Me on the web


I am not a designer.


AppSec Engineer

Now I work at GitHub doing AppSec. Working for GitHub is like living on the bleeding edge for many web standards. CSP, Subresource Integrity, HTTP Public Key Pinning, Referrer Spec, etc. I also get a chance to develop security features, such as revoking GitHub Oauth tokens as they are pushed to public repositories and revoking "stale" OAuth tokens that haven't been used in over a year.


  • Security Automation
  • Coffeescript
  • Content Security Policy
  • Ruby on Rails

Brakeman Security Inc.

JRubyFX Engineer, co-founder

Brakeman Pro as you may have guess is the enhanced version of the open source Brakeman with a native desktop application for managing scans and scan results. It's built using JRuby and JavaFX (JRubyFX). Brakeman Pro 1.0 has been released!.


  • Brakeman
  • JavaFX
  • JRuby
  • JRubyFX
  • Static Analysis


Product Security, AppSec Engineer

After a fun interview, Twitter offered me a role on the security team. At the time, there was one team. Over time, my role moved to product security and then to application security.

When I joined the company, there was only one Scala endpoint and about 1,200 employees. I helped Twitter's application security program scale to not only the increasing adoption of scala, but also with the increasing number of engineers. Obviously, I did not form the entire program but I did contribute significantly to a program than handled the growth well. At the time I left, only a few Rails endpoints were left and the company had tripled in size.

I became heavily involved in the Content Security Policy spec and lead the effort to deploy "security headers" across all Twitter properties. This included an open source library (secure_headers) as well as providing guidance, augmenting the custom Twitter framework, and providing tools to help track progress.

While I was part of the security team, I helped improve and integrate security static analysis into the deployment pipelines of every Rails project at Twitter with Brakeman. This went through many iterations with varying success, until we finally came up with SADB. SADB received high praise.

During my time on the product security team, I was given the opportunity to work on the complete overhaul of the Twitter authentication mechanisms as we moved to Scala. This includes helping design and implement two factor authentication.

After transitioning to a role on the AppSec team, I helped lock down APIs in Twitter's custom Scala framework. This work can best be described as finding dangerous APIs, providing safe alternatives, and detecting deviations in use while providing education and guidance. Eventually, this came down to a series of Regular Expressions. We never explored static analysis because we felt that our strict coding guidelines, safe APIs, and culture of doing the right thing could easily be managed with simple scripts, usually just a regular expression.


  • Security Automation
  • Content Security Policy
  • Strict Transport Securtiy, preloads
  • Static Analysis, Brakeman
  • Application framework hardening
  • SDLC intregration, policy, architectural review
  • Privacy engineering
  • Ruby on Rails, Scala, Macaw


Ruby on Rails Engineer

After spending a few years in security, I noticed my programming chops were a bit rusty. It's hard to talk about web security when your understanding of web programming is outdated. Working for RealPractice helped me get up to speed and eventually I became a team lead, responsible for 2-3 people. I vowed to never get too far away from code ever again. It's also where my javascript knowledge exploded, and I was quickly writing power libraries based on jQuery to solve domain problems. The main product was a website builder that made heavy use of javascript and ajax.


  • jQuery
  • Ruby on Rails / AT&T Interactive

Security Engineer

AT&T was a big departure from UC Irvine. Things moved much more quickly and pulling off company wide initiatives was that much harder. During my time there, I greatly augmented the centralized logging project and encorporated some basic security standards for the web applications and database configurations. I also developed a now defunct crypto library (I was highly unqlalified to write crypto code) for keeping passwords out of source code that included integration with an HSM.


  • Splunk
  • WebInspect
  • Ruby on Rails

UC Irvine

Java developer, Security Engineer

After interning and working full time as a java developer, I had a chance to explore security. It started with a task: learn the OWASP Top 10, and then teach it to everyone in the company. Not knowing anything about security, I quickly fell in love after a short period of research. This was mostly focused around Webgoat, the intentional vulnerable web application. I developed a 4 hour training course that I gave to the company as well as multiple Educause and JASIG events. I also managed a WAF, centralized logging, and an application review program.


  • Imperva SecureSphere WAF and database gateway
  • Splunk
  • IBM AppScan
  • Spring Framework

subscribe via RSS