Anton Abashkin Email and Phone Number
Anton Abashkin (CSSLP) is a lead application security engineer with experience in large, complex enterprise environments such as eBay and agile, hypergrowth companies such as Automation Anywhere, where he delivered application / software security at scale and speed.

During the past 10 years, he has worked on every aspect of the secure SDLC. This includes training, security requirements management, secure design & architecture review, secure coding & implementation, security testing & pentesting, as well as secure release & deployment. He demonstrates strong leadership and teamwork skills, working with recent hires to improve their understanding of the organization and its technology, or by leading a group of engineers to release a secure product.

Anton can help bridge the gap between security, development, and business. He is a competent technologist that feels comfortable sitting down with engineers and diving directly into design & code. Additionally, he has the business and professional skills to communicate clearly with a large number of different stakeholders, driving everybody towards reaching a mutually satisfying solution. Anton feels comfortable and has extensive experience with presenting to large groups of technologists and upper management on a variety of topics.

Technologies: Java, Spring, Python, Django, JavaScript/NodeJS, Android, Linux, bash, Selenium, Git, Jenkins, Docker, Kubernetes, DAST (Arachni, ZAP, Burp Suite, IBM AppScan), SAST (semgrep, HP Fortify, FindSecBugs, Veracode), IAST (Contrast), Threat Modeling and Security Requirements Management (SD Elements, IriusRisk), AWS
-
Founder, Application Security Researcher and Engineer
Appsec Science, LLC
Bozeman, MT, US
-
Founder, Application Security Researcher / Engineer
Appsec Science, LLC
Apr 2022 - Present
Currently:
· Designing and implementing an attack surface analysis tool
· Acting as a security advisor to companies such as PolyAPI (https://polyapi.io/)
Previously:
· Researched NoSQL security. Created PoCs (https://github.com/aabashkin/nosql-injection-vulnapp), and custom static analysis rules (https://github.com/returntocorp/semgrep-rules/pull/2585)
· Researched low code security (particularly RPA), created PoCs, engineered solutions (https://github.com/robocorp/rpaframework/pull/899/files)
Future: Additional low code security research, software security consulting/advising, engineering secure-by-default frameworks and the corresponding static analysis rules to drive adoption, publishing book and course
-
Volunteer Technical Contributor
OWASP Foundation
Jan 2016 - Present
Wakefield, MA, US
· Primary author of two reference guides for critical security controls:
  - https://www.owasp.org/index.php/Bean_Validation_Cheat_Sheet
  - https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet
· Latest project is a learning tool that can be used by software engineers, application security engineers, and students to improve their knowledge of application security. Content is based off of the OWASP Application Security Verification Standard (ASVS) and learning is enhanced by Anki spaced repetition software:
  - https://github.com/application-security-projects/owasp-application-security-verification-standard-anki-deck/
-
Senior Software Security Engineer
MongoDB
Oct 2020 - Apr 2022
New York, NY, US
· Designed and implemented secure-by-design library for safely parsing XML and avoiding XXE vulnerabilities
· Analyzed the Kubernetes (k8s) security landscape, performed knowledge sharing with security team, delivered a strategic roadmap for securely deploying workloads and presented to the SRE team. Received praise from both teams on account of effective communication and collaboration skills
· Created secure coding guidelines with an innovative approach. Presented to entire engineering department as part of a lunch and learn session. Engineering leadership provided positive feedback
· Developed custom static analysis rules using semgrep to catch issues that wouldn't be found by a generic SAST tool
· Attended regular design/scope review sessions and provided security related advice
· Generated threat models for existing and upcoming features
· Performed penetration tests on newly released features
· Mentored an intern and successfully delivered a security training related project. Received strong positive feedback from all parties involved. Ultimately, intern ended up accepting a full-time offer
· Assisted Staff and Lead engineers in conducting numerous hiring interviews. Created an effective, repeatable process to vet candidates
-
Sabbatical
Self-Employed
Jul 2019 - Oct 2020
-
Lead Application Security Engineer
Automation Anywhere
Mar 2017 - Jun 2019
San Jose, CA, US
· Led all application security related efforts at one of the top competitors in the fastest-growing segment of the global enterprise software market (Robotic Process Automation aka RPA)
· Worked with managers, directors, and VPs to systemically improve the secure SDLC across the entire organization, from design, to implementation, to testing, to post-release.
· Worked with multiple stakeholders, including business, legal, product, engineering, architecture as the security SME to deliver high impact high risk projects such as the new web-based release of the company's flagship product
· Performed root cause analysis on wide variety of vulnerabilities (OWASP Top 10, CWE Top 25, and beyond) and recommended appropriate security controls/standards
· Enabled engineers to understand and remediate vulnerabilities
· Worked with various technology stacks including Java + Spring + Spring Security, PHP + Wordpress, Android, iPhone
· Worked in a cloud environment (AWS, Terraform)
· Documented secure coding standards
· Conducted secure design and architecture reviews for security controls and high risk application components/features
· Managed dynamic and static security tools (Veracode, Black Duck)
· Established and expanded security champions program, thus embedding security within each product team
· Created JIRA dashboards to generate metrics for management review
· Designed a novel solution to integrate the company's product with Common Access Card (CAC) authentication for a federal client operating in a high risk environment
· Improvements made in the SDLC eventually enabled the company to meet the requirements for "Continuous" status (the highest possible grade) in the Veracode Verified Program, thus improving company reputation and competitiveness (https://www.veracode.com/verified/directory/automation-anywhere)
· Received excellent performance reviews, recognized by the company for moving the needle forward in application security
-
Family Time + Independent Projects
Self-Employed
Dec 2016 - Feb 2017
· Before moving further in my career I decided to take a quick break to spend time with my family and work on independent projects
· Automated Dynamic Security Scanning in CI with Jenkins + TestNG + WebDriver + WAVSEP demo + Arachni: https://github.com/application-security-projects/ci-automation
· Application Security Architecture for Modern 4-Tier Web Platforms: https://github.com/application-security-projects/application-security-architecture
-
Application Security Engineer 3
eBay
Jun 2011 - Nov 2016
San Jose, CA, US
· Specialized in web applications, microservices, and mobile. Significant experience working in a large, complex, Agile environment while delivering security at scale and speed
· Performed root cause analysis on wide variety of vulnerabilities (OWASP Top10, CWE, domain-specific) across different technology stacks (Java + SpringMVC, JavaScript + NodeJS, Drupal, Android)
· Worked with multiple stakeholders, including business, legal, product, risk, engineering, architecture as the security SME to deliver high impact high risk projects such as the Public API release (13 new APIs)
· Multiple years of hands-on experience working together with engineers to understand and remediate vulnerabilities. Made the AppSec team more visible and engineers more engaged in security
· Balanced business and security needs in difficult or uncertain situations
· Designed, implemented, and tested the primary web application security framework w/ platform team
· Drove secure software requirements research, validation, and management (200+ requirements)
· Conducted secure design & architecture risk reviews, generated threat models (30+ projects)
· Created, tested, and evangelized secure coding standards across the organization
· Engaged in pentesting and security test automation (DevSecOps)
· Worked with Quality Engineering (QE) to develop bespoke test cases regular tools cannot handle
· Managed dynamic and static security tools (Arachni, ZAP, Burp Suite, AppScan, Fortify, FindSecBugs)
· Evaluated and managed Client Reputation (telemetry) and Bot Management type controls
· Developed custom interactive security training, created engaging and immersive learning experiences based on real scenarios (delivered to over 1K developers)
· Created JIRA dashboards for metrics
· Received excellent performance reviews
· Awarded the Critical Talent Retention Bonus reserved for top performers
-
Security Seminars - Graduate Student Participant
SECuR-IT
Jun 2011 - Aug 2011
"The Summer Experience, Colloquium and Research in Information Technology (SECuR-IT). This is a ten-week paid internship with academic seminars, sponsored by TRUST partners UC Berkeley, Stanford University and San Jose State University with internships located in Silicon Valley and the San Francisco Bay Area."
Participated in seminars held at McKesson, Fortinet, and Intuit.
-
Change/Risk Management Consultant
IBM Global Business Services
Jun 2009 - Aug 2009
Armonk, New York, NY, US
Worked on developing the telephony infrastructure of the 2010 Census project. Facilitated change management, created technical documentation, engaged in system requirements gathering and testing. Leveraged the Rational Suite (ClearQuest, ReqPro).
-
Web Developer
Enforme Interactive
Jun 2008 - Aug 2008
Frederick, MD, US
Gathered system user requirements for related projects. Debugged and added additional features to company’s employee time-sheet program. Development performed on the .NET platform with ASP, C#, CSS, and Microsoft SQL.
-
IT Administrator
Sequoia Pharmaceuticals, Inc.
2007 - 2008
US
Series of major projects includes: data encryption solution for executive management use, wireless enterprise level security (RADIUS), Honeypot Intrusion Detection System, Open Solaris ZFS fileserver, configuring firewall/VPN, vulnerability auditing, and technical documentation for previously mentioned projects.
Anton Abashkin Education Details
-
Carnegie Mellon University
Concentration: Information Security
-
Stanford University
Advanced Computer Security
-
University of Maryland - Robert H. Smith School of Business
Information Systems
Frequently Asked Questions about Anton Abashkin
What company does Anton Abashkin work for?
Anton Abashkin works for Appsec Science, LLC.
What is Anton Abashkin's role at the current company?
Anton Abashkin's current role is Founder, Application Security Researcher and Engineer.
What is Anton Abashkin's email address?
Anton Abashkin's email address is ab****@****ail.com
What is Anton Abashkin's direct phone number?
Anton Abashkin's direct phone number is +1 (408) 376*****
What schools did Anton Abashkin attend?
Anton Abashkin attended Carnegie Mellon University, Stanford University, University of Maryland - Robert H. Smith School of Business.
What skills is Anton Abashkin known for?
Anton Abashkin has skills like SQL, Information Security, Security, Network Security, Java, Penetration Testing, Information Security Management, Computer Security, Application Security, Linux, PCI DSS, JavaScript.