
Matt McCright

Experienced application, information, and infrastructure security professional last worked for Principal Financial Group focused on secure software. I also performed static code security analysis at scale for a range of Principal companies. CISSP/CSSLP

Experience:

Principal Financial Group (~19 yrs)
https://www.principal.com, also see brand videos: https://www.youtube.com/user/PrincipalFinancial
Title: IT Cyber Security Engineer; Last Role: Secure Software Consultant, Feb 2015 – April 2022 (~7 yrs)
Mission: Enhance brand trust and manage risks by delivering static code security analysis and open source component risk services as well as application life-cycle software risk management consulting and support.
I supported developers in a wide range of contexts. During that 7-year period, I was engaged in:

  • Assisting individuals and teams performing architecture risk analysis for Principal companies across the globe;
  • Assisting in building and operating an AWS-hosted static code security analysis service for scanning github.com repositories.
  • Assisting in building and operating an Azure-hosted Fortify stack to service Internet-hosted workloads.
    • Assembled & maintained GitHub Actions integration for Java, NodeJS, & Python source code
  • Performing static code security analysis
    • SAST:
      • Fortify on-premise and Internet-hosted stacks (SCA, SSC, ScanCentral client and server)
      • Github Advanced Security
      • A spectrum of special purpose utilities
      • Human source code review (on demand and risk-triggered) -- using tools -- to help identify interesting and potentially vulnerable code
    • On-demand SAST and at scale integrated with Github hooks, Github Actions, Jenkins, Azure DevOps, Bamboo, & Gitlab runners.
    • On-demand one-on-one consulting, training, custom scans, etc.
  • Performing open source component risk analysis (WhiteSource -- now mend.io -- on-prem and SaaS).
    • On-demand and at scale integrated with Github, Jenkins, Azure DevOps, Bamboo, & Github.
    • On-demand one-on-one consulting, training, custom scans, etc.
  • Delivering on-demand secure software practices & guidance resources in a range of languages & development environments
    • Including application security consulting (Java, C# .NET, Python, JavaScript, PHP, Go, PowerShell, C++, and C, along with a microscopic amount of Swift, Objective C, and R in the context of a full range of enterprise frameworks) in traditional app server environments (Websphere, ASP, Weblogic, Tomcat, Drupal) as well as mobile device platforms and cloud hosting; I am a master of none of these languages, but literate enough to understand logic, code and data flow, to identify vulnerabilities and candidate repairs...
  • Delivering open source software risk evaluation services (WhiteSource -- now mend.io -- integrated into Jenkins, Bamboo, Azure DevOps, and developer endpoint environments -- also supporting Legal & Purchasing teams with license compliance validation and SBoM evidence);
  • Working with teams across the globe to add secure software processes & tooling into continuous integration & agile environments for both new and in-flight efforts;
  • Working with others to deliver 'cloud relevant' static code security analysis and open source software risk services in-line for real-time support of pipelines hosted in cloud CI/CD services (Fortify & WhiteSource -- now mend.io -- integrated into Azure DevOps, CircleCI, and other cloud pipeline environments);
  • Participating in curriculum development to enhance software security;
  • Supporting secure software efforts in off-shore and third party development relationships;
  • Building out data to support & enhance corporate risk decision-making. This involves material collaboration with others who consume this data in support of organization-specific metrics and planning.
  • As well as performing some ad hoc application vulnerability assessments against deployed applications.
  • Occasional on-demand work with enterprise Incident Review, Analysis, and/or Response team members to assist their efforts.

Technical Engineer & Solutions Architect - Information Security
Dates Employed: Jun 2003 – Mar 2015 (~12 yrs)

  • Direct support of enterprise CISO in a global diversified financial services corporation;
  • Technology and infrastructure operations risk assessment and risk management;
  • Application security consulting (Java, .NET, C++, C) in traditional app server environments as well as mobile device platforms and cloud hosting;
  • Participate in curriculum development to enhance software security;
  • Create and present formal courses and one-off presentations on a range of secure application development topics, to various audiences from line-of-business CIOs to hands-on coders;
  • Application life-cycle risk management, including on-demand security code review and application vulnerability assessments;
  • New business risk assessment support (formal, on-site work for the enterprise Merger and Acquisition teams);
  • Perimeter risk management problem-solving;
  • On-demand incident response support;
  • Off-shore development and operations risk management support;
  • On-site and remote subsidiary risk assessments (North America, South Asia, Asia Pacific, and Latin America);
  • Support for business continuation & disaster recovery planning, engineering, budgeting.

Various Roles (infrastructure, app dev, architecture, and security)
Company Name: Norwest, then Wells Fargo after merger
Dates Employed: 1993 – 2003 (~10 yrs)

Infrastructure Engineer
Company Name: EDS
Dates Employed: 1991 – 1993 (2 yrs)
Worked concurrently on EDS accounts: Meredith Publishing, Neodata, and General Foods. Supported infrastructure, database, and security operations, participating in several projects involving high-volume, real-time environments including manufacturing and transport logistics, publishing, and contract call center and fulfillment.

Additional Details: https://www.linkedin.com/in/mattmccright
Some of My Opinions: https://completosec.wordpress.com/
This page: https://mccright.github.io/mccright/
mccright's Projects

bash-fragments
  Fragments of bash scripts that I find of recurring use. Comments and improvements welcome.

book
  Crypto 101, the introductory book on cryptography.

ccalc
  Command line math expression evaluator - from the original by Steve Hanov: http://stevehanov.ca/blog/?id=26

cchatter
  A peer-to-peer chat app that is serverless, decentralized, and ephemeral - i.e. chitchatter

dotfiles
  dotfiles - personal config files and scripts

ethernet
  Notes to support a Cat-5/Cat-6 wiring project

fortifyapi
  Fortify API is a Python RESTful API client module for Fortify's Software Security Center

fortifystuff
  Resources for work with the Fortify Static Code Security Analysis stack

guid
  PHP 5.3+ Simplistic GUID/UUID generator

kalidockerfile
  My evolving dockerfile for building a light, narrow-purpose Kali Linux container on a Windows 10 endpoint

ls_colors
  A collection of LS_COLORS definitions; needs your contribution!

marprrl
  Recreational Reading Log Slides enabled using marp-cli

pbts12_async_await
  The code for the article Python behind the scenes #12: how async/await works in Python