Experience Highlights
With the new Model Context Protocol creating significant buzz in the AI space, our leadership wanted to innovate quickly but responsibly.
The challenge was balancing this desire with our core commitment to security and customer privacy. I stepped in to bridge that gap. I analyzed the protocol's early real-world vulnerabilities against the latest academic research. From this, I developed a practical security guide that gave our product and engineering teams the clear best practices they needed to build new products confidently and securely.
When product security raised concerns about our core IAM product, I was brought in as the senior technical resource to join the threat modeling process.
My strong software and cloud background was needed to validate the concerns and find an efficient path forward. The challenge quickly grew: the IAM product was brought into scope for ISO 27001 certification just as we also needed to enable third-party identity federation (SSO) to support sales. I served as the central technical expert for my BISO team within this complex, multi-stakeholder effort. This required a rapid, deep dive into OIDC, SAML, and OAuth 2.0, working closely with external consultants to perform in-depth control reviews. I helped navigate the competing priorities of compliance, security, and business needs, ensuring we delivered the critical SSO capabilities that allowed sales to onboard large clients while successfully moving toward our certification.
Serving in key partnership roles like Product Line Anchor for Ford Pro's cybersecurity (akin to a Deputy BISO) and Product Anchor for a technical product group, I support two major business units (Ford Pro and FCSD).
Our large team operates globally from the US and Asia Pacific on a "sun never sets" model. This role extends beyond typical AppSec; we educate, advise, and partner with teams to drive key DevSecOps initiatives. This includes helping teams prioritize SCA findings to achieve automated dependency updates, partnering on JFrog Curation and container scanning rollouts, integrating DAST, reducing SAST false positives, and remediating code secrets. My teams also solve complex cloud security problems related to WAFs, load balancers, and proxies, acting as problem-solvers who partner with SMEs across the business.
Projects & Demonstrations
A hands-on walk-through of identifying security threats on a sample E-Commerce API using the STRIDE framework.
View the Case Study

A tool to generate tailored security checklists for various project types and technologies, helping to standardize security posture.
Use the Generator

An interactive tool to decode and verify JSON Web Tokens (JWTs) securely in your browser.
Try the JWT Decoder

A hands-on demonstration of browser fingerprinting techniques, explaining how they are used for fraud and bot detection.
View the Demo

An interactive tool to compare CVSS severity with EPSS exploitability, helping prioritize vulnerabilities.
Try the Comparator

A tool for decoding the complex model codes (MODCATs) used by Paul Reed Smith Guitars.
Try the Decoder

A live dashboard that pulls the latest CVEs from the NVD API to visualize the current threat landscape.
View Dashboard

A practical guide on investigating SAST findings, using statistical analysis and file path context to triage alerts at scale.
Read the Guide

A hands-on guide to common cloud security pitfalls. Click a component in the diagram to analyze a potential misconfiguration.
Explore the Diagram