Experience

Seesaw Learning, San Francisco, CA (remote)
June 2023-September 2025
Sr. Application Security Engineer

Initial security hire on Growth and Scale team for 8m+ MAU multi-tenant SaaS student learning application. Spearheaded successful effort to achieve SOC 2 certification - established comprehensive security policy set and formalized Secure Software Development Lifecycle (SSDLC) and incident response, vendor management and risk management processes. Implemented Vanta GRC tooling, including custom integration with main application. Led internal Security and Data Privacy Working Group, coordinating security efforts with legal, customer success, IT, and HR teams. Advised engineering teams regarding application security, architecture, IdAM, and security by design at all phases of the project lifecycle. Bootstrapped and led risk assessment, threat modelling, and disaster recovery exercises. Facilitated annual penetration tests, external audits, and managed bug bounty program.

Implemented numerous features and bugfixes in Python/Typescript/React/Angular codebase as part of Core Systems team, including migrating large-scale (5m+/day) application email-sending from Mailgun to AWS SES, automating AWS key rotation, and building internal administration tooling. Implemented and supported core initial RBAC implementation, including tooling for synchronizing roles into main application database from Salesforce contracts. Triaged, mitigated and remediated internally-identified and bug-bounty-submitted vulnerability reports across the application. Reviewed feature designs and code changes from developers on multiple teams for security concerns.

Application Security Leadership Governance/Risk/Compliance Policy Development SSDLC Privacy GDPR SOC 2 Vanta Secure SDLC Python Typescript React Angular.JS AWS DynamoDB CloudFormation Troposphere Terraform DataDog Copilot

Fiveable, Milwaukee, WI (remote)
July 2021-March 2023
Sr. Full Stack Engineer - Application Security

Member of four-person development team responsible for all aspects of development on https://fiveable.me/ and related sites. Implemented application features (both frontend and backend) in two different applications, primarily Javascript/Typescript/React-based. Instrumental in setting architecture direction for the overall application. Led code maturity project, guiding team in migrating significant portions of legacy Javascript code to Typescript and modernizing backend code-base to use a well-structured architecture. Refactored local development experience to provide for a straightforward "check out and run" onboarding experience into the code.

Spearheaded migration of platforms from disparate and chaotic hosting environments into Google Cloud Platform, with consolidated and robust CI/CD pipelines. Implemented highly-scalable video-conferencing system using Jitsi software running in Google Kubernetes Engine. Consolidated numerous logging sources into single cloud log sink and implemented traceability within code to provide for better visibility of issues and troubleshooting.

Typescript React Next.JS Express.JS Node jest MongoDB Postgres Hasura GraphQL Google Cloud Platform Kubernetes Terraform SemaphoreCI Github Actions

New Context Services, San Francisco, CA (remote)
November 2019-July 2021
Principal Developer/Sr. Application Security Engineer - LS/IQ

Principal developer and customer liaison for New Context's LS/IQ virtual CISO SaaS product. Responsible for ground-up rewrite of aging Ember/Ruby on Rails/Postgres application into modern Vue.JS/Typescript/GraphQL/MongoDB application, as well as implementation of Infrastructure-as-Code for AWS-based infrastructure. Modernized legacy Jira integration and worked with Product Manager to design and develop new application features.

Worked directly with customers as "virtual CISO", to set direction and prioritize steps in their DevSecOps journey. Provided white-glove security and DevOps consulting to C-levels at multiple clients.

Typescript Vue.js Node.js cypress jest MongoDB postgres Ruby Rails Route 53 AWS ECS CloudFront Google Cloud terraform DataDog DevSecOps Gitlab nginx Jenkins Linux

October 2017-November 2019
Sr. Application Security Engineer/Solutions Architect

Consultant and team lead on multiple client projects, including Application Security program review and revitalization for worldwide insurance company, developing proof-of-concept secure IoT device provisioning system, and full-stack application development and support for production IoT platform.

Developed SoWs & project proposals, solution design and architecture, and acted as embedded project management for small development teams.

Conducted technical interviews of candidates for employment, worked with Hiring Committee for design/review of interview process, and worked closely with HR to drive focus on Diversity and Inclusion in hiring process.

IoT Javascript Angular github Splunk Azure Google Cloud Platform Threat Modeling DevSecOps Architecture SSL/TLS python Terraform PKI Hashicorp Vault Solutions Architecture nginx Linux Windows

RiskIQ, Shawnee, KS
September 2016-September 2017
Sr. Software Engineer - Engineering

Application development and support for RiskIQ's primary SaaS application. Full-stack development work in an Agile SDLC on a React-based application with Java/Grails backend. Responsible for end-to-end implementation of PingFederate-based SSO solution, including SAML2 integrations with multiple partners. Dealt with day-to-day application support, enhancements, troubleshooting, and bug fixes. Responsible for continued support and expansion of reporting system. Worked with fellow developers to remediate application security vulnerabilities and implement processes to prevent reoccurrence. Actively engaged in day-to-day support of other departments based around the globe.

Java Groovy Grails React SAML2 SSO PingFederate LDAP Malware Analysis Kafka RabbitMQ Cassandra Kibana Grafana apache Linux

August 2015-September 2016
Solutions Architect - Customer Success

Worked directly with RiskIQ customers to solve complex issues around application support and integration into customer environments. Developed RiskIQ's original Splunk and ArcSight integrations. Used Angular, jsreport, node.js, and Docker in AWS to create a custom reporting solution for Customer Success organization, including report templates, user interface, and back-end integration with company data services.

python Javascript Angular Docker Splunk ArcSight jsreport Node.js AWS mysql Linux

UMB Bank, Kansas City, MO
December 2012-August 2015
Information Security Engineer - Application Security

Spearheaded design and implementation of Enterprise XML Gateway functionality using IBM DataPower Appliances and X.509 Certificates as part of Enterprise SOA initiative. Acted as Information Security specialist on commercial banking upgrade project utilizing SOA architecture.

Acted as architect for Application Security decisions and projects within the Information Security team, as well as working heavily with other teams to create architecture standards to be used across the bank. Member of Enterprise Architectural Review Committee, providing architecture-level input and gate-level decision-making for new projects being implemented within the bank. Worked with many teams across the enterprise to maintain a good working relationship with other departments and to ensure Information Security's involvement in projects at an architectural level.

Successfully launched monthly Application Security training program based on OWASP Top 10, with average monthly attendance of 50 people.

Rockwell Collins, Cedar Rapids, IA
April 2012-December 2012
Sr. Application Security Administrator

UMB Bank, Kansas City, MO
August 2005-April 2012
Application Developer III; Sr. Data Security Engineer

Sprint, Overland Park, KS
2001-2005

Sprint Paranet, Overland Park, KS
1999-2001

US Geological Survey, Rolla, MO
1997-1999

Education

Missouri University of Science and Technology
Bachelor of Science, Computer Science

Certifications

Certificate of Cloud Security Knowledge (CCSK), July 2020
Certified Information Systems Security Professional (CISSP), December 2004 (inactive)
SANS GIAC Certified Incident Handler (GCIH), September 2007
SANS GIAC Certified Web Application Penetration Tester (GWAPT), August 2009

Volunteer

Open Web Application Security Project, Kansas City Chapter
August 2015-January 2022
Volunteer Chapter Leader

Planning monthly meetings, scheduling meeting location, contacting speakers, and providing content for local chapter of global Application Security organization.

Ragtag
August 2018-Present
Volunteer Developer

Volunteer software developer and technology adviser for various non-profit and progressive political organizations.