Aug 2020 – Present · 5 yrs 7 mos

Feb 2020 – Present · 6 yrs 1 mo

• Lead a globally distributed team of engineers, product and program managers, designers, researchers, and data scientists responsible for Google Chrome, the world’s most popular web browser. In this role, I’m responsible for managing a team of 1000+ across 10+ offices, evolving the product across Windows, macOS, Linux, Android, and iOS, and protecting the data of billions of users around the world.
• Executive sponsor for product inclusion work across Chrome, Android, Photos, and multiple other Google products, ensuring we design and build products with inclusion and accessibility in mind to best serve the diversity of Internet users around the world.
• Independently manage Project Zero, an offensive security research team, and regularly speak at external industry, academic, and government events.

Sep 2018 – Feb 2020 · 1 yr 5 mos

Aug 2016 – Sep 2018 · 2 yrs 1 mo

• Took over responsibility for Chrome’s desktop browser and multiple core services and features. Tackled technical and organizational debt, defined and aligned a 200+ person org to a new strategy, and ultimately grew Chrome usage overall and in enterprise environments.
• Delivered on a multi-year effort to drive HTTPS usage on the world wide web, launched Site Isolation, an industry-leaving advancement in browser sandboxing, and launched OSS Fuzz, continuous and free security fuzz testing for open source software.
• Took over management of Project Zero, an offensive security research team dedicated to reducing the harm caused by targeted zero-day attacks. Project Zero has published thousands of vulnerabilities in modern operating systems, open-source libraries, security products, firmware, hardware, & other popular software, and published dozens of technical posts that aim to advance the broad understanding of exploitation among defenders.

Jan 2012 – Aug 2016 · 4 yrs 7 mos

• Led and grew the distributed engineering org that makes Chrome the most secure product and platform to browse the web. Established strategic focus areas (secure architecture design and implementation, finding and fixing security bugs at scale, addressing user experience safety problems, providing general security consulting group for the larger open source Chromium project), provided technical input and handled exceptions and escalations, awarded $XM to security researchers via Chrome’s vulnerability reward program, and otherwise get out of the way so teams can execute with autonomy. Chrome is regularly recognized as a leader in security and has been credited as redefining the standard for online security.
• Co-created infosec.rocks, a collection of activities and training resources for children (or anyone) interested in learning about information security topics and hacking in a fun and easy way. Facilitated these activities at r00tz (a.k.a. DEFCON kids) and with the Girl Scouts of San Bernardino.
• Regularly engaged with media and news outlets to promote awareness about Chrome security, how to stay safe online, and career paths in STEM.

Sep 2011 – Jan 2012 · 4 mos

• Led and grew a team of globally distributed “hired hacker” engineers with a mission to make Google products more secure via security consulting, engineering, incident response, and outreach programs. Helped improve team focus and communication, ensured balance between long-term proactive efforts and critical reactive security work, and helped individuals find work that is important, interesting, and an opportunity for personal and career growth.
• Scaled security education and outreach programs for Google via online courses, documentation, and hiring dedicated staff.
• Founded Hardcode, a coding contest to promote secure development practices for students around the world.

Feb 2007 – Sep 2011 · 4 yrs 7 mos

• As a “hired hacker” engineer and self-appointed “Security Princess,” improved Google's product security by finding application security bugs, helping teams fix them, and preventing them from happening in the first place. Personally security reviewed dozens of Google projects that spanned the entire software stack, with a focus on web application security.
• Developed and led Google’s software security education and training efforts, one of our most effective ways of scaling security knowledge and awareness across Google.
• Engaged with data protection authorities across the European Union regarding accidental wifi data collection from Google Street View cars.
• Co-developed a tool that detected potential 0-day cross-site scripting attacks based on vulnerabilities detected from live traffic, and co-created Gruyere, an open-source web hacking codelab that guides students through exercises about common web security vulnerabilities and how to avoid them.

May 2006 – Aug 2006 · 3 mos

• Developed a web vulnerability detection system for Google's products via log detection and replay.

Nov 2014 – Nov 2016 · 2 yrs · Washington D.C. Metro Area

• Advised the Executive Office of the President on industry best practices to enhance network and software security, and confirmed that the West Wing is smaller in real life than it looks like on TV.
• Alongside members of the Defense Digital Service, assessed status of the OCX project, dubbed, "the most troubled program," from the US Air Force.
• Achieved functional fluency in federal government acronyms, hacked bureaucracy in order to help teams be more effective, and left with a huge respect and appreciation for those that work in civil service.

May 2005 – Aug 2005 · 3 mos

• Researched methods to passively fingerprint wireless devices, then published how we did it in USENIX Security 2006.