Root Cause


I am currently a staff security engineer at Square in NYC where I am building security things for millions of people.

Before joining Square I was Director of Penetration Testing and Red team at Yahoo in NYC. Where I ran a team responsible for performing penetration testing, and vulnerability research in both proprietary and open source software. While at Yahoo I also developed and published the Yahoo security vulnerability disclosure policy and worked closely with industry peers to respond to the Wassenaar Intrusion Software export controls. Part of this response included personally briefing representative Will Hurd and John Ratcliffe on the dangers of these regulations for tech companies and the United States.

I founded Leaf Security Research in 2011, a boutique consulting service backed by custom security research. Our services included source code audits, penetration testing, reverse engineering, and training. We performed security audits for many customers with a real world focus and the goal of helping them improve the security of increasingly complex software. While running Leaf SR I developed a unique training course titled “Advanced C/C++ Source Code Analysis” which I delivered to private customers and multiple sold out Black Hat USA classes. Leaf SR was acquired by Yahoo in 2014.

Prior to founding Leaf SR I was a Principal Security Consultant at Matasano Security in NYC. While at Matasano I had the opportunity to do hands on technical security consulting projects for many different types of businesses.

I started my career in 2003 supporting the US Army CERDEC in the Information Assurance Division.

My technical background centers around vulnerability research and exploit development. My experience includes source code audits, reverse engineering and fuzzing on targets ranging from desktop applications, embedded game consoles, mobile devices to smart meters. My non-technical experience includes people management, principal consultant and mentor, managing customer relationships, launching internal research initiatives, and founder.

I've been a full time developer where I wrote code for intrusion detection and prevention software on the OpenBSD operating system. Part of this work required modifying the kernel pf subsystem to do inline packet hooking from user space long before it was officially supported.

I've been invited to give talks on the topic of software security and past research that I've published. I've guest lectured at NYU Poly in Brooklyn NY and I've been published in IEEE ‘Security and Privacy’ magazine. I also sit on the Black Hat content review board.

Modern Memory Safety in C/C++ - Open Source Training Slides

Published Conference Talks

Effective Memory Safety Mitigations - Qualcomm Mobile Security Summit May 2018
Offense at Scale - BSides NOLA Keynote 2015, Empire Hacking
Google Native Client - Analysis Of A Secure Browser Plugin Sandbox Black Hat USA 2012
Attacking Client Side JIT Compilers Black Hat USA 2011
Ruby For Pentesters Black Hat USA 2009
Reverse Engineering With Leaf (2008 CarolinaCon)

Public Vulnerability Research

Bro IDS Multiple BinPac Out Of Bounds Read CVE-2014-9586
Suricata DCERPC Out Of Bounds Read/Write (2.0.7)
Firefox 3.6/4.0.1 Array.reduceRight Info Leak / Remote Code Execution (mfsa2011-22)

Firefox 3.6.9 Frameset Parsing Heap Overflow (mfsa2010-50)

Internet Explorer 8 HTML Element Memory Corruption (MS10-035)

Internet Explorer 8 Uninitialized Memory Corruption (MS10-035)

Chrome 8, Safari 5 Webkit CSS Font Face Parsing Type Confusion Info Leak (CVE-2010-4577)

Google Native Client Security Contest 2nd Place
Opera 9.5 FTP URI Parsing Heap Overflow (Opera Bug #901)


Council On Foreign Relations with Micah Zenko (link)
BankInfoSecurity with Mathew Schwartz (link) with Patrick Gray (link)