Peter Valchev

Director of Engineering

San Francisco, California, United States · 25 yrs 5 mos experience

Key Highlights

  • Over 20 years of security experience.
  • Led Google's Information Security Team.
  • Expert in mitigating high-profile vulnerabilities.
Skills

Core Skills

Information Security, Cryptography, Web Security, Security Reviews

Other Skills

Systems Security, Safe Coding, C++, Sandboxing, Vulnerability Mitigation, Security Standards, Protocol Design, Java, Consultation, Post-Quantum Cryptography, Open Source Contributions, Kernel Driver Porting, Remote Command Execution, Performance Optimization, BSD

About

Over 20 years of security experience. I love solving difficult problems, and figuring out how to say "yes" when business needs seemingly conflict with security... that's when the problems get interesting. I lead Google's Information Security Team, performing product security work and aiming to engineer away classes of vulnerabilities. I've tinkered with sandboxes and exploit mitigations, figured out how to secure one of the largest web application shops in the world, created security review processes, optimized vulnerability reward programs, etc... and I love working with people! When I'm not working, I love to be outside climbing, skiing, chopping firewood, mountain biking, or otherwise exploring nature.

Experience

Total Experience: 25 yrs 5 mos
Average Tenure: 15 yrs 11 mos
Current Experience: 18 yrs 10 mos

Google

3 roles

Director Software Engineering, Information Security Engineering

Promoted

Mar 2021 - Present · 5 yrs 3 mos · Hybrid

  • Director, Software Engineering for Google's central product security team (ISE). Strategic areas:
  • Safe Coding, where we prevent security vulnerabilities from occurring in large codebases (preventing common classes of bugs, from injection (XSS and SQLi) to eliminating memory safety bugs in our C++ codebase, and advocating the use of memory-safe languages). Maintaining and running the cryptographic libraries at Google, preventing unsafe crypto usage, and ensuring our secret keys are adequately protected.
  • Systems Security, where we discover and mitigate high-profile vulnerabilities in our production infrastructure and hardware. We implement sandboxing technologies for both confidential and untrusted workloads at Google (protecting machine learning models, but also protecting Google against bugs in third party code).
  • Web Security - where we focus on enabling Google and the industry to ship secure web applications (both through external work, by pushing for new security mechanisms to be standardized and adopted in all browsers, and internal work where we ensure our products are secure by default against common web vulnerabilities).
  • Security Reviews, Consulting and Vulnerability Research. We perform security reviews for thousands of applications, and run the federated security program where we advocate for other security teams to be embedded in a product area. We run the Vulnerability Reward Program, where we engage with external researchers and pay them for vulnerabilities discovered in Google's products, the Security Review process, etc.
  • Responsible for >100 staff in the US and Europe (primary: Seattle, San Francisco Bay Area, New York, Zurich, and 20% remote staff in Europe and the US). Highly experienced in building and running distributed teams, and understand the balance of in-person collaboration with the need for deep specialists to be able to focus and work remotely to deliver the best results, in the specialized field of information security.
Information Security, Cryptography, Web Security, Systems Security, Safe Coding

Senior Staff Software Engineer, Information Security Engineering

Aug 2007 - Mar 2021 · 13 yrs 7 mos · Hybrid

  • Tech Lead for Google's product security review process for 9 years. Performed >2000 security reviews and consultations, embedding myself and helping numerous parts of Google bootstrap their security programs. Reviewed and designed security-sensitive protocols, steered teams to use preferred hardened frameworks, authored security-critical code (readability in C++, Java), performed reviews for all new Google products and features before they get released to the public.
  • Worked in a wide variety of projects, e.g.:
      • Writing the main library to handle untrusted content serving in our web applications, and some other security-critical code
      • Sandboxing/reducing the risk of memory corruption vulnerabilities, especially in third party/open source software, from impacting our infrastructure (2007 onward)
      • Self-driving cars (bootstrapping the security program, working in a 20% capacity for 5 years until we hired/built a security team in 2019). Organized multiple internal hacking events, helped remediate vulnerabilities, set security strategy
      • Defining how Google's Apps Script project can contain untrusted code in our production infrastructure safely
      • etc.
  • Later on, I became a Tech Lead Manager and bootstrapped our Cryptography team, responsible for Google's use of cryptography, including a migration plan for Post-Quantum Cryptography. We built Tink, our open source cryptography library used in our production infrastructure, but also mobile applications and Cloud applications. My management responsibilities expanded gradually, also encompassing building our Cloud Security function and more.
  • I was a co-author on several chapters in Google's Building Secure and Reliable Systems book.
Security Reviews, Protocol Design, C++, Java, Cryptography, Information Security

Software Engineering Intern, Information Security Engineering

May 2006 - Aug 2006 · 3 mos

  • Summer internship with the Information Security Engineering team.
  • Demonstrated a remote command execution bug in our production environment, and worked on a project to sandbox a large component of our search infrastructure responsible for it.
  • Spent the majority of the summer on performance optimizations and seamlessly securing our infrastructure - the code I wrote was successfully rolled out to production prior to the end of my internship (and ran in production unmodified for over 12 years, catching a real external breach about 10 years later).
Remote Command Execution, Sandboxing, Performance Optimization

OpenBSD Project

Developer

Jan 2001 - Jan 2014 · 13 yrs

  • Variety of open source contributions to the OpenBSD project, on everything from the ports infrastructure, to porting a kernel driver for a Gigabit network card. Learned a tremendous amount! Was on payroll for ~2 years part time during university.
Open Source Contributions, Kernel Driver Porting

Education

University of Calgary

BSc

Jan 2002 - Jan 2007
