Staff Information Security Engineer
Illumina, Inc.
San Diego, CA
Apr 2016 - Present
Leading Illumina's Product and Application Security efforts within the Cyber Security team.
- Performing risk assessments on Illumina's cloud services via design reviews, architecture reviews and custom security questionnaires, involving ~100 developers across multiple development teams.
- Performing manual web application penetration tests against Illumina's cloud services. Identified and helped fix several critical bugs in public facing cloud infrastructure and applications.
- Helping developers fix security issues discovered via manual security code reviews and static source code analysis.
- Promoting policies and processes around secure coding, static source code analysis and dynamic application security testing across instrument and cloud product teams.
- Promoting security best practices and providing direction for compliance with standards and regulations like OWASP, NIST, HIPAA and FDA guidelines to cross-functional teams consisting of members from engineering through customer support.
- Designing, developing and maintaining infrastructure for code signing. Developed and maintain an internal online code signing system that integrates with Illumina's CI/CD pipelines for instrument software and allows build agents to sign installers and executables via an authenticated REST API. The system supports signing EXE, MSI, JAR, APK and RPM files and signs 50-100 executables per day.
- Managing Illumina's PKI and HSMs. Maintaining internal and product Root CAs, intermediate CAs, certificate templates and instrument platform keys/certificates used for code signing and ensuring installers/executables are authenticated on instruments.
- Determining and enforcing core OS security requirements for Windows- and Linux-based instruments and application servers, ranging from simple password policies to complex Windows SRP or SELinux configuration.
- Developing scripts and automation for the Cyber Security team's orchestration efforts.
- Performing third-party vendor security assessments.