United States
Security Leader with engineering, management, mentorship, and thought-leadership experience. Over a decade of experience building security departments, teams, and processes to deliver trustworthy software to customers and users. Strengths include the ability to write code to solve problems and lead programs to steer company direction, thinking both strategically and tactically to deliver results, integrating a culture of security into a company, team leadership, security engineering, vulnerability management, cloud security, access management, and security architecture.
Build and manage 3 Product Security Engineering teams at Discord. Work with teams across the company in Product, Safety, Infrastructure, Comms, and Legal.

Application Security:
- Securing the internal Developer Experience and SDLC
- Building developer-friendly Security Controls (both libraries and CLIs)
- Implemented tailored Static Analysis to deliver high-quality results in < 5 minutes
- Delivering customized Security Training for Developers

Security Features:
- Securing the product by building new user-facing features
- Defeat Account Takeovers with novel and holistic approaches
- Implementing WebAuthn and passkeys

Vulnerability Management:
- Handle security reports, bug bounty, and findings across the product
- Manage and grow the bug bounty
- Implement bug bounty campaigns to target new/high priority areas of the product
- Create and deliver useful KPIs and metrics for teams and Directors to show our security maturity
Built the Product Security department
- Application Security team: Securing the Code SDLC and development of both legacy and new platforms
- Infrastructure Security team: Securing the Cloud SDLC and design of a secure AWS system
- Enhance Security Maturity
- Provide cutting-edge services to internal developers
- Foster a security-aware culture and secure-by-design architecture

Major projects:
- Policy-Based Authorization architecture and rollout
- Secure Secrets Management architecture and operation with Vault
- Zero-Trust networking and cross-cloud mTLS
- Secure SDLC process, including Secure Coding Standards

Program with a "Shift Right" mentality:
- Collaborate with Architects for end-to-end security
- Teach and utilize Threat Models for all designs
- Embed ProdSec experts in high-profile teams
- Influence organization priorities and direction
- Ensure customer security expectations are met or exceeded

Open Source Automation:
- Watchtower: Automated Static Code Analysis and image security reports
- Synapse: Metrics aggregation for Security Scorecards
- Blueprint: Simplified Policy creation with OPA's Rego Language
Lead for the Advanced Security group
- Research and Development projects
- Security Assessment activities
- Automating Security

Leadership:
- Led team focused on R&D engineering and security research, managing tasks and projects across the team
- Implemented Scrum methodologies for faster project results and clear communication with management
- Mentored team members
- Trained new staff (grew from 3 to 10 in 1 year)

Security Engineering:
- Integrated multi-layer security automation into SDLC to prevent vulnerabilities reaching customers
- Developed a Static Code Analysis tool to track data flow and identify vulnerabilities in 5 languages
- Created "Default Secure" control libraries to streamline code development
- Designed and implemented CSRF prevention framework and led a team to develop a unique, patented approach

Community Engagement:
- Established the Security Champions program for Commerce Cloud
- Acted as a security subject matter expert for customer-related issues
- Collaborated with OWASP Boston Chapter for meetups and training sessions
Customer First
- Streamlined Support department to handle security inquiries, reducing Time to Close on requests by hours
- Developed interactive learning modules for customers and partners to learn about vulnerabilities through hands-on labs
- Collaborated with CISOs and customer leaders to align security expectations with Demandware's posture

Security Assessment
- Conducted thorough assessments of new features and products
- Developed a standardized Security Assessment Process for consistent pentesting and reporting
- Performed rigorous black and white box tests to uncover critical vulnerabilities

Security Engineering
- Integrated automated security tools into SDLC to catch vulnerabilities early and protect customers
- Led Engineering projects as Project Manager, ensuring secure APIs and customer interfaces
- Implemented context-sensitive XSS protection, allowing customers to remove vulnerabilities and secure their code without disruption
- Built security libraries to remove classes of vulnerabilities (XSS, Cross Frame Scripting, CSRF) automatically
- Created self-service tool to automatically analyze pre-packaged plugins built by Pega for security issues
- Implemented security tooling into SDLC to automatically find and alert on custom vulnerabilities
- Fostered a security culture with security training and customized engineering how-tos