I started off as a client-server and web application developer and moved into security when the first opportunity presented itself. Since 2001, I have done consulting engagements that included threat modeling, penetration testing and vulnerability assessments, rolling out security programs, PCI DSS and PA-DSS assessments, policies and standards, etc.
During that time, I also had the chance to start the application security consulting practices at two organizations, one of which I co-founded.
One of the characteristics that defines me is that I do not restrict myself to the role I officially hold. In every one of my positions, I have taken on more responsibility than was assigned to my role and delivered. I love coming up with solutions to problems.
My experience includes developing security policies, procedures and processes, performing penetration tests and vulnerability assessments, developing secure coding guidelines and delivering security training, in addition to performing PCI DSS and PA-DSS assessments. I have developed and delivered training courses on finding web application vulnerabilities and building secure web applications. These courses are also delivered online, using software that I designed and built.
I am a Certified Information Systems Auditor (CISA), ex-PCI Qualified Security Assessor (PCI-QSA), ex-Payment Application QSA (PA-QSA) and an IBM Certified Specialist (IBM Rational AppScan).