Samuel Reed
San Francisco, CA
Updated: 10/23/24
Product & Application Security Professional
Curriculum Vitae Edition
Professional Experience
Staff Security Engineer, Security Team at Pave Inc. (January 2023 - September 2024)
- Joined Pave Inc. as a Staff-level Security Engineer, the third security hire on a Security team that reported into Engineering. The team operated in a fast-paced, dynamic start-up environment, customer focused, with light development processes to deliver product.
- Focused on Application Security, picking up responsibilities for a lightweight and dynamic Application Security program. Program focused on dynamic testing (two annual penetration tests, bug bounty program, and DAST scanning) and static analysis (Snyk Code and Semgrep in CI/CD). Program management and logistics for penetration testers and hundreds of bug bounty hunters. Security reviews, light threat modeling, and application security reviews on request through a lightweight RFC process.
- Developed an automated solution for minting penetration testing companies on Airplane before migration to Windmill. Scripts took existing work from our partner Platform team and completed more steps for creating a consistent test environment for testers. Sped up the company creation process from days to less than an hour. Created fake HRIS and matching cap table data to create fake employees with realistic compensation to allow testers to experience all features driven by a rich data set. This provided a reproducible environment between testers and the security team for testing new features and empirical issue reproduction.
- Managed the penetration testing engagements and bug bounty program: reviewed issues, drove fixes, and handled external communications. Migrated from one bug bounty program vendor to a new vendor during this time.
- Internal penetration testing for product features and package releases, notably the Foundations product release.
- Cross-engineering-pod interviews to develop an architecture overview for use in security testing, onboarding new employees, and establishing components with security priorities for further review.
- Lightweight vulnerability archeology as needed to collate all historical issues, track their details, and identify the company's own unique issues and company-specific top 10 issues.
- Developed recorded security training on a variety of topics: secure design principles, timing attacks in Node.js, IDOR attacks, semgrep usage, demonstrations of vulnerabilities, and feature setup procedures for configuring pentest companies.
- Developed Security Awareness Month 2023 CTF challenge, consisting of a target server with seven pertinent challenges based on the year's findings and backed by a CTFd administration server.
- Partnered with coworkers to work on shared projects such as shared security severity scales, consistent risk analysis, and supporting customer security questionnaires.
- Various lightweight scripts to support testing efforts, configure test accounts for testers, support testers and bug bounty hunters, and look for specific security issues. Semgrep rule development for specific company issues and analysis of OSS rules for introduction into the CI/CD pipeline in blocking mode.
- Ran the Incident Response Tabletop, based on various company-specific issues, and introduced variations on the scenarios presented to test how incident response would change and discover gaps for the retrospective.
- Developed the initial proposal for Content Security Policy, later assisted with consulting on and deployment of a larger, minimally permissive CSP to meet customer requests.
- Guidance on application security logging through the Pave RFC process, outlining challenges to overcome and proposed solutions. Proposed focusing on adapting logs for customer needs first, with a focus on events interesting for customers' SIEM systems.
- Drove for greater communications across engineering teams and security, leading to the monthly security newsletter highlighting what the security team was doing, vulnerability trends, project initiatives, and industry news like major breaches.
- Established SAST baselines and code review burn down to meet SOC 2 requirements.
- Ran a one-off covert physical security penetration test, supporting an external consultancy in their mission to break into the office and steal assets undetected.
- Experienced the tribulations of rewriting GitHub ref history in the context of GitHub's git implementation and dealing with file system case-insensitivity, corrupted branches, and PR history erasure using git-filter-repo.
- Participated in interview panels for Engineering.
- Technologies in use: GCP, Firebase, Node.js, TypeScript, Express, BurpSuite, Snyk Code, semgrep.
- Programming languages reviewed: Node/TypeScript.
- Programming languages used: Node/TypeScript, light Python, light Semgrep rule development.
Staff Security Engineer, Cloud Security Team at MongoDB Inc. (October 2020 - November 2022)
- Joined MongoDB as a Staff Security Engineer on the Cloud Security team, part of the Cloud Engineering organization. The team went from a sole lead already at the company to a three-person team specializing in application security on the day of hire, and we began building out the fundamentals of a security team from this starting point. The team was also in charge of basic detection and response engineering for Cloud application security monitoring, developing basic alerting and responding to Cloud product security issues and customer concerns.
- Strategy consulting on topics from application security program design, incident response program design, trust & safety program design, maturity model measurement against BSIMM and OpenSAMM, and a wide range of other areas based on experiences at other companies.
- Architecture/Security reviews of features and products through Cloud Engineering's Scope/Spec process, influencing design prior to implementation to address security issues.
- Static analysis code reviews to establish baselines with commercial SAST products, and investigations into open source alternatives gosec, semgrep, and CodeQL for Golang. Review of static analysis rules and informed strategy for static analysis roll-outs.
- Penetration testing of authentication systems, and the Atlas, Realm, and Charts products. Triage of issues in our domain of responsibility coming from responsible disclosure and bug bounty sources. Enrichment of third party penetration test results and follow up with engineering to get the best possible fixes in place in accordance with our lower level knowledge of the product.
- Designed and implemented the CSEC vulnerability tracking project to get visibility on trends and patterns. Analyzed all available vulnerability data back to January 2019 to establish origins, status, time to close, and other metadata about vulnerabilities to inform team strategy and approach going forward. Project design was based on previous experiences at Netflix and Credit Karma. Used the in-house Charts product to quickly develop a dashboard pulling vulnerability data cross-fed from JIRA through a MongoDB database. Started the engagement model to reach out to meet with teams and follow up on status in a regular cadence.
- Developed the approach to FedRAMP's Continuous Monitoring (ConMon) requirements for application security concerns, creating a process that was repeatable and documented, providing artifacts for auditors to achieve FedRAMP Ready status in May 2021. Project eventually grew into development of a custom Burp Plugin to navigate custom authentication flows and site navigation to facilitate fully automated scanning.
- Towards the end of tenure, took on Snyk dependency scanning plugin maintenance work and migration of automated security tools into Kanopy, MongoDB's internal tooling deployment system.
- Contributions to the Security Controls project, documenting secure coding practices to eliminate security issues with respect to our own technology stack and custom security libraries.
- Implemented basic Splunk alerts for initial detection and response capabilities based on experiences of a penetration tester. Exercised attack patterns and created the capabilities to capture an attacker performing the same testing of our product.
- Team improvements to process around onboarding, interviewing standards, tracking work on tickets, and more day to day security team tasks.
- Interviewing responsibilities to consider candidates for the team.
- Technologies in use: AWS, MongoDB's cloud products (Atlas, Realm, Charts), BurpSuite, Veracode, Snyk Code, MongoDB.
- Programming languages reviewed: Java and Golang.
- Programming languages used: light Java for spot fixes and expanding the in-house encryption libraries, Python.
Director, Security Engineering (Application Security) at Credit Karma Inc. (January 2019 - February 2020)
- Joined Credit Karma as the Director of Application Security. Leader of the team through the launching of the Savings Account product offering, Noddle re-brand, and the UK environment launch.
- Hired the team up to 14 individual contributors (ICs) and 1 manager from a team of 6 ICs. Established AppSec presence in North Carolina and UK offices.
- Process engineering and refinement for various team responsibilities: tracking of vulnerabilities, onboarding, recruiting, and engineering team accountability.
- Established the real-time AppSec Metrics Dashboard Project to unify the results of the team's work and raise visibility of engineering vulnerabilities. The dashboard identified teams to target for bug burn downs, third party library vulnerability scanner integration, and training gaps.
- Partnered with Platform Security and Cyber (Network/Cloud) Security teams to form the Security Design Review Group (SDRG), performing panel based architecture reviews of new features and new microservices. Based on office hours, the SDRG reduced meetings of potentially three or more different one-hour meetings with teams down to a single meeting with all representatives in attendance. Refinement further pushed one-hour sessions to 30 minutes.
- Mentoring and establishment of a structured onboarding process to guide new Application Security hires through the process of becoming proficient in CK's architecture and technologies. Education was developed in order to prepare AppSec engineers to assume the responsibilities of Security Design Review Group advisors. Created new title ladders with clear development goals to track AppSec engineer growth and promotion targets.
- Formulated the AppSec Engagement Model to guide AppSec engineers to engage on a regular basis with teams, drive down vulnerability counts through greater transparency, and inform them of new initiatives and solutions for their specific technology stacks.
- Started Project Insight to develop custom static analysis support tooling to perform scanning in a scalable manner across all code bases. Framework supported scripts to hunt CK-specific issues and common misconfigurations, while also running common open source security tools like FindBugs and FindSecBugs.
- Represented Application Security in product security investigations and incidents.
- Management Responsibilities: Hiring, Promotions, 9Box, 1on1s, Monthly Functional Reviews (MFRs), Objectives and Key Results (OKRs), Risk Register updates, procurement, and cross-organization communication.
- Technologies in use: Microservice Architectures, Google Cloud, TypeScript, Scala, Java, PHP, GraphQL, and Thrift.
Founder & Principal Security Consultant at Vallation Security™, Inc. (December 2015 - December 2018)
- Founded Vallation Security, Inc., a consultancy that provides application security services such as penetration testing, code review, architecture reviews, and application security program strategy.
- Provided expertise in product and application security as a Principal Security Consultant.
- Designed secure architectures for customers to achieve specialized purposes such as secure storage solutions in the AWS cloud.
- Penetration testing and white paper development to provide a trusted third party perspective on customers' products. Testing included follow-up engagements to assess fixes and track customer investment in product security. Produced white papers for customers of Vallation to have a third party assessment of the customer's security posture.
- Created specialized briefings on security topics for customers covering modern cryptography, secure design principles, and cloud security best practices.
- Navigated the incorporation process to establish an S-Corporation in California.
- Responsibility for corporate compliance with state and federal requirements.
- Management of outsourced services for the purposes of accounting, quarterly/yearly taxes, and legal matters.
- Understanding of contemporary trademark concerns. Experienced the trademark process.
- Developed customer relationships and customized contracting agreements per customer needs.
- Public speaking at OWASP Portland December 2017 on the topic of IaaS cloud security principles.
- Programming Languages Reviewed: Java, PHP, Golang, Ruby, and C.
- Programming Languages Used: Java, Python.
Engineering Manager, Security Intelligence & Response at Netflix, Inc. (November 2014 - August 2015)
- Promoted to Manager to lead the team responsible for security intelligence, investigations, and incident response. Based approach on the gap analysis performed while working in the previous application security role with Netflix.
- Security Intelligence: Initial team investments to identify current and potential attackers using OSINT methods on the dark web. Information collected from investigations and intelligence efforts was enriched by various public and commercial threat feeds. Partnership in the Facebook Threat Exchange for sharing threat intelligence.
- Investigations: Various investigatory services for incidents and partner teams requiring digital forensics, assistance with legal inquiries, and security subject matter expertise.
- Incident Response: Adopted a mixture of industry practices for incident response (NIST 800-61) and practical solutions established by the internal Crisis Management team. Procedures were based on an on-call rotation, incident handlers coordinating war-rooms to guide stakeholders through to recovery, and a post-mortem process to identify lessons learned.
- Standardized company run-books for major security incidents ranging from PCI breaches to customer data exposure. Drove for transparency and familiarity with the procedures by establishing regular cyclical tabletops with partner teams.
- Team handled incidents ranging from compromised content producers, vendor breaches that impacted employees, internet-scale vulnerabilities, targeted employee phishing, and customer account takeovers (ATO).
- Management responsibilities within the Netflix culture: heavy recruiting focus, internal team and cross team communication via regular 1 on 1 meetings, and providing context rather than control over team activities.
Senior Application Security Engineer at Netflix, Inc. (December 2012 - October 2014)
- Joined Netflix's Cloud Security team as the first dedicated application security engineer. Responsible for devising approaches to security that aligned with the company's "Freedom & Responsibility" culture, which advocates individual developer freedom over process and ship gates. Higher emphasis on developing automated solutions, monitoring, and Security Operations over traditional SDLC oriented activities.
- Developed tools and capabilities for developers to own the security of their code. Examples include static analysis solutions based on FindBugs and graudit, in addition to driving adoption of OWASP's Encoder and Sanitizer libraries.
- Developed training for developers: using proxies (Burp & ZAP), usage of the OWASP libraries, and secure development practices for Node.js. Managed the engagement between Netflix and a consultancy to provide custom classroom training on Node.js.
- Code reviews and penetration tests of properties involved in the core customer experience, the digital supply chain, and other edge facing properties.
- Initial design and requirements of a cloud based vulnerability scanning framework known as Monterey (Patent 20150040229), prior to its redesign to be AWS focused. Subsequently programmed plugins for this framework, in particular, the output handling pipeline that aggregated results into Threadfix.
- Refined the existing Responsible Disclosure Program and guided it through its growth, in particular the procedures for handling reports, communication strategies, procedures, and updates to the disclosure policy.
- Established the practice of tracking both internal and external vulnerabilities. Developed and delivered key security metrics: vulnerability types, attack surface, vulnerability owners, mappings to the OWASP Top Ten, remediation times, open bug counts and trends, externally reported vulns Q/Q & Y/Y, and top reporters in the responsible disclosure program.
- Provided secure coding guidelines for PCI compliance and procedures for OSS releases, including methods to prevent the accidental release of sensitive information in Netflix's OSS releases. Implemented an automated scan of Netflix OSS to canary on sensitive data being checked into public repositories.
- Analyzed base AMIs in use and recommended kernel and networking stack hardening changes to influence all of Netflix's deployed instances and drive towards a more secure cloud.
- Developed "Deep Dive" brown bag presentations for internal knowledge transfers on various topics. Organized the company-wide Sixth Annual Security Summit.
- Performed coordination and investigations for various high-impact security incidents, both external (Heartbleed, GMail Breach, Shellshock) and internal (customer and attacker investigations, public API abuse, credential dumps, security mechanism outages). Developed the second incarnation of Netflix's incident response documentation from its original state to satisfy compliance regulations.
- Performed a cross-organization incident response gap analysis to identify what a centralized incident response team would need to cover when established.
- Attended Mandiant's Malware Reverse Analysis course, covering reverse engineering malware with tools such as IDA Pro, OllyDbg, and malware safe handling techniques.
- Programming languages reviewed: Java, Node.js, and light C.
- Programming languages used: Python.
Application Security Architect at Zynga, Inc. (July 2012 - November 2012)
- Promoted to Architect, which involved working on larger cross-business unit initiatives and projects while continuing to perform the duties of a Principal Application Security Engineer.
- Developed a new custom Security Development Life-cycle (SDL) for the Application Security team to address the growing needs of the business and the challenges of becoming a large platform for third party and first party games.
- Drove the initiative to secure the arbitrary image upload architecture by identifying security risks and mitigations. The system was based on metadata stripping/storage, PhotoDNA integration, image indexing for later deletion, and destructive transcoding to mitigate the risks of privacy leaks, illegal content, and malicious data.
- Received the Zynga Atlas Hero Award for Q3 2012.
Principal Application Security Engineer at Zynga, Inc. (July 2011 - July 2012)
- Performed architecture and security reviews for the key Zynga business initiatives: the Zynga.Com site, the underlying Zynga APIs that extend game features to first-party and third-party games, the developer portal for developers on Zynga.Com, various aspects of mobile authentication, payment systems, correct use of cryptography and resilience to cryptanalytic attacks, and the underlying system behind the GameStorage API and its fraud/cheat detection. Responsibilities included embedding in teams, developer assistance, threat modeling, and cross-company team interaction to ensure security is designed into Zynga's products and culture.
- Extensive knowledge behind trends in game fraud and its overlap into payments fraud.
- Code review and penetration tests for various Zynga franchises on Facebook and Mobile platforms.
- Provided expertise in both iOS security and Android security.
- Updated application security and mobile security training decks with the latest developments in the security industry and delivered in-person training to remote and international offices.
- Coded prototype Ruby applications to perform automated vulnerability scanning of source code based on both open source vulnerability lists and a known set of targeted "cut-and-paste"/code-forking vulnerabilities in internally developed core libraries.
- Programming languages reviewed: ActionScript 3.0, Java, PHP, Objective C, and Ruby.
- Programming languages used: Ruby, light Java, and PHP fixes.
Security Consultant at iSEC Partners, Inc. (January 2010 - July 2011)
iSEC was acquired by NCC Group in 2010
- Penetration tests for a diverse set of software products ranging from web applications, online games, payment systems, financial transaction systems, statistics tracking, messaging systems, online marketplaces, content management systems, email integrations, conferencing solutions, HR systems, financial systems, thick clients, cloud-based applications, firewall products, virtualization products, mobile payment applications, etc.
- Lead role in the majority of the reviews performed, responsible for delivering the status reports, the creation and readout of the final deliverable, managing customer expectations, organizing penetration tester logistics, post-engagement Q&A, and any crisis that should arise during the engagement.
- Performed multiple source code reviews to identify vulnerability classes such as, but not limited to, buffer overflows, SQL injection, access-control related vulnerabilities, and business logic flaws.
- Architecture reviews for cutting-edge security mechanisms, secure architecture alterations, non-traditional authentication and password recovery workflows, web application and back end integration, etc. Capable of identifying gradients of solutions to address existing architecture with its own unique set of constraints in addition to guidance on completely new systems.
- Security reviews of payment processing systems and in-application purchases on Facebook and Mobile devices. Reviewed libraries calling out to payment processor APIs, middle-business software between the merchant and processor to deliver financial services, logging and transaction database security, verification of fraud detection capabilities and their resilience against smurfing, credit card and refund abuse such as non-referenced credits, purchasing race conditions, and the secure storage of financial data on mobile devices using platform security mechanisms.
- Mobile application security reviews for Android, iPhone, and iPad devices to identify security issues related to privacy, access control, Android intents, Android activities, and iOS foibles. Experience both with the Android emulator and with remote debugging tools.
- Programming languages reviewed: PHP, Ruby, Java, C, C++, Objective C, ActionScript, and Bash/Shell scripts.
- Programming languages used: light Python scripting to write simple tools for use in penetration testing and to meet a customer request for a tool to improve the quality of Skipfish scans.
Security Researcher at Adobe Systems, Inc. (August 2007 - January 2010)
- Worked on the Adobe Secure Software Engineering Team (ASSET), responsible for providing domain expertise in security and supporting all the product teams throughout Adobe to secure their products.
- Intimate knowledge of security best practices, secure coding, testing methodologies, and the Secure Development Lifecycle (SDL).
- Devised a custom SDL for Adobe based on existing processes, gaps, and risk; developed the process flow based on priority, domain knowledge, feature sets, and the outcome of a self-guided questionnaire for development teams to complete.
- Created threat models for a vast array of shipped Adobe products and technologies, especially as the researcher responsible for Creative Suite 4 Master Collection, by interviewing developers and reviewing design specifications.
- Designed and implemented a general purpose tool in Java to sign arbitrary data which was adopted to sign product updates shipped via the Adobe Update Manager (AUM).
- Responsible as the sole engineer for company wide support of security tools for static analysis, code signing, and web application penetration testing for engineering teams.
- Created recorded modules for company wide security training program on the topics of cryptography, privacy and personally identifiable information (PII), AIR security, and buffer overflow demonstrations using Metasploit 3.0.
- Audited web applications by performing both manual and automated penetration tests to find web vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, weak cryptography, poor authentication, etc. Knowledge of network testing methodologies and tools such as AppScan, Nessus, nmap, Charles, Burp Proxy, and WebScarab.
- Programming languages reviewed: C/C++, Java, JavaScript, ActionScript 2.0 and ActionScript 3.0.
- Programming languages used: Java and JavaScript.
Software Engineer at LynuxWorks, Inc. (September 2005 - June 2007)
LynuxWorks was rebranded Lynx Software Technologies in 2014
- Hired as a software engineer and member of the security program for hardening the in-house real time embedded operating system LynxOS-SE before transitioning to the kernel team to achieve a Common Criteria protection profile.
- Performed static analysis code reviews for security vulnerabilities such as buffer overflows, stack overflows, integer overflows, race conditions in POSIX threads code, path traversal attacks, and format string vulnerabilities.
- Designed subsystems for the in house real-time embedded operating system LynxOS-SE intended to achieve the Common Criteria EAL 4+ Certification, adhering to the Single Level Operating System Protection Profile (SLOPP) requirements for Security Audit, Identification and Authentication, and TOE Access.
- Peer reviewed subsystems designed by coworkers for adherence to Cryptographic Support, User Data Protection, Resource Utilization, and Trusted Path/Channels requirements.
- Validation of commercial off-the-shelf (COTS) software products, ranging from databases to frameworks, on an Application Binary Interface (ABI) layer to support *nix applications.
- Kernel Engineering: Ported BSD license libraries/applications to the OS. Expanded kernel capabilities by writing device drivers and system calls. Added security related auditing and PAM modules by pulling from open source and making modifications as needed.
- Programming languages reviewed: C.
- Programming languages used: C, Perl, Linux shell scripting, and expect.
Education
B.S., Computer Science, Minor: Mathematics, Graduated May 2005
San Jose State University, San Jose, CA
- Focused on Fundamentals and Software Design, with specializations in Information Security, Networking, and Databases.
- Honors Humanities Course Alumni