Samuel Reed

Operations Associate

Seattle, Washington, United States
16 yrs 9 mos experience

Key Highlights

  • Led security initiatives at major tech companies
  • Expert in application security and incident response
  • Developed innovative security training programs

Skills

Core Skills

Application Security, Security Architecture Design, Penetration Testing, Incident Response, Team Management, Client Management, Security Intelligence, Incident Coordination, Security Training, Security Reviews, Security Research, Vendor Management, Static Analysis, Architecture Design

Other Skills

Vulnerability Management, AI assisted workflows, Workload management, Bug Bounty Management, Dynamic Testing, Vulnerability Tracking, FedRAMP Compliance, Process Engineering, Metrics Dashboard, Security Design Review, Architecture Reviews, Public Speaking, Digital Forensics, Crisis Management, Vulnerability Scanning

Experience

Total Experience: 16 yrs 9 mos
Average Tenure: 1 yr 10 mos
Current Experience: --

Amazon

Manager, AWS Proactive Application Security

Mar 2025 - Feb 2026 · 11 mos · Seattle, Washington, United States · On-site

  • Joined AWS's Proactive Security organization as a Manager. Proactive Security performs security reviews of new product launches and features, based on a traditional SDLC program. The team supported engineering teams, primarily in the spaces of Identity, Observability, Monitoring, Analytics, Messages, and managed Streaming services.
  • Oversaw the team during its shift from traditional security reviews and operational approvals to AI assisted workflows. Areas that required operational approvals were transitioned to agent serviced workflows to speed up engineering velocity. Agents performed pre-review toil, such as identifying tasks and creating basic threat models to support human efforts.
  • Developed agents to handle parts of manager responsibilities, such as giving feedback on various forms of writing such as self-evaluations, escalation emails, and team agendas. Created a guide that assisted engineers in understanding how to write Situation-Behavior-Impact (SBIs) statements, and developed an agent to give feedback on quality and missing elements.
  • Maintained team effectiveness by actively engaging with workload management and shifting priorities based on launch schedules. Escalations and strong judgement played a role in navigating the correct level of visibility and decision making necessary to resolve conflict and disagreement. All product launches and features required security review, which required constant vigilance and rebalancing to align resources with customer needs.
  • Introduced the team to common engineering practices like Asana for tracking project status and impact, structured 1on1s with documents, and maintaining action item lists with projected delivery estimates. Drove backlog burn-downs and maintained accurate metrics through targeted clean-up efforts. Utilized GenAI to process and monitor work streams, identifying issues for correction.
Application Security, Security Architecture Design, Vulnerability Management, AI assisted workflows, Workload management

Pave

Staff Security Engineer

Jan 2023 - Sep 2024 · 1 yr 8 mos · San Francisco, California, United States · On-site

  • Joined Pave as a Security Engineer (Staff level), third hire on the Security team.
  • Focus on a lightweight and dynamic Application Security program, with dynamic testing (internal and DAST), code review (SAST tooling), external testing through pentesters and a bug bounty program. Tactically used techniques from DevSecOps teams to drive program maturity.
  • Bug Bounty program management of the whole triage-to-fix pipeline, accounts, and migration from one bug bounty provider's platform to a new one. Penetration testing program management and logistics to support a twice-annual engagement and ensure reachable depth and success in coverage across a very customizable application.
  • Heavy focus on security logistics and finding configurations for pentesters and bug bounty that enable various testing conditions. Managed hundreds of bounty hunters supported by scripts and internal tooling.
  • Internal penetration testing and code review for issues. Semgrep rule development in order to look for special cases of issues unique to Pave. Security design review upon request.
  • Security Training: developed security training custom to Pave on topics such as Secure Design Principles, Timing Attacks, IDOR Attacks, and security tool usage. Developed a custom CTF target application for Security Awareness Month 2023, highlighting historical issues and providing entertaining puzzles to learn security through.
  • Various team strategy projects: custom severity scales, historical vulnerability tracking and research, custom CSP header project, consulting as needed.
Application Security, Penetration Testing, Bug Bounty Management, Dynamic Testing, Security Training

MongoDB

Staff Security Engineer

Oct 2020 - Nov 2022 · 2 yrs 1 mo · San Francisco, California, United States

  • Joined MongoDB as a Staff Security Engineer on the Cloud Security team, part of the Cloud Engineering organization. Focus was application/product security, with contributions to detection & response engineering.
  • Strategy consulting on topics from application security program design, incident response program design, trust & safety program design, maturity model measurement against BSIMM and OpenSAMM, and a wide range of other areas based on experiences at other companies.
  • Architecture/Security reviews of features and products through the Cloud Engineering's Scope/Spec process, influencing design prior to implementation to address security issues.
  • Static analysis code reviews with commercial SAST products, and investigations into other open source tools gosec, semgrep, and CodeQL for Golang.
  • Penetration testing of authentication systems, and the Atlas, Realm, and Charts products.
  • Designed and implemented the CSEC vulnerability tracking project to get visibility on trends and patterns. Analyzed all available vulnerability data back to January 2019 to establish origins, status, time to close, and other meta-data about vulnerabilities to inform team strategy and approach going forward. Project design based on previous experiences at Netflix and Credit Karma.
  • Developed the approach to FedRAMP's Continuous Monitoring (ConMon) requirements for application security concerns, providing artifacts for auditors to achieve FedRAMP Ready status in May 2021.
  • Team improvements to process around onboarding, interviewing standards, tracking work on tickets, and more day to day security team tasks.
  • Interviewing responsibilities to consider candidates for the team.
  • Technologies in use: AWS, MongoDB's cloud products (Atlas, Realm, Charts), BurpSuite, Veracode, Snyk Code, mongodb.
  • Programming languages reviewed: Java and Golang.
  • Programming languages used: light Java for spot fixes and expanding the in-house encryption libraries, Python.
Application Security, Incident Response, Static Analysis, Vulnerability Tracking, FedRAMP Compliance

Credit Karma

Director, Security Engineering (Application Security)

Jan 2019 - Feb 2020 · 1 yr 1 mo · San Francisco Bay Area

  • Joined Credit Karma as the Director of Application Security, one of the seven security organization teams making up the security program. Led the team through the launching of the Savings Account product offering, Noddle re-brand, and the UK environment launch.
  • Hired the team up to 14 individual contributors (ICs) and 1 manager from a team of 6 ICs. Established presence in North Carolina and UK offices.
  • Process engineering and refinement for various initiatives in order to increase effectiveness of the team, tracking of vulnerabilities, and engineering team accountability.
  • Established the real-time AppSec Metrics Dashboard Project to unify the results of the team's work and raise visibility of engineering vulnerabilities.
  • Partnered with Platform Security and Cyber (Network/Cloud) Security team to form the Security Design Review Group (SDRG), performing panel based architecture reviews of new features and new microservices. Based on office hours, the SDRG reduced meetings of potentially three or more different one-hour meetings with teams down to a single meeting. Refinement further pushed one-hour sessions to 30 minutes.
  • Formulated the AppSec Engagement Model to guide AppSec engineers to engage on a regular basis with teams, drive down vulnerability counts through greater transparency, and inform them of new initiatives and solutions for their specific technology stacks.
  • Started the Project Insight initiative to develop custom static analysis tooling in a scalable manner across all code bases.
  • Represented Application Security in product security investigations and incidents.
  • Management Responsibilities: Hiring, Promotions, 9Box, 1on1s, Monthly Functional Reviews (MFRs), Objectives and Key Results (OKRs), Risk Register updates, procurement, and cross-organization communication.
  • Technologies in use: Microservice Architectures, Google Cloud, TypeScript, Scala, Java, PHP, GraphQL, and Thrift.
Application Security, Process Engineering, Metrics Dashboard, Team Management, Security Design Review

Vallation Security, Inc.

Principal Security Consultant & Founder

Dec 2015 - Dec 2018 · 3 yrs · San Francisco Bay Area

  • Founded Vallation Security, Inc., a consultancy that provides application security services such as penetration testing, code review, architecture reviews, and application security program strategy.
  • Provided expertise in application security as a Principal Security Consultant.
  • Designed secure architectures for customers to achieve specialized purposes such as secure storage solutions in the AWS cloud.
  • Penetration testing and white paper development to provide a trusted third party perspective on customer's products. Testing included follow-up engagements to assess fixes and track customer investment in product security.
  • Developed specialized briefings on security topics for customers covering modern cryptography, secure design principles, and cloud security best practices.
  • Navigated the incorporation process to establish an S-Corporation in California.
  • Management of outsourced services for the purposes of accounting, quarterly/yearly taxes, and legal matters.
  • Developed customer relationships and customized contracting agreements per customer needs.
  • Public speaking at OWASP Portland December 2017 on the topic of cloud security principles.
  • Programming Languages Reviewed: Java, PHP, Go, and C.
  • Programming Languages Used: Java, Python.
Application Security, Penetration Testing, Architecture Reviews, Client Management, Public Speaking

Netflix

2 roles

Engineering Manager, Security Intelligence & Response

Promoted

Nov 2014 - Aug 2015 · 9 mos · Los Gatos, CA

  • Promoted to Manager to lead the team responsible for security intelligence, investigations, and incident response. Based approach on the gap analysis performed while working in the previous application security role with Netflix.
  • Security Intelligence: Initial team investments to identify current and potential attackers using OSINT methods on the dark web. Information collected from investigations and intelligence efforts were enriched by various public and commercial threat feeds. Partnership in the Facebook Threat Exchange for sharing threat intelligence.
  • Investigations: Various investigatory services for incidents and partner teams requiring digital forensics, assistance with legal inquiries, and security subject matter expertise.
  • Incident Response: Adopted a mixture of industry practices for incident response (NIST 800-61) and practical solutions established by the internal Crisis Management team. Procedures were based on an on-call rotation, incident handlers coordinating war-rooms to guide stakeholders through to recovery, and a post-mortem process to identify lessons learned.
  • Standardized company run-books for major security incidents ranging from PCI breaches to customer data exposure. Drove for transparency and familiarity with the procedures by establishing regular cyclical table tops with partner teams.
  • Team handled incidents ranging from compromised content producers, vendor breaches that impacted employees, internet-scale vulnerabilities, targeted employee phishing, and customer account takeovers.
  • Management responsibilities within the Netflix culture: heavy recruiting focus, internal team and cross team communication via regular 1 on 1 meetings, and providing context rather than control over team activities.
Incident Response, Security Intelligence, Digital Forensics, Team Management, Crisis Management

Senior Application Security Engineer

Dec 2012 - Oct 2014 · 1 yr 10 mos · Los Gatos, CA

  • Joined Netflix’s Cloud Security team as the first dedicated application security engineer. Responsible for devising approaches to security that aligned with the company’s “Freedom & Responsibility” culture, which advocates individual developer freedom over process and ship gates. Higher emphasis on developing automated solutions, monitoring, and Security Operations over traditional SDLC oriented activities.
  • Developed tools, capabilities, secure coding guidelines, and training for developers to own the security of their code.
  • Code reviews and penetration tests of properties involved in the core customer experience, the digital supply chain, and other edge facing properties.
  • Initial design and requirements of a cloud based vulnerability scanning framework known as Monterey (Patent Pending), prior to its redesign to be AWS focused. Subsequently programmed plugins, in particular, the scan results pipeline backed by Threadfix.
  • Refined the existing Responsible Disclosure Program and guided it through its growth, in particular the procedures for handling reports, communication strategies, procedures, and updates to the disclosure policy.
  • Established the practice of tracking of both internal and external vulnerabilities, and developed subsequent metrics for monthly and quarterly analysis.
  • Performed coordination and investigations for various high-impact security incidents, both external (Heartbleed, GMail Breach, Shellshock) and internal (customer and attacker investigations, public API abuse, credential dumps, security mechanism outages).
  • Attended Mandiant’s Malware Reverse Analysis course, covering reverse engineering malware with tools such as IDA Pro, OllyDbg, and malware safe handling techniques.
Application Security, Vulnerability Scanning, Secure Coding Guidelines, Incident Coordination, Training Development

Zynga

2 roles

Application Security Architect

Jul 2012 - Nov 2012 · 4 mos · San Francisco, CA

  • Continued to perform the duties of a Principal Application Security Engineer while also working on larger cross-business unit initiatives and projects.
  • Developed a new custom Security Development Life-cycle (SDL) for the Application Security team to address the growing needs of the business and the challenges of becoming a large platform for third party and first party games.
  • Drove the initiative to secure the arbitrary image upload architecture by identifying security risks and mitigations. System was based on metadata stripping/storage, PhotoDNA integration, and destructive transcoding to mitigate the risks of privacy leaks, illegal content, and malicious data.
  • Delivered two weeks of in-depth training on Application Security and Penetration Testing to the Game Play Security team, a brother team of the Application Security Team in the Security organization. Covered the full process of penetration testing from reconnaissance to post-exploitation in order to transfer duties and re-scale the application security effort.
  • Recipient of the Q3 2012 “Atlas Hero Award”.
Application Security, Security Training, Code Review, Penetration Testing, Mobile Security

Principal Application Security Engineer

Jul 2011 - Jul 2012 · 1 yr · San Francisco, CA

  • Performed architecture and security reviews for the key Zynga business initiatives, many of which are still underway to bring Play to 1 billion gamers!
  • Extensive knowledge behind current trends in game fraud and its overlap into payments fraud. Performed detailed analysis of fraud detection systems and identified bypasses to protection mechanisms with corresponding mitigations. Review of statistical models to identify behaviors that may go unnoticed in addition to validation that the models caught the behaviors they had intended to catch.
  • Code review and penetration tests for popular franchises released on the Facebook application platform such as Indiana Jones Adventure World, CastleVille, TheVille, and as of yet unreleased titles.
  • Provided expertise in both iOS security and Android security. Responsible for the game reviews of HangingWithFriends (iOS), ScrambleWithFriends (iOS), Party (iOS, Japanese Markets Only), ZombieSlice (iOS), In-App Purchase Workflows for iPhone, the WithFriends Game Framework for iOS and Android, WordsWithFriends (Android), and ScrambleWithFriends (Android).
  • Updated application security and mobile security training decks with the latest developments in the security industry. Delivered in-person training to classrooms in remote and International offices with guided hands on labs for the topics of web application security, iOS secure development practices, and Android secure development practices.
  • Coded prototype Ruby applications to perform automated vulnerability scanning of source code based on both open source vulnerability lists and a known set of targeted “cut-and-pasted”/code-forked propagated vulnerabilities in internally developed core libraries: Internal Library Scanner "Audy" and CVE List Parser "Sauron".
Penetration Testing, Security Reviews, Architecture Reviews, Code Review, Secure Development Practices

iSEC Partners

Security Consultant

Jan 2010 - Jul 2011 · 1 yr 6 mos · San Francisco Bay Area

  • Penetration tests for web applications, online games, payment systems, transactional systems, statistics tracking, messaging systems, online marketplaces, content management systems, email integrations, conferencing solutions, HR systems, financial systems, thick clients, cloud-based applications, firewall products, virtualization products, mobile payment applications, etc.
  • Tech Lead in the majority of the reviews I worked on, responsible for delivering the status reports, the creation and readout of the final deliverable, managing customer expectations, organizing penetration tester logistics, post-engagement Q&A, and any crisis that should arise during the engagement.
  • Performed multiple code reviews in PHP, Ruby, Java, C/C++, Objective-C and ActionScript.
  • Architecture reviews for cutting-edge security mechanisms, secure architecture alterations, non-traditional authentication and password recovery workflows, web application and backend integration, etc.
  • Security reviews of payment processing systems, in-application purchasing, libraries calling out to payment processor APIs, middle-man software between the merchant and processor to deliver financial services, logging and transaction database security, verification of fraud detection capabilities and their resilience against a variety of attacks (smurfing, refund abuse such as non-referenced credits, purchasing race conditions, and the secure storage of financial data).
  • Hardware/OS design review to assess validity of defense in depth protections against reverse engineers.
  • Mobile application security reviews for iPhone, iPad, and Android devices to identify security issues related to privacy, access control, intents, activities, and iOS foibles.
  • Development of secure coding practices guidelines for a customer in Java, .Net, and PHP.
  • Intern project scheduling and management for four months up until my departure in July 2011.
Penetration Testing, Security Reviews, Architecture Reviews, Secure Coding Practices, Client Management

Adobe Systems Inc.

Security Researcher

Aug 2007 - Jan 2010 · 2 yrs 5 mos · San Francisco, CA

  • Member of the Adobe Secure Software Engineering Team (ASSET), responsible for providing domain expertise in security and supporting all the product teams through Adobe to secure their products.
  • Devised a custom secure development lifecycle (SDL) for Adobe based on existing processes, gaps, and risk; developed the process flow based on priority, domain knowledge, feature sets, and the outcome of a self-guided questionnaire for development teams to complete. Inspiration came from the Microsoft SDL and the original BSIMM study. The Adobe SDL drove initiatives such as security metrics, product tracking via spreadsheets, and identified product teams as targets for security pushes and training.
  • Conducted security reviews and threat modeling for 50+ Adobe products, services, and technologies. Security reviews consisted of code auditing and penetration tests for common low level issues, web application vulnerabilities, and logical flaws in business flows.
  • Responsible for the majority of Creative Suite 4 products security reviews.
  • Evaluation of Hardware Security Modules (HSMs), Web Application Penetration Testing software, and Static Analysis code review software.
  • Designed and developed programs to support code signing of updates and binaries.
  • Responsible for company wide support of security tools.
  • Intimate hands-on experience with Fortify and Veracode static analysis engines.
  • Assisted design of PCI compliant purchasing modules, identified requirements, reviewed test plans.
  • Created training modules on the topics of cryptography, privacy, PII, AIR security, and buffer overflows for company wide dissemination.
  • Extensive contributions to the internal security wiki.
  • Managed consultant engagements and communications with 3rd party vendors.
  • Outreach and evangelism at security conventions like CanSecWest, Defcon, and Blackhat.
  • Interviewed candidates for positions as researchers, management, and internships.
Security Research, Secure Development Lifecycle, Security Reviews, Training Development, Vendor Management

LynuxWorks Inc.

Software Engineer

Sep 2005 - May 2007 · 1 yr 8 mos · San Jose, CA

  • Member of static analysis code review team to harden the code of an in house real-time operating system using static analysis tools, looking for buffer overflows, heap overflows, and other low level access control, authentication, and logging vulnerabilities.
  • Member of architecture team responsible for designing kernel subsystems for an in house OS to achieve a Common Criteria EAL 4+ certification.
  • Expertise in Common Criteria and the Single Level Operating System Protection Profile.
  • Ported BSD libraries/applications to in house OS by adding device drivers and system calls.
  • Validation of common-off-the-shelf software products on an in house OS ranging from databases to frameworks.
  • Interviewed candidates for positions on the static analysis code review team.
  • Established the first company wiki for tracking documentation and technical information.
  • Worked in accordance with ISO 9000 processes and adapted code security audit procedures to work within this standard.
  • Outreach at Embedded Systems Conference 2006 for in house IDE tool.
Static Analysis, Architecture Design, Kernel Design, Documentation Management, ISO Compliance

Education

San José State University

BS — Computer Science

Jan 2000 - Jan 2005
