Experienced application, information, and infrastructure security professional who last worked for Principal Financial Group, focused on secure software. I also performed static code security analysis at scale for a range of Principal companies. CISSP/CSSLP
Principal Financial Group (~19 yrs)
https://www.principal.com, also see brand videos: https://www.youtube.com/user/PrincipalFinancial
Title: IT Cyber Security Engineer; Last Role: Secure Software Consultant, Feb 2015 – April 2022 (~7 yrs)
Mission: Enhance brand trust and manage risks by delivering static code security analysis and open source component risk services as well as application life-cycle software risk management consulting and support.
I supported developers in a wide range of contexts. During that 7 year period, I was engaged in:
- Assisting individuals and teams performing architecture risk analysis for Principal companies across the globe;
- Assisting in the building and operating an AWS-hosted static code security analysis service for scanning github.com repositories.
- Assisting in the building and operating an Azure-hosted Fortify stack to service Internet-hosted workloads.
- Assembling & maintaining GitHub Actions integration for Java, NodeJS, & Python source code
- Performing static code security analysis
  - SAST:
    - Fortify on-premise and Internet-hosted stacks (SCA, SSC, ScanCentral client and server)
    - GitHub Advanced Security
    - A spectrum of special purpose utilities
  - Human source code review (on demand and risk-triggered) -- using tools -- to help identify interesting and potentially vulnerable code
  - On-demand SAST and at scale integrated with GitHub hooks, GitHub Actions, Jenkins, Azure DevOps, Bamboo, & Gitlab runners.
  - On-demand one-on-one consulting, training, custom scans, etc.
- Performing open source component risk analysis (WhiteSource -- now mend.io -- on-prem and SaaS).
  - On-demand and at scale integrated with GitHub, Jenkins, Azure DevOps, & Bamboo.
  - On-demand one-on-one consulting, training, custom scans, etc.
- Delivering on-demand secure software practices & guidance resources in a range of languages & development environments
  - Including application security consulting (Java, C# .NET, Python, JavaScript, PHP, Go, PowerShell, C++, and C, along with a microscopic amount of Swift, Objective C, and R in the context of a full range of enterprise frameworks) in traditional app server environments (Websphere, ASP, Weblogic, Tomcat, Drupal) as well as mobile device platforms and cloud hosting; I am a master of none of these languages, but literate enough to understand logic, code and data flow, to identify vulnerabilities and candidate repairs...
- Delivering open source software risk evaluation services (WhiteSource -- now mend.io -- integrated into Jenkins, Bamboo, Azure DevOps, and developer endpoint environments -- also supporting Legal & Purchasing teams with license compliance validation and SBoM evidence);
- Working with teams across the globe to add secure software processes & tooling into continuous integration & agile environments for both new and in-flight efforts;
- Working with others to deliver 'cloud relevant' static code security analysis and open source software risk services in-line for real-time support of pipelines hosted in cloud CI/CD services (Fortify & WhiteSource -- now mend.io -- integrated into Azure DevOps, CircleCI, and other cloud pipeline environments);
- Participating in curriculum development to enhance software security;
- Supporting secure software efforts in off-shore and third party development relationships;
- Building out data to support & enhance corporate risk decision-making. This involves material collaboration with others who consume this data in support of organization-specific metrics and planning.
- Performing some ad hoc application vulnerability assessments against deployed applications;
- Occasional on-demand work with enterprise Incident Review, Analysis, and/or Response team members to assist their efforts.
Technical Engineer & Solutions Architect - Information Security
Dates Employed: Jun 2003 – Mar 2015 (~12 yrs)
- Direct support of enterprise CISO in a global diversified financial services corporation;
- Technology and infrastructure operations risk assessment and risk management;
- Application security consulting (Java, .NET, C++, C) in traditional app server environments as well as mobile device platforms and cloud hosting;
- Participate in curriculum development to enhance software security;
- Create and present formal courses and one-off presentations on a range of secure application development topics, to various audiences from line-of-business CIOs to hands-on coders;
- Application life-cycle risk management, including on-demand security code review and application vulnerability assessments;
- New business risk assessment support (formal, on-site work for the enterprise Merger and Acquisition teams);
- Perimeter risk management problem-solving;
- On-demand incident response support;
- Off-shore development and operations risk management support;
- On-site and remote subsidiary risk assessments (North America, South Asia, Asia Pacific, and Latin America);
- Support for business continuation & disaster recovery planning, engineering, budgeting.
Various Roles (infrastructure, app dev, architecture, and security)
Company Name: Norwest, then Wells Fargo after merger
Dates Employed: 1993 – 2003 (~10 yrs)
Infrastructure Engineer
Company Name: EDS
Dates Employed: 1991 – 1993 (2 yrs)
Worked concurrently on EDS accounts: Meredith Publishing, Neodata, and General Foods. Supported infrastructure, database, and security operations, participating in several projects involving high-volume, real-time environments including manufacturing and transport logistics, publishing, and contract call center and fulfillment.
Additional Details: https://www.linkedin.com/in/mattmccright
Some of My Opinions: https://completosec.wordpress.com/
This page: https://mccright.github.io/mccright/