Brandon Sterne Email & Phone Number

Global, US

The Cloud, US

• Leading Application and Cloud Security teams, delivering world-class security services to support end-to-end security for all Snowflake products and production cloud environments: Threat Modeling, SAST, DAST, SCA, Pen.
• Overseeing Snowflake's Developer Driven Security program, a highly scalable, decentralized security assurance function that empowers engineering teams to ship software quickly and safely.
• Deployed multiple net new controls for cloud security monitoring and vulnerability management, enabling Snowflake to achieve FedRAMP High authorization.
• Completed a full transition and re-chartering of former security operations team into present cloud security team. Required re-balancing operational responsibilities with numerous engineering teams over a 6-month.
• Reduced production cloud access: Implemented federated identity system and eliminated static IAM users for development use cases. Replaced interactive shells and admin tools with safer, auditable interfaces.
• Established a new ML security practice, hiring the first dedicated ML security engineers and establishing frameworks to provide: ML for security (e.g. generate a threat model from a design doc) and security for ML.

San Francisco, California, US

• $2B+ industry leader in security analytics, observability, and IT operations tooling. Leading the Product Security team responsible for the security of all customer-facing products across the Splunk portfolio..
• Rapidly increased team scale, coverage, and velocity through hiring, staff development, and adopting a Paved Road security strategy. Grew the Product Security team by 40% in 16 months to a total of 24 security.
• Overhauled the reporting and remediation strategy for product security risk and decreased total risk by 38% in 16 months. Created a security risk scoring model, established vulnerability SLAs, built drill-down.
• Authored a state-of-security report for senior management that resulted in major shifts in product strategy and secured significant new investments in product security enhancements.
• Providing world class security services for product teams, offering both manual and automated security reviews: threat modeling, penetration testing, code reviews, static analysis, dynamic analysis, software.

Pleasanton, California, US

• $3B+ leader in enterprise cloud applications for finance and human capital management. Joined Workday when the company was 1,000 employees and Security was 5 people. Have progressed to grow the Security Engineering.
• Leading a team of 60 security engineers and software developers within the Workday Technology org, developing in-house security services and deploying commercial and open source security tools into public and private.
• Building and supporting services that provide multi-factor authentication, transport layer security, secrets management, network and host-based security tools, and logging and alerting platforms used to monitor and.
• Providing security reviews, penetration testing, and consulting for scores of development and operations teams deploying new products, features, and services.
• Adopted CIS 20 as a control framework to assess current security posture, prioritize investments in security, and create transparency for management and peer organizations.

Pleasanton, California, US

• Led the consolidation of Application Security and Security Tools organizations to create a unified Security Engineering team.
• Grew the team from 20 to 50 security engineers over a 4-year period, putting into place a formal training and development program, career ladder, and internal security skills tracking system.
• Replaced a legacy SIEM with a Splunk Enterprise Security deployment containing over 100 custom detection rules, and scaled the data ingestion from 500 GB to 4 TB of logs per day.
• Designed and deployed a suite of host-based security tools providing TLS and IDS to enable simultaneous network encryption and threat detection across internal traffic flows.
• Launched microsegmentation movement at Workday, bringing in a host-based firewall management platform and scaling the deployment from several hundred initial workloads to over 30,000, eliminating the need for.
• Developed Baseline Security Requirements, a document describing standard security requirements to apply to all projects, new features, and new services being deployed. The goal was to provide a transparent, scalable.

Pleasanton, California, US

• Led a team of 10 application security engineers, focused on scaling and automating our security review programs.
• Implemented major improvements to the Static Analysis program, switching the primary SAST vendor, increasing scan coverage to include all critical repos, and reducing the scanning time for all repos from days to hours.
• Developed and launched the Customer Penetration Testing Program, providing customers with high security assurance needs the ability to perform their own penetration testing in a controlled environment. The effort.
• Established dedicated Security Leads for each of the product development teams, enhanced the feature tracking automation to prioritize and route reviews based on security impact and security lead assignment.

Pleasanton, California, US

• Created and led the first Application Security team to provide security reviews and consulting services for app development teams.
• Built the first Secure Development Lifecycle at Workday, including: design review, security impact assessment, threat modeling, source code review, and penetration testing.
• Introduced Security Static Analysis to Workday, completed a multi-vendor bake-off, and implemented a nightly code scanning process.
• Developed the Security Impact Questionnaire, a tool used with product and development managers to gather project details and provide a first-pass assessment of security impact.
• Created and rolled out the Workday Security Training Belt program with requirements defined for 4 levels of security expertise. Certified 5 developers at the black belt level within the first year.

Pleasanton, California, US

• Performed penetration tests, source code reviews, and risk assessments for new features being developed.
• Implemented feature tracking automation to monitor the development ticket queue and notify Security Team when new features are added to the current release cycle.
• Established baseline security requirements for all teams shipping software at Workday, including requirements documentation and user stories, SLAs for fixing security review findings, documented incident response.
• Built out a comprehensive Secure Coding Guidelines as part of the first PCI compliance effort.

San Francisco, CA, US

• Managed a distributed team of six Security Engineers responsible for fuzzing and penetration testing
• Performed risk analysis of Mozilla Engineering initiatives and prioritized projects requiring focused testing
• Lead security design reviews and threat modeling for all new Firefox features
• Created the first comprehensive security testing plans for Boot to Gecko, Open Web Apps, and Web API projects
• Served as first Editor of the Content Security Policy W3C standard

San Francisco, CA, US

• Member of the Mozilla Security Group, the body responsible for shaping security policies and incident responses
• Designed and implemented Content Security Policy, a mitigation framework for content injection vulnerabilities
• Drove adoption of CSP by working with strategic partners and internal web developers and speaking at web security conferences, e.g. AppSec USA
• Created automation system for the collection, processing, and reporting of security bug statistics
• Created and tested fixes for memory safety bugs and other browser security flaws
• Managed the vulnerability remediation process for the Mozilla codebase including bug triage and milestone tracking

San Jose, CA, US

• Member of the Information Security Testing and Monitoring Team
• Responsible for host-and-application level security for eBay Marketplaces and corporate network
• Run weekly and quarterly scans for internal security (ISO 17799) and regulatory (Sarbanes-Oxley) compliance
• Developed a process and supporting web application to facilitate the vendor security program
• Perform periodic penetration tests and code audits of the Marketplaces websites to assess application level vulnerabilities
• Developed Active Content Framework prototype allowing site users to safely include HTML and JavaScript in eBay web pages

• Developed creative websites for new clients including original design and content
• Managed existing websites to keep content current
• Optimized web pages to maintain top rankings on major search engines
• Researched latest Internet trends and technologies and incorporate them in Internet marketing strategies
• Kept clients' CGI scripts and software packages updated and free of security vulnerabilities