Root Cause


I am currently the Staff Security Engineer at Square in NYC where I work on mobile and embedded security for millions of people.

Before joining Square I was Director of Penetration Testing and Red team at Yahoo in NYC where I ran a team responsible for executing red team exercises, performing penetration testing, and vulnerability research in both proprietary and open source software. While at Yahoo I also developed and published the Yahoo security vulnerability disclosure policy and worked closely with industry peers to respond to the Wassenaar Intrusion Software export controls. Part of this response included personally briefing representative Will Hurd, and John Ratcliffe on the dangers of these regulations for tech companies and the United States.

I founded Leaf Security Research in 2011, a boutique consulting service backed by custom security research. Our services included source code audits, penetration testing, reverse engineering, and training. We performed security audits for many customers with a real world focus and the goal of helping them improve the security of increasingly complex software. While running Leaf SR I developed a unique training course titled “Advanced C/C++ Source Code Analysis” which I delivered to private customers and multiple sold out Black Hat USA classes. Leaf SR was acquired by Yahoo in 2014.

Prior to founding Leaf SR I was a Principal Security Consultant at Matasano Security in NYC. While at Matasano I had the opportunity to perform many challenging hands on technical security consulting projects for many different types of customers.

I started my career in 2003 supporting the US Army CERDEC in the Information Assurance Division.

My technical background centers around software engineering, vulnerability research, and exploit development. My experience includes source code audits, reverse engineering, and fuzzing on targets ranging from desktop applications, embedded game consoles, mobile devices to smart eletric meters. My non-technical experience includes people management, principal consultant and mentor, managing customer relationships, launching internal research initiatives, and founder.

I've been invited to give talks on the topic of software security and research that I've published. I've been invited to give lectures at the National Security Agency, the US Army, NYU Tandon School of Engineering, and Columbia University. I've been published in IEEE ‘Security and Privacy’ magazine. I've sat on the Black Hat content review board since 2012.

Research and Training Slides
Modern Memory Safety in C/C++ - Open Source Training Slides
Effective Memory Safety Mitigations - Qualcomm Mobile Security Summit May 2018
Offense at Scale - BSides NOLA Keynote 2015, Empire Hacking
Google Native Client - Analysis Of A Secure Browser Plugin Sandbox Black Hat USA 2012
Attacking Client Side JIT Compilers Black Hat USA 2011
Ruby For Pentesters Black Hat USA 2009
Reverse Engineering With Leaf (2008 CarolinaCon)
Varioud old research/slides

Old Public Vulnerability Research
Bro IDS Multiple BinPac Out Of Bounds Read CVE-2014-9586
Suricata DCERPC Out Of Bounds Read/Write (2.0.7)
Firefox 3.6/4.0.1 Array.reduceRight Info Leak / Remote Code Execution (mfsa2011-22)
Firefox 3.6.9 Frameset Parsing Heap Overflow (mfsa2010-50)

Internet Explorer 8 HTML Element Memory Corruption (MS10-035)
Internet Explorer 8 Uninitialized Memory Corruption (MS10-035)

Chrome 8, Safari 5 Webkit CSS Font Face Parsing Type Confusion Info Leak (CVE-2010-4577)
Google Native Client Security Contest 2nd Place
Opera 9.5 FTP URI Parsing Heap Overflow (Opera Bug #901)

Council On Foreign Relations with Micah Zenko (link)
BankInfoSecurity with Mathew Schwartz (link)
Risky Business with Patrick Gray (link)