
Senior Security Advisor at Ernst & Young, LLP
Greater Chicago Area

Self-motivated individual, driven to provide clients with high-quality security assessments. I enjoy researching security related topics and programming tools that allow me to perform my testing more efficiently.
Public Speaking :: DEFCON 15, HITB 2007 Malaysia, ToorCon 9, Black Hat Japan 2007, Black Hat Federal 2008, Black Hat Europe 2008
Certifications :: CISSP, SANS GSEC, SANS GWAS
Languages :: Java, C#, JSF, JSP, ASP.NET, XML, Perl, C/C++, Python.
Databases :: Experience using and attacking a wide variety of DB servers, including MS SQL, MySQL, Oracle, Sybase, etc.
Software :: Visual Studio .NET 2005, Java Sun One Studio, Anjuta, Visual Perl .NET
(Public Company; 501-1000 employees; ZDZ; Online Media industry)
February 2008 — Present (6 months)
I'm one of three bloggers (Larry Dignan and George Ou) that handle the Zero Day Security blog for ZDNet. Here I focus on providing highly technical insight into the latest rumblings in industry and the hacking scene. Originally I was brought on to do guest postings of some of the interesting research I had been involved in and to cover the Black Hat Federal event. After doing a couple of successful stories, former Zero Day blogger Ryan Naraine suggested Larry and George bring me on full time and it's been a lot of fun contributing. The blog gives me a great outlet to talk about my research and all that is new and cool in security, hacking, and technology.
(Partnership; 10,001 or more employees; Computer & Network Security industry)
March 2005 — Present (3 years 5 months)
Served as the engagement manager for the ASC’s largest client. Led a team of 8-12 people with diverse backgrounds and skill sets to provide the highest quality black box web application assessments. Managed budget, resources, quality, client interaction, and schedule for approximately 200 separate engagements this year alone. Developed the relationship with the client to one of trust, mutual growth, and friendship by consistently going above and beyond the client expectations.
Specialized in web application testing and used my diverse programming background to participate in and lead several grey box web application assessments. Discovered thousands of security flaws across a broad spectrum of technologies including Java, .NET, ColdFusion, PHP, CGI, Citrix based applications, and thick client applications. Participated in and led teams that developed several proprietary tools used by the ASC.
(Computer & Network Security industry)
2000 — 2006 (6 years)
(Educational Institution; Myself Only; Computer & Network Security industry)
April 2004 — January 2005 (10 months)
Installed, secured, and maintained a network of various operating systems and services. Hands-on work installing, configuring, and securing Solaris 8/9, Fedora 2, Gentoo Linux, Windows XP, and Windows 2000 machines. Set up and configured a postfix mail server with SpamAssassin. Set up and configured NFS and NIS+ for a network of Solaris 8/9 machines. Set up a ghost server for remote backup and reinstall of Windows XP and Windows 2000 systems. Applied NSA recommended patches for securing Windows XP and Windows 2000. Followed SANS guidelines for hardening Solaris 8/9 and Linux servers. Performed a full-scale penetration test of the network. Created policies and guidelines for keeping the network secure, as well as secure computing for users.
(Educational Institution; Myself Only; Computer Software industry)
April 2003 — January 2005 (1 year 10 months)
Lead Programmer of the ATE Program Evaluation Project, one part of a larger effort to assess the impact and effectiveness of the NSF's Advanced Technological Education program. As Lead Programmer, was responsible for creating a GUI based system, which creates an XML survey description, and an application that translates the XML into web pages and databases to run the survey. Made several key design decisions, and worked closely with the client in order to ensure conformance to specified requirements.
(Partnership; 1-10 employees; Computer & Network Security industry)
July 2002 — July 2003 (1 year 1 month)
Co-founder of Solstice Network Securities, a company created to serve Western Michigan University (WMU) and the surrounding area with computer security advisory services. Performed vulnerability assessment and penetration testing along with detailed design analysis of client networks and applications. Conducted research into bypassing Intrusion Detection Systems. Helped to create a more security aware community at WMU through community projects, including an online security guide, for which we received WMU’s James Sleep Award for the most Outstanding Community Project related to Computer Science.
(Non-Profit; 11-50 employees; Computer Software industry)
September 2001 — April 2003 (1 year 8 months)
Worked with a team of goal-oriented programmers focused on establishing an effective web presence for twenty-seven managed departments. Responsible for developing and maintaining dynamic, database-driven web applications using ASP and SQL Server 2000. Designed, developed, and delivered a database for a web application that saved the WMU Bookstore four weeks worth of manpower. Initiated an effort to improve security and prevent attacks against the company’s two web servers and database server. Created and implemented policies to support security requirements.
Master of Science, Computer Science, Theory and Analysis, 2000 — 2005
A.S., Computer Science, 1998 — 2001
my beautiful girlfriend and her hilarious daughter, blogging, new tech, acoustic guitar, travel, snowboarding, PS3, the beach, great beer
CISSP, SANS GSEC, SANS GWAS, HackInTheBox Malaysia 2007, Black Hat Speakers