I am Andrew Bell!

Be an application security expert and assist customers in understanding how to properly fix and address security flaws Veracode finds in their software. Educate dev teams on the importance and significance of issues Veracode reports on. Assist teams with properly preparing their application for a Veracode static scan to get optimal. actionable scan results. Partner with security teams at various public + private organizations to help them improve their SAST security programs.

Developed new security detections for a centralized scanning framework which audit internal source code and application runtimes for identifiable, high-confidence security issues patterns and signatures. Ensured scan results stated the risk and issue in a consumable, flexible and simple format for development teams to review, triage and prioritize as part of their SDLC CI/CD pipelines. Static Analysis Detections were developed using Java language and regex pattern matchers. Ensured high fidelity rate of rules I developed (low false positive and low false negative rates) — where needed I have identified and proposed improvements to scanning strategy that can help make detections more accurate. Additionally, contributed dynamic application security checks for Amazon managed sites which reported on XSS, CSRF, and CSP misconfigurations. Dynamic Analysis Detections were developed using Python and Chrome webdriver. I helped contribute and influence development of internal and customer-facing rules and patterns to the AWS CodeGuru product, particularly rules which attempt to identify various instances and classes of credentials hardcoded into source code packages. Finally, I served as part of a general AppSec team rotation to field and address security review and design questions/concerns from our internal software development teams, making updates and additions to our security guidance and FAQs where appropriate. 

Internal application security design reviewer and adviser for AWS service teams. Perform Threat Model reviews of services and hold consultations to answer and give guidance to security focused design questions and patterns. Provide education and documentation of any commonly observed and well established security design patterns. Partnered with various AWS teams in order to encourage adoption of security mindset and identify developers who could best evangelize security practices for their team. Participate in on-call rotation to serve entry point consultation of any new incoming security questions and review requests.

As part of the internal IT security team, I performed white-hat security audits and penetrations testing for several internal applications, services, programs and systems. In addition, I contributed to the development and maintenance of plenty of internal team tools, frameworks, and workflows using the Python language. I’ve worked with a few vendor solutions such as the F5 Web Application Firewall/Load Balancer, Mavituna Netsparker/Rapid7 AppSpider Web Security Scanners, and Tenable Nessus system scanners.

Worked with manager and senior engineers to PoC Riverbed WAN solutions to optimize laboratory WAN connections to various long-distance sites and cut negative factors such as latency and jitter. PoC’d the open source Snort IDS and documented findings as a suitable solution for the lab to use in monitoring network activity. Assisted senior engineers with cataloguing laboratory IT systems and servers using internal tracking tools.

Performed computer maintenance and served as support for the sales employees. Worked together with the manager in getting a functional network file share setup in a Windows environment.