United States
Security engineer and architect with 30+ years building and securing software at scale — from authoring runtime security tooling for the Java platform (1B+ devices) to leading product security for Oracle NetSuite and Yahoo properties handling 80B+ transactions per day. I write the tools, ship the code, and bring the research to the stage. Signature work: Creator of JVMXRay, an open-source IAST that brings observability-grade runtime visibility to security; 19 modular sensors injected into the JVM monitor file, network, SQL, crypto, auth, and process activity without code changes. Creator of DeepViolet, the TLS/SSL analysis engine adopted by OWASP ZAP and powering ~9.5M monthly security scans. Founded and led the JavaOne security track (2013–2017). Featured presenter at the Black Hat USA Executive Summit (2013) alongside Alex Stamos and General Keith Alexander. Technical Editor/contributor to the Iron-Clad Java book. Open to: Distinguished/Principal Security Engineer, Security Research, and Leadership roles, remote or hybrid — where I can contribute to runtime observability, build runtime defenses, mature an AppSec program, harden cloud and JVM workloads, or take on emerging AI/ML security problems.
Develop and code specialized security automation tools. Present and past projects include: OWASP DeepViolet for TLS/SSL analysis of SaaS services, OWASP Security Logging Project, and JVMXRay (an open IAST) for near real-time analysis of application access to protected resources. Collaborate with industry on technology projects. Socialize security and projects at application security industry forums/events. Seed internal security projects.
Security architecture, secure coding & review, and education. Mostly in the area of Java security education materials for engineers/architects. However, due to my high-quality results I was asked to do a few projects outside my area of expertise, like vehicle security: CAN bus, infotainment systems, and TPMS (tire pressure management systems).
Lead global team of security engineering professionals for the NetSuite product division. My responsibilities include:
* Partner with key product development leaders to ensure security is incorporated in all customer-facing product offerings.
* Build out team of security professionals to support the global product security program.
* Spearhead strategic vision to manage both internal and external risks associated with our products.
* Define scope and priority matrix to help focus efforts in the appropriate direction.
* Lead efforts to influence positive security improvement throughout all levels of the software development process.
* Build working relationships and educate business stakeholders to improve product and application security processes.
* Contribute to maturing process, policy, and standards guidance. Ensure excellent consistency, documentation, and process across all programs.
* Collaborate with other departments (e.g., Risk Management, Internal Audit, HR, Legal, etc.) to direct compliance issues to appropriate existing channels for investigation and resolution.
* Work with business units to identify, capture, escalate, and close security vulnerabilities found in NetSuite services; make recommendations and coordinate remediation with Engineers.
* Communicate relevant business impacts to executives for high-profile incidents in the press. Recommend courses of action as a trusted business partner.
* Assist Compliance function by coordinating technical assessments required for certification activities.
* Participate at industry application security forums and events with a specific focus on the cloud application and service technology stack.
* Lead Engineers to develop complex software security tooling supporting unique business needs of the NetSuite cloud environment.
Engage as a security consultant on highly strategic projects that span business units. Provided security consultation for projects like Oracle's IoT efforts, project Draco which is now the OCI Cloud platform, and influence development of internal PaaS frameworks. Other areas of impact include:
* Develop innovative security tooling for use in the cloud environment like the OWASP DeepViolet TLS/SSL scanning API/tool set.
* Project Leader and Developer for both OWASP DeepViolet and OWASP Security Logging projects.
* Java Security Content Chair and leader for Oracle's JavaOne software developers conference event in San Francisco.
* Participate at industry security events and forums.
Responsible for Java platform security, which includes products like Java SE, JavaFX, Java Embedded, and JavaCard. I am also a lead contributor to Oracle’s Internet of Things project. My security role is a strategic position of influence and not a traditional PM role.
• Top security leader in a global organization of 650+ software development team
• Develop Java platform strategic security vision touching 1+ billion devices and millions of developers
• Founder and leader of the security track at Oracle’s JavaOne software developers conference. Over 8000 software developers attend JavaOne.
• Respond to important security escalations. Communicate externally with security researchers on technical concerns
• Establish key partnerships with customers, industry groups, industry analysts, and governments around the world
• Influence development of platform security features, remediation, develop policies, internal communications, IP violations, and broad legal concerns
Top representative on Java security matters both internally and externally for Oracle. Represent Oracle and the Java team around the world at industry events.
Engage business and technical leads across organizations to solve hard security problems. Drive consensus for solutions, project architecture review, manage security professionals assigned to local and remote teams, and draft security policies.
• Top security leader for Yahoo User Data Analytics property receiving over 80 billion transactions per day, on 450,000 servers, across 36 data centers around the globe
• Lead security for the following Yahoo global properties: analytics, video, mobile, and grid computing
• Perform project security architecture review and make recommendations to ensure products deploy securely
• Assist in the development and implementation of global software development and IT security policies across all Yahoo properties
• Measure security programs for effectiveness and make recommendations
• Visit and liaise with software development locations and engineers around the globe
• Review and approve security and project resource requests (e.g., grid computing resources, firewall rules, etc.) for all products under my purview
• Lead and host enterprise security triage program for all Yahoo properties
Respond to engineering inquiries regarding security. Provide expert leadership to Engineering for project security concerns and challenges. Negotiate contracts with vendors.
Develop and manage global Security Engineering team for one of the largest cloud application companies in the world. Develop and manage security controls throughout the development lifecycle: architecture, static analysis, dynamic analysis, vulnerability management, compliance, etc.
• Manage global Security Engineering team (Shanghai and US)
• Develop and monitor automated security controls within the software development lifecycle
• Report to CIO and regularly deliver security progress to C-level executives
• Manage security concerns for transition of corporate acquisitions. Assisted with purchase and integration of companies like CubeTree and Plateau
• Foster deep customer adoption of cloud products by reducing security concerns: evangelize security, white papers and books, and speaking engagements as required
Provide expert leadership to customers and engineering for project security concerns and challenges. Negotiate contracts with vendors.