I am a security focused leader with experience that has involved building companies, breaking into companies, building teams, designing products, responding to incidents, and more. Enough to make for some good stories and experiences.
Most recently I was the CSO at Code4rena.
Previously I was at Okta building the Customer Identity Cloud Red Team. This mighty team ran attack simulations and assume-breach scenarios, found and exploited product vulnerabilities, built custom tools, and more.
I also served as the VP of Security at npm, helping secure the most popular registry of open source software. We were acquired by GitHub in 2020, where I was briefly a product manager focused on supply chain security.
Before that I founded ^Lift Security, a successful application security and penetration testing services company, and the Node Security Project, a security initiative to make the Node.js ecosystem secure. This project evolved into a SaaS platform that was at the forefront of the DevSecOps supply chain security tooling movement. Both were acquired by npm, Inc. in early 2018.
Notable accomplishments I’m proud of:
- pioneered the hacking technique BlindXSS (Blind Cross-Site Scripting)
- developed original techniques for pillaging remote git/hg/bzr repositories
- created SECURITY.md, a standard way for open source developers to address vulnerability disclosure in their projects that is still used today.
Career and Mentorship
Read about the start of my career and why I think mentorship is so important. https://medium.com/@adam_baldwin/my-story-about-mentorship-3f793df90db7
Other Fun Facts
- 2x DEFCON Black Badge holder: DC18, DC20 (team psychoholics)
- Won TeleChallenge phreaking contest at DEFCON 28 (team psychoholics)
Certifications
Active:
- Certified Ethical Hacker (CEH) - Mar 2008
- CompTIA Security+ - Feb 2003
Expired:
- Certified Information Systems Security Professional (CISSP) - Aug 2003 - Aug 2009
- Information Systems Security Architecture Professional (ISSAP) - Jan 2005 - Aug 2009
- GIAC Certified Intrusion Analyst (GCIA) - May 2005 - May 2009
- Symantec Certified Security Practitioner - Feb 2004 - Feb 2007
- Cisco Certified Network Associate (CCNA) - Jul 2002 - Jun 2005
- ImageStream Certified Network Operator - May 2009 - May 2012
Some papers that mention my work:
- The impact of regular expression denial of service (ReDoS) in practice: an empirical study at the ecosystem scale
- NodeSentry: least-privilege library integration for server-side JavaScript
- A Server-Side JavaScript Security Architecture for Secure Integration of Third-Party Libraries
- AFFOGATO: runtime detection of injection attacks for Node.js
- Software ecosystem call graph for dependency management
- CAG: compliance adherence and governance in software delivery using blockchain
- The Case of the Poisoned Event Handler: Weaknesses in the Node.js Event-Driven Architecture