I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec, I spent 17 years at (now Nokia, then AT&T) Bell Labs doing mostly systems programming. I left Bell Labs as a DMTS in 1996 to become an independent consultant in C++ and Java.

I became involved in the OWASP Enterprise Security API (ESAPI) project in early fall of 2009, and after redesigning and rewriting all the symmetric cryptography related classes, I somehow found myself "elected" as co-project lead of ESAPI in 2011. I also spent from 2000-2007 as an adjunct faculty member on the Franklin University CS staff where I taught Distributed Operating Systems and Computer Security. I recently ended an 8 year stint working on the Wells Fargo Secure Code Review team and have recently left Wells Fargo to join Guaranteed Rate as a Senior Application Security Engineer where I am working on my dream job of working on security libraries in Clojure and teaching developers how to write secure code.

When I am not around code, I wax eloquently on 3-4 page TL;DR discourses that I post on various mailing lists or I hang out with other dinosaur friends at local watering holes discussing AppSec, coding, sports, puns, and quantum physics.