- Python
- JavaScript / TypeScript
- NoSQL / SQL
- Terraform
- Shell / PowerShell
- SAST / DAST / SCA
- NIST RMF / PCI / HIPAA
- Jenkins
- Robot Framework
- DISA / CIS Benchmarks
- AWS / GCP / Azure
- Kubernetes
- Sourcegraph
- Grafana
- React / Svelte / Vue.js
- Drove org-wide adoption of SAST/SCA/Secret scanning from <10% to 100% in GitLab CI while cutting false positives by ~85% and overall noise by ~98% through reachability analysis, automated validation, and EPSS-weighted prioritization.
- Reduced SCA findings time-to-fix from 6+ months to ~1 week by maintaining and recommending Renovate for weekly CVE-driven dependency updates on hundreds of projects.
- Mentored ~2k developers via weekly code jams, office hours, and design consults (authn, secret management, inter-service comms).
- Assisted in company-wide engineering discussions as part of the principal organization, providing technical guidance and leadership.
- Standardized SAST/DAST/SCA pipelines across a portfolio growing from ~11k to ~14k repos spanning hybrid and multi-cloud (AWS, GCP, Azure, on-prem/K8s).
- Engineered a security data lake (data ingestion and storage) integrating GitLab events, security scanner output, cloud artifacts, and multiple SaaS APIs.
- Delivered multiple connected Grafana dashboards that supported all development teams in planning and executive prioritization.
- Implemented automation in Python to accelerate remediation of application security concerns.
- Took a legacy monorepo (~100 components) from near-zero automation to standardized CI/CD (Jenkins) that built and tested the full system. Created software to validate CIS/DISA controls and mission functional tests.
- Ensured 100% of code flowed through CI/CD and code review, raising automated test coverage from manual-only to ~60%. Authored Robot Framework libraries and test cases to speed integration and end-to-end test development.
- Dockerized legacy apps for portable, consistent deployments and produced Windows and Linux (RPM) installers for multi-component rollouts.
- Coordinated with ~50 engineers across multiple contractors on the program.
- Led on-site threat analysis evaluations for Air Force systems using manual techniques and custom scripts to verify contractor-reported security posture against RMF controls.
- Built and scaled a multi-user NW.js/Vue.js/PouchDB assessment application that generated RMF artifacts (reports, charts, diagrams) and was used to train new assessors via an embedded help system. The application was designed to work in stand-alone, network, and peer-to-peer modes.
- Reduced assessment duration from 4-6 weeks to 1-2 weeks across data collection, review, and reporting, enabling concurrent analyst workflows with full traceability to evidence.
- Improved developer delivery by creating repeatable IaC-based environments (Vagrant) and migrating multiple Java codebases from Ant to Gradle.
- Served as tech lead for a matrixed department scaling to ~30 specialists across ~20 missions, 10+ contracts, and ~6 sites.
- Matured custom hardening solutions across operating systems, networks, vendor/custom applications, databases, and virtualized environments.
- Presented regularly to government stakeholders and oversaw the TCNO applicability and enterprise vulnerability reporting process.
- Led the DIACAP to RMF transition, trained operations and security staff, and deployed and supported IDS/AV/SIEM capabilities in multiple environments.
- Took a lead role in conducting recurring security evaluations for ~10 missions across 4 sites. Produced DIACAP POA&Ms and briefed both government and internal leadership regularly.
- Re-engineered hotfix workflows to cut patching time by 50%+ to meet accreditation deadlines and partnered with developers to balance mission availability with security requirements.
- Enhanced the hardening framework with configuration suites (using a layered approach) to raise DISA STIG compliance without blocking mission software. STIG compliance rates were between 90% and 100% each review cycle.
- Authored SOPs and other training materials to speed onboarding, reduce rework, and standardize evidence capture. Regularly led training sessions for team members and government staff.
- Built a PHP web app with MySQL (later MSSQL) to be used by the team to create POA&Ms, which replaced spreadsheet workflows in Excel and cut writing time by ~75%.
- Re-architected OS hardening from many bespoke scripts to a definition-driven lockdown engine (VBScript/Perl/shell), eliminating duplication and accelerating security baseline creation.
- Supported DITSCAP/DIACAP-based report creation for 5 missions across 3 contracts and 4 sites.
CISSP: ISC2 • 2014 — Present
Bachelor of Computer Science: CollegeAmerica • 2004 — 2006
High School Diploma: Brush High School • 2002
- LinkedIn: https://www.linkedin.com/in/jason-c-weitzel
- Resume: https://jasonweitzel.github.io/resume/