one that Parsons Software Security Consulting, LLC uses. I will first post a high level overview of the checklist and then detail it out.


  1. Where is the application? Where does it reside?
  2. Who uses the application?   What is the use case scenario?
  3. Who are the attackers?
  4. What does the application do?
  5. What are the vulnerabilities in the application?
  6. Implement policies that are already being used (BSIMM).
  7. Use automated review for large applications.
  8. Create a secure coding check list.



Parsons Software Security Consulting, LLC

Matt Parsons, CISSP, MSM

mparsons [at]

Written by mparsons1980

November 20, 2010 at 10:10 am

Posted in Uncategorized

Introduction and blog purpose


Hi, my name is Matt Parsons with Parsons Software Security Consulting, LLC. The purpose of this blog is to discuss all things related to software security, application security, web penetration testing and ethical hacking. This will include some of the methods that I have learned over the years in my software security practice. There will be discussions of real life vulnerabilities and examples of real world exploits. This blog will talk about many of the Open Web Application Security Project (OWASP) vulnerabilities. As we create this blog together, hopefully we can make the Internet more secure, one application at a time.

Matt Parsons, CISSP, MSM

Written by mparsons1980

November 20, 2010 at 9:36 am

Posted in Uncategorized

Parsons Software Security Consulting, LLC Blog


Matthew J. Parsons, CISSP, MSM

6075 Monte Vista Lane #1628

Fort Worth, TX, 76132

Blackberry: (315)-559-3588


mparsons1980 [at]

Parsons on Passwords news Spot

Open Ounce and Static Code Analysis

Matthew J. Parsons,

MSM, CISSP, Application Security Engineer, Senior Security Consultant

Software Security/Application Code Review/ Senior Security Engineer/C.E.O/Owner/Ethical

  • Certified Information Systems Security Professional (CISSP) 326814
  • Pursuing CSSLP and Global Information Assurance Certification (GIAC) for Java Programming Security
  • Eight years of professional experience in Security.
  • Six years experience in Software and Database Security.
  • Eleven Years experience in Information Technology and Programming.
  • Held a secret clearance.
  • Honorable Discharge United States Air Force Reserves.
  • Self employed, Parsons Software Security Consulting, LLC.
  • Member of OWASP, member number 73N4Q4M27PH.
  • Pursuing Certified Physical and Information Security Consultant
  • References below and available on request.
  • CORP to CORP contracts only. Fully insured for four million dollars errors and omissions.
  • Passed Drug Test and Background Check on June 1, 2010 and September 15, 2010.

Masters of Science in Management, Colorado Technical University

Focus in Information Security May 2006- August 2007 GPA: 3.94


Bachelor of Arts in Information Science, State University of New York at Oswego

Focus in Psychology and Human Computer Interaction August 2001-August 2004 GPA: 3.25

Information Studies minor Entrepreneurship, Syracuse University

Focus in military studies, Information Science August 1998-May 2001 GPA: 3.93


Parsons Software Security Consulting, LLC Fort Worth, TX

June 2007-Present

Senior Information Security Consultant, Owner, CEO, CIO, CTO, Vice President

  • Errors and Omissions Insurance and General Liability Insurance for four million dollars.
  • Subject Matter Expert in Payment Card Industry, Data Security Standard compliance, Software and Database security, Enterprise Risk Management.
  • Created awareness in the Java and .NET developer community by creating a biweekly newsletter for LinkedIn.
  • Java and point of contact and senior security analyst for Aetna insurance.
  • Worked and trained Raymond James static code analysis project
  • Worked with Fishnet Security on Secure Coding project with Walmart.
  • Found keystore password on SAMS membership and Marketing Application.
  • Senior Security Consultant for Fishnet Security.
  • Web penetration test for
  • Specialized in Java, J2EE and ASP.NET, PHP, Perl, Mainframe, C and C++ security.
  • Member of Open Web Application Security Project(OWASP)
  • Featured Blogger for
  • Found Software security vulnerabilities for clients including: SQL injection, XSS, Cross Site Request Forgery and multiple other vulnerabilities.
  • Submitted bugs for Google Chrome Project: bug number 37040 buffer overflow, 37042 no validation, 37043 buffer overflow, 37044 buffer overflow.
  • Scanned open source software to report software security vulnerabilities with Ounce Labs and full disclosure.
  • Clients include: Verizon Telecommunications, Bank of America, Merrill Lynch Bank Suisse companies, Financial Institutions and Southwest Airlines.
  • Implemented and became subject matter expert for Database Hard drive encryption for Harris County Toll Road Authority.
  • Training of offshore developers in India, Singapore, Peru, Italy, England, Switzerland and Hong Kong, Germany, Brazil at a Large Fortune 100 Financial Institution implementing and teaching Fortify Static Code Analysis tool enterprise wide at World Wide Bank.
  • Subject Matter Expert for Contract Land Staff, Houston Texas. Lead security web penetration test of main Right of Way Land application, completed manual and automated source code review. Developed Remediation plan of action.
  • Scanning of source code for a large financial Institution using Fortify.
  • Doing source code review with Fortify and Ounce Labs to find software security vulnerabilities.
  • Found Software security vulnerabilities in open source software including Second Life.
  • Website Administration and Development with Various clients.
  • Worked with Martindale and Lexus Nexus helping lawyers get a web presence.
  • Worked with Info Vision Consultants
  • Worked with Genesis10
  • Partnered with Fortify Static Code Analysis Company.
  • Partnered with Vera Code.
  • Partnered with Ounce Labs static analysis tool, Ounce Certified Partner,
  • Partnered with IBM.
  • Created and developed basic static code analysis class for Ounce Labs. Ask for presentation.
  • User, Developer, Consultant and Administrator of Open Ounce
  • Actively writing a blog about software security.
  • Partnered with Application Security Database Security Tool.
  • PGP and software security consulting with various clients in the Dallas Fort Worth Area including Venray Technology.
  • Training at Bank of America for bug of the month club.
  • Programmer in C#.NET, VB.NET and Java for various freelance projects
  • Parts and PC’s web penetration assessment.
  • City of South Lake Network Security and physical security risk assessment audit.
  • Performed Network Security Testing for clients using tools such as NMAP, NESSUS and NET Saint.
  • Worked on testing Armorize Code Secure Software Security Computing Cloud Technology

  • Subject Matter expert in Software Security for Dallas station The 33 News for Conficker Worm outbreak.


Bank of America, Fort Worth, July 2009-January 2010

Genesis 10, Contractor

Specialist Information Security Engineer for Enterprise Information Management Enterprise Security Assessment

  • Provided security code reviews using the Fortify Source Code Analysis Product and evaluated results for security vulnerabilities for eCommerce applications. Trained, documented and advised application developers for security risks, secure coding best practices, with practical remediation guidance to developers.
  • Created Custom Rules matrix.
  • Started Malicious Code review program for offshore developers.
  • Helped complete the Cyber Security Mandate of a 706 target applications. With team identified 1274 Critical/important issues. Closed 700 at year's end prior to exploitation.
  • Deployed early life cycle service source code scanning to 232 internet facing web applications. Completed 100 percent Bank developed internet apps for 2009.
  • Reviewed Source code in .NET, PHP, Internet-Web, J2EE, Java, Java Script.
  • Created documentation for bank on software security via private and public Wikipedia.
  • Was scribe for Enterprise Security Management meetings.
  • Reviewed peers ethical hacking assessments and offered feedback.
  • Migrated from finding security problems to finding elegant and effective business security solutions for bank.
  • Completed software security assessments of banking applications to meet banking regulatory compliance and to start software security program early in the software security life cycle by on boarding different software development line of business groups from around the country and around the world in the Fortify Self Service scanning, to train developers to write secure code using the OWASP software security testing guide.
  • Successfully onboarded and helped implement new software security program at Bank of America. Updated internal wiki and onboarded and trained developers how to write secure code and use the Fortify Static Code Analysis tool and Fortify Manager. Trained Developers in India, England, Switzerland, Singapore and Hong Kong and on the West Coast, Central and East Coast of the United States from my remote office in Fort Worth, Texas.
  • The bank ended up with thousands of developers trained in software security and the Fortify Static code analysis tool including Fortify Manager. New processes and ideas were documented for the next generation of software security experts. Helped reduce the attack surface at the bank and limited the number of vulnerabilities, by finding software security bugs early in the development life cycle well before the application was in the public space.

Verizon Business/ Verizon Corporate, Richardson, TX Oct 2007-April 2010

Info Vision Consultants, Contractor

Senior Internet Software Security Systems Engineer for Information Technology Application Security

Security Source Code Java/.NET

  • Hired for strategic role in the development and maintenance of extremely complex network security/protection systems and architectures. Provided security solutions that required resolution of complex operational and integration issues associated with networks, data systems, and applications to successfully deploy secure technologies and to enhance existing technologies. Lead computer security incident response activities, conducting technical investigation of security-related incidents and conduct post-incident digital forensics to identify causes and recommend future mitigation strategies.
  • Served as the highest level of information security consultant to all internal clients and technical management in all areas of Verizon to ensure conformity with corporate information security standards.
  • Comprehended large Enterprise Applications and Source code.
  • Responsible for performing security code reviews and application risk assessments for customer facing applications at Verizon. Audited applications written in multiple languages, including Java/JSP, VB.NET, ASP.NET, C#, C/C++, COBOL, PHP, and Classic ASP. Utilized OWASP and Ounce Labs formal methodology to conduct code reviews and risk assessments.
  • Used internal documents at Verizon Business, ultra-edit, and static analysis tools like Ounce Labs and Open Ounce to supplement manual code reviews.
  • Worked closely with business units, vendors, and developers onshore and offshore to understand applications, analyze business processes, and identify areas of risk.
  • Worked with management to assess risk and certify all applications for PCI compliance.
  • Responsible for the code review infrastructure at Verizon Business and administered all Windows and Linux servers regarding code review.
  • Created custom scripts to take out certain security vulnerabilities.
  • Used regular expressions to search for sensitive data, like credit card numbers and social security numbers.
  • Developed and documented a software security program.
  • Found software security vulnerabilities in 200 million dollar annual revenue Verizon Core application.
  • Applications scanned for PCI compliance, Minute Pass, IPM, E-payment, Voice Portal, IP manager, Single Sign On, Speech Services, Epoem.
  • Completed Malicious Code Review for offshore developers.
  • Developed and implemented malicious code review program for Verizon Business. Created Training for Malicious Code Review, created one hundred question test, for malicious code review training. Developed Power Point Slides that trained thousands of Security analysts to complete Malicious Code Review for Offshore Developers.
  • Served as a key member of the Information Technology Application Security Review team and founding member of the code review team of three for all of Verizon Business and Verizon Telecommunications.
  • Successfully audited, remediated and approved five Payment Card Industry applications for 2008 PCI compliance.
  • Audited and reviewed 500K LOC of Perl and PHP for configuration management system and Verizon.
  • Worked with a team to discuss vulnerabilities, trends and risks and protect Verizon software and information assets.
  • Contributed to weekly team meetings by researching new vulnerabilities, security threats and attacks.
  • Personally Audited and reviewed eight million lines of source code in Java, .NET, ASP, C#, Visual Basic, PHP, Perl, COBOL, C and C++.
  • Found and helped remediate Software Security Vulnerabilities including credit card numbers and social security numbers, SQL injection, Cross Site scripting, Stored Cross Site Scripting, Buffer Overflows, Improper use of Cryptography, Malicious code and various other vulnerabilities.
  • Found Software Security vulnerabilities in twenty billion dollar Networx project ( and potentially saved Verizon Business from millions of dollars in fines for failed compliance and loss of contract.
  • Networx is a 40 million LOC java application and consists of 170 projects. Directly responsible for the security and remediation of 85 projects. Had to build application without help from development staff. Found social security numbers, credit card information and other personal customer information using advanced searches in ultra-edit.
  • Created, Deployed, Taught and Developed Software Security Program and Ounce Labs Training Program which consisted of live webinars, teleconferences, Power Point Presentations and multipage internal training documents.
  • Worked as a liaison between Ounce Labs and Verizon Business addressing the needs of both parties.
  • Lead Remediation efforts of several applications as subject matter expert and reduced the number of software security vulnerabilities in multiple applications. Provided ongoing security advice to developers taking all questions and either answering the question or researching the question to provide the best answer for the developer and the company.
  • Web Penetration testing of various vulnerabilities for confirmation. Manual and automated methods for testing XSS, SQL injection and various other Web Security Vulnerabilities listed by OWASP.
  • Verizon ended up passing PCI compliance saving the company millions of dollars of fines and brand name damage in 2007, 2008 and 2009.


Lockheed Martin Software Design and Integration/ Aeronautics Fort Worth, TX Feb 2006-June 2007

Lockheed Martin is a large multinational aerospace manufacturer and advanced technology company formed in 1995 by the merger of Lockheed with Martin Marietta. It is headquartered in Bethesda, Maryland, in the Washington Metropolitan Area. Lockheed Martin employs 140,000 people worldwide.

Systems Integration Analyst, Enterprise Information Systems

  • Secure Coding and Database Auditing Point of Contact (POC) for Fort Worth, Aeronautics Business Unit and Enterprise Information Systems SD&I Fort Worth
  • Member of Elite Lockheed Martin Aeronautics, Network Operations Security Center (NOS). Active Secret Security Clearance
  • Kept senior management informed of Information Security Risks, Vulnerabilities and Trends.
  • Developed, Started and implemented Software Security Program.
  • Performed Network Security Audits in Network Operations Command Center.
  • Web Penetration testing to prove Software Security Vulnerabilities with Web Inspect, Burp and manual fuzzing and penetration testing.
  • Security reviewed three million LOC in Java, C#, VB.NET, and ASP.
  • Security Reviewed F-22 application Global Task Management System and certified application to meet customer requirements.
  • Certified and Reviewed mission critical code for the infrastructure of Lockheed Martin.
  • Developed and trained developers in software security best practices.
  • Selected static code analysis tool for Lockheed Martin and with 1.5 million dollar purchase.
  • Mentor to Lockheed Martin Network Support Employee in Liverpool, NY.
  • Certification and Accreditation of Various internal documents to Department of Defense Policies including:  DoD 8550.2.
  • Security Engineer, Technical lead and Subject Matter Expert (SME) on multiple projects.
  • CISSP Site coordinator to corporate wide CISSP class.
  • Reviewed and found suspicious and malicious code internally and externally.
  • Programmed in Java and .NET development environments.
  • Worked on International Espionage case working on code forensics.


Lockheed Martin Superior Technical Resources, Syracuse, NY Dec 2004-Feb 2006

Desktop Support Analyst

  • Worked as a System Support Analyst supporting 2300 end users on a team of three as Windows Administrator.
  • Completed 20-40 tickets a week through Incident Response and problem resolution and customer support to clients with computer problems.
  • Removed viruses and spyware on clients systems.
  • Physically destroyed and degaussed hard drives with sensitive company information on them.
  • Researched latest security threats, installed latest patches, installed software on clients’ computers.
  • Built and deployed computers for clients working at Lockheed Martin
  • Performed Network Security Audits on Local Area Network.
  • Worked with Microsoft Digital Rights Management on a client server environment.
  • Network Administrator, Installing Catalysts and Network Troubleshooting.
  • Helped plan and install Voice Over Internet Protocol System. (VOIP)
  • Programmed in VB.NET and C#.NET to create scripts to automate tasks.
  • Lead an asset reduction program that saved the company thousands of dollars in duplicate PCs.


Verizon Wireless, Dewitt, NY Aug 2004-Dec 2004

Customer Service Technician-Contract Solectron

  • Increased sales revenue in accessories and enhanced features.
  • Incident response and problem resolution.
  • Investigated internal fraud of fellow employee.
  • Decreased work time on cell phones from four hours to 45 minutes
  • Checked account status and activated User Account Management.


Career Services, NY Oswego, NY Sept 2003-Aug 2004

Information Technology Administrator

  • Assisted staff with Information technology including Mac’s and PC’s site administrator.
  • Created and administered accounts for local users.
  • Administrated and installed Virus Management software.
  • Network Administrator.
  • Researched Viruses and Security Patches.
  • Installed latest security patches on PC’s.
  • Programming.
  • Instructed employees on the proper use of computing assets.
  • Managed Career Services Database as Database Administrator.
  • Protected Database and monitored e-mail list-server.


The Raven Pub, Oswego, NY June 2002-Aug 2004

Head of Physical Security

  • Supervised Security Personnel to ensure that proper security procedures were in place.
  • Identified patrons were of the age of 21.
  • Physically removed any patrons that were in violation of the Establishments’ code of conduct.
  • Established a relationship with local police department and called upon them in emergencies.


United States Air Force Reserves, Syracuse, NY Aug 2000-Oct 2001

  • Active Secret Clearance May, 2001, E-3 Airman 1st class, Honorable Discharge
  • Studied in military science, leadership development training and professional training activities.
  • Acted as General Military Science Advisor.
  • Studied the field of Information Science for Detachment at Syracuse University.


Eddies Big M Grocery Store, Mexico, NY Oct 1996 – June 2002

Computer Receiving Clerk

  • Checked in all store goods into grocery store through computer DOS system
  • Started this career while in high school. Worked as a cashier, stock clerk and meat department and during summers and weekends while in college. Worked 20-40 hours a week.



Certified Information Systems Security Professional ID number: CISSP 326814

Member of Open Web Application Security Project, member number 73N4Q4M27PH,

Project Management Certificate, 2007

Information Systems Security Certificate, 2006,

Information Systems Security Management Certificate, 2006,

Information Systems Certification and Accreditation Certificate, November, 2006

Active Secret Clearance since May, 2001 good through January, 2017,

Cigital Software Security Series, August 2009

Foundations of Software Security Principles, TECH210039, August 2009

Advanced Fortify Analysis Scanning, TECH230700, August 2009

Architecture Risk Analysis, TECH210041, September 2009

Defensive Java Programming, TECH210040, August 2009

Aspect Security Secure coding .NET course, March, 2007,

Aspect Security Secure coding J2EE/Java course, May, 2007,

Ounce Labs Advanced Static Analysis Training, San Francisco, CA July 2009

Software Security Summit, Baltimore, MD, June, 2006

Attended Qualified Systems Engineering Training Class, July, 2006,

Foreign Object Debris Training, September, 2006

International Traffic and Arms, (ITAR) briefing, August, 2006,

Attended Network World Security Conference, Dallas, TX Fall, 2006,

Attended IEEE, Metrocon, Arlington, TX Fall, 2006,

Guest Speaker for Information Science Department at Oswego State University, November, 2005

Guest Speaker at Fort Worth Java User Group on Software Security, February, 2007

Guest Speaker at Fort Worth Web Design User Group on PCI compliance, August 2007

Site Coordinator for Lockheed Martin CISSP corporate class, December, 2006- April, 2007

Book Review for CISSP, Software Security, Building Security In, By Dr. Gary McGraw, November 2009

Security Awareness and Software Development Training for Oswego State University, December, 2009

Aetna Software Security and Design Classes 1-3

Aetna Medicare Fraud and Abuse Class

Aetna Business Conduct and Integrity  Class

Fishnet Security Technical Writing Class Monthly Series, 2010

Fishnet Security Secure Application Development 1, October, 2010

Fishnet Security Threat Modeling, October, 2010

Fishnet Security Secure Code Review Methodology, October 2010

Fishnet Security Application Security Methodology, October 2010

Anthony Robbins Personal Power Two, 2009-2010,

SCIPP International’s Secure Web-Application Development Awareness (SWADA) certificate program

Pre-paid Legal Associate, Small Business and Group Certified Licensed for the state of Texas, 2008-2010

Air Force ROTC Scholarship      Aug 1999-May 2001

Winner, Cadet of the Semester Dec 2000, Syracuse University Detachment 535

Honorable Discharge United States Air Force Reserves, DD-256 Airman 1st class Oct. 2001

T-38 incentive ride and Air Force ROTC internship at Sheppard Air Force Base, Texas

Dean’s list multiple semesters at both Universities

Achieved a 4.0 GPA Fall Semester 2000, Syracuse University

Commanding Officer of a 110 cadets, Marine Corps JROTC Mexico High School, Mexico, NY, Sept 1998- June 1999


Computer Operating Systems: UNIX, Linux, Ubuntu, Windows 95, 98, 2000, XP Windows 7, Vista, Server 2003, Mac OS 9, OS X, MS-DOS, Solaris 9, Solaris 10

Software: Microsoft Office, Quick Books 2007, Microsoft Project, Microsoft Visio, Outlook, MARS Remedy, Microsoft Share Point, Windows Administrator Tools, Active Directory, Microsoft Exchange Server 2000, Directory Resource Administrator, VS 6, Visual Studio .NET 2003, Visual Studio 2005, Visual Studio 2008, Fortify Static Analysis Tool, Ultra-edit, Serena Change Man Dimensions, Perforce, IBM Rational Developer, Eclipse, App Detective database scanning tool, Windows SQL Server 2000, Internet Information Services, Ounce Labs Static analysis tool, SPI Dynamics Dev-inspect, HP Web Inspect, IBM AppScan, IBM App Scan Source, NTO Objectives, VMware, Web Scarab, Web Goat, Paros, 010 editor, X-way Forensics, Win-Hex, PGP, Microsoft Threat Modeling tool, Mozilla Firefox plug-ins including: Firebug, Web Developer, XSS ME, SQL inject ME, Hackbar, Switch Proxy, Tamper Data, Live HTTP headers, User agent switcher, Js-view, Burp Suite, Ethereal, Nessus, Microsoft Baseline Security Analyzer, GRC-Shields UP!, Zone Alarm by Check Point, Ethereal, PGP Desktop Email, PGP Net share, PGP whole disk encryption, SMAC, telnet, putty, SSH, Net stumbler, Cisco wired and wireless Linksys routers, VPN, md5deep hash, Metasploit, Qualys, IDA Pro, Regex Buddy, Confluence, Wiki Markup, Fiddler Web Proxy, Snagit editor, Net Sparker Pro, Burp Suite Pro, SQL Map, Clear Case.


Languages: C, C++, C#, Visual Basic.NET, Java, J2EE, SQL, CLIPS, Perl, PHP, Prolog, XML, HTML, Java Script, SQL, COBOL, Python

General Skills: PCI compliance remediation, security engineering, manual and static analysis tool code review, web penetration testing, fuzzing, network security fundamentals, NIST Network Security Tool Kit, HTTPrint, NMAP, Security Risk Assessments, Software Security Risk Assessments, knowledge of Orange Book (TCSEC) and Rainbow series, Security Policies and Procedures, Security Management, Security Engineering Capability Maturity Model (SSE-CMM), Defense Information Systems Agency (DISA) publications, National Institute Standards and Technology (NIST) publications, DoD 8550.2, DITSCAP, Evaluation Assurance Levels (EAL) Common Criteria of Information Security Evaluations, Open Web Application Security Project (OWASP), advanced searching, system analysis design, project management, leadership, time management, public speaking, knowledge of networking, accounting, strong written and verbal communication skills, customer service, consulting, software development life cycle (SDLC), knowledge of binary and hexadecimal number systems, sales, problem solving, computer building hardware and software, computer deployment, break fix, trouble shooting, architecture risk analysis, threat modeling, Cigital White Box Secure Assist, Armorize Code Secure, VeraCode, NuBridges, Samurai Web Testing Framework, OWASP Live CD, OWASP ESAPI.

Member, ISC2 Certified Information Systems Security Professional, CISSP, 326814 January 2009-Present

Member, IEEE Member #87051477 Aug 2006-2007

Member, OWASP, 73N4Q4M27PH Aug 2009-Present

Member, Phi Kappa Phi Honor Fraternity Member #11272553 April 2003-2007

Member, Information Systems Security Association Aug 2006-Present

Member, Lockheed Martin Recreation Association Cycling Club Feb 2006-June 2006

President, Oswego State Cycling Club Jan. 2004 – Aug 2004

Member, Theta Chi Fraternity, Syracuse University Alpha Chi chapter Mar 2001-Jan 2006

Teaching Assistant, Systems Analysis and Design Syracuse University Aug 2000-Dec. 2000

Research Assistant, Institute for Sensory Research Syracuse University Aug 2000-May 2001

Member, Onondaga Cycling Club May 2000-Jan 2006

Member, Lockheed Martin Auto Club Aug 2006- June 2006

Certified Level 1 Snowboard Instructor Feb 2003- June 2006

Certified Life Guard Sept 2001- Sept 2003

Certified CPR Sept 2001- Sept 2002

NASTAR Alpine Snowboard Racer Dec 2004- Jan 2006

Member, Fort Worth Java User Group March 2006-June 2006

Men’s Christian Bible Study, Fort Worth, TX March 2009-Present

Member, Fort Worth Cycling Club January 2010-Present

Member, Fort Worth Golf Club August 2010-Present

Partner, Daystar Christian Television Station August 2008-Present

Member, 24 hour Fitness Personal Training January 2010-Present



Internet Security Analyst

“I had the pleasure of working with Matthew Parsons while he was a consultant for Genesis10 at our client, Bank of America.  Matthew performed as a Source Code Analyst on a six month assignment.  He was an exceptional consultant.  He always completed his work on time, was flexible, was a team player, communicated well with us and received great reviews from his reporting manager.  Matthew represented us well and I would recommend him as a Security Consultant.”


Regards ~

Katie Culpepper

“Matt is a man of character and integrity with strong Application Security skills instilled by his extensive work experience. I am confident that he is an ethical practitioner of his profession, an involved and informed leader in the AppSec community, and a friend. I highly recommend Matt Parsons and wish him success in his future development.” August 12, 2010

Brandon Rose

Information Technology Recruiter, Apex Systems, Inc. (colleague)
worked with you

Verizon Communications

“Matt is a dedicated and highly skilled Security Analyst – his technical skills in the area of Source Code Reviews and deciphering insecure code, vulnerabilities and malicious code are some of the best in the nation. Matt is a team player and has proven himself in the area of teaching others in a highly technical area – and retaining participants attention and interest. Matt is a valuable and integral member of my team.” September 30, 2009

George Turrentine, CISSP, CISM, Mgr – IT Security, Verizon Communications
managed Matt at Verizon Communications

Senior Internet Security Engineer Contractor

Verizon Business

“Over the past 2 years I have worked closely with Matt. Through out our relationship, he has been very professional, willing to learn as well as taking on projects to learn. Our field is a very new field in the industry and the majority of experience comes from hands on work. I am very impressed with both his work ethics and his quest for knowledge.” September 18, 2009

Scot Cairns, CISSP, CSSLP, Application Security Analyst, Verizon
managed Matt indirectly at Verizon Business


Verizon Business

“Matt is the single most smart guy I have ever known in my entire life. He constantly strives to do what is right. While he often appears orthodox in his methods, he is actually as cowboy and as unorthodox as people can get.” July 26, 2009

William Copley, Senior Internet Software Systems Engineer II, Verizon
worked directly with Matt at Verizon Business



Verizon Business

“Matt is very detail oriented, intelligent, hard working, and customer oriented, which makes him my first choice for source code analysis projects. He is always looking to educate himself on the latest security technologies and trends to stay on top of his field. A pleasure to know and work with him.” March 30, 2009

Markus Bohlander, CISSP, Director, Application Security, InfoVision
worked directly with Matt at Verizon Business


CEO, CIO, CTO, Security Consultant

Parsons Software Security Consulting LLC

“I’ve had the opportunity to work with Matt on several related projects. Matt knows his strengths and works hard to make his strengths stronger. He is wise enough to seek out advice and guidance when he encounters a subject that isn’t his strength. I recommend Matt for his professional integrity, his ability to deliver on his strengths and his willingness to seek out advice when he recognizes the need to tap into someone else’s strengths.” November 5, 2009

Jeff Snyder, President, & J.A. Snyder & Associates, Inc.
was with another company when working with Matt at Parsons Software Security Consulting LLC


CEO, CIO, CTO, Security Consultant

Parsons Software Security Consulting LLC


“Matt is a consummate professional and a pleasure to work with. He seeks to find the appropriate solutions to his client’s needs while still keeping your cost in mind. Matt adapts his problem solving approach to each client’s unique business concerns. He also focuses on the quality of the solution rather than the quantity which assures your businesses the right product the first time. Above all else, Matt is trustworthy and will give you practical appraisals and solutions based on your business needs.” July 20, 2007

Top qualities: Great Results, Personable, High Integrity

Nick Grimshaw
hired Matt as a IT Consultant in 2005, and hired Matt more than once


Security Engineer

Lockheed Martin

“Matt gave our security product a fair and extremely thorough examination last year. The level of expertise, maturity and rigor he brought to this action, upon which the security standing of the greater Lockheed corporation depended, was very impressive indeed, especially for someone so young. I recommend him for increasingly demanding positions of trust in the future, whether as an employee or a service provider.” December 26, 2007

Andy Bochman, Director, Federal Markets, Ounce Labs, Inc.
was a consultant or contractor to Matt at Lockheed Martin


Customer Support

Solectron Contractor for Verizon Wireless

“Matthew was a dedicated employee concerned with assuring customers received the best experience with Technical Services with Verizon Wireless. Matt consistently went above and beyond to assist these customers with their needs on an ongoing basis.” March 22, 2009

Brendon Scarano, Area Team Leader, Solectron
managed Matt at Solectron Contractor for Verizon Wireless


“I would heartily endorse Mr. Matthew Parsons. I have known him for several years – as both a colleague in the Computer Security field and as one of my OUTSTANDING students at Colorado Technical University. Matt’s attention to detail, thoroughness in his work (and assignments) and his integrity are just a few of the qualities that I feel make Matt an exemplary person, employee, and colleague. I would recommend Matt to anyone looking to find and hire top-notch talent – I know that if I had an opening on a team – he would be one of the first people I’d call. Derek E. Isaacs” May 1, 2010

Derek Isaacs , Adjunct Professor , Colorado Technical University
taught Matt at Colorado Technical University



We have worked with Matthew Parsons for several years and find him to be honest, trustworthy, knowledgeable and reliable. His prices are fair and he is a most necessary asset in this day and time. We would recommend him to everyone.


Parts & PC’s

Danny Schiffner

Craig Newnam


Written by mparsons1980

November 20, 2010 at 4:43 am

Posted in Uncategorized