Thanks for visiting. I am an Information Security professional (CISSP, CSSLP) with 20 years' experience in information technology. That covers a lot of ground — programming, building infrastructure, building and working projects, supporting mergers and acquisitions, working real-time on the front lines of high-traffic Internet-facing application infrastructure, performing risk assessments in Hong Kong, India, Mexico, Chile, and the U.S., and increasingly, threat assessments and abuse cases, creating tools and templates to support others performing risk assessments, writing and presenting content to raise security awareness, supporting management decision-making, and providing information security leadership while enabling business expansion globally, market share growth, increasing revenues & expense control, protecting the brand & share price, managing enterprise risk, and innovating to increase shareholder value and equity. I have had the opportunity to work in a number of different industries, using a range of programming languages, on a broad spectrum of platforms and products, and with a wide range of businesses, customers, and partners. I have been lucky enough to work with some excellent, even brilliant individuals over the years.
I currently work in the financial services sector, engaged in:
- Performing static code security analysis (using HP Fortify, Veracode, & lots of utilities, along with lots of energy & human review — using tools to help identify interesting code);
- Delivering on-demand secure software practices & guidance resources in a range of languages & development environments;
- Integrating secure software processes & tooling into continuous integration & agile environments for both new and in-flight efforts;
- Performing abbreviated application vulnerability assessments against deployed applications once in a while.
And over the last decade:
- Direct support of enterprise CISO in a global diversified financial services corporation;
- Technology and infrastructure operations risk assessment and risk management;
- Application security consulting (Java, .NET, C++, C) in traditional app server environments as well as mobile device platforms and cloud hosting;
- Participate in curriculum development to enhance software security;
- Create and present formal courses and one-off presentations on a range of secure application development topics, to various audiences from line-of-business CIOs to hands-on coders;
- Application life-cycle risk management, including on-demand security code review and application vulnerability assessments;
- New business risk assessment support;
- On-demand perimeter and cloud integration risk management problem-solving;
- Off-shore development and operations risk management support;
- On-site and remote subsidiary risk assessments (North America, South Asia, Asia Pacific, and Latin America);
- Shared data center risk management.
The thoughts and opinions expressed in this blog are my own, or are referenced to their source. Nothing I write in this blog represents the views or practices of my employer.
Feel free to send me a note if you wish: mccright at completosec.com.