
Principal AppSec Engineer @ Mimecast | Author: Threat Modeling Gameplay with EoP (Packt) | Creator of SBOM-Graph | Creator of CAPEC STRIDE Mappings | OWASP Project Lead | Speaker | CISSP, CSSLP, CCSP
The security industry has a noise problem. SCA tools report 2,500 vulnerabilities and everyone panics, but graph analysis reveals that most of them trace back to a handful of shared components. The real question isn't "how many vulnerabilities do we have?" — it's "where is risk actually concentrated, and what do we do about it?" That's the thread running through everything I do. I build the tools, training, and practices that cut through vulnerability noise and help engineering teams focus on what actually matters.

I've been working with graph-based analysis for nearly two decades — from cross-language entity recognition and weighted social networks at the European Commission Joint Research Centre, through to creating sbom-graph, an open-source tool for dependency graph analysis, vulnerability blast radius mapping, and supply chain risk management, now available under the Mimecast GitHub org.

As a Principal Application Security Engineer I support over 200 engineers in securing their products. My threat modelling training initiatives have led to significant improvements in design quality and in both security and privacy awareness across the organisation. I implement tooling that enables the optimisation and prioritisation of remediation to reduce friction, and I help define the AppSec strategy at the enterprise level.

I'm the author of Threat Modeling Gameplay with EoP (Packt, 2024), the project lead for the OWASP Application Security Awareness Campaigns, and I've presented at the DevSecOps Leadership Forum in London and appeared on the Application Security Podcast. I hold (ISC)² certifications: CISSP, CSSLP, and CCSP, with over 10 years of application security experience and 30 years in software engineering.

Key Skills: Secure by Design, Privacy by Design, Threat Modelling (STRIDE, EoP, Privacy, LinddunGO, Plot4AI), Secure Coding, Vulnerability Management, SB
Liverpool John Moores University
B.Sc. 2.2 HONS, Software Engineering
January 1, 1994 – January 1, 1998
Widnes Sixth Form College
Physics, Maths, Computers, Design Technology, General Studies
January 1, 1992 – January 1, 1994
Abbotsholme School
Art, Maths, English, English Literature, Science, Design Technology, Additional Maths
January 1, 1990 – January 1, 1992
OWASP® Foundation
Project Leader
February 1, 2022 – Present
Como, Lombardy, Italy · Remote
Mimecast
Principal Application Security Engineer
March 1, 2019 – Present
London, United Kingdom · Remote
DZone, Inc.
Zone Leader
October 1, 2015 – November 1, 2017
Appway
Lead Integration and Security Engineer
April 1, 2012 – March 1, 2019
Chiasso
Ex Machina
Software Engineer
September 1, 2011 – April 1, 2012
Ticino, Switzerland
European Commission, Joint Research Centre
Scientific Officer / Post Doc Research Grant Holder
January 1, 2008 – September 1, 2011
Ispra, Italy
Correlec S.r.l.
IT Manager / Senior Developer
February 1, 2006 – December 1, 2007
Milan, Lombardy, Italy
Tethys S.r.l.
Software Engineer
March 1, 2002 – January 1, 2006
Milan, Lombardy, Italy
RCMS Limited
Senior Consultant
July 1, 1999 – November 1, 2001
Rickmansworth, London
Royal Philips Electronics
Software Engineer
January 1, 1998 – January 1, 1999
Buntingford, England, United Kingdom
D. Grant Crawley Ltd
Web Developer
July 1, 1997 – June 1, 1998
Microsoft Limited
Webmaster EITG
July 1, 1996 – July 1, 1997
Reporting
August 1, 2017 – December 1, 2017
Reporting of license grants and revocations, as well as KPIs for solutions developed and System Configuration reports
Studio Entitlements
March 1, 2017 – May 1, 2017
Fine-grained role-based access control to different areas of the Appway Studio development environment.
Package enabling the Appway Script Language
January 1, 2017 – June 1, 2017
Modifying the Appway proprietary script language to support the concept of packages, replaceable business objects and replacement business objects, including the handling of auto-completion and visibility between packages when dependencies are declared.
Veracode Static Analysis
October 1, 2016 – Present
Binary static analysis of Appway platform to find and fix security flaws in the product
SAML Single Sign-On
January 1, 2016 – Present
Setup of JBoss and Tomcat for SAML Single Sign-On using PicketLink and authenticating with Ping Federate or ADFS. Included development of custom PicketLink assertion handlers for assertion formats not supported out of the box.
SPNego/Kerberos SSO and Service Calls with Impersonation
January 1, 2015 – February 1, 2015
Definition of the process for configuring Appway SSO using Kerberos and implementation of an extension allowing service calls to be made as the end user with token forwarding (impersonation).
Web Services Extension
November 1, 2013 – Present
Lead developer and product manager of the Web Services extension of the Appway platform. This includes an import tool for defining SOAP clients and their related data model, and a similar interface for creating REST client definitions.
SSL Authentication Client
October 1, 2013 – Present
Integration of SSL Client Authentication and Server Authentication into the Appway platform so Appway can behave as a client talking to another host.
Screencast Narration
September 1, 2013 – Present
Narration of instructional screencasts for technical people on the functionality of the Appway platform and promotional material for pre-sales.
Data Store Extension
September 1, 2013 – Present
Lead developer and product manager in charge of maintenance and further development of the DataStore extension, an extension that allows the Appway data model to be persisted to a database (Oracle, MS SQL Server, MySQL and H2).
SEO/Sitemap Editor
July 1, 2013 – September 1, 2013
A tool for modelling the structure of a non-process-oriented site within Appway, allowing all metadata to be defined in a central location to avoid repetition, supporting permalinks, and incorporating navigation elements generated at runtime from the defined structure.
Data Migration Extension
April 1, 2013 – June 1, 2013
Data migration tool for importing XML structures from a legacy system into the Appway data model using SAX to process 160,000 complex structures and all their related children and recreate records in the new structure within Appway.
Bootstrap Installation / Auto Deployment
March 1, 2013 – April 1, 2013
A system for bootstrapping a vanilla installation of the Appway platform: after installation, deployment of the repository containing all the business processes and the associated object-oriented business model can be automated by means of a filesystem-listener integration link, which subsequently synchronises (creates/alters) the persistent datastore to match the model.
Recruitment
January 1, 2013 – Present
Technical phone interviewing and technical practical assessment of software engineering / technical consultant candidates.
Optimised User Portal for Managing their Business Processes
September 1, 2012 – July 1, 2013
For an Appway solution with a particularly large number of processes, we were tasked with optimising the user portal to improve overall performance of their solution and facilitate searching for active processes.
Risk Management Solution
April 1, 2012 – August 1, 2012
A solution for definition of risk and risk management over time for the commodity trade finance sector.
Code Search / Enterprise Governance of Source Code Repositories
December 1, 2011 – March 1, 2012
Development of four language parsers for C/C++, JavaScript, PHP and Ruby. Their purpose was to create metadata maps describing source code files, such as variable declarations, function declarations, object definitions including properties and methods (parameter names, types and return types), and their positions (offset and length) within the parsed files, for indexing. This was developed using ANTLR3 and Java and tested using the TestNG framework against large open-source projects and repositories.
EMM
January 1, 2008 – Present
EMM is a Clustered Aggregated Multilingual News Monitoring Engine.
NewsDesk
January 1, 2008 – August 1, 2011
News Desk is a tool for creating News Briefs from breaking news and publishing/delivering them via a series of different channels (email, mobile, SMS, web).
OSIntSuite
January 1, 2008 – August 1, 2011
OSInt is a tool for desktop text mining from public (open) sources of information such as the internet, designed for use by the law enforcement community.
Certified Secure Software Lifecycle Professional (CSSLP)
ISC2
June 23, 2026 – Present
Certified Cloud Security Professional (CCSP)
ISC2
June 23, 2026 – Present
Certified Information Systems Security Professional (CISSP)
ISC2
June 23, 2026 – Present
Cultural Fit Analysis
The candidate's extensive experience across various companies and roles, including research at the European Commission and open-source contributions (sbom-graph), demonstrates a broad perspective and a commitment to continuous learning and community engagement. The project diversity, from security to data migration and language processing, indicates a versatile individual who can adapt to different technical environments. However, the majority of projects and experience lean heavily towards application security and general software engineering, with NLP being a more specific, albeit significant, part of their past. This might require a cultural shift towards a more research-oriented or data science-focused environment typical of advanced NLP roles.
Soft Skills & Operational Fit
The candidate's experience in project leadership, technical interviewing, and content creation (DZone) suggests strong communication and mentoring skills. Their work on security awareness campaigns indicates a proactive and collaborative approach to problem-solving. The diverse project portfolio also points to adaptability and a willingness to tackle varied technical challenges.