Board Advisor for security and GTM matters for a company that focuses on cyber-risk assessment of critical infrastructure.

Semmle was acquired by GitHub/Microsoft September 2019.Chief Security Officer responsible for Semmle’s privacy and security practices duties including board reporting, internal security, incident response, product security, monitoring, compliance and general security awareness training program.Also responsible for building and leading Semmle’s security research team responsible for finding multiple security vulnerabilities.

Lead the Information Security Engineering team responsible for Google Product Security. A decently large org making sure we support Google shipping secure products by any means necessary.ISE teams help Googlers and our partners build safe products by developing secure-by-default APIs, libraries, and containment frameworks; maintaining automated bug discovery pipelines (fuzzers, security scanners, code quality checks); mitigations (sandboxes, compile time and runtime exploit defenses, CSP and other web mitigations); providing day-to-day security review and consulting services (including crypto); and handling vulnerability response & management for almost everything that's happening within Google.

Lead of several groups at the Information Security Engineering team including ISE-TPS (third party security) and API hardening focus areas (at that time about half of Google Product Security team) responsible for finding thousands of security vulnerabilities (http://www.google.com/about/appsecurity/research/), fuzzing cluster development, sandboxing, security third party software/libraries used at Google and exploits mitigation.

Relevant activities: Technical background for MSRC dealing with new reported vulnerabilities, hacking for variations, source code review, fix validation, mitigations, technical review of bulletins, etc… Primary owner and developer of EMET (Enhanced Mitigation Experience Toolkit): http://support.microsoft.com/kb/2458544. Designer and developer of EAF (Export Address Table Filtering) and Mandatory-ASLR. Found more than 80 new vulnerabilities and variations of MSRC cases. Development of fuzzers, code coverage tools, etc… Part of the SSIRP response team. React case owner of MS08-067, (netapi32 rpc case, conficker).

Relevant activities: - Design and development of an Application IDS for web servers: NGSecureWeb, a Host IPS StackDefender, a Home User IDS LogIt and an Embedded Firewall ForceFilter. - Development of AntiPharming in collaboration with the Spanish Police (GuardiaCivil) and government. - Development an AntiPedophilia crawler on P2P networks for the spanish police (GuardiaCivil) as a contractor for a third party company. - Ethical Hacking, security consultant and auditor for the major spanish Telecoms and Banks. o Development for a third party company of an embedded device using ARMcores, RFID devices, etc… - Collaboration with US-CERT in the disclosure of the ISC DHCP vulnerability (http://www.cert.org/advisories/CA-2002-12.html).