• Deputy CISO for Meta's Augmented Reality organizations. Directly responsible for security of our AR glasses hardware, software, experiences, and services supporting approximately 3000 people.• Developed the security roadmap, maturity criteria, and methodologies for managing product security risks.• Led the cross-functional effort and authored Meta's security standards for biometric auth on AR/VR devices. Partnered with system and silicon architects to design of our secure coprocessors and AI accelerators including TrustZone and DSPs.• Collaborated with experts in adversarial AI and Presentation Attack Detection (PAD) to establish baselines for biometric ML accuracy (FAR), resilience, and avoid bias, for novel biometric modalities.• Designed the cryptography, infrastructure hardening, and physical security for a fleet of custom 18 wheeler petabyte-scale data centers on wheels.• Co-designed the hardware privacy features for AR devices, that gives users hardware control over sensors, with the lead silicon architect and electrical engineers. Led a large XFN effort to align more than 15 stakeholders teams on the product strategy and technical design.• Co-leader of the security strategy for privacy preserving computation in the cloud using TEEs. Advised on tradeoffs between TEE and E2EE strategies.• Designed the cryptography and protocol for the secure communication between consumer devices and Intel SGX enclaves (TEE) in the cloud which integrated X3DH with Intel SGX attestation primitives. • Provided business direction, process improvements, data protection strategies, and technical controls to secure our outsourced ML data collection and labeling work.• Led the security strategy and sandbox architecture for the integration of our voice assistant with large third party appliances and cloud services.• Supported Meta’s RedTeam by identifying campaign opportunities, facilitating engagements, and helping support RT operations to help evolve our security posture.

* Member of the Board of Directors of the ioXt Alliance* Partnered with leaders from Google, Amazon, Comcast, Legrand, Silicon Labs, Resideo, Zigbee, and others to set standards for the security of the security of the Internet of Things (IoT) * Established and chaired the IoT Privacy Extension working group to extend the IoT security vision with trustworthy standards for privacy.

• Bootstrapped a research organization to incubate new security techniques, expand corporate abilities, advance the state-of-the art, and cultivate employee skills• Mentored over 20 research projects including netfilter modules, advanced fuzzing, symbolic execution, embedded device security, and blockchain• Established a practice of providing application security expertise to open source projects to raise the security bar for core industry software• Fostered a culture of knowledge sharing that produced over 50 internal tech talks• Collaborated with the University of Washington to mentor and train student CTF and CCDC teams• Built a hardware hacking lab and expanded our IoT and embedded device research and pentesting

• Managed a team of 10 developers to design, develop, test, deploy, and maintain a custom, highly secure, Ubuntu-based, Linux distribution for the U.S. Federal Judiciary with over 700 production systems in 231 locations• Managed people, project priorities, deadlines, and deliverables• Defined complete system architecture including functional and security requirements• Developed Linux kernel modules, application sandboxing, system hardening, and enterprise management tools• Developed customized fork of Firefox including enterprise policy configuration extensions, domain access controls, and specialized domain specific UI• Responsible for client relationships, product management, development process, UX, and product vision• Collaborated with business partners to understand their unique needs ensure that technical designs satisfied requirements• Designed remote troubleshooting and system diagnostic tools including crash log analysis and AppArmor profile tuning• Personally managed all Tier 3 support operations for 97 unique clients with contractual SLAs• Established and streamlined SDL for quality assurance (QA) and security testing including a repeatable release process and database of test plans• Designed Debian package repository management web services with secure key management and automatic dependency resolution

• Recruited and interviewed technical candidates to grow the security engineering team by over 50 engineers• Performed a PCI gap analysis for a Level 1 Service Provider and designed solution to completely isolate CDE with one-way-doors• Assessed the security of government enterprise Java EE / Perl applications with millions of active users; discovered and remediated numerous critical vulns including RCE, EoP, and complete auth bypass• Provided security guidance for the secure design of SSO, MFA, web services, and password reset systems• Advised on the security of cryptography, network protocols, native code, memory corruption, secure libraries, API design, and infra• Established industry leading Threat Modeling methodology that redefined our professional services offerings • Designed systems to protect privacy that exceed GDPR• Authored blog articles on advanced exploitation (ROP), and cryptanalysis, and advanced web security techniques• Developed a binary exploitation framework for CTFs in Python• Created an engineer recruiting website with binary and web hacking challenges

• Developed an asynchronous Python TCP/IP network library with coroutines and Epoll for brute force, discovery, and automated web service testing• Reverse engineering and dynamic analysis with IDA Pro, GDB, strace, PIN, and Capstone• Analyzed security of embedded Linux devices for secure boot, system image integrity, key management, hardware attacks, SPI flash, JTAG/UART, and DMA attacks• Hardened Linux systems with AppArmor, seccomp, capabilities, iptables, and secure configurations• Linux system developer (Python, C, Qt/QML, GTK/glade, D-Bus, udev rules, cgroups, IPC, system)• Customized several open source applications including Firefox, Evince, and XFCE to improve security

* Focused on application security code reviews, penetration testing, and threat modeling* Implemented an ActiveX fuzzer with automated API discovery and core dump exploit analysis* Improved reporting templates and authored articles for Java security for eLearning coursework * Web application testing with Burp for XSS, SQLi, CSRF, command injection, and session management * Penetration testing with nmap, Metasploit, Sqlmap, Wireshark, scapy, sslyze, netcat, and Python

* Streamlined return management department for online retailer* Statistical analysis of business process to optimize throughput* RMA ticket tracking website in C#