Leading the Application Security, Infrastructure Security, and Privacy Engineering teams

After hours instructor for a six month programming bootcamp.Taught full stack development with HTML, CSS, JavaScript, TypeScript, Angular, NodeJS, Express, and SQL.

Tech Lead for both the Platform Security team and the Identity, Safety and Trust team.

Responsible for day to day AppSec activities, such as threat modeling, code reviews, and triaging of suspected issues. Lead security educator for Duo Engineers. Taught "Intro to Application Security", which covered interesting vulnerabilities and attacks, along with hands on labs and CTF challenges. Also taught "Intro to Threat Modeling", which covered topics such as DFD's, STRIDE, DREAD, attack trees, and the "attacker mindset". Lead developer for the Duo Security Engineering Platform - A platform for managing all Application Security activities. This includes: dependency management for all of our source code, tracking findings and issues, and the frontend for our security testing pipeline. Note: Duo has recently been acquired by Cisco!

Consulted on embedded security and cryptography for vehicle security, including: PKI design and architecture, key management, and the use of in-vehicle HSMs. Worked with OEM's and suppliers on implementing security controls to meet Ford/GM/FCA requirements. Travelled intentionally to work with customers in European and Asian markets.

I was the lead developer at QA Reader, one of the fastest growing EHR platforms for the long-term care industry. We track and trend serious incidents, such as falls, medication errors, and abuse allegations, and identify patterns and root causes of risk in buildings. I was responsible for taking the initial software from the proof-of-concept stage to overseeing the development of applications in use in over 700 facilities nationwide. I also helped manage customer support teams and outside contractors. The software is built with C#, ASP.NET MVC, Typescript, KnockoutJS, SQL Server, and ElasticSearch, and hosted in Microsoft Azure, with additional services in AWS.

In 2008, I founded a software development and consulting firm focused on security and cryptography. Our software was an enterprise key management appliance, with a desktop and web app for securely sharing information within organizations. I was responsible for all software development and managing the day to day operations of the company. I was also responsible for our initial sales, and raising multiple rounds of venture capital.The backend was built with C#, ASP.NET MVC, SQL Server, and Microsoft Azure. The initial client was built with C++ and wxWidgets, with later versions in C# and WPF in order to give a better experience to Windows users (our primary target).

I co-founded a marketing and business development firm with a friend as a side project. Our clients included collegiate sports programs, an athletic training center, and a nationally recognized chain of restaurants and entertainment venues. We managed all website development and content, a large number of billboards, as well as affinity programs and print and radio advertising campaigns.

When I first started at Ford, I was responsible for maintaining all of Ford's internal encryption tools, as well as writing policy and consulting with other teams and vendors on security best practices. I was involved in the rollout of Ford's globally rooted PKI, including the logical and physical design of the CA architecture, selection of HSM's, writing the certificate policy (CP) and certificate practice statement (CPS), and the issuing of hundreds of thousands of certificates. After the PKI rollout, I moved to the Sync Security Team, where I built cryptographic services, performed penetration testing, and designed the PKI architecture for Ford Sync, an infotainment platform in use in millions of vehicles.

I was fortunate to get my first opportunity as a cryptographer and security researcher at the National Institute of Standards and Technology. I worked in the areas of PKI and identity management, hash functions, and block cipher modes of operation. I authored SP800-52, a NIST standard on transport layer security, and three RFC's: 4822, 5310, and 5709 on authenticated routing protocols. I was a member of the NIST SHA-3 Competition, to find a replacement for the SHA family of hash algorithms, the Federal PKI Technical Working Group, the IETF, and was a referee for Indocrypt 2005.