
Advanced Security Center Manager at Ernst & Young, LLP
Greater Chicago Area

Advanced Security Center Manager at Ernst & Young, LLP
Greater Chicago Area
Self-motivated individual, driven to provide clients with high-quality security assessments. I enjoy researching security related topics and programming tools that allow me to perform my testing more efficiently.
Speaking :: DEFCON 15, HITB 2007 Malaysia, ToorCon 9/Seattle 2007, Black Hat Vegas (2008), Japan (2007/2008), Federal (2008), & Europe (2008), Microsoft BlueHat v7/v8, Chicago OWASP 2008, & Mac C4 2008
Advisories :: SA32177, CVE-2008-3961, CVE-2008-0043, CVE-2007-3896, CVE-2007-4041, CVE-2007-5020, CVE-2007-3924, CVE-2007-3832, CVE-2007-3833, CVE-2007-3670, and Adobe Security Bulletin APSB08-11
Certifications :: CISSP, SANS GSEC, SANS GWAS
(Partnership; 10,001 or more employees; Accounting industry)
March 2005 — Present (4 years 9 months)
Serves in an evangelist role for the Advanced Security Center. Regularly speaks at prestigious conferences on emerging threats discovered through his research. Frequently speaks with clients and advises on security concerns for Fortune 500 clients.
Served as the engagement manager for the ASC’s largest client. Lead a team of 8-12 people with diverse backgrounds and skill sets to provide the highest quality black box web application assessments. Managed budget, resources, quality, client interaction, and schedule for approximately 200 separate engagements. Developed the relationship with the client to one of trust, mutual growth, and friendship by consistently going above and beyond the client expectations.
Specializes in web application and product testing and used diverse programming background to lead several engagements. Discovered thousands of security flaws across a broad spectrum of technologies.
(Public Company; ZDZ; Online Media industry)
February 2008 — December 2008 (11 months)
I'm one of three bloggers (Ryan Naraine and Danho Danchev) that handle the Zero Day Security blog for ZDNet. Here I focus on providing highly technical insight into the latest rumblings in industry and the hacking scene. Originally I was brought on to do guest postings of some of the interesting research I had been involved in and to cover the Black Hat Federal event. After doing a couple of successful stories, Ryan Naraine suggested Larry and George bring me on full time and it's been a lot of fun contributing. The blog gives me a great outlet to talk about my research and all that is new and cool in security, hacking, and technology.
(Computer & Network Security industry)
2000 — 2006 (6 years )
(Educational Institution; Myself Only; Computer & Network Security industry)
April 2004 — January 2005 (10 months)
Installed, Secured, and Maintained a network of various operating systems and services. Hands-on work installing, configuring, and securing Solaris 8/9, Fedora 2, Gentoo Linux, Windows XP, and Windows 2000 machines. Setup and configured a postfix mail server
with SpamAssassin. Setup and configured NFS and NIS+ for a network of Solaris 8/9 machines. Setup a ghost server for remote backup and reinstall of Windows XP and Windows 2000 systems. Applied NSA recommended patches for securing Windows XP and Windows 2000. Followed SANS guidelines for hardening Solaris 8/9 and Linux servers. Performed full-scale penetration test of the network. Created policies and guidelines for keeping the network secure, as well as secure computing for users
(Educational Institution; Myself Only; Computer Software industry)
April 2003 — January 2005 (1 year 10 months)
Lead Programmer of the ATE Program Evaluation Project, one part of a larger effort to assess the impact and effectiveness of the NSF's Advanced Technological Education program. As Lead Programmer, was responsible for creating a GUI based system, which creates an XML survey description, and an application that translates the XML into web pages and databases to run the survey. Made several key design decisions, and worked closely with the client in order to ensure conformance to specified requirements.
(Partnership; 1-10 employees; Computer & Network Security industry)
July 2002 — July 2003 (1 year 1 month)
Co-founder of Solstice Network Securities, a company created to serve Western Michigan University (WMU) and the surrounding area with computer security advisory services. Performed vulnerability assessment and penetration testing along with detailed design analysis of client networks and applications. Conducted research into bypassing Intrusion Detection Systems. Helped to create a more security aware community at WMU thru community projects, including an online security guide, for which we received WMU’s James Sleep Award for the most Outstanding Community Project related to Computer Science.
(Non-Profit; 11-50 employees; Computer Software industry)
September 2001 — April 2003 (1 year 8 months)
Worked with a team of goal-oriented programmers focused on establishing an effective web presence for twenty-seven managed departments. Responsible for developing and maintaining dynamic, database-driven web applications using ASP and SQL Server 2000. Designed, developed, and delivered a database for a web application that saved the WMU Bookstore four weeks worth of manpower. Initiated an effort to improve security and prevent attacks against the company’s two web servers and database server. Created and implemented policies to support security requirements.
Masters of Science , Computer Science, Theory and Analysis , 2000 — 2005
A.S. , Computer Science , 1998 — 2001
my beautiful fiance and our hilarious daughter, blogging, new tech, acoustic guitar, my new Fender Strat, travel, snowboarding, PS3, the beach, great beer
CISSP. SANS GSEC, SANS GWAS, HackInTheBox Malaysia 2007, Black Hat Speakers