Apr 2020 – Present · 5 yrs 11 mos · San Francisco, California, United States

• Helping push the state of AppSec forward with the team building Semgrep, an open source, lightweight static analysis tool.
• Lead the security research team.
• Work closely with Product to influence the direction of Semgrep and r2c's other commercial offerings.
• Work closely with Marketing to share our top tier research with the world.

Feb 2019 – Present · 7 yrs 1 mo · San Francisco Bay Area

• Keep up with cybersecurity in 7 min per week with the best security tools, blog posts, and research sent right to your inbox for free. Do your job better and faster and advance in your career.
• https://tldrsec.com/

Dec 2018 – Mar 2020 · 1 yr 3 mos

• Deliver technically complex security engagements requiring specific expertise, usually within the SDLC, security automation / DevSecOps, and static analysis spaces.
• Perform security research and deliver talks at top conferences, release open source tools, and publish technical blog posts.
• Provide technical input to as well as help define and deliver new NCC Group-wide service offerings.
• Support account managers in discussing custom engagements and defining scope to ensure successful project delivery and happy clients.
• Mentor other consultants, helping them grow technically and professionally.

Sep 2017 – Mar 2020 · 2 yrs 6 mos

• Research lead for NCC Group's San Francisco Bay Area offices, including over 30 technical security consultants. Research projects I've overseen have resulted in:
• Talks at top industry security conferences.
• New security tools that have been covered by various online security outlets.
• Whitepapers that cover an important vulnerability class, technology, security best practice, etc.
• My core responsibilities as Research Director include:
• Mentoring, guiding, encouraging, and helping to scope research projects proposed by consultants.
• Managing and allocating research budget, including $ and time that can be used to provide dedicated research time for consultants.
• Providing guidance and mentorship to consultants at all stages of the security research process, including: determining novel research projects to pursue, scoping the projects, helping write CFP submissions, and planning tool architecture and features.
• Reviewing slides and presentations, whitepapers, and new tools before release to ensure high quality standards were met.

Sep 2017 – Sep 2017 · 0 mo

• Led black, white, and gray box security assessments of high-profile enterprise and rapidly growing start-up software. Worked across the stack from web and mobile applications to network penetration tests and red team engagements. Specialized in web application penetration tests, code review, static analysis, and security automation (DevSecOps).
• Developed tooling to assist security assessments and enhance long-term product security, ranging from one-off, application-specific test drivers to stealth network persistence and exfiltration mechanisms.
• Final author of client-facing deliverables. Extensive technical writing experience describing complex vulnerabilities, financial and reputational risk, concrete exploitation scenarios, and complete mitigation paths to a wide variety of audiences and stakeholders.
• Designed and facilitated internal and external trainings on threat modeling, secure coding practices, and security-focused code review.
• Assisted clients early in the assessment process to define engagement scope, identity high priority attack surfaces, and model realistic threats.

Jan 2016 – Sep 2017 · 1 yr 8 mos

• Dr. Clint Gibler is a Security Consultant with NCC Group, a global information assurance specialist providing organizations with expert security consulting services. Clint has performed penetration tests on a wide variety of companies, ranging from small startups to established companies with tens of thousands of employees. Clint currently specializes in assessing web applications, APIs, and mobile apps.

Jul 2014 – Dec 2015 · 1 yr 5 mos · San Francisco Bay Area

• Performed secure code reviews, developed security-relevant software components in a service-oriented architecture (SOA) Ruby on Rails environment.
• Lead the creation of a draft of the .trust mobile security policy.
• Pursued self-directed security research projects, one of which involved data analysis
• and visualization that resulted in a presentation at Virus Bulletin 2015.

Jul 2013 – Sep 2013 · 2 mos · San Francisco Bay Area

• Worked on improving existing Android dynamic analysis infrastructure.

Mar 2012 – Jun 2012 · 3 mos

• Partnered with two MFA in acting graduate students to create and lead a seminar class through UC Davis' drama department to teach the basics of improv comedy.

Sep 2009 – Jun 2014 · 4 yrs 9 mos

• Researched several mobile security and privacy-related topics, advised by Professor Hao Chen. See publication list for details.

Jun 2010 – Sep 2010 · 3 mos · San Mateo, CA

• Prototyped static analysis support for Objective C in Fortify’s main product, the
• Source Code Analyzer.
• Leveraged LLVM’s clang to translate Objective C to equivalent C++ and wrote
• Objective C-specific security rules to find several types of security vulnerabilities.

Jun 2008 – Aug 2008 · 2 mos · Dulles, VA

• Created a plug-in for Microsoft Visual Studio using C# to display secure coding practices and
• common pitfalls.

Jun 2007 – Aug 2007 · 2 mos · Cincinnati, OH

• Worked at Northrop Grumman as an intern for both the 2006 and 2007 summer.
• 2007 - Wrote a Python interface for automatically running test scripts from a MySQL database, wrote Python scripts that used Selenium to test a web application, tested
• a product and found several bugs that were then fixed before it was shipped.
• 2006 - Utilized Javascript libraries to prototype a responsive web application UI for
• a product.