Working as part of a team dedicated to improving product software and systems, using my expertise to improve coding practices and operational security.
Over 25 years’ experience with computer security.
Over 20 years’ experience in software quality assurance.
Over 20 years’ experience in systems administration, including Web server administration.
Security Assessment Tools
I am familiar with OWASP guidelines, MITRE's CWE list, and the use of many security and debugging tools to find and address design and coding security vulnerabilities.
nmap, netcat, Achilles web proxy, Metasploit Framework, Wireshark (Ethereal) network sniffer, tools from Sysinternals and Foundstone, and many others.
ZoneAlarm Extreme Security Suite, Check Point Endpoint Security
McAfee SiteAdvisor and Windows Security Suites
I have experience automating QA scripts and creating detailed bug reports, including analysis of system and application dumps.
LoadRunner, WinRunner, XRunner
Bugzilla, ClearQuest
I have written production code and documented secure coding standards for the following languages. I easily learn new languages, and can achieve fluency in two weeks of self-study.
Shell scripts (C, Bourne, Bash, DOS, PowerShell)
Windows (32-bit and 64-bit), including Windows 7, Windows 8, 8.1, and Windows 10
Android (2.2 [Froyo] through 5.1 [Lollipop])
Linux (Red Hat and SUSE), SPLAT (Check Point secure Linux)
Unix (HP-UX, Solaris)
San Jose State University
Fields of study: Mathematics, Humanities (honors)
Dates attended: 1981 – 1987
Technical Training Courses
Ultimate Hacking: Windows Security
SANS Advanced Incident Handling and Hacker Exploits
WinRunner/LoadRunner/TestDirector
Sun Solaris 2.x Systems Administration
Accessing Internet Resources
Shell Programming on UNIX
Stratus VOS System Administration
Migrating HLL Applications to OpenVMS AXP
Amdahl Mastering Basic MVS & VM
GLOBALFOUNDRIES, Santa Clara, CA Oct 2017 – Mar 2019
Senior Information Security Engineer
Develop security roadmap for existing, new, and evolving applications.
Assess security risks to the corporation's systems, networks, and information, and propose process improvements.
Research and document the latest vulnerabilities and threats affecting the company.
Assist team in analysis of forensic artefacts.
Provide technical leadership and oversight of cloud-hosted infrastructure.
Symphony Communication Services, LLC Palo Alto, California Oct 2015 – Feb 2017
Conducted security tests using automated tools, ad-hoc tools, and manual testing.
Conducted penetration testing against different technological domains including, but not limited to, web applications, web services, iOS and Android devices, Mac OS and Windows computers, and virtualized environments in the cloud.
Assessed and calculated risk based on vulnerabilities and exposures discovered during independent testing and also those reported via external assessors and security researchers.
Provided input on security controls, including compliance with cryptographic export controls, U.S./EU Privacy Shield, and Service Organization Control (SOC) level 1 and level 2.
Created required information security documentation and completed requests in accordance with requirements.
Escalated to appropriate management, and provided timely, relevant updates and periodic reports as needed.
Security Champion and QA Team Lead Santa Clara, California April 2010 – June 2015
Designed threat models for antimalware products, and implemented Secure Development Lifecycle, maintaining team's document repository.
Performed penetration tests, writing UNIX shell scripts for production and automation, and once I even patched buggy Python code for a time-critical deployment.
Kept up-to-date on security issues, attending Black Hat and DefCon conventions, and reading Android and Windows systems internals books.
Tested the SiteAdvisor web reputation product, including performing C and Java API tests, advising developers on POSIX compliance features supported in NTFS, and avoidance of SQL injection and cross-site scripting (XSS) issues with Unicode.
Zone Labs/Check Point Software Technologies Ltd San Francisco, California March 2004 – March 2009
Managed QA team for consumer and enterprise security products. Under my mentoring, two direct reports were promoted to team lead, and the automation group's performance was greatly improved.
Orchestrated changes in the Belarus development center to integrate with global QA, focusing on development QA testing and reporting. Attended various management classes including: Leadership, Managing Change, Holding Effective Meetings, and Time Management.
Assisted major Fortune 500 customers on-site with rollout of installations and upgrades of an enterprise firewall suite, channelling feedback to the development team for product improvements.
Performed functional, design, and performance QA of consumer and enterprise security products. This included full disk encryption, network firewall, antivirus, anti-spyware, browser virtualization and anti-phishing features.
Received award for completing Common Criteria (CC EAL4+) evaluation under budget and seven months ahead of schedule. This was a matter of critical importance for the company, to be in compliance with U.S. Government directives.
Maintained security knowledge through Foundstone’s Ultimate Hacking training and attendance of DefCon and Black Hat briefings. Created and presented internal training both locally and internationally for QA, IT, and Development staff on various topics including: format string exploits, cross-site scripting (XSS), Unicode and local code page handling, file scanning evasion, and XML and database injection.
Oracle Corporation Redwood City, California October 1991 – August 2003
Sr. Security Analyst, QA Specialist, Developer, Sr. Technical Support Analyst
Co-authored secure coding standards for Java, C, PL/SQL, and various operating systems, ensuring that Oracle’s software had state-of-the-art security, training developers and Webmasters.
Wrote external security alerts, and coordinated responses to external researchers. Evangelized security as part of cross-organizational team. Led Birds-of-a-Feather discussion on tiger team penetration testing, for SANS Black Hat symposia.
Performed design audits and penetration tests to assess security risks of both internal production systems and software products, with stop-ship authority when any severe vulnerabilities were discovered. Coordinated work of Y2K team.
Designed and implemented Oracle's first corporate Support Web site, porting CERN Webserver C code to OS/2.
Performed on-site bug remediation, including source code analysis of customer applications. Authored and presented white paper on database backup and recovery at DECUS Symposia.
Processed customer support for all Oracle products on all supported platforms, including installation, performance, and troubleshooting, and handling of down production databases during off-hour and weekend support calls for all global customers.
Adaptec Corporation Milpitas, California August 1990 – May 1991
Supported VMS and FORTRAN applications, installing PROMIS and COGNOS Powerhouse.
Maintained MicroVAX 3800 and DECserver 200 machines in production environment.
Independent Security Consultant
Analysed forensic data after a security incident, reconstructing the attack.
Recommended changes in IT, HR, and physical security policies.
Performed data recovery.
KLA Instruments Corporation Sunnyvale, California June 1988 – August 1990
Managed DECnet and Local Area VAXcluster.
Performed backups, tuning, and software updates on MicroVAX, VAXstation, and VAX 11-780 computers.
Evaluated, purchased, and installed hardware and software for engineering environment, including rewiring VAX 11-780 backplane for CPU acceleration.
Developed real-time reminder facility, spelling checker, multi-window character-based system for multitasking, and automated backup script.
General Electric, Nuclear Energy Division San Jose, California January 1986 – May 1988
Senior Systems Operator
Advised programmers on VMS run-time library, RMS, system services and utility usage and optimization.
Performed swing shift operation and management of VAX 8600, VAX 8500, VAX 11/785 and MicroVAXen.
Developed tools using C, DCL, Fortran, Pascal, and VAXTPU.