Note: This page is still under construction as I adapt a custom Hugo template, styling, and format.

Product Security Engineer and OSCP holder with over 10 years of experience in secure software development, secure coding best practices, developer training, code security tooling and implementation in CI/CD pipelines and local workflows, metrics and KPIs, team management, manual testing and exploitation, threat modeling, secure software architecture, usable security features, automation and security utility development, red teaming, and offensive security.

Experience

Principal Product Security Engineer

Apr 2020 - Present
iHerb • Irvine, CA
iHerb is a global online retailer of nutritional supplements and health products. As iHerb’s first senior hire, I spearheaded their first appsec program.

Security Engineering / DevOps Engineer / SRE / Cloud Engineer

Jun 2021 - Jan 2024
Self Employed Consultant
Provided freelance consulting services to various clients, focusing on application security, DevOps, and cloud infrastructure.

Application Security Senior Manager

Jan 2019 - Apr 2020
L'Oréal USA • New York, NY
L’Oréal USA is the American subsidiary of L’Oréal Group, the world’s largest cosmetics and beauty company. As the first appsec hire globally, I championed the first program for eCommerce and eMarketing sites for hundreds of brands on the SFCC platform and on CMS systems like Sitecore and WordPress, while also starting the first red team to exploit internal systems, including POS devices in stores.

Application Security Consultant

Aug 2015 - Dec 2018
L'Oréal USA • New York, NY
L’Oréal USA is the American subsidiary of L’Oréal Group, the world’s largest cosmetics and beauty company. As a full time consultant I focused solely on security for their global eCommerce initiative.

Consultant

Jan 2013 - Aug 2015
CTI Global • New Town, PA
CTI helps customers solve their Identity challenges through advisory services and assessments, focused IAM projects, support services, and staff augmentation. At CTI I was a GRC consultant, Postini email security specialist, MobileIron BYOD specialist, and Google Workspace specialist performing sales engineering, migrations, implementations, and support for large clients like the UNFPA.

Web Developer

Sep 2010 - Dec 2012
A full-service automotive digital marketing agency committed to delivering exceptional customer service and tailored, data-driven strategies that drive results and empower dealerships of all sizes. At PCG I started as an SEO specialist but quickly found a passion in web development and moved to that team in my first year, teaching myself how to code at night. I was eventually building WordPress themes, plugins, and bespoke marketing apps on the LAMP stack.

Consultant

Jan 2004 - Dec 2010
Intron Group
A boutique IT consulting firm specializing in small to large enterprise IT solutions. Here I implemented and supported the IT needs of small to medium-sized businesses: networking, Active Directory, email, firewalls, printers, etc.

Certifications

  • Offensive Security Certified Professional (OSCP)

Skills

Software I’ve worked on

  • Containerized backend web services
  • CLIs
  • Automation systems
  • API clients
  • Event consumers and producers
  • Exploits
  • Web and mobile front ends

Languages I’ve Reviewed

  • Python (Django, FastAPI, Flask, ML)
  • JavaScript (React, Next.js, TypeScript)
  • Golang (Cobra, APIs)
  • C# (.NET)
  • Swift
  • Kotlin
  • Java (Spring)

Languages I’ve Coded

  • Python (Django, FastAPI, Click, Celery)
  • Golang (Cobra, GORM, native HTTP)
  • JavaScript/TypeScript (web crawlers, bots, Atlassian Forge, CDK)
  • Rust (serde, actix)
  • Shell
  • PHP (WordPress themes and plugins, CodeIgniter, CakePHP)
  • C (exclusively for exploit development or modification)
  • HTML/CSS (everyone starts somewhere :D)
  • Google Apps Script (Google Sheets apps)

Application Security Tools

  • SAST: Coverity, Checkmarx, Snyk, Semgrep, Veracode, Bandit
  • SCA: Snyk, OSV-Scanner, Lacework code scanning, JFrog Xray, Dependency-Track
  • SBOM: CycloneDX

CI/CD

  • Jenkins (declarative or scripted)
  • Bitbucket pipelines
  • Azure Pipelines

IaC

  • Terraform
  • AWS CDK

Cloud

  • Azure AKS
  • AWS EKS
  • AWS ECS with Fargate
  • AWS Lambda
  • Cloudflare Workers
  • AWS SNS
  • AWS SQS
  • AWS S3