Seasoned Application Security and Offensive Security professional. I can build a vulnerability management program, run red team exercises, or find 0-days and develop exploits depending on what you want to pay me to do.
I'm also an experienced developer, though at this point in my life I mostly prefer to code in Python unless there is an application specific need for another language.
Hobbies include gardening, tending chickens and ducks, playing with my dogs, sewing, pottery, generic yard work and home improvement. I've visited 25 countries and enjoy international travel.
GlossGenius Feb 2023 - Present
Created an Application Security program from scratch, including but not limited to a Vulnerability Management Program, Design Document Security Reviews, and Feature Penetration tests.
Establishing the vulnerability management program included:
- Deploying SAST across our engineering organization
- Creating a way to manage vulnerabilities from various sources in our ticketing system
- Defining roles and responsibilities for both security and engineering
- Establishing SLAs for remediation
- Gaining buy-in from leadership across the org
- Automating ticket creation, assignment, and resolution where possible
- Creating vulnerability deferral and acceptance processes
- Creating actionable metrics to inform on program health
- Creating automations to alert on SLA violations
After creating the Vulnerability Management program I analyzed our vulnerabilities by classification and prevalence, and identified that 90% of our vulnerabilities could be attributed to container security concerns or the use of vulnerable components. I worked with engineering to reduce the number of containers used across the organization, and replace the containers with slimmer containers. I then worked with infrastructure and engineering teams to deploy a Dependency Management solution org-wide, thus minimizing the engineering workload required to address vulnerabilities associated with the use of vulnerable components.
I also created and implemented a Design Document Security Review process to integrate security into the design phase of our SDLC. To date multiple architectural and implementation vulnerabilities have been preempted by this process.
I also conduct penetration tests and handle ASV scans for compliance efforts and create developer resources.
Jhowillies LLC Nov 2020 - Present
- Co-founded and established a company using a work-for-hire software development consultancy model.
- Worked to establish a niche by restricting our offerings to highly specialized web applications solving business logic problems that cannot be solved with existing commodity software.
- Established foundational practices allowing Jhowillies to ship reliable code quickly.
- Fostered and established a security-first development culture, allowing Jhowillies to acquire risk-averse clients.
- Accomplished 100% client retention over the lifetime of the company, using bespoke consulting arrangements and continuous feedback to turn customers' ideas into reality.
- Guided junior staff through project tasks and professional development.
Datto, Inc Nov 2020 - Feb 2023
Performed full "Gloves Off" red team exercises focusing on realistic adversary emulation. True red team exercises allowed us to test the efficacy of our security controls and discover the true impact an adversary could have on the organization. These exercises focused on initial access, gaining persistence, pivoting laterally and escalating privileges, and data exfiltration.
Worked to develop the concept and initial iteration of a Tactical Advanced Phishing Exercise, focusing on bypassing security controls and divining true impact in terms of susceptibility and blast radius. The initial exercise was a great success and data was used to drive adoption of FIDO2 YubiKeys and WebAuthn. The exercise served as a foundation for subsequent phishing tests performed by the red team.
Solved the endemic problem of attack surface enumeration with a large internal network stack containing over 40,000 devices across multiple disparate WANs and LANs by developing a distributed scanning orchestration framework in Python that could continuously enumerate both the internal and external attack surfaces and aggregate the results.
Solved the endemic problem of grouping similar web applications and devices in huge network scans using distributed screenshots and image deduplication.
Performed penetration tests and vulnerability assessments. Created standardized templates for Penetration Test notes and reports.
University of Central Florida · Contract Jan 2021 - Mar 2021
Associate Instructor for "Introduction to Python for Security". Assisted with lab exercises and facilitated classroom logistics.
New Jersey Institute of Technology · Contract Jan 2021 - Mar 2021
Associate Instructor for "Introduction to Python for Security" and "Ethical Hacking". Assisted with classroom logistics. Ran labs demonstrating common offensive security techniques. Graded assignments and assisted with extra individual instruction.
Lodestone Security Nov 2018 - Present
Project lead on numerous vulnerability assessments, penetration tests, and OSINT projects. Developed a system to automate OSINT procedures and developed a reporting system in Python and Flask to process vulnerability scans and simplify the reporting system, increasing the productivity and utilization of consultants throughout the company.
Candor (via Acquisition of Tenex Developers) Jan 2018 - Oct 2018
Worked on the backend and frontend of an iOS React application to match users with health insurance plans available to them based on their specific needs. (Ruby on Rails, golang, React, React Native)
Tenex Developers Jan 2017 - May 2018
First non-founding employee of Tenex Developers.
Worked remotely on multiple projects requiring both full-stack and DevOps skills. At Tenex I was project lead on two projects, one Angular and Ruby on Rails application and one Python Flask machine learning application. I also worked to migrate projects from various cloud hosting services to k8s running on Google Cloud. My favorite aspect of the work was working remotely and being largely independent. From a technical aspect I really enjoyed working with Ruby on Rails and Python scikit-learn.
FactSet Research Systems Jun 2012 - Jul 2015
Central Authentication Group - Developed a distributed, authenticated reverse proxy for a service oriented architecture. Developed a web authentication portal. Responsible for deprecation of and transition from legacy authentication systems. Developer for a distributed message bus system.
Security Assurance Group - Performed web application security assessments on internal products. Threat modeled internal infrastructure. Administered and tuned web application firewalls.
Security Assurance Intern (Jun 2011 - Nov 2011) - Wrote fuzzers. Audited custom filesystems. Developed security and authentication systems.
MITRE Jun 2010 - Aug 2010
Developed software to allow realistic IP network simulations using layer 1 data derived from AGI Satellite Toolkit scenarios.
Rensselaer Polytechnic Institute · Bachelor of Science (BS), Computer Science and Psychology, GPA 3.82, 2008 - 2012
- Tau Epsilon Phi Fraternity House Computing Chair
- Tau Epsilon Phi Fraternity House Scholarship Chair
- OpenEMR
- Metasploit
- Rails Assets
- OpenEMR: CVE-2019-16404, CVE-2019-16862, CVE-2019-17179, CVE-2019-17409
- Blaauw Kilns Remote Kiln Control: CVE-2019-18865, CVE-2019-18868, CVE-2019-18867, CVE-2019-18864, CVE-2019-18866, CVE-2019-18872, CVE-2019-18870, CVE-2019-18871, CVE-2019-18869