Application Security · Toronto

I lead application security for SaaS teams that ship fast.

I own the appsec process for multitenant SaaS platforms on Rails and Node.js. I define what gets reviewed, build the CodeQL and Semgrep pipelines, write the secure coding standards engineering teams adopt, and train developers so security scales without me being a bottleneck. 15+ client organizations, 110+ bug bounty vulnerabilities.

110+ Validated vulnerabilities
15+ SaaS clients secured
5+ Years in application security
4 Conference talks

What I Do

I lead application security engagements for multitenant SaaS platforms. I own the full lifecycle: scoping, threat modeling, security code review, tooling setup, remediation guidance, developer training, and follow-up validation. Most of my work is on Rails monoliths and Node.js services backed by Postgres.

I've reported over 110 validated vulnerabilities to companies like PayPal, Sony, AT&T, Airbnb, and Booking.com through HackerOne. The focus is always web app security: access control, authentication, tenant isolation, input validation, API flaws.

What I bring at the senior level is the ability to make security scale. I define review standards, build CodeQL and Semgrep pipelines that run on every PR, write secure coding guidelines that engineering teams adopt as their own, and mentor junior security consultants. The goal is a codebase that gets permanently better, not a team that depends on me to catch everything.

How I Approach Security
01 Threat model first

Before I touch code, I need to understand how the application works. Data flows, trust boundaries, tenant isolation. The threat model tells me where to look and what to prioritize.

02 Automate what repeats

I write CodeQL and Semgrep rules for patterns I keep seeing. Plug Brakeman, dependency auditing, and custom scanners into CI/CD so the same class of bug gets caught before it ships.

03 Teach, don't just report

I build secure coding patterns engineers can reuse. Run training sessions. Sit in on PRs. The goal is a team that writes secure code by default, not a team that waits for me to find problems.

Where I've Worked
White Tuque, Offensive Security Specialist
Toronto · Oct 2024 to Present
Lead application security across 15+ multitenant SaaS clients. Own the review process end to end: scoping, threat models, code audits, tooling, remediation, validation. Define security review standards used across the consulting team. Built and maintain CodeQL and Semgrep pipelines, wrote secure coding guidelines adopted by multiple engineering organizations. Mentor junior consultants. Work recognized by the Ontario Provincial Parliament for protecting critical digital infrastructure.
ASEC (team joined White Tuque), Penetration Tester
Toronto · May 2024 to Oct 2024
Led appsec assessments for fintech and SaaS clients. Found 150+ vulnerabilities in Rails and Node.js apps. Stood up Brakeman and Nuclei in client CI/CD pipelines. Built Python/Bash automation that cut triage time by 40%. Worked directly with dev teams through remediation.
HackerOne, Security Researcher
Remote · Feb 2022 to Present
110+ validated vulnerabilities across Fortune 500 platforms. PayPal, Sony, AT&T, Airbnb, Booking.com. Focused on broken access control, auth flaws, tenant isolation failures, and API security in web applications.
Projects
Custom CodeQL Query Suite
CodeQL · Ruby · JavaScript
Queries targeting mass assignment, unsafe deserialization, ActiveRecord injection, and tenant isolation flaws in Rails and Node.js applications. Used across client engagements.
Security Scanning Pipeline
Python · CI/CD Integration
Orchestrates Brakeman, Semgrep, npm audit, and Nuclei in CI/CD. Deduplicates findings, scores by severity, routes to the right team. Runs on every commit.
API Authentication Checker
Burp Suite Extension · Open Source
Swaps auth headers to catch privilege escalation and tenant boundary violations at scale. Built it because I was doing the same checks manually on every engagement.
GraphQL SDL Generator
Python · Open Source
Reconstructs GraphQL schemas from introspection for security analysis. Useful for mapping attack surface before manual testing.
Speaking & Community
SecTor 2025
Toronto
Presented security research on adversarial techniques and how detection fails in real environments. One of Canada's largest security conferences.
DEF CON Vancouver
Microsoft
Talked about API attack chains and auth exploitation patterns I've found in production web applications.
DEF CON Toronto (DC416)
Co-Organizer
Help run Toronto's DEF CON group. Monthly meetups, workshops, and talks. I like building community as much as I like breaking things.
TASK Toronto
Organizing Committee
On the organizing committee for Toronto's Application Security and Knowledge conference.
Tools & Stack

Security Tools: CodeQL, Semgrep, Brakeman, Burp Suite Pro, OWASP ZAP, Nuclei
Languages: Ruby, Python, JavaScript/TypeScript, Go, Bash, SQL
Web Frameworks: Ruby on Rails, Node.js, React
Infrastructure: AWS (ECS, RDS, IAM, S3), Postgres, Redis, Kafka, Memcached, Docker
Practices: Threat modeling, security code review, secure SDLC, OWASP Top 10, OWASP ASVS

Let's talk.

If you're looking for a senior appsec engineer who owns the process and makes engineering teams permanently better, I'd like to hear about it.