- I am passionate about my work – it’s not simply a job.
- I want to work where my skills are challenged, and I can learn new things.
- I don’t believe in giving up or settling for “good enough” – I demand better than that of myself.
- I consider myself extremely lucky to be paid to write and break code; it’s both a hobby and profession for me.
Security: I have a knack for breaking things; I leverage my knowledge of developers to choose approaches that others miss. I enjoy system analysis and reverse engineering – both desktop and mobile. My free time is often occupied with independent research, and I’ve discovered issues in numerous products.
Code: For the last few years, I’ve primarily been working with Python and Ruby; before that, I was mainly focused on C# (and Visual Basic), and before that was PHP. I am proficient in Java, Go, C/C++, and perhaps a few others.
Source Control: I’m familiar with Git, Mercurial, Subversion, SourceSafe, and CVS.
Operating Systems / Software: Windows, Linux (Ubuntu & Kali primarily), and macOS. Visual Studio, PyCharm, RubyMine, Microsoft Office, Adobe Photoshop, Highrise, Fiddler, Wireshark, Eclipse. Metasploit, Burp Suite, Nessus, Qualys, soapUI, and various other tools.
From 2020 to 2024 I served in various roles at 1Password (AgileBits):
2023 to 2024 I was the Security Architect. My responsibilities included:
- Directly supported the newly created VP of Security role by addressing tactical and operational issues, allowing the VP of Security to remain focused on strategic issues.
- Acted as a subject matter expert on a broad array of topics, and as a strategic and tactical advisor both inside and outside of the security organization.
- Mentored managers and individual contributors, both inside and outside of the security organization.
- Active in the design of new product features and security controls, including design and architectural reviews.
- Provided expertise to teams within security when addressing particularly complex issues or high workloads.
- Served as an advocate for individual contributors to senior leadership, ensuring issues were identified and addressed quickly.
2021 to 2023 I was the Director of Security. My responsibilities included:
- Leading all aspects of security, including Product Security, IT & Infrastructure Security, Privacy, Compliance (including SOC2, GDPR, CCPA, &c.), Risk Management, Incident Response, Training, and others.
- Responsible for a budget of more than $6M USD.
- Implementing new processes and procedures to facilitate rapid growth while maintaining the highest security standards.
- Working closely with executives and teams throughout the company, including Legal, Product, Engineering, DevOps, HR, Marketing, and others, to ensure that policies are followed, that security & privacy are central to their work, and that they receive the support they need.
2020 to 2021 I was the Principal Security Engineer. My responsibilities included:
- Leading a team of 15 managers, engineers, developers, and specialists working remotely from multiple countries.
- Created the Security Engineering organization from scratch, building it into a highly effective and experienced team of six security engineers.
- Created cross-functional security-focused development teams, blending security engineering and product development to optimize the integration of security into development.
- Mentored team members to develop their skills in a variety of areas.
- Led efforts to improve security across the organization, such as new training programs, updates and expansion of security policies, creation of a Security Ambassador program, implementing new systems and controls, department reorganization to improve scalability and resilience, and a variety of others.
- Performed code reviews in a variety of languages, including Go, Rust, TypeScript, Python, and others. I also performed design and architectural reviews for products and services across a variety of platforms.
- Active in the design and development of new product features.
- Acted as a key source of expert information for press & public relations.
From 2018 to 2020 I was the Director of Application Security Testing for AppSec Consulting, Inc. in San Jose, CA. My responsibilities included:
- Managing a team of six application security consultants working remotely, including managing their projects and schedules.
- Mentoring application security consultants, providing guidance in testing techniques, and assisting in the development of exploits for complex vulnerabilities.
- Improving testing techniques and methodology via original research, custom tool development, defining new testing standards, and aligning testing procedures with various industry standards (OWASP Top 10, OWASP ASVS, etc.).
- Performing technical reviews of assessment reports and collected evidence, and performing manual testing to verify reported findings.
- Performing remediation testing and working with customers to develop remediation strategies.
- Leading sales, scoping, readout, and customer support calls.
- Training new consultants in AppSec Consulting’s proprietary testing methodology and reporting techniques.
From 2016 to 2018 I was a Senior Application Security Consultant for AppSec Consulting, Inc. in San Jose, CA. During my time in this role, I worked with companies of all sizes, from small start-ups to some of the largest financial institutions in the world. My responsibilities included:
- Penetration testing of various types of applications, including web applications, mobile applications (iOS, Android, Windows Mobile), and desktop/server applications.
- Developing custom exploits for vulnerabilities targeting a wide range of frameworks using a variety of programming languages.
- Providing training for developers on secure web application development techniques.
- Developing new training material for AppSec Consulting’s training classes.
- Providing formal assessment reports, remediation options, and insight into preventing security issues.
- Performing design and code reviews to identify security issues.
From 2005 to 2016 I was the Application Development Manager at Advanced Call Center Technologies, LLC in Johnson City, TN. I managed a team of nine developers, both local and remote. My responsibilities included:
- Penetration testing applications prior to deployment.
- Ensuring compliance with security standards.
- Designing system architectures and reviewing other developers’ architectural designs.
- Mentoring new developers.
- Auditing implementations to ensure compliance with various certifications (PCI-DSS, ISO 27002, SSAE 16), as well as client security policies.
- Designing application architectures and managing implementations.
- Developing applications and tools in C#.
During my time there, I believe I achieved many things:
- Attitude change to think about quality and security first – instead of “just fix it later.”
- Led effort to update applications to be compliant with PCI-DSS.
- Designed a new internal framework that reduced turnaround time by 20% to 30% for large requests and up to 80% for smaller requests.
- Migrated source control away from Visual SourceSafe to Mercurial, and implemented a continuous integration system.
- Standardized data access, security, and other sensitive code into a standard library to improve security and consistency.
- Replaced various third-party communication/integration libraries with fully-managed custom implementations (digital voice recorder, PBX, Avaya dialer).
- Led development of Python/MongoDB system that improved application performance and reduced dependence on Oracle.
From 2001 to 2005 I worked as an independent contractor and a co-founder of an ISV. During this time, I built a number of interesting systems:
- Custom e-commerce systems in PHP/MySQL.
- Customized ASP/SQL Server commercial e-commerce system.
- Various websites in PHP/MySQL, some simple; some were effectively custom CMSs.
- Various desktop software (processing tools, RSS client, IRC client, Gmail client, network monitoring, etc.).
- Custom sales system to sell cars on eBay.
During this time, I also performed security audits on client sites, provided software and hardware support, and various other IT-related functions.
From 2000 to 2002 I worked with a now-defunct security research group as a volunteer, building new tools and scripts to automate pen-testing. These tools were primarily to speed delivery of exploit payloads to identified potential targets and report results.
I have found issues in many commercial and open-source systems, and I was part of the team that released the first working BadUSB code. Exploits based on my research are included in Metasploit.
CVEs: CVE-2012-3477, CVE-2012-4673, CVE-2013-4467, CVE-2013-4468, CVE-2013-7382, CVE-2014-2890, CVE-2015-8267, CVE-2016-2346.
I blog on security and development-related topics and stay engaged with the community via various social media services. For example, I was a moderator on what was once the largest forum for Visual Basic developers (XtremeVBTalk.com) and received their highest peer-voted award for knowledge.
I’ve contributed to many open-source projects, including YAWAST, bbPress, ccsrch, openssl-net, libsodium-net, and others. I’ve also managed a few open-source projects – the most interesting of which was a fault-tolerant load balancing system for an IRC network that provided much better leveling than DNS round-robin could.
I co-founded the BSides Knoxville security conference and the Underhanded Crypto Contest.
I am a member of the Open Web Application Security Project (OWASP) and the International Association for Cryptologic Research (IACR).
From 2001 to 2003, I attended Florida Metropolitan University in Melbourne, Florida, working towards a degree in Computer Information Science. I completed all major-related classes with a 4.0 GPA, and I received multiple Dean’s & President’s List awards during my time there. Unfortunately, I did not complete the program due to a family illness.