
DEBORAH QUAYE

Chicago, IL

Summary

Application Security Engineer | Security Engineer | Product Security | Vulnerability MGT

Overview

7 years of professional experience
1 Certification

Work History

Application Security Engineer

IBM
Chicago, IL
11.2023 - Current
  • Integrated and tuned SAST, SCA, DAST, and secret-scanning tools in Azure DevOps and GitHub pipelines to improve early detection of security flaws.
  • Contributed to threat modeling sessions for new features and services, producing clear security requirements and design recommendations.
  • Guided developers through remediation of SAST/DAST findings, improving resolution time by 80%.
  • Performed AI security assessments for LLM-integrated applications, identifying prompt-injection, jailbreak, and data-exposure vulnerabilities across multiple internal AI tools.
  • Oversaw enterprise vulnerability lifecycle by centralizing SAST, SCA, and DAST findings (Fortify, Checkmarx, Veracode, Acunetix, Burp) via ArmorCode and Synopsys SRM; engineered automated workflows that reduced manual triage by 85%.
  • Onboarded 50+ applications into a standardized scanning environment; scheduled scans and enforced security gates to ensure secure production releases.
  • Developed executive AppSec dashboards to track MTTR, risk trends, and remediation SLA performance, improving enterprise visibility into application risk posture.
  • Hardened AWS and Azure environments through IAM reviews, Azure policies, encryption enforcement, and container security controls.
  • Supported software supply-chain governance using Sonatype IQ and helped teams adopt SBOM-driven compliance practices.
  • Developed secure coding guidelines and practical playbooks used by development teams.

Security Engineer (Pentesting and AppSec)

VISA INC.
San Francisco, CA
11.2021 - 01.2023
  • Integrated SAST, SCA, DAST, and container security scanning tools into CI/CD pipelines, reducing remediation by 90% through automated scan tuning.
  • Validated and triaged bug bounty and third-party pentest findings, coordinating with development teams for timely remediation.
  • Managed vulnerability tracking and remediation efforts, provided technical guidance to development teams, and reported security posture metrics to leadership.
  • Created STRIDE threat models and security assessments for internal services, documenting risks and security controls.
  • Implemented and maintained a Dynamic Application Security Testing (DAST) program using Acunetix, improving visibility across 10+ web and mobile applications.
  • Conducted penetration tests for web, mobile, and cloud applications, identifying authentication, authorization, session management, and injection flaws.
  • Onboarded developers to Checkmarx One, supported IDE integrations, and guided SAST vulnerability remediation through secure coding support, reducing the vulnerability backlog by 50%.
  • Strengthened Application Security (AppSec) posture by delivering secure coding workshops and technical playbooks that scaled developer adoption of security tools and best practices.

Senior Security Engineer (Pentesting and AppSec)

Geisinger Healthcare
Danville, PA
07.2019 - 03.2021
  • Developed and enhanced web and API-based applications with a focus on secure design, reliability, and performance.
  • Automated secure deployments and configuration validation using Python and Java.
  • Collaborated with developers to conduct code reviews and implement secure coding best practices.
  • Performed API security testing for vendor integrations and exposed services.
  • Integrated Snyk (SCA) and Fortify (SAST) and IaC scanning into Jenkins pipelines, identifying 60% of vulnerabilities during the initial PR review phase.
  • Executed vulnerability assessments for applications, connected medical devices, and infrastructure with Nessus and Qualys.
  • Hardened IAM roles, KMS settings, and TLS configs in AWS; created remediation guides aligned with OWASP and NIST.
  • Worked with dev and infra teams to triage and prioritize remediation by business impact.

Education

Bachelor of Science - Applied Science & Technology

Alcorn State University
Lorman, MS
05.2015

Skills

  • Application Security: SAST, DAST, SCA, IAST, MAST, Secure Code Review, API Security, Cloud Security, Zero Trust Architecture (ZTA)
  • Vulnerability Management: End-to-end lifecycle tracking, prioritization (CVSS/CWE), KPI and MTTR reporting, SLA compliance, remediation validation, false-positive analysis
  • Security Tools: Fortify, Veracode, Semgrep, Checkmarx, Snyk, CodeQL, Burp Suite, ZAP, Invicti, Acunetix, Kali, Sonatype IQ, FOSSA, Black Duck, Contrast Security, ArmorCode, Synopsys Software Risk Manager (SRM), Nessus, Qualys, Tenable.io, AWS Inspector
  • Cloud, Infra & Container Security: AWS (EC2, S3, RDS, Lambda, Security Hub), Azure AD, Kubernetes Security (Kube-bench, Trivy, Kubescape), TwistLock, Aqua Security, IAM, and CloudMapper
  • Secure SDLC & DevSecOps: GitLab, Jenkins, UCD, GitHub, Harness Platform, Jira, Security Automation
  • Programming & Scripting: Python, Java, JavaScript, Automation for Security Testing
  • AI/LLM Security: LLM Security Hardening, Model Supply-Chain Security, AI DevSecOps Integration, AI Threat Modeling, AI Red Teaming & Safety Evaluation
  • Threat Modeling: STRIDE, DREAD, MITRE ATT&CK, Microsoft Threat Modeling Tool, IriusRisk
  • Authentication & Secrets Security: OAuth2, OIDC, SAML, SSO Security Reviews, Vault, AWS Secrets Manager
  • Risk & Compliance: PCI DSS, HIPAA, GDPR, NIST CSF, ISO 27001, NIST 800-53, FedRAMP, FIPS 140-2
  • Incident Response: Security incident triaging, tracking, reporting, and root cause analysis; ServiceNow, Jira, Slack

Accomplishments

Application Security Engineer with 5+ years of experience securing enterprise applications, cloud-native systems, and AI/LLM-integrated workloads through offensive and defensive practices. Proven success embedding security into the SDLC and collaborating closely with development teams to build secure software from the ground up. Expert in vulnerability lifecycle management, automating SAST, SCA, and DAST workflows, threat modeling, penetration testing, and secure code review. Deep understanding of secure architecture, encryption, authentication flows, and CI/CD integration in AWS, Azure, and Kubernetes environments, with alignment to the PCI DSS, ISO 27001, NIST 800-53, SOC 2, and HIPAA frameworks. Experienced in AI security: securing LLM-integrated applications, evaluating model supply-chain and data-exposure risks, hardening prompt/response interfaces, and applying AI-focused threat modeling (OWASP LLM Top 10, MITRE ATLAS) within modern DevSecOps pipelines. Recognized for partnering with development teams to deliver actionable remediation guidance, improving MTTR, and driving secure-by-default engineering.

Certification

CISSP | CSSLP | CEH | AWS SAA | AZ-500 | AZ-305 | Security+

Timeline

Application Security Engineer

IBM
11.2023 - Current

Security Engineer (Pentesting and AppSec)

VISA INC.
11.2021 - 01.2023

Senior Security Engineer (Pentesting and AppSec)

Geisinger Healthcare
07.2019 - 03.2021

Bachelor of Science - Applied Science & Technology

Alcorn State University