I am an engineer-turned-product manager.

I'm currently helping People, HR, and Recruiting teams deliver fair and equitable pay at Assemble. If this sounds like it's up your alley, get in touch.

Before Assemble, I started in the security world. I built product and engineering for the StackRox Kubernetes Security Platform. Before that, I learned about scanning the Internet at Qadium (now called Expanse). There, I developed new techniques to identify exposed network perimeter and exposures within it; we built a business out of our research for DARPA.

And before that, I completed a B.S. and M.S. in Computer Science at Stanford, writing an undergraduate thesis about the realities of cyber threat information sharing schemes at the Center for International Security and Cooperation.

When I wasn't studying, I raced bikes and, for two years, I paid the bills for the Stanford Cycling Team. I tutored computer science (algorithms, programming, theory, and web applications) for the Stanford Athletic Department and am proud of all my athletes.

Writing, speaking, & projects

• BSidesSF '20: What should—and shouldn’t—scare you about Kubernetes and containers

  Talk: Kubernetes and containers change a lot of how apps are built, deployed, and secured… or do they? Let’s cut through the hype and see what’s same-old-same-old versus actually new, then talk about the chance we’ve got to do security better together. An opinionated but lingo-free talk for all levels.

• BSidesSF '20: Using Built-in Kubernetes Controls to Secure Your Applications

  Workshop: This hands-on session covers many of the configurations you can use to make a Kubernetes app more secure. We’ll pick apart the security context together and run deployments with read-only root file systems, non-root users, and limited capabilities. Then we’ll dig into features like network policies and admission control, configs like resource limits, and practices like namespacing and consistent metadata. And, of course, we’ll learn how these help you deliver a more reliable and secure app, and will cover basic infrastructure security practices as well.

• Cloud Native Rejekts NA '19: Get Past the Default Configs: Lessons from the k8s Security Audit

  Presented at the "B-sides of KubeCon" on what every Kubernetes user can do to improve their security with the features we already have.

• CNCF Webinar: Kubernetes Security Controls and Enforcement: Applying Lessons from the K8s Security Audit

  Presented on the CNCF Webinar series about the Kubernetes security audit, especially its often-overlooked advice for individual cluster operators and application developers.

• BrightTALK Panel: Delivering DevSecOps and Achieving Resilience (Black Hat USA 2019)

  Don't let the buzzwordy title or email gate scare you away — this was a genuinely fun and wide-ranging discussion with Jay Beale, David Brumley, and Rick Moy at Black Hat. We talked containers, k8s, fuzzing, security workflows, empathy, and more.

• The Kubernetes Security Audit: 3 Key Takeaways

  My take on the Kubernetes security audit is posted on the StackRox blog — 241 page report –> 3k word blog –> 280 char version: if you're a k8s user, read the findings but spend most of your time on the great advice for securing your clusters and workloads.

• CNCF Webinar: Operationalizing Kubernetes Security Best Practices

  Presented on the CNCF Webinar series about how development, operations, and security teams can collaborate using native Kubernetes security features and immutable infrastructure patterns.

• BSides SF: Containers, Your Ally in Improving Security

  Presented with Connor Gorman (StackRox) at BSides SF 2019 on how to generate and optimize security settings, like read-only root file system, Linux capabilities, and others, for Kubernetes workloads.

• GCP Podcast: Kubernetes Security with StackRox

  Appeared on the Google Cloud Platform Podcast to talk about how to use Kubernetes to implement fine-grained security controls, and how we approach security at StackRox.

• CNCF Blog: 9 Kubernetes Security Best Practices Everyone Must Follow

  Explained some of the most important Kubernetes security features you can activate and practices you can adopt to better secure your Kubernetes clusters and workloads. Posted on the Cloud Native Computing Foundation blog.

• Google Next 2018: Kubernetes Security Threats and Solutions

  Spoke at Google Next 2018 about how financial services and retail customers secure their workloads in Google Kubernetes Engine.

• Corporate blogs

  Every so often, I write blogs and technical content for StackRox, focusing on new features and how you can do container and Kubernetes security right.

Ancient history

• Scalable Security: Cyber Threat Information Sharing in the Internet Age

  Introduced the computational policy analysis technique, which applies insights from computer systems design to public policy analysis. Presented a history of cyber threat information sharing mechanisms in the United States and applied the computational policy analysis technique to argue that existing efforts are poorly suited to deal with today's computer and network security threat environment. An undergraduate honors thesis written at the Stanford Center for International Security and Cooperation, advised by Prof. Martin E. Hellman and Dr. Thomas A. Berson.

• Formal Analysis of Mozilla Persona/BrowserID

  Applied formal analysis techniques to verify security properties of the BrowserID federated authentication protocol. Identified several vulnerabilities against strong adversaries and verified one realistic attack in a laboratory test. A CS259 project with Laza Upatising.

• Malbehave: Classifying Malware by Observed Behavior

  Used behavioral analysis of Android malware to determine significant behaviors that can be used to classify unknown programs as malware. A senior project with graduate student Bryce Cronkite-Ratcliff and research associate Jason Franklin.

• Verifying the Opt-Ack TCP Denial of Service Attack

  Reproduced experiment by Sherwood, Bhattacharjee, & Braud, "Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse" (CCS '05) using Mininet. Demonstrated that the attack did not perform as described under test conditions and showed the feasibility of an effective distributed version of the attack. A CS244 project with Kevin Smith.

• Flotsam: Evaluating Implementations of the Raft Consensus Algorithm

  Presented a prototype system, Flotsam, for detecting errors in open-source implementations of the Raft consensus algorithm by testing them against each other. A CS244B project.

• Information Cascades in Email Forwarding Networks

  Hypothesized and empirically verified in small real-world corpora that email forwarding behavior is correlated with graph-theoretic community saturation. A CS224W project with Aliya Deri.

Get in touch

Send an email (c...@cs.stanford.edu), find me on LinkedIn, or follow me on Twitter.