Cameron Ruatta
Contact
https://www.linkedin.com/in/cruatta/
GitHub
Narrative
I'm a builder, a breaker, and a leader. Most of my career as an engineer has centered around architecting and implementing applications used by millions of users, serving thousands or millions of requests per second. Early in my career, I discovered a passion for application security and built a skill set around it. I leverage those skills to find, fix, and prevent security vulnerabilities in software. I seek out work that is creative, focused, and business-critical. As a technical leader, my goals are to be kind and fair to my peers, be pragmatic yet oriented toward the ideal, and to improve every team and organization that I join.
Professional Experience
Dave
Dave is a mobile banking and financial services app that helps Americans avoid overdraft fees and manage money. Dave became a publicly traded company in January 2022.
Lead Security Engineer (2024-Present)
As a Lead Security Engineer, I drive end-to-end security strategy, bringing a software engineering perspective to product security.
I prioritize architectural solutions that eliminate entire vulnerability classes, with focus areas spanning supply chain security, identity and access management, and software security controls.
- I created a new CI/CD platform that scans every pull request at Dave, using a custom Python framework for orchestrating and running DevSecOps workflows, to prevent vulnerabilities from being shipped to production.
- I partnered across engineering to increase WAF (Web Application Firewall) coverage from ~40% to ~100%, building automation and Helm chart linting to enable self-service deployments of the WAF and prevent regressions.
- Working closely with all of engineering, I led a project to roll out Workload Identity Federation to our CI/CD platform, replacing static service account keys and creating tools to prevent regressions.
- I introduced KPIs to align the Security team with other Dave engineering efforts.
Core Competencies
- Python, Software Security, DevSecOps, Terraform, Helm, GitHub Actions, Google Cloud
Lead Software Engineer (2020-2024)
As a Lead Engineer on the Account Management Team, I architected new identity and access management systems to secure member accounts. I worked closely with the product organization and other engineering teams to build user account management and authentication systems, spanning multiple microservices, that support all Dave members.
In this role, I routinely partnered with the Security Team. I regularly engaged in threat modeling and Security Review meetings to give design critique and feedback to other teams.
Notable Achievements
- I led an engineering-wide initiative to replace our monolithic authentication system with a modern microservice-based system using JWT-based authentication. This significantly improved the scalability of the Dave application and enabled the decommissioning of two legacy systems.
- I initiated and led a cross-team project that cut monolith database-related incidents by over 90%. The project also enabled downsizing the database instances for the monolith application, saving the company thousands of dollars a month.
- I performed offensive code reviews and penetration testing, which resulted in critical findings, including discovering and remediating full authentication bypasses in the legacy authentication system and in the legacy account recovery system.
Core Competencies
- Software Engineering, TypeScript, Node.js, Express, MySQL, Google Cloud
Credit Karma
Credit Karma is a free personal-finance platform that provides consumers with credit scores and reports, and personalized recommendations for credit cards, loans, insurance, and tax services. Credit Karma was acquired by Intuit for $8.1B in February 2020.
Senior Security Software Engineer (2015-2020)
On the Platform Security Team at Credit Karma, I architected and delivered our core IAM platforms - designing OAuth 2.0, SAML, and SSO solutions that support millions of users. I built scalable services to encrypt and anonymize PII at scale and managed a centralized HashiCorp Vault deployment to secure every production secret across the engineering organization.
Notable Achievements
- I led a 4-day, cross-team project to scale our OAuth 2.0 service that more than doubled its capacity and prevented an imminent site-wide outage.
- I designed and piloted a first-of-its-kind internal security training for Software Engineers, focusing on OAuth 2.0 internals and best practices.
- I spearheaded internal penetration testing exercises resulting in multiple critical findings.
Core Competencies
- Software Engineering, Security Architecture, Scala, OAuth 2.0, SSO, MySQL, HashiCorp Vault, Google Cloud
Site Reliability Engineer (2013-2015)
I joined Credit Karma when we were under 100 employees and owned the end-to-end application platform - automating server provisioning, infrastructure management, and deployments - while embedding security and performance best practices to ensure resilient, high-performing services.
Notable Achievements
- I designed an OS patch management system and process for production infrastructure, balancing security and reliability.
- I rearchitected the in-house metrics collection system to collect billions of data points, dramatically increased its stability and reliability, and reduced associated infrastructure costs.
Core Competencies
- Systems Engineering, Python, SaltStack, Linux
Education
University of California, Irvine
Bachelor of Science (B.S.), Informatics (Software Engineering)
Donald Bren School of Computer Science