Jeremy "Jet" Anderson
Writer, Speaker, Hacker, Secure Coder, Architect and Evangelist of #DevSecOps. -- CSSLP, GWAPT and @thatsjet on Twitter
Portland

Hi, I'm Jet! My passion is teaching today's software developers to write secure code as part of modern DevOps pipelines, at speed, and at scale, without missing a beat. I know how to build AppSec programs using all of the SAST, DAST, and SCA flavors of the week for finding, exploiting, and fixing bugs in code, especially the OWASP Top 10. I've been a software engineer for over 20 years and believe that fixing security bugs is better than just finding them. I believe that a perfect AppSec program includes first training, then testing. I'm a creative problem solver with a wealth of experience managing people, processes, and technology. I'm a skilled communicator who deftly translates the verbose into the succinct. I put the needs of the team above my own, finding that when I clearly communicate vision, support my team, and get out of the way, the swell of others' success carries me forward. In my free time I like to ultralight backpack, mix cocktails from homemade extracts, and hack all.the.things.
Nike, Inc.
2018-04-11 - Ongoing
Cyber Security Incident Coordinator
As a member of the Cyber Security Incident Response Team (CSIRT), my role as an Incident Coordinator is to lead the CSIRT team in resolving the incident and act as the primary point of contact for the Cyber Security Incident Management Team (CSIMT). The CSIRT Coordinator’s first and most important task is working with the CSIRT team to triage the incident and determine the category, type, severity and risk impact. Once this has been accomplished, the CSIRT Coordinator’s main responsibility is to facilitate the gathering of additional resources while removing any roadblocks that the CSIRT may experience. This includes establishing meeting bridges and points of contact between members, obtaining resources, and communicating any necessary information to the team or the CSIMT.
  • Currently I am unable to disclose any highlights of this role as they are confidential/restricted.
DevSecOps Community
2017-11-05 - Ongoing
Editor, Host of #DevSecOpsLIFE
The DevSecOps Community is a place where passionate InfoSec minds can collaborate around doing continuous security at DevOps speed.
  • Host of the DevSecOpsLIFE show, published on YouTube at https://www.youtube.com/channel/UCZl_YoLSrB-kwiDHNbq345A
  • Creator of original content and code centered around solving problems related to the security and need for speed of DevOps pipelines.
  • Represent the DevSecOps Community as a speaker featured at RSA Conference 2018, talk titled 'Oh SNAP! There's Crap in Your App!'.
  • Frequent speaker at various OWASP and ISSA chapters across the US.
SourceClear
2017-11-05 - 2018-03-09
Community Leader
SourceClear is a leader in Software Composition Analysis software.
  • Engage the InfoSec community through attendance and networking at developer and security meetups.
  • Develop security tooling and engaging content around solving software security problems.
Cambia Health Solutions
2016-05-13 - 2017-11-02
Application Security Architect
Cambia Health Solutions is a group of more than 25 health care companies and includes software and mobile applications, health insurance, non-traditional health care marketplaces and delivery models, pharmacy benefit management, wellness solutions and more. I was brought on to bootstrap an Application Security program, introducing automated analysis built into the software development pipeline, training programs to turn developers into secure code champions, and policies & procedures to tie it all together, all in months rather than years.
  • When I started at Cambia there was no formal AppSec program. In addition to conducting initial assessment using Qualys, BurpSuite and Checkmarx I pioneered the adoption of a more robust automated testing suite utilizing both SourceClear for open source software composition analysis as well as Veracode for both static analysis and dynamic analysis. I engaged dozens of app teams to assess their applications on an ongoing basis including manual testing, and had 88% of teams doing continuous security by the time I left. The average scan frequency across all apps was 7.6 scans per month.
  • Set up the company's first ever Capture the Flag event, demonstrating attack techniques to developers using BurpSuite, Postman, and NMAP to attack the OWASP Juice Shop.
  • Created a Secure Code Champions program to teach software developers, managers, and architects elements of a comprehensive application security program.
  • Spoke at 5 conferences/events since I started on topics from 'AppSec Zero to Hero' - how to create a program, launch it, and keep it running; to 'What's hiding in your app?' - a review of the open source dangers lurking in today's applications.
  • Conducted regular penetration tests of web applications across the enterprise using BurpSuite, Postman, & NMAP scripts to verify mitigation of results from Veracode scans, third-party pentests, and known vulnerabilities from open source findings.
Veracode, Inc.
2015-11-16 - 2016-04-16
Security Solutions Architect
Veracode is a leader in the Gartner Magic Quadrant for Application Security Testing. In my time there I worked with America's biggest brands identifying risk in the SDLC and helping them design solutions that empower development teams to innovate quickly while identifying vulnerabilities and mitigating risk early.
  • Designed a solution to empower over 100 application teams at Sabre, Inc. to test software at the earliest stages of each Agile sprint, mitigating risk while it's still cost effective to fix it. Closed the largest freshman deal in Veracode history, a multi-year agreement nearly $1M in total revenue.
  • Coached the global Solution Architecture team on ways to engage earlier with software development groups vs. the typical route through information security, creating security champions during the design phase of projects.
Hewlett Packard, Inc.
2014-05-01 - 2015-11-16
Marketing Solutions Architect
HP Software is a leader in the Gartner Magic Quadrant for Enterprise Content Management systems, digital personalization, and media asset management. My role was helping customers understand how to integrate digital solutions to automate their existing workflows, give marketing groups an understanding of customer sentiment, and empower content authors to deliver dynamic and personalized content, to the right person, at the right time.
  • Spearheaded a large-scale integration effort for FOX Entertainment, Inc., bringing together social media sentiment, targeted social media marketing, and media asset management built to scale for all of FOX's movie, television, and archive brands.
  • Successfully designed and kicked off a $7.2M engagement with Hilton Hotels Worldwide, integrating web content personalization, customer relationship management, upsell/cross-sell, and dynamic content.
  • Drove revenue generation to over 110% of plan 2 years in a row.
U.S. Bancorp
2013-05-01 - 2014-04-30
Development & Operations Manager
US Bank is the national leader in wholesale lockbox processing. The platform I oversaw processed over $3.2 Billion per month in check and credit card payments for wholesale customers with 24x7 shift overlay in 9 operations centers across the United States. When I took over the leadership role of this group they had no disaster recovery, poor cross-functional collaboration, and a reputation within the company of not caring about the customer. I oversaw a successful transformation across all of these areas, making the group into a respected and high-performing asset to the company.
  • Built DR platforms and recovery strategies from the ground up, successfully demonstrating 100% recovery within 6 months of owning the team.
  • Went from an unstable platform with no recovery plan to 99.999% (5 nines) availability within the first 6 months.
  • Implemented the first ever security audit, assuring compliance with PCI, SOX, and all regulatory standards within 9 months.
  • Implemented Agile development methodologies, streamlined development processes, and improved time to delivery, code quality, and code reuse. Time to deliver customizations per customer went from 4 months on average to about 2 weeks with 50% fewer defects.
  • Created team training, engagement, and collaboration strategies, earning the team respect and trust.
U.S. Bancorp
2007-11-17 - 2013-04-30
Enterprise Content Solutions Architect
The Enterprise Content Management group at US Bank maintains a platform and development for over 300 web properties across the banking enterprise. The platform supports the creation and delivery of content for 1000+ users on a 24x7 zero-latency delivery schedule, allowing the business to drive content marketing change and configuration management at the speed of business. Before I joined, the team had developers manually deploying their own code to production, maintaining their own databases, and certifying their own code.
  • Created an administration and recovery team to certify all builds prior to deployment, maintain the platform, and ensure segregation of duties.
  • Built self-serve and automated configuration management processes for developers to implement changes ensuring accuracy and instant automated rollback in case of error.
  • Spearheaded and completed the successful migration off end-of-life software versions running on physical devices to modern versions on scalable virtual machines.
  • Documented all new administration processes and recovery plans, and hired and trained staff for this newly created team managing administration and training for this enterprise platform.
Earthbound Media Group
2006-12-01 - 2007-11-01
VP, Director of Engineering
Prior to when I joined, Earthbound was a boutique marketing and design firm focused largely on one client in the Southern California Higher Education space. I helped transform Earthbound into a digital media solution provider with new business in entertainment, retail, and higher ed.
  • Built a strong team, starting with 1 Jr. web designer and growing to over 10 seasoned web, application, and multimedia engineering professionals.
  • Drove project execution and business development for engineering engagements, bringing in over $1.4 Million dollars in the year I was there.
Miletwo, Inc.
2005-01-01 - 2006-12-01
Owner, Principal Solutions Architect
After starting my career in software development I quickly became a highly sought-after architect of web content management solutions for some of the world's biggest brands, such as:
  • Qualcomm, Inc. - Converted outdated and home grown legacy content management solution to Interwoven TeamSite, an enterprise solution. Created a team to convert all legacy content onto the new platform and built templating and workflow solutions to allow the team at Qualcomm to maintain going forward.
  • DOW Chemical - Oversaw a complete site conversion of over 5,000 pages of content in under 3 months.
  • Northrop Grumman - Built a new content management system from the ground up, trained a team of content editors, and launched the site for a classified aerospace project near Washington, DC.
Previous Experience
1996-01-01 - 2005-01-01
In the years prior to owning my business I also held the following roles:
  • Sr. Application Engineer, TeamSite - AmerisourceBergen Corporation, 2000-2005
  • Sr. Art Director, Human Factors - US Interactive, 1998-2000
  • User Interface Designer - GDI (Garg Data International), 1996-1998
Coursera
Data Science - Specialization
2015-06-01 - 2015-04-16
Platt College of Art
Graphic Design
1990-09-01 - 1994-06-01
Writing an OpenSource Usage Policy
2018-02-20
www.sourceclear.com
The first step to defining an OpenSource use policy is to realize that, while we’re setting about to chart a course to DevSecOps, we should expect that the path to maturity may take some time. Defining a timeline for success and creating S.M.A.R.T. goals (specific, measurable, achievable, reasonable, and timely) is critical...

Three Easy Steps to DevSecOps
2018-01-09
www.sourceclear.com
There’s a lot being discussed these days about secure DevOps. What does it mean to do continuous integration and deployment in a secure way? Is it about securing the pipeline itself? Or, is there more to it than that? I have your back. There are just three basic steps to DevSecOps...

What's in your Crypto Currency Wallet?
2017-12-19
www.sourceclear.com
Given all of the hoopla about digital currencies these days, I decided to do a little digging into the relative security of cryptocurrency related open source projects...

3 steps to secure, open source DevOps
2017-05-03
OpenSource.com
In my review of apps, both in my company and others, I've found that more than 90% of the code that makes up an app these days is something we borrowed, not wrote ourselves...

Securing the SDLC
2016-05-16
www.Veracode.com
Our adversaries tirelessly poke, prod, and adapt their tactics; we have to as well. Thinking Agile-like means sharing information, being part of the solution not the problem, and being willing to change...

Oh SNAP! There's Crap In Your App
2018-04-18
RSA Conference, 2018
Today’s developers download awesome libraries for their favorite language to do almost anything. We scan our code for flaws with static analysis tools, but what about all the stuff we didn’t write? Learn how to find and track the crap in your app, and how to avoid getting pwned because you let a nasty in the back door with that library that does the really cool thing you couldn’t live without.
Securing Your Code from Zero to Hero
2017-08-30
Jenkins World, 2017
With a shift to the cloud, our software needed to be bullet-proof against security defects in a fast-paced DevOps model. The problem: how to build in security along the entire pipeline, keep developers focused on writing great code, and do it all with speed and at scale.
Application security: From zero to hero
2017-05-10
O'Reilly Open Source Convention, 2017
Application security is tough. But while the rest of the world tries to solve the problems of insecure software with firewalls and intrusion detection, Jeremy Anderson explains how to solve the problem where it starts: at the code that defines it. Join Jeremy to learn how to fix code security defects when they’re created instead of during production when it’s already too late.
Ultralight backpacking, cooking, cocktail mixology, and hacking all.the.things