- I am passionate about my work – it’s not simply a job.
- I want to work where my skills are challenged and I can learn new things.
- I don’t believe in giving up or settling for “good enough” – I demand better than that of myself.
- I consider myself extremely lucky to be paid to write and break code; it’s both a hobby and profession for me.
Security: I have a knack for breaking things; I leverage my knowledge of developers to choose approaches that others miss. I enjoy system analysis and reverse engineering – both desktop and mobile. My free time is often occupied with independent research, and I’ve discovered issues in numerous products.
Code: For the last few years I’ve been working primarily in C# and VB; before that much of my time was spent with PHP; for personal & open source projects I’m focusing on Ruby. I know my way around C, Java, Python and perhaps a few others, but not well enough to claim any expertise.
Source Control: I’m familiar with Git, Mercurial, and Subversion. I’ve used SourceSafe and CVS, but I’d rather forget those.
Operating systems / software: Windows, Linux (Ubuntu & Kali primarily), and OSX. Visual Studio, Microsoft Office, Adobe Photoshop, Fiddler, Wireshark, Eclipse. Metasploit, Burp Suite, soapUI, and various other tools.
I am currently a Senior Application Security Consultant for AppSec Consulting, Inc. in San Jose, CA. My responsibilities include:
- Penetration testing: web and mobile applications, web services, etc.
- Providing formal assessment reports, remediation options, and insight into preventing such issues.
- Performing design and code reviews to identify security issues.
From 2005 to February 2016 I was the Application Development Manager at Advanced Call Center Technologies, LLC in Johnson City, TN; I had been with the company since December 2005. I managed a team of nine developers, both local and remote. My responsibilities included:
- Penetration testing applications prior to deployment.
- Ensuring compliance with security standards.
- Designing system architectures, and reviewing other developers’ designs.
- Mentoring new developers.
- Auditing implementations to ensure compliance with various certifications (PCI-DSS, ISO 27002, SSAE 16), as well as client security policies.
- Designing application architectures and managing implementations.
- Developing applications and tools in C#.
During my time here, I believe I have achieved many things:
- Attitude change to think about quality and security first – instead of “just fix it later.”
- Led effort to update applications to be compliant with PCI-DSS.
- Designed a new internal framework that reduced turn-around time by 20% to 30% for large requests and up to 80% for smaller requests.
- Migrated source control away from Visual SourceSafe to Mercurial, and implemented a continuous integration system.
- Standardized data access, security, and other sensitive code into a standard library to improve security and consistency.
- Replaced various third-party communication/integration libraries with fully-managed custom implementations (digital voice recorder, PBX, Avaya dialer).
- Led development of Python/MongoDB system that improved application performance and reduced dependence on Oracle.
From 2001 to 2005 I worked as an independent contractor and as a co-founder of an ISV. During this time I built a number of interesting systems:
- Custom e-commerce systems in PHP/MySQL.
- Customized ASP/SQL Server commercial e-commerce system.
- Various web sites in PHP/MySQL, some simple, some effectively custom CMSs.
- Various desktop software (processing tools, RSS client, IRC client, Gmail client, network monitoring, etc.).
- Custom sales system to sell cars on eBay.
During this time I also performed security audits on client sites, provided software and hardware support, and various other IT-related functions.
From 2000 to 2002 I worked with a now-defunct security research group as a volunteer, building new tools and scripts to automate pen-testing. These tools were primarily intended to speed delivery of exploit payloads to identified potential targets and to report results.
I have found issues in many systems, both commercial and open source, and I was part of the team that released the first working BadUSB code. Exploits based on my research are included in Metasploit.
CVEs: CVE-2012-3477, CVE-2012-4673, CVE-2013-4467, CVE-2013-4468, CVE-2013-7382, CVE-2014-2890, CVE-2015-8267, CVE-2016-2346.
OSVDB IDs: 85140, 85141, 92089, 98902, 98903, 98948, 98949, 98904, 102518, 105999, 107394.
Open Source & Community
I blog on security and development related topics, and stay engaged with the community via various social services. I was a moderator on what was once the largest forum for Visual Basic developers (XtremeVBTalk.com), and received their highest peer-voted award for knowledge.
I’ve contributed to a number of open source projects, including bbPress, ccsrch, openssl-net, libsodium-net and others. I’ve also managed a few open source projects – the most interesting of which was a fault-tolerant load balancing system for an IRC network that provided much better leveling than DNS round-robin could.
I founded the BSides Knoxville security conference, and the Underhanded Crypto Contest.
From 2001 to 2003 I attended Florida Metropolitan University in Melbourne, Florida, working towards a degree in Computer Information Science. I completed all major-related classes with a 4.0 GPA, and I received multiple Dean’s & President’s List awards during my time there. Unfortunately, I did not complete the program due to a family illness.