Mark E. Haase
Washington DC

Software Engineer & Cybersecurity Researcher

A detail-oriented problem solver with a passion for security and engineering that goes beyond just a career. Adept at communicating technical subjects to non-technical audiences. Ardent advocate for ethics and social good in technology.

Experience

Microsoft, Reston, VA 2020 – Present

Site Reliability Engineer 2

  • Reliability engineering for M365 cloud.
  • Lead developer for log scrubbing system to implement data handling standard.

Hyperion Gray LLC, Remote Contractor 2015 – 2020

A small business that works on DARPA R&D contracts and penetration testing.

Sr. Software Engineer

  • Lead engineer on crawling & scraping application built in Dart, Angular, and Python. Wireframed in 8 weeks and delivered prototype in 24 weeks. Deployed pilots to government partners and production-ready within 1 year.
  • Lead engineer on headless browsing system with a de novo Python implementation of Chrome DevTools Protocol (CDP). Production-ready within 6 months.
  • Published Dark Web Map, an interactive visualization of the dark web that received 100k hits and was featured on forbes.com, vice.com, and cnbc.com.
  • Developed CAPTCHA solving library that uses OpenCV and Keras to build convolutional neural networks (CNNs) that can solve CAPTCHA tests for some popular software such as WordPress and phpBB. Deployed using TensorFlow Lite models inside AWS Lambda with API Gateway.

Penetration Tester

  • Senior penetration tester on a multinational law firm engagement and several tech startups for web application and network pen tests.
  • Discovered 0-day local privilege escalation (LPE) in Liquidware Labs ProfileUnity and wrote a working proof-of-concept.
  • Published proof-of-concept exploits for several vulnerabilities such as CVE-2019-6111/CVE-2019-6110 and CVE-2018-11235.

Lunarline Inc., Arlington, VA 2012 – 2014

A cybersecurity consulting, training, and products company.

Director of Product Development

  • Launched a new product for Lunarline in the first 3 months of employment.
  • Overhauled the software development process, including tools, documentation, mandatory code review, and continuous integration.
  • Oversaw project management, engineering, and quality control for 5 proprietary products as well as the corporate website.
  • Participated in several penetration tests, including a medical records company and a UAV company. Discovered an exploitable shell injection vulnerability in the UAV software.
  • Participated in secure code review for a client, including multiple static analyzers (FindBugs, RATS, and Klocwork) and manual code review.
  • Used Peach fuzzer to analyze proprietary routing protocol for a client.

Hidden Layer LLC, Washington, DC 2012 – 2012

A small business formed to perform advanced research in the field of software verification.

Co-founder

  • Principal author and editor of a DARPA research proposal.
  • Wrote a prototype static analyzer using a Naïve Bayes bag-of-words classifier and various n-grams and smoothing techniques, achieving recall rates over 80%.
  • Administrative POC, project manager, and technical writer for the 4-month research project, meeting all milestones in the statement of work and receiving positive reviews from our DARPA sponsor.

Endeavor Systems Inc., McLean, VA 2008 – 2012

A boutique consulting firm specializing in federal government cybersecurity and compliance.

Software Team Lead

  • Grew revenues from $50k to $500k on flagship product over 3 years.
  • Overhauled the software development process, including tools, documentation, mandatory code review, and continuous integration.
  • Created a comprehensive hiring process for screening and interviewing software engineers.

Hewlett-Packard Company, Herndon, VA 2006 – 2008

Business Intelligence Consultant

  • Designed and implemented extract-transform-load (ETL) applications for interfacing modern platforms to legacy systems at Fannie Mae using Ab Initio and Oracle PL/SQL.

Public Speaking & Training

Dark Web Investigations 2017, 2018

NW Regional ICAC Conference and National LE Training on Child Exploitation.

  • A 90-minute dark web primer for law enforcement professionals who specialize in counter-child-exploitation.
  • Discussion of dark web technologies Freenet, I2P, and Tor, and the ramifications for traditional digital crime investigative techniques.
  • Hands-on labs for officers to gain first-hand experience with dark web tools and OSINT methods.

Securing Web Applications 2014, 2015

Peterson AFB, Scott AFB, Dept. of Transportation

  • Developed and presented this class in both 1-day and 4-day formats covering web application vulnerabilities and exploitation, including lecture, slides, hands-on labs, and assessment.

Web Technologies & Security 2014

NASA Goddard Space Flight Center

  • Developed and presented this 1-day course covering basic web technologies, the OWASP Top 10, and how to mitigate security vulnerabilities through the software development lifecycle.

A Machine Learning Approach to Software Vulnerability Detection 2013

NYU-Poly THREADS Conference

  • Presented details of DARPA research, including background and overview of natural language processing (NLP) and machine learning (ML) classifiers used.
  • Presented quantitative results of our research, including an explanation of the metrics used: precision, recall, and F-score.

Reverse Engineering “Secure” SSL APIs 2012

AppSec USA Austin, TX

  • Conducted an educational overview of SSL/TLS and how it should be used when building a web API.
  • Constructed proof-of-concept iOS game and “secure” high score server to demonstrate weaknesses and possible mitigations.

Education

University of Pennsylvania 2001 – 2005

B.A. with Distinction in Philosophy, Politics & Economics.

  • Minor in Computer Science & Engineering (30 hours in computer science, math, and statistics).
  • Honors Thesis titled, “A Survey In Network Economics.”

Certifications

Offensive Security Certified Professional (OSCP) 2016

Over 200 hours of lab work exploiting 46 machines in the OSCP training environment. The final exam is a hands-on penetration test with 5 targets and a 24-hour time limit.

Certified Ethical Hacker (CEH) – Lapsed 2013

Certified Information Systems Security Professional (CISSP) – Lapsed 2012

Other

  • Volunteer teacher with TEALS 2011-2015.
  • Created 10 reverse engineering challenge problems for PicoCTF 2019.
  • Author of Python Enhancement Proposal PEP-505.
  • 21k reputation on Stack Overflow.
  • Multiple 0-days discovered, including CVE-2019-2413.
  • Published multiple open source projects.