Lead Cloud Security Engineer


May 2019 – Present Herndon, Virginia

Projects include:

  • AWS IAM Automation:
    1. Develop a Python package that automates the creation of AWS IAM policies from access levels and ARNs specified in a YAML file.
    2. Ensure that this automation sufficiently abstracts the complexity of creating least-privilege IAM policies.
  • Open Policy Agent Framework for AWS:
    1. Develop an Open Policy Agent standard library to evaluate Terraform plans.
    2. Work with teams to ensure that this framework is executed on developer machines as a pre-commit script, at Git PR time, at Jenkins CI testing time, and Spinnaker deploy time.
  • Golden Image reference architecture: Work with Compliance, Operations, and Threat/Vulnerability Management (TVM) teams to:
    1. Evaluate current compliance status of CentOS and Amazon Linux 2 Golden Images,
    2. Implement or enhance security hardening controls to uplift Golden Images to compliance expectations,
    3. Build a Jenkins Shared Library for OS Image testing,
    4. Work with TVM to identify exclusion profiles across Dev/UAT/Prod, and
    5. Improve automation and verification performance levels to confidently enforce these standards as a security gate before deployment to production.

Responsibilities include:

  • Security Automation:
    • Discover, define, and drive security automation projects
    • Develop working technical proofs of concept to help teams envision end-state integration
    • Evangelize security automation initiatives
  • Security Architecture:
    • Perform security architecture, design, and component reviews for Salesforce infrastructure
    • Provide security guidance and oversight to engineering and operational teams by participating in design reviews and threat modeling
  • Security Research:
    • Research new security technologies and build new tools to make everyone's lives easier
  • Document and communicate discovered issues; work with teams to resolve them in a manner which improves security and encourages agility


  • Terraform, Packer
  • Python
  • Open Policy Agent
  • Golang
  • Spinnaker
  • Jenkins

Interim Cloud Security Practice Lead

Synopsys Software Integrity Group

Aug 2018 – May 2019 Dulles, Virginia

After the previous practice lead left the company, served as Interim Practice Lead from August 2018 to May 2019. Leadership accomplishments as interim practice lead include:

  • Drove internal training efforts to increase team from 7 consultants to 22.
  • Delivered presentations to small groups of executive decision makers as well as 100+ client managers on several occasions to drive team goals.
  • Attained approval from internal decision makers for 3-month Infrastructure as Code development project, Cloud Maturity Action Plan efforts, and improvements to internal training agenda.
  • Trained 22 consultants in AWS Landing Zone in preparation for customizing client Landing Zones.
  • Increased revenue from $1 million in 2017 to $3 million during first quarter of leadership (Q4 2018).

Top Project: Automating Continuous Security Testing

Developed Infrastructure-as-Code blueprint that provides clients with code to repeatably deploy testing infrastructure for individual teams. Allows clients to start automating their continuous security testing within 30 days. Deliverables included:

  • Automated Application Security Testing Library: Carefully engineered Jenkins Shared Library that performs various AppSec activities (DAST, SAST, SCA, report delivery, automated issue tracking, metrics aggregation).
  • Built-in tool integrations: Supports BlackDuck, Coverity, Checkmarx, Seeker, Contrast, Fortify, and open source tools out of the box.
  • Reusable infrastructure stack: deploy Jenkins CI Server and supporting infrastructure, so clients can redeploy this blueprint as often as they want.
  • Automated Reporting and Issue Tracking: JIRA and SonarQube Integration
  • Documentation and Training: materials to support client adoption of the blueprint and train consultants in delivery

Senior Security Consultant

Synopsys Software Integrity Group

Nov 2017 – May 2019 Dulles, Virginia

Responsibilities include:

  • Co-Lead of Cloud Security Consulting Practice
  • Developing Secure Infrastructure as Code for clients
  • Deploying CI/CD Pipelines in AWS for Secure Image builds and AppSec testing (SAST, DAST, IAST, etc.)

Developed expertise in the following technologies:

  • Terraform
  • Packer
  • Ansible
  • HashiCorp Vault
  • AWS, Azure

Other activities:


Security Consultant

Synopsys Software Integrity Group

Sep 2015 – Oct 2017 Dulles, Virginia

Responsibilities include:

  • Manual Web Application Security Testing
  • Threat Modeling
  • Architecture Risk Analysis
  • Team lead for Microsoft Azure Security consulting team

Security Consultant

Sirius Business Systems

Sep 2014 – Sep 2015 McLean, Virginia

Responsibilities include:

  • Worked with small business clients to write and implement new security policies.
  • Performed security audits and penetration testing to evaluate initial security posture.