Pittsburgh, Pennsylvania, United States
Hi friends! I am a Penn State and Carnegie Mellon graduate managing the advisory database at GitHub. I am an extremely driven person who is passionate about vulnerability reporting and coordination, technology for the social good, video games, and animals (especially cats). I also enjoy mentoring young women who are new to information technology and promoting diversity and inclusion within the field of cybersecurity. I participate in a few community organizations, such as the OpenSSF, CVE Board, and the Pennsylvania State University College of IST Alumni Board.
I manage the Advisory Database security and engineering teams within the GitHub Security Lab. https://github.com/advisories
I manage a small team of individual contributors within the Advisory Curation team that is part of the Security Labs organization. My team manages the content within the database that powers Dependabot and other automated vulnerability notification tooling, and operates one of the highest assigning CVE Naming Authorities (CNA). As part of this role, I am also involved in the CVE community working groups and Open Source Security Foundation (OpenSSF) community working groups.
I worked alongside other members of the GitHub Security, Engineering, Legal, PR, and Support teams to coordinate incident response across the platform. I investigated malicious or anomalous activity, coordinated technical response and incident communications, and worked to turn security incidents into opportunities to better secure GitHub and the internet at large through comprehensive incident retrospectives. I also helped manage the GitHub product-focused CVE Naming Authority (CNA). During my brief tenure in this role, I was a lead analyst and coordinator for the GitHub response to these high-profile incidents:
- CVE-2021-41117, Weak SSH Key Generation Fix in GitKraken v8.0.1, which resulted in GitHub revoking all keys generated by vulnerable versions of the GitKraken client. https://github.blog/2021-10-11-github-security-update-revoking-weakly-generated-ssh-keys/
- CVE-2021-44228, log4shell, which resulted in a lot of high-intensity coordination among the entire security community. https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/
As an alumna of the College of Information Sciences and Technology, I was voted into the board in 2018. I was also elected to serve as an officer of the board as the Secretary. During my time on the board, we have created the College's first Alumni funded endowment that gives financial awards to student organizations.
Professor of IR 462 - Applied Threat Systems. This course seeks to broaden the perception of how organizations perceive digital vulnerabilities, exploitation, malware, network communications, memory forensics, and malicious actors in general. Moreover, the work focused on advanced threat detection, as well as integrated approaches for solutions across the digital attack surface. The semester included hands-on labs and culminated in the students analyzing either open source or self-gathered honeypot data to detect threats.
As a Member of the Technical Staff at the SEI, I worked specifically in vulnerability coordination and acted as the coordination lead for the last 7 months of my tenure. I worked with organizations and researchers across the globe to responsibly disclose vulnerabilities, which included coordinating technical information, patches, disclosure dates, and more between many different stakeholders. I also actively participated in the CVE Program and FIRST SIGs on behalf of the CERT/CC and contributed back to both of these communities. I also helped develop and deliver a Vulnerability Response Capability Development for PSIRT Teams course from the Software Engineering Institute, on demand for customers and at conferences.
I worked as an intern on the Threat and Vulnerability Analysis team. I worked on a number of different projects, including triaging and managing vulnerabilities for the Department of Defense's Vulnerability Disclosure Program (Hack the Pentagon), where I personally worked on over 250 different reports. I also performed various vulnerability management software reviews for government sponsors and completed vulnerability research on embedded devices.
Responsible for supporting consulting staff on a variety of security projects, including cloud computing and risk assessments, SharePoint, and corporate phishing awareness.