Experience

Fiveable, Milwaukee, WI (remote)
July 2021-present: Sr. Full Stack Engineer - Application Security

Member of four-person development team responsible for all aspects of development on https://fiveable.me/ and related sites. Implemented application features (both frontend and backend) in two different applications, primarily JavaScript/TypeScript/React-based. Highly involved in setting architecture direction for the overall application. Led code maturity project, guiding team in migrating significant portions of legacy JavaScript code to TypeScript, and modernized backend code-base to use a well-structured architecture. Refactored local development experience to provide for a straightforward "check out and run" onboarding experience into the code.

Spearheaded migration of platforms from disparate and chaotic hosting environments into Google Cloud Platform, with consolidated and robust CI/CD pipelines. Implemented highly-scalable video-conferencing system using Jitsi software running in Google Kubernetes Engine. Consolidated numerous disparate logging sources into single cloud log sink and implemented traceability within code to provide for better visibility of issues and troubleshooting.

Skills: TypeScript, React, Next.js, Express.js, Node, Jest, MongoDB, Postgres, Hasura, GraphQL, Google Cloud Platform, Kubernetes, Terraform, SemaphoreCI, GitHub Actions

New Context Services, San Francisco, CA (remote)
November 2019-July 2021: Principal Developer/Sr. Application Security Engineer - LS/IQ

Principal developer and customer liaison for New Context's LS/IQ virtual CISO SaaS product. Responsible for ground-up rewrite of aging Ember/Ruby on Rails/Postgres application into modern Vue.JS/TypeScript/GraphQL/MongoDB application, as well as implementation of Infrastructure as Code for AWS-based infrastructure. Re-implemented legacy Jira integration and worked with Product Manager to design and develop new application features.

Worked directly with customers as "virtual CISO", to set direction and prioritize steps in their DevSecOps journey. Provided white-glove security and DevOps consulting to C-levels at multiple clients.

Skills: TypeScript, Vue.js, Node.js, Cypress, Jest, MongoDB, Postgres, Ruby, Rails, Route53, AWS, ECS, CloudFront, Google Cloud, Terraform, DataDog, DevSecOps, GitLab, GitLab CI, nginx, Jenkins, Linux

October 2017-November 2019: Sr. Application Security Engineer/Solutions Architect

Consultant and team lead on multiple client projects, including Application Security program review and revitalization for a worldwide insurance company, proof-of-concept secure IoT device provisioning system development, and full-stack application development and support for a production IoT platform.

Statement of Work & Project Proposal authoring/review, solution design and architecture, project estimation and project management.

Technical interviewing of candidates for employment; member of Hiring Committee for design/review of interview process; worked closely with HR to drive focus on Diversity and Inclusion in hiring process.

Skills: IoT, JavaScript, Angular, GitHub, Splunk, Azure, Google Cloud Platform, Threat Modeling, DevSecOps, Architecture, SSL/TLS, Python, Terraform, PKI, HashiCorp Vault, Solutions Architecture, nginx, Linux, Windows

RiskIQ, Shawnee, KS
September 2016-September 2017: Sr. Software Engineer - Engineering

Application development and support for RiskIQ's primary SaaS application. Full-stack development work in an Agile SDLC on a React-based application with Java/Grails backend. Responsible for end-to-end implementation of PingFederate-based SSO solution, including SAML2 integrations with multiple partners. Dealt with day-to-day application support, enhancements, troubleshooting, and bugfixes. Responsible for continued support and expansion of reporting system. Worked with fellow developers to remediate application security vulnerabilities within the application, and implement processes to prevent them from reoccurring. Actively engaged in day-to-day support of other departments based around the globe.

Skills: Java, Groovy, Grails, React, SAML2, SSO, PingFederate, LDAP, Malware Analysis, Kafka, RabbitMQ, Cassandra, Kibana, Grafana, Apache, Linux

August 2015-September 2016: Solutions Architect - Customer Success

Worked directly with RiskIQ customers to solve complex issues around application support and integration into customer environments. Developed RiskIQ's original Splunk and ArcSight integrations. Used Angular, jsreport, node.js, and Docker in AWS to create a custom reporting solution for Customer Success organization, including report templates, user interface, and back-end integration with company data services.

Skills: Python, JavaScript, Angular, Docker, Splunk, ArcSight, jsreport, Node.js, AWS, MySQL, Linux

UMB Bank, Kansas City, MO
December 2012-August 2015: Information Security Engineer - Application Security

Spearheaded design and implementation of Enterprise XML Gateway functionality using IBM DataPower Appliances and X.509 Certificates as part of Enterprise SOA initiative. Acted as Information Security specialist on commercial banking upgrade project utilizing SOA architecture.

Acted as architect for Application Security decisions and projects within the Information Security team, as well as working heavily with other teams to create architecture standards to be used across the bank. Member of Enterprise Architectural Review Committee, providing architecture-level input and gate-level decision-making for new projects being implemented within the bank. Worked with many teams across the enterprise to maintain a good working relationship with other departments and to ensure Information Security's involvement in projects at an architectural level.

Successfully launched monthly Application Security training program based on OWASP Top 10, open to interested parties across the UMB footprint, with average monthly attendance of 50 people.

Skills: IBM DataPower, X.509 Certificates, PKI, F5 BIG-IP, Service-Oriented Architecture, Enterprise Architecture, Application Security, SAST (Fortify), DAST (WebInspect), VMware ESX, Oracle, DNS, XML/XSL/XSLT, SOAP

Rockwell Collins, Cedar Rapids, IA
April 2012-December 2012: Sr. Application Security Administrator

Lead for enterprise Application Security initiative. Responsible for creating, presenting, and implementing strategy and roadmaps for Application Security and Cloud Security, and developing policy and process documents for Encryption and Secure Coding Standards. Interfaced with senior management and enterprise architecture team to integrate roadmaps and strategy plans into corporate strategies. Acted as Information Security representative on enterprise projects to create awareness of potential application security issues.

Engaged in application and network penetration testing activities, including hands-on penetration testing of embedded systems and web applications, liaising with third-party penetration testers, and working with application developers to provide guidance and direction for remediation of vulnerabilities.

Actively involved in day-to-day administration, configuration, and troubleshooting of application gateway systems, including Imperva Web Application Firewalls (WAFs) and Cisco ACE XML Gateways. Developed requirements for XML gateway replacement project and aided in planning for WAF upgrade through multiple major versions.

Skills: Security Strategy, Application Security, Penetration Testing (nmap, Burp Suite, scapy, Kali Linux), Imperva Web Application Firewalls (WAF), Cisco XML Gateway

UMB Bank, Kansas City, MO
July 2011-April 2012: Application Developer III - Java, UMB Application Development

Designed and developed audit log aggregation and analysis infrastructure, to facilitate passing of user event stream to outside partner for analysis. Developed Java Data Access Object (DAO) interface to Splunk log aggregation system to enable querying of Splunk from Java code. Wrote python scripts to augment log data from LDAP directly in Splunk. Configured parsing and querying within Splunk.

Rebuilt/upgraded Java revision-control and continuous integration (CI) infrastructure to enable a higher level of automation for code deployments. Worked with Network Engineering team to implement F5 iRules for SSL certificate-based authentication for SOAP- and REST-based web services.

Acted as a liaison between Application Development and Data Security teams, presenting relevant web application security and infrastructure topics to development teams. Worked closely with many parts of the IT organization to quickly troubleshoot, fix, and provide recommendations for remediation of customer-impacting issues.

Skills: Java, Splunk, C#, .NET, Python, LDAP, SOAP, REST, F5 BIG-IP, X.509 Certificates, RSA SecurID, Authentication, Authorization, Application Security, Jenkins, Artifactory, Subversion

August 2005-July 2011: Sr. Data Security Engineer

Member of a six-person team responsible for all aspects of Data Security. Acted as subject matter expert for web application security and authentication/access control, making strategic and architectural decisions in those areas and working closely with development and systems teams to implement directives. Active in most day-to-day operations of the team, including Identity Management, authentication, encryption, firewalls and network security, and intrusion detection systems (IDS). Responsible for providing guidance to QA and development teams on identifying and remediating application security vulnerabilities.

Chief driver for multiple technology refresh and implementation projects, including Novell Access Manager deployment and Identity Management System upgrades. Worked closely with members of multiple departments and teams as well as outside contractors to coordinate and manage implementations of infrastructural projects. Developed numerous tools, libraries, and systems to close security vulnerabilities, improve incident response, and eliminate day-to-day workload for the entire team.

Skills: Snort IDS, Perl, Java, Check Point Firewalls, SMTP, RADIUS, Oracle, Novell Access Manager, Novell Identity Manager (IDM), VMware, Archer GRC, IPsec VPN, E-Mail Gateways, Authentication, Encryption, Vulnerability Management

Sprint, Overland Park, KS, 2001-2005
Sprint Paranet, Overland Park, KS, 1999-2001
US Geological Survey, Rolla, MO, 1997-1999

Education

Missouri University of Science and Technology, 2003: Bachelor of Science, Computer Science

Certifications

Certified Information Systems Security Professional (CISSP), December 2004, Certificate #67579
SANS GIAC Certified Incident Handler (GCIH), September 2007 (expired)
SANS GIAC Certified Web Application Penetration Tester (GWAPT), August 2009 (expired)

Volunteer

Open Web Application Security Project, Kansas City Chapter
August 2015-January 2022: Volunteer Chapter Leader

Planning monthly meetings, scheduling meeting location, contacting speakers, and providing content for the local chapter of a global Application Security organization.

Ragtag
August 2018-Present: Volunteer Developer

Volunteer software developer and technology adviser for various non-profit and progressive political organizations.