Jeremy Buis

A multi-faceted flexible application security engineer.


Skill Keywords
Web Applications JavaScript HTML CSS Java Node.JS Express MithrilJS MongoDB Postgresql
Penetration Testing Burp Suite OWASP Zap nmap Nessus Kali
Security Code Review Brakeman FindSecBugs Semgrep Checkmarx Fortify


Senior Application Security Engineer, Software Secured

2018-03 — Present

Performing web, network, and mobile penetration tests and secure code review for a variety of platforms and applications. Guiding clients in application security tasks like threat modelling, secure design and vulnerability remediation and scoring. Owning team resources like test plans, payload databases, and report QA. Mentoring and assisting team members in their approach to security testing. Delivering quality content for the company blog.

  • Reported multiple CVEs listed below.
  • Delivered high quality reports to clients containing many high severity vulnerabilities for a diverse set of applications and products.
  • Advised client developer teams on threat modeling, secure design/architecture, and risk classification/remediation.
  • Performed quality control on outgoing client reports for the entire team.
Penetration Testing Security Code Review, Threat Modeling, Secure Design/Architecture, Vulnerability Remediation, JavaScript, Python, Java, Burp Suite, OWASP ZAP Microsoft Office,

Application Security Engineer, Software Secured

2014-05 — 2018-03

A broad role covering both software development and application security tasks. Writing code focused around the Node.JS stack. Performing web application penetration tests and secure code review for a variety of platforms and applications. Some example applications include:

  • Performed statis, dynamic and hybrid security tests against a wide variety of web applications. Used a variety of tools including: Burp Suite, OWASP ZAP, nmap, Nessus, Checkmarx, Fortify, Brakeman, Kali Linux
Agile JavaScript Python Java MongoDB Postgresql Github Burp git Linux OSX Express jQuery Mithril Microsoft Office

Web Application Developer, SecDev Cyber

2012-10 — 2014-05

Building internal tools in support of analytics and business requirements. Releasing visualizations for external consumption.

  • Created and launched multiple web visualizations to production.
  • Built to completion, internal statistics tracking web application.
JavaScript jQuery Bootstrap Backbone D3.js Express HTML5 CSS git Linux OSX Python REST

Programmer Analyst, Canadian Medical Protection Association

2012-01 — 2012-06

Building internal tools and production websites using Java and Web Technologies.

  • Performed software development and upgrades for public doctor facing knowledge website.
jQuery JavaScript Java Maven Ant Tomcat HTML5 CSS svn


Offensive Security Certified Professional (OSCP), Offensive Security

2017-05 — 2017-09

Completed the OSCP certification.

Computer Science, Honours, Co-operative Program, University of Waterloo

2006-09 — 2011-12

Completion of a Computer Science focused education.

Software Design and Architectures Distributed Systems Computer Networks Computer Security and Privacy Introduction to Artificial Intelligence Advanced Offerings in Computer Science - Machine Learning


Exploiting Less.js to Achieve RCE, Software Secured Blog


Elementor Page Builder 2.9.8 Stored XSS, Software Secured Blog


Jetbrains TeamCity Reflected XSS, Software Secured Blog


ImageMagick RCE Take 2, Software Secured Blog



CVE-2020-13864, CVE-2020-13865, Elementor


Stored XSS in Elementor

CVE-2020-7015, Kibana


Stored XSS in Kibana TSVB

CVE-2019-15848, JetBrains TeamCity


Reflected XSS in JetBrains Teamcity

CVE-2018-2625, Oracle Weblogic


XXE in Oracle Weblogic