Neil Matatall describes himself as "Engineer at heart. Security by trade." and works at ActBlue. He has expertise in application security, security engineering, information security, OWASP, Ruby on Rails and four more skills.
Neil Matatall Experience
Staff Software Engineer, ActBlue, Mar 2022 - Present, Somerville, Massachusetts, US
Authentication, authorization, and access control. Ruby on Rails. Presented and facilitated tech talks. Led a project to require 2FA for entities. Built a core component of an authorization framework. Learned react-query and AWS (Kinesis, SQS). Used Semgrep to deprecate and then remove legacy APIs. Revamped culture around project management to pave the way for a groomed backlog and a clear roadmap. Improved on-call procedures to deliver better service to other teams. Proposed a CODEOWNERS strategy along with inter-team SLAs for better collaboration. Led a working group to remediate and prevent flaky tests.
Co-Founder, LocoMocoSec: Hawaiʻi Security Conference, Aug 2017 - Present
Organized the 2018 and 2019 events, contributed to the 2020, 2022, and 2024 events.
Senior Engineering Manager, GitHub, Feb 2021 - Nov 2021, San Francisco, CA, US
Engineering manager who hired and onboarded two people, handed off responsibilities to a new team, changed the direction of the team, and promoted at least two people.
Senior Product Security Engineer, GitHub, Nov 2014 - Feb 2021, San Francisco, CA, US
Led an effort to virtually eliminate account takeovers while improving general account security. This includes requiring email-based challenges for questionable sign-ins, improved account audit logging and notifications of significant events, banning the use of passwords found in data breaches, removing password support from the API/git, and many smaller efforts in support of this drive. Worked with the incident response teams on many investigations as an SME to explain data, but also to be on the lookout for opportunities to apply extra mitigations based on any business logic vulnerabilities.
Streamlined the bug bounty process. Migrated to the HackerOne platform, built a Ruby API client, and integrated with our processes and chatops systems. Reduced time to response and time to pay, increased general quality, and provided more comprehensive and accurate data on the program.
Retrofitted the primary Rails application with a security header library that allowed us to provide incredibly precise and dynamic content security policies, allowing engineers to fully control CSP using a simple-to-understand API which triggers automation for review.
Improved our Ruby static analysis automation tooling to be more testable, accurate, and comprehensive. This includes writing custom Brakeman rules along with low-hanging regular expressions. The automation is still in use and has spread to cover nearly all of our applications instead of the primary monolith.
Moved the team towards more formalized practices using project boards, stand-ups, and more. I led the effort on the team to move closer towards the prescribed "how we work" framework with intention but not immediate absolutism.
Co-Founder (Side Project), Brakeman Security, Inc., Mar 2015 - Sep 2017
(Side project) Brakeman Pro is a desktop application used to perform static analysis security scans against Ruby on Rails applications. It was developed using JRubyFX and was acquired by Synopsys. I wrote nearly all of the code for the desktop application while my partners focused on the business and product development.
Senior Security Engineer, Twitter, Feb 2012 - Nov 2014, San Francisco, CA, US
Worked on the "SADB" project, which was one of the first production examples of integrating static analysis in an effective and engineer-friendly manner. Worked on the design and implementation of the initial two-factor authentication feature. Participated in the launch of the bug bounty. Created the secure_headers Ruby library and started applying Content Security Policy to all applications. Added similar functionality to Twitter's custom Scala framework so new applications would get a strict CSP by default (with an API for opting out of/altering policies). I spoke at numerous conferences and public forums spreading information about security automation and Content Security Policy. Performed various security reviews, bug fixes, static analysis remediations, bounty reports, etc.
Senior Ruby on Rails Developer, Realpractice, Jan 2011 - Dec 2011, Santa Ana, CA, US
Team lead for Ruby on Rails development. RSpec, Cucumber, Git, JavaScript.
Security Engineer, YP, The Real Yellow Pages®, Sep 2009 - Jun 2010, Atlanta, GA, US
My work primarily focused on expanding the use of Splunk. This included capturing more data, excluding more data, and managing the deployment across the fleet via our own package manager.
Programmer/Analyst III and Security Engineer, UC Irvine, Dec 2006 - Sep 2009, Irvine, CA, US
I had split responsibilities between Java web development and security engineering. The web development work included bespoke applications that integrate into a larger ERP (TRIRIGA) as we transitioned from old systems to a centralized system. The security engineering work included expanding use of Splunk, managing an Imperva WAF, and supporting secure development via dynamic analysis and application reviews.
Neil Matatall Skills
Neil Matatall Education Details
UC Irvine, Information and Computer Science
Frequently Asked Questions about Neil Matatall
What company does Neil Matatall work for?
Neil Matatall works for ActBlue.
What is Neil Matatall's role at the current company?
Neil Matatall's current role is described as "Engineer at heart. Security by trade."
What schools did Neil Matatall attend?
Neil Matatall attended UC Irvine.
What skills is Neil Matatall known for?
Neil Matatall has skills like Application Security, Security Engineering, Information Security, OWASP, Ruby on Rails, Product Security, Account Security, Ruby, and JavaScript.