Application Security Engineer & Security Developer
With a background spanning software development, application security, and cybersecurity, I embed security into the SDLC — from vulnerability discovery and code reviews to developing fixes and safe production releases.
Snyk SCA was generating high volumes of low-signal findings. I extended Eclipse Steady with support for modern Java versions and built Python automation that performs precise call-graph analysis and auto-generates high-confidence pull requests.
Dramatically improved signal-to-noise and reduced manual triage workload for both security and engineering teams.
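The core of a reachability-based triage step, as an added illustration that is not the author's tool: starting from the application's entry points, walk a caller-to-callee graph and keep an SCA finding only if one of its vulnerable methods is actually on a path from an entry point, recording the shortest witness path for the pull request. The call graph, entry points and finding list below are constructed sample data, and the `libx.*` names and `FINDING-*` ids are placeholders, not real libraries or advisories.

```python
"""Reachability triage of SCA findings over a pre-built call graph.

Added example. Real tooling would obtain the graph from a static call-graph
builder (the page mentions Eclipse Steady); here the graph is hand-written.
"""
from collections import deque

# Constructed call graph: caller -> callees, using fully-qualified method names.
# Package names under libx.* are placeholders for third-party dependencies.
CALL_GRAPH = {
    "com.acme.web.OrderController.create": ["com.acme.svc.OrderService.save"],
    "com.acme.svc.OrderService.save": ["libx.json.ObjectMapper.readValue"],
    "libx.json.ObjectMapper.readValue": ["libx.json.BeanDeserializer.deserialize"],
    # A batch job that is never wired up as an entry point in this deployment.
    "com.acme.batch.Report.render": ["libx.text.Substitutor.replace"],
    "libx.text.Substitutor.replace": ["libx.text.ScriptLookup.lookup"],
}

# Methods that handle untrusted input in this deployment (constructed).
ENTRY_POINTS = ["com.acme.web.OrderController.create"]

# Placeholder findings: id -> the library methods the advisory's fix touched.
FINDINGS = {
    "FINDING-A": ["libx.json.BeanDeserializer.deserialize"],
    "FINDING-B": ["libx.text.ScriptLookup.lookup"],
    "FINDING-C": ["libx.legacy.Parser.parse"],  # dependency present, never called
}


def shortest_paths(graph, entry_points):
    """BFS from every entry point; return {method: path_from_an_entry_point}.

    Methods absent from the graph are treated as leaves. Because this is a
    breadth-first walk, the first path recorded for a method is a shortest one.
    """
    paths = {ep: [ep] for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in paths:
                paths[callee] = paths[caller] + [callee]
                queue.append(callee)
    return paths


def triage(graph, entry_points, findings):
    """Mark each finding reachable or not and attach a witness path.

    A finding is reachable if any of its vulnerable methods lies on a path
    from an entry point. Unreachable findings are still returned so they can
    be closed with an explicit reason rather than silently dropped.
    """
    paths = shortest_paths(graph, entry_points)
    results = []
    for finding_id, vuln_methods in findings.items():
        hits = [paths[m] for m in vuln_methods if m in paths]
        witness = min(hits, key=len) if hits else None
        results.append({"id": finding_id, "reachable": witness is not None, "path": witness})
    # Reachable findings first, then by id, so the remediation queue is stable.
    results.sort(key=lambda r: (not r["reachable"], r["id"]))
    return results


if __name__ == "__main__":
    for r in triage(CALL_GRAPH, ENTRY_POINTS, FINDINGS):
        status = "REACHABLE  " if r["reachable"] else "unreachable"
        print(f"{status} {r['id']}: {' -> '.join(r['path']) if r['path'] else '-'}")
```

The caveat a practitioner wants: "unreachable" here means "no static edge found", not "safe". Reflection, dependency injection, serialization hooks and dynamic dispatch through interfaces all add edges a call-graph builder can miss, so an unreachable verdict should close a finding with that reason attached and be re-run whenever the entry-point list or the graph builder changes.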
Built a Java static analysis tool using the Abstract Syntax Tree (AST) to automatically detect the "destructive wrapping" anti-pattern in exception handling — an issue that silently destroys stack traces critical for debugging and security investigations.
Published open-source tool that helps teams maintain proper audit trails and improve code reliability at scale.
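What the anti-pattern looks like and how a checker recognizes it, as an added example that is not the author's published tool: a catch block that throws a new exception without passing the caught one as its cause discards the original stack trace. The checker below is a simplified textual approximation of the AST walk (catch blocks are located by brace matching rather than by a Java parser), and the `ConfigLoader` sample it runs over is constructed Java source that places the destructive form next to the correct, chained form.

```python
"""Detect "destructive wrapping" in Java catch blocks.

Added example, not the page's tool. A throw of a new exception inside a
catch block is flagged unless the caught variable is passed as a bare
constructor argument (the cause) or attached via initCause/addSuppressed.
Copying e.getMessage() into the new message is still flagged: the message
survives but the stack trace does not.
"""
import re

# Constructed sample: two destructive catch blocks and one correct one.
SAMPLE_JAVA = """\
class ConfigLoader {
    Config load(Path p) {
        try {
            return parse(p);
        } catch (IOException e) {
            // Destructive: the original exception and its stack trace are gone.
            throw new ConfigException("failed to load " + p);
        }
    }

    Config loadWithMessage(Path p) {
        try {
            return parse(p);
        } catch (IOException | ParseException ex) {
            // Still destructive: only the message survives, not the trace.
            throw new ConfigException("failed: " + ex.getMessage());
        }
    }

    Config loadChained(Path p) {
        try {
            return parse(p);
        } catch (IOException e) {
            // Correct: the cause is chained, so the stack trace survives.
            throw new ConfigException("failed to load " + p, e);
        }
    }
}
"""

CATCH_RE = re.compile(r"\bcatch\s*\(\s*([\w.<>|\s]+?)\s+(\w+)\s*\)\s*\{")
THROW_RE = re.compile(r"\bthrow\s+new\s+[\w.]+\s*\(([^;]*)\)\s*;")


def _block_body(src, open_idx):
    """Return the text between the brace at src[open_idx] and its match."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def _top_level_args(args):
    """Split a constructor argument list on commas outside any parentheses."""
    out, cur, depth = [], [], 0
    for ch in args:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur).strip())
    return out


def find_destructive_wrapping(java_src):
    """Return [{line, caught, thrown}] for every throw that drops the cause."""
    findings = []
    for m in CATCH_RE.finditer(java_src):
        var = m.group(2)
        open_idx = m.end() - 1
        body = _block_body(java_src, open_idx)
        # initCause(e) / addSuppressed(e) anywhere in the block keeps the trace.
        if re.search(rf"\.(initCause|addSuppressed)\s*\(\s*{re.escape(var)}\s*\)", body):
            continue
        for t in THROW_RE.finditer(body):
            if var in _top_level_args(t.group(1)):
                continue  # caught exception passed as the cause: fine
            line = java_src.count("\n", 0, open_idx + 1 + t.start()) + 1
            findings.append({"line": line, "caught": var, "thrown": t.group(0).strip()})
    return findings


if __name__ == "__main__":
    for f in find_destructive_wrapping(SAMPLE_JAVA):
        print(f"line {f['line']}: caught '{f['caught']}' but cause dropped: {f['thrown']}")
```

The fix in every flagged case is the chained form, `new ConfigException(msg, e)`; a real AST-based checker also resolves the constructor that is called, so it can tell a `(String, Throwable)` overload from one that merely takes a `Throwable`-typed value as data, something this textual version cannot do.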
Designed and shipped a web-based IP and hash reputation lookup service plus supporting automation. Previously, threat investigations took over eight hours of manual effort.
Reduced average investigation time from 8+ hours to real-time, enabling the SOC to scale without adding headcount.
Led a global team supporting mission-critical airport systems. Owned security, performance, and 24/7 availability for 10+ core aviation platforms serving international stakeholders.
Provided 24/7 production support for critical business systems while managing endpoint security, system administration, and access controls across the organization.
Designed and built a Java-based information system that automated mobile billing for 2,000+ employees, reducing processing time from several weeks to real-time.
Performed network testing, troubleshooting, and maintenance while maintaining detailed documentation and network diagrams for compliance and operational reliability.
Security only works when it enables teams instead of blocking them. My focus is always on high-signal automation and clear communication.
Threat modeling, manual penetration testing (Burp Suite), secure code review, and applying the OWASP Web Security Testing Guide.
Building internal tools that eliminate repetitive work — reachability analysis, reputation services, and custom static analyzers.
Embedding SAST/DAST/SCA into CI/CD with meaningful gates, WAF management, and infrastructure-as-code security reviews.
Securing Kubernetes workloads, container image scanning, and applying security-as-code principles across AWS and GCP environments.
Prioritizing findings with reachability and context, driving remediation, and producing clear risk narratives for engineering and leadership.
Mentoring engineers, creating secure coding standards, and building a culture where security is a shared responsibility rather than a gate.
A focused set of technical skills drawn from hands-on work across software development, application security, and cybersecurity operations.
I occasionally write about real-world AppSec challenges, building effective security automation, and what actually works when embedding security into fast-moving teams.
More long-form writing coming soon.
I prepare a focused resume and talking points for each opportunity. If you're building a security team or looking for someone who can both find problems and help fix them at scale, I'd love to hear from you.