Chris Partridge

Scaling CloudSec & AppSec @ Amazon

United States

About

Experience

  • Amazon (Remote)
    • Senior Security Engineer, Engineering Manager
      Apr 2024 - Present · 2 yrs 4 mos

      Increased scope to manage Amazon's Cloud Security team, with 12 Security Engineers + 1 TPM. ROI is always in style, and we ensure that Amazon teams can build in the cloud easier, safer, and faster. We build security in (fast and easy!) instead of ticketing about security later (slow and awful!). My organization blends security and software expertise to develop both Amazon-internal and public AWS security tools, such as CDK Blueprints (https://docs.aws.amazon.com/cdk/v2/guide/blueprints.html).

    • Security Engineer II, Engineering Manager
      Nov 2023 - Apr 2024 · 6 mos

      I was the lead engineer for a specialist team securing Amazon's last-gen and next-gen cloud environments. We designed security controls for critical cloud workloads at Amazon, advised internal engineers across software and security teams, supplemented visibility and internal auditing capabilities, and designed and implemented architectural guidance which we (hope) will last Amazon for over 20 more years. Directly managed a team of three multifaceted security engineers, who fused InfoSec, Cloud, SoftEng, Pentest, and ML skills to achieve our team's ambitious goals. While we were still in the early days of my team at Amazon, I'm proud to say that we started crushing major goals and wiped enough annualized risk off our ledger to justify the team's existence within a quarter.

    • Security Engineer II
      Jul 2022 - Nov 2023 · 1 yr 5 mos

      I was responsible for leading internal cloud security and application security projects across all stages of their lifecycle, and providing feedback to both my team and other teams on projects they lead based on my experience at Amazon and broad background outside of Amazon. While deprecating legacy security software, I noticed that Amazon didn't have tools that my team needed to effectively secure certain web applications - so I designed, built, integrated, and scaled these tools from scratch. These tools are now used to scrutinize Amazon's web assets both on the perimeter and internally, are used by teams across Cloud Security and Vulnerability Management, and are an integral part of how SDO ensures millions of applications are properly secured. My product significantly improved accuracy for our security campaigns (improving relationships with developer teams), produced new insights for security teams, and opened new frontiers for security assurance within Amazon. Finally, I lead the internal SDO Security Research Group, where staff can develop themselves through independent or collaborative exploration of the Information Security field.

  • Adjunct Faculty at Rochester Institute of Technology
    Jan 2023 - Present · 3 yrs 7 mos

    Lecturer within RIT's Computing Security department as a professor of practice.

  • Member at Machines Never Sleep, LLC
    Jun 2018 - Nov 2022 · 4 yrs 6 mos

    Machines Never Sleep LLC was a cybersecurity research company I founded for fun & (no) profit. We hunted for vulnerabilities across the internet, found plenty of things we shouldn't have found, privately disclosed issues, and got some cool stuff fixed. MNS LLC gradually dissolved as we all got busier with our day jobs, and many members are now Sr./Principal track in their own software and security careers.

  • Security Engineer (Tier 3), Vulnerability Management at Luta Security
    Jun 2020 - Jul 2020 · 2 mos

    Worked on a vulnerability management team for Zoom Video Communications, Inc., eliminating zero-day risks. Performed gap analysis on Zoom's vulnerability handling process maturity, and advised on improvements to streamline internal and external interactions, tracking, and remediation. A statement on Luta's work with Zoom is available here: https://www.lutasecurity.com/post/luta-security-highlights-for-zoom-bug-bounty-programs

  • Datto, Inc. (Full-time · 1 yr 5 mos)
    • Product Security Engineer
      Dec 2019 - May 2020 · 6 mos

      (PRE-KASEYA) Took on application security leadership role for Datto Networking and implemented strong product security practices modeled after BSIMM. Improved security posture across all layers of the product stack: web, cloud, and firmware. Time was spent across three main areas: people, process, and technology.

      People: Participated in architectural design discussions for new products and systems to advocate for sensible security measures that would enable Datto Networking to build a resilient product stack. Provided security training with a focus on engagement, effectiveness, and retention. Built internal security guild to help broker information exchange between engineering, product, and security.

      Process: Introduced shared security responsibility to the agile SDLC across four core teams, shifting security feedback and modelling left without introducing frustrating or cumbersome policies. Assisted organization in deploying security practices and policies to conform with compliance standards such as SOC2, GDPR, and PCI.

      Technology: Added security intelligence and auditing capabilities, without generating friction, to many components of the software development lifecycle. Expunged entire classes of vulnerabilities from production code where needed and built scalable processes to prevent regression. Performed incident response duties, threat modelling, and other corporate security functions where desired.

    • Software Engineer I
      Jan 2019 - Dec 2019 · 1 yr

      (PRE-KASEYA) Joined the vertically-integrated Agile SCRUM development team responsible for the Datto DNA, a high-performance cloud-managed router that provides business & network continuity to SMBs around the world. Participated in all aspects of the software development lifecycle with an emphasis on secure software analysis, design, implementation, and testing. Notable technical contributions include moving infrastructure to a fully orchestrated and modernized stack, revamping CI/CD integrations, penetration testing riskier new features to ensure continuous security of the product, developing new features and integrations related to big data for analytics, and more. Assisted in the hiring process for new engineers, both screening and conducting paired interviews. Inherited a summer intern and provided guidance, onboarding and offboarding appropriately, and technical mentorship where desired.