Hi, I'm Brad. I'm an experienced developer, application security engineer, and business intelligence engineer with a passion for creating tools and processes that make teams more effective and efficient.
Brad Wolfe
Interested in collaborating, or discussing how I can contribute to your team? Reach out to me on LinkedIn or via email. I'd love to discuss how we can work together to build something great!
Thomas Bradley Wolfe
[email protected] | Munich Area, Germany
Work Experience

Tesla, Inc.
Nov 2023 - May 2024
Staff Application Security Engineer
Munich, Germany
  • Conducted Application Security reviews and threat modeling for Tesla applications, collaborating with development teams to identify and address security vulnerabilities effectively.
  • Developed and maintained an internal tool in Flask and Node.js to assist with rapid review and validation of AppSec compliance data and discovered issues from various internal tools.
  • Developed Python scripts for Extract, Transform, Load (ETL) processes and data analysis from Tesla systems.
  • Established a standardized testing methodology for AppSec reviews, ensuring consistency in checks, tool usage, and results across applications and reducing turnaround time.
  • Position ended due to company-wide layoffs.
Apple, Inc.
Oct 2020 - Oct 2023
Business Intelligence Engineer - Information Security
Munich, Germany
  • Design, develop, and maintain an internal tool for AIS metrics based on Next.js, MongoDB, and D3.js to communicate the status, progress over time, and health of all in-flight projects and programs in the AIS Organization.
  • Aggregate and transform data into custom MongoDB views for efficient use in both visual and non-visual content.
  • Analyze data and create visualizations for communicating the state and efficacy of programs and projects across Apple Information Security for use by both technical and non-technical personnel.
Checkmarx, Inc.
Oct 2019 - Oct 2020
Sales Engineering Manager - DACH and CEE
Munich, Germany
  • Managed a team of pre-sales engineers covering DACH and Central and Eastern Europe (CEE) regions
  • Served as a trusted technical advisor to customers, positioning Checkmarx application security products to meet customer security and compliance needs.
  • Advised customers on vulnerability remediation, AppSec tool integrations, security best practices, API consumption, and security program management.
  • Communicated technical information, application security concepts, and best practices to a broad audience, including non-technical personnel
  • Product evangelist/advisor on in-development SaaS offering, including internal and partner technical product training, documentation, and process definition
HP / HPE / Micro Focus (Fortify)
Nov 2013 - Sep 2019
Global Delivery Manager - SAST
03/2016 - 09/2019
Remote, United States / Munich, Germany
  • Directed activities for a global application security team focused on delivering Static Application Security Testing assessments for practice engagements.
  • Responsible for personnel and business management of the global Fortify on Demand Static Team, including accountability for team effectiveness and people development.
  • Developed Fortify on Demand SAST offerings, balancing client needs and global solution focus areas
  • Identified opportunities for improvement in the FoD SAST scanning process and made technical and design recommendations to proactively improve product quality and scalability in an enterprise SaaS platform.
  • Assisted customers in understanding vulnerability reports and worked collaboratively with security teams to investigate concerns regarding assessment results.
Security Research & Tools Development
11/2013 - 03/2016
Remote - United States
  • Developed and maintained an internal mobile application security testing framework for iOS and Android to perform binary analysis, real-time traffic analysis, and vulnerability detection across OWASP's Mobile Top 10 categories, and to map results to the 7PK framework for reporting consistency
  • Performed research into mobile application security vulnerabilities and methods of detection
  • Developed tools for intelligence gathering (OSINT) and asset monitoring of client properties to ensure that resources were consistently monitored and reviewed for vulnerabilities.
  • Designed and implemented a framework to incorporate all tools from our intelligence gathering and asset monitoring activities into a single unified toolset to consolidate storage and reporting of results.
  • Performed vulnerability assessments on mobile and web applications for global customers
University of Georgia
May 2006 - Nov 2013
Application Analyst Principal
12/2010 - 11/2013
Athens, GA, United States
  • Managed a team of software developers, DBAs, and system administrators in planning and developing applications and systems in a time-critical work environment.
  • Performed critical roles in implementing and maintaining a large facilities inventory and management system by scripting Python, Perl, and PL/SQL solutions in a Red Hat Enterprise Linux environment.
  • Developed and maintained Business Continuity and Disaster Recovery Plans for the division's IT resources, encompassing hardware, software systems, personnel, and infrastructure requirements.
  • Worked with senior administration to plan software and hardware solutions and drive purchasing decisions for a large research university.
Application Analyst Specialist
05/2006 - 12/2010
Athens, GA, United States
  • Served as Software Development lead on projects within my division.
  • Assisted in the planning and rollout of a large facilities inventory and management system
  • Developed web applications, web services, and Microsoft Windows applications using C#, ASP.Net, and SQL to assist with accounting and facilities management functions within the organization
  • Developed solutions for automating billing and financial processes in an audit-safe way.
Education

University of Georgia - Athens, Georgia, United States
12/2009
Master's Degree - Management Information Systems
Georgia Southwestern State University - Americus, Georgia, United States
05/2005
Bachelor of Science - Computer Science
Skills & Competencies

Technical Skills
  • Programming Languages: Python, JavaScript (incl. Node.js, Next.js, and various application frameworks), Ruby, C#, Perl, Bash
  • Databases: RDBMS (Oracle, SQL Server), NoSQL (MongoDB)
  • Data Visualization: D3.js, Tableau
  • Other: Git, Docker, JIRA, REST APIs, Trello, Fortify Suite, Checkmarx SAST, Metasploit, Burp Suite, Semgrep
  • Linux / Unix: RHEL, Ubuntu, Debian, Kali
Soft Skills
  • Communication: Excellent verbal and written communication skills
  • Team Collaboration: Proven ability to work effectively with a remote / distributed team
  • Problem Solving: Proven track record of working with internal stakeholders to identify issues and implement effective solutions
Languages
  • English: Native
  • German: B1 Level

I've worked in the tech industry for over 15 years, and have experience both as an individual contributor and in leadership roles in a variety of domains – Software Development, Application Security Engineering, Business Intelligence Engineering and even Server and Database Administration. One common thread across all of these experiences is that I have taken every opportunity to build tools and processes that:

  • Automate repetitive tasks
  • Make processes more efficient, reliable, and repeatable
  • Allow for well-informed and data-driven decisions to be made

I believe in usability, and that the best and most elegant solutions are often the simplest. Good design and functionality shouldn't have to be explained, and should blend into the background for the user. I'm passionate about creating tools and processes that make teams more effective and efficient. Whether it's a CLI tool used for automating a manual process, or a dashboard that provides real-time insights into a program's efficacy, I believe that teams work best when they have the right tools at their disposal.

I’m also interested in Open Source. Here are a few contributions that I have made:

I'm always looking for new opportunities to learn and grow, so reach out and let’s see what we can build together!

Below is an overview of a few of the projects that I have worked on in previous roles. I've selected a few projects that use different tech stacks, and that are fairly representative of work that I have done. If you have any questions about anything listed here, or would like more information about other projects, just reach out to me via email or LinkedIn!
Mobile Testing Framework
Linux Python Ruby Bash Java Theos/Logos SQLite CLI

This project was a Mobile Application Security Testing (MAST) framework that provided coverage for vulnerabilities spanning the entire OWASP Mobile Top 10, and supported both Android and iOS Application Security Testing. Assessments could be run against mobile applications to perform a number of automated vulnerability checks. In addition, there were tools built into the framework that a security analyst could run as needed to assist with the testing process, such as the FileDP replacement, which is described below.

Finally, the testing framework allowed for custom reporting, and for assessment results to be uploaded to a customer portal for delivery. This allowed for Mobile AST results to reside in the same portal (and with the same format) as testing results from other Application Security tools.

This tool was developed in direct response to a number of challenges that are common in MAST testing practices:

  1. Mobile testing is a highly manual process, and therefore both very expensive and subject to inconsistency when subsequent tests are performed by different security experts.
  2. There was often a very large amount of data to traverse, which is best performed programmatically.
  3. There was no standardised vulnerability enumeration or reporting.

This tool was written in several languages, with primary development done in Ruby, Bash, C, and Java. There were also components (primarily application hooking) written using Theos/Logos. It was delivered initially as an iOS-specific testing tool and, after success with iOS testing, an Android version was created. Due to the differences between iOS and Android, the tests performed had completely different implementations on each platform, and in several cases, there were OS-specific tests performed. These would be things like Android manifest checks, or jailbreak detection bypass in iOS.

Information Security Issue Validation Platform
Python Flask Docker / docker-compose Web MySQL JavaScript REST API

This project was a web application to consolidate information about observed security risks and issues from multiple sources into a single platform that allowed the Application Security team to perform further testing and analysis quickly and open Jira issues directly from the application interface when necessary. Additionally, a Chrome extension was developed to further assist Application Security Engineers with credential testing during Threat Modelling Exercises.

Business Intelligence Platform
Web Next.js Node.js D3.js MongoDB Python REST API

This project was a business analytics platform that ingested data from sources across an enterprise Information Security organization and used it to communicate the status of InfoSec Programs, Projects, and Portfolios in a Single Pane of Glass (SPOG) web application. This information combined high-level project information (status, timeline, milestones), finance information (budget, spend, utilisation), and project-specific information (issue discovery, resolution, state, status distribution) to present information that empowered leadership to make decisions on budget allocation, project efficacy, and progress toward stated project goals.

FileDP Replacement
C Linux

Internal replacement of FileDP, a tool for data protection class validation on iOS. This tool allowed for easy tracking and parsing of application data privileges on a device. This was a standalone component that could be used by itself, or integrated into the Mobile Testing Framework project.

This tool was developed to address challenges with FileDP that prevented use in an automated framework. The primary changes were to:

  1. Output information as text instead of NSLog, which allows results to be easily grep-able
  2. Optionally allow for XML->plist output, which allowed for seamless use of results in the internal framework, and importing into another application