Resume

Experience

Mar 2023 ‐ present

ByteDance

Sr. Security Engineer, TikTok · San Jose, CA

  • Threat modeling and implementation reviews for new features and existing services. Built systemic fixes like log masking to stop classes of issues from coming back.
  • Built a prioritization tool for incoming security review using an LLM and a structured questionnaire. Cut triage volume by about 60%.
Dec 2020 ‐ Mar 2023

Dropbox

Security Engineer, HelloSign · Seattle, WA

  • Rolled out CSP for the HelloWorks webapp: 1M+ reports handled, 500+ refactors to get the policy clean.
  • Designed and shipped a compromised-credentials check that prompted about 5% of users to rotate their passwords.
  • Added and tightened linting and static-analysis tooling in CI/CD.
May 2020 ‐ Nov 2020

Facebook

Security Engineer · Seattle, WA

  • Security reviews for new products and features (FB Shops, internal apps).
Jan 2019 ‐ May 2020

Lyft

Security Engineer · San Francisco, CA

  • Integrated security into the SDLC, including risk ranking for new features via a structured questionnaire.
  • Used SAST tooling to find classes of issues across the codebase.
  • Cut overall Chrome extension risk across the company by about 90%.
Sept 2017 ‐ Jan 2019

Box

Security Engineer · Redwood City, CA

  • Code-level and black-box appsec assessments, design reviews, and threat models for new features and products.
  • Researched and deployed CSP, Referrer-Policy, and other protections in internal environments.
May 2016 ‐ Aug 2016

NCC Group

Security Intern · San Francisco, CA

  • Shadowed consultants on web and mobile penetration tests and external network assessments.
  • Triaged reports for third-party bug-bounty platforms.

Education

Aug 2016 ‐ Jan 2017

University of Alabama, Huntsville

M.S. Cybersecurity · Computer Science concentration

Published research & CVEs

  • CVE-2014-8496. Router firmware backdoor password affecting roughly 500k devices. With the team at Entrust Solutions.
  • CVE-2016-4075. URL spoofing in the Opera browser.
  • CVE-2017-7990. XSRF in OpenMRS, an electronic medical records platform.
  • OAuth 2.0 implementation issues. Published paper and a tool to check common flaws. Oct 2016.

Recognition

  • VRP and CTF acknowledgments from Google, Facebook, Microsoft, Twitter, and others.
  • Covered in Business Insider, VentureBeat, and The Register for findings in widely used software.
  • Spoke at BSides San Francisco 2019 and OWASP Bay Area meetups.

Certifications

OSCP  ·  CKA  ·  CPTE

Tools & languages

Languages: Python, PHP

Tools: Burp Suite, ZAP, Nessus, Qualys, Metasploit, Wireshark, AppScan

Platforms: Linux, macOS, Windows