Woodinville, Washington, United States
Loves delivering training on security-related topics. Starting out of college in technical support, Alun moved into software development in FORTRAN, C++, xBase, and eventually VB.Net and C#. Moving to the US in 1992 led to meeting his wife, Debbie, and eventually starting his own business, Texas Imperial Software. This gave him more exposure to the security field than anyone should enjoy, and convinced Alun that this was where he wanted to be. After a brief stint as a developer at Microsoft, largely to pay off his cancer treatment bill, Alun moved into Security Engineering and then Security Architecting. Currently lead security automation engineer, but still with an AppSec focus. Specialties: Windows Security, Web application security, secure coding practices, network development.
Lead engineer for a group of talented and dedicated engineers, devoted to supporting the tools and services depended on by the cyber security operations team, the broader global cybersecurity team, and the company as a whole. Services include: Cloud Posture Management, Asset Discovery & Identification, Subdomain Takeover Detection & Prevention, Domain Name Service provisioning, Host-based network firewall, enterprise-wide event logging, PKI and Certificate Management, and other services as needed. Continuing the support, ongoing development, and maintenance of SubMon, the subdomain takeover prevention tool described at my 2020 RSA presentation, which has saved up to around $350,000 in prevented bug bounty payments. Writing and maintaining security operations automation in Python, C#, PowerShell, Golang, etc.
Leading a distributed team of interns, engineers and senior engineers, in providing an automation "centre of excellence" to the Security Operations Center, as well as the broader global security organisation. Standing in for unfilled manager role for several months, reporting to Director and VP. Leading the team by modelling great work, mentorship, sprint management, one-on-one meetings, and regular education / information sharing on security and development topics. Primarily using a "Rapid Application Development" environment (Palo Alto's XSOAR), and writing custom Python automations, integrations, playbooks, etc, to create and handle incidents, passing them to human agents when human intelligence and creativity is required to address the incident. Writing and managing cloud-hosted automations in Python, C#, PowerShell, etc to create and improve network defences. Coaching cross-department teams through their "Defenders Learning Journey" project and presentation. Sharing knowledge on information security with junior members of the team, informally and formally, to ensure that their time in the Global Cyber Security team includes security knowledge, as well as the software development skills they use daily. Providing consulting services to the Application Security & SOC teams on bug bounty issues where prior expertise, or diplomatic handling, is required. Maintaining connections with bug bounty researchers built through nearly three years of bug bounty handling. Planning, developing and securing Azure-based cloud applications. Continuing the support, development and maintenance of SubMon, the subdomain takeover prevention tool described at my RSA presentation in 2020, saving $125,000-$350,000 in bug bounty payouts.
Protecting customers, partners and brand, by assisting application developers and designers in creating and maintaining secure software. Responding to bug bounty researchers reporting security issues, settling disputes, deciding and awarding bounties, setting policies, managing expectations and keeping the researchers happy. Presented at RSA Conference 2020 in San Francisco on subdomain takeovers, including prevention and detection tool, SubMon. Creating solutions and techniques to prevent / detect issues commonly reported by bug bounty researchers, reducing the overall bounties paid, and ensuring the bounty program rewards novel and technically challenging bugs, rather than automatable scan results. Creating the SubMon tool, to curb the thousands of dollars paid out in bug bounty rewards for subdomain takeovers against Starbucks subdomains, protecting customers from malicious hacker exploitation. Providing documented patterns and practices to developers, to complement the prohibitions and protections normally in application security; combining these two in a balanced way to ensure that applications are delivered on time, functioning securely. Performing penetration testing as well as dynamic security tests on existing and pre-release applications. Installing, configuring, managing and overseeing a number of different code scanning solutions (Fortify, Snyk, Veracode, Synopsys Coverity, etc) to allow software developers to find many of their bugs before engaging with the AppSec team. Consulting with developers on scale-appropriate fixes to ensure that bugs found by the hundred are fixed by the dozens. Creating and analysing Threat Models of new and existing software, to predict, recognise, and address security vulnerabilities before code is even written. Develop and deliver training for interns, application developers, and other application security team members, to improve team knowledge and understanding of application security topics.
Creating and improving on an LED display system for Diabolo ("Chinese Yoyo"), controlled by Bluetooth LE from a phone app. This has required me to learn Printed Circuit Board (PCB) design and assembly, Bluetooth LE, soldering, Arduino and mobile app development, as well as 3D design and printing. Details at https://github.com/alunmj/DiablePhone Writing a (currently unreleased) 2nd order SubDomain Takeover (SDTO) extension for Chrome / Edge, which has already earned me $5,000 in bug bounty payouts. Presented at Seattle BSides 2022, on uncommon subdomain takeover techniques, in a talk titled "I had quarter of a million Office users, and so can you", referring to a 2nd order Subdomain takeover I discovered at the setup.office.com site using my SDTO extension. Introduced the Dinkley-Rodgers quadrant diagram. Info at https://www.bsidesseattle.com/2022-talks.html Wrote a padding oracle encryption cracker for AES-CBC encryption. During my commute. On a bus. To beat the other AppSec engineers. On a CTF. Runs several times faster than PadBuster. Details at https://github.com/alunmj/PaddingOracle
Windows Credential Provider in C++ Debug & add features to C, C++, C# ASP.NET, HTML, JavaScript code related to AuthAnvil on Demand software and its components Windows Installer writing / modifying (WiXTools) Chrome / Edge / Firefox extension development Deliver training on application development security practices
Train developers & other staff in information security and secure application development - REST security, OWASP Top 10 defences, AppSec best practices, cryptography, SSO, etc Assess application security through automated tools (HPE Fortify Online), code review, threat modeling, vulnerability finding Assist Compliance team with security compliance efforts related to HIPAA, HITECH, PCI, OWASP, etc Advise CTO & CIO on application security, information security, incident response, etc Act as Information Security SME
Address information security scaling issues enterprise-wide through creation and ownership of the Security Certifiers programme, educating and empowering SDEs to provide security review and mitigation Improve security knowledge throughout the enterprise through creation and delivery of training from New Hire Orientation to advanced topics Travel to Europe for 'on-the-ground' handling of security incidents Find and demonstrate vulnerabilities in applications across web, back-end, UI, etc - SQL injection, Cross-Site Scripting (XSS), Remote Code Execution, etc Review application security at all stages of development from concept through design to development and delivery Subject Matter Expert on encryption, certificates & PKI, access controls and authentication, Single Sign-on (SSO), XSS, SQLi detection and protection