Jason Axley

Seattle, WA, USA

Passionate about helping security organizations be effective, not just busy.

I'm a hands-on security engineer with decades of experience in IT across various industries, including telecom, finance, travel, and cloud computing. 

I prefer to work as an engineer where I can make a direct impact, such as when I took initiative to build a microservice that automated code scanning for 14k applications, and when I wrote custom guardrails for cloud security that could detect and auto-remediate misconfigurations. One of these guardrails helped avoid $5 million in live site ou…

Jason Axley

Experience

  • Tardigrade Security

    Tardigrade Security

    Principal Security Consultant

    Apr 2025 - Present

    Tardigrade Security is a boutique consulting firm that provides organizations an antidote to typical "cargo cult" security programs. We help you solve the right problems so that you can build an environment where secure outcomes are **more likely** with less effort.

    • Currently focused on R&D into Model Context Protocol (MCP) AI agent authentication and authorization to identify solutions to achieve fine-grained access control
  • Amazon Web Services (AWS)

    Amazon Web Services (AWS)

    Principal Security Engineer

    Jun 2022 - Apr 2025

    Amazon Web Services (AWS), a subsidiary of Amazon, provides reliable, scalable, and inexpensive cloud computing services.

    • Defined the AWS “security bar” for foundational AWS services built by ~12k developers (AWS IAM, AI/ML products (SageMaker, Bedrock), AWS CloudTrail, AWS Config, AWS Organizations, etc.)
    • Ensured accuracy of AWS AppSec root cause investigations and directed that the right mechanisms were built to scale and improve security outcomes. Wrote and reviewed weekly narratives that were presented to the Amazon S-Team
    • Saved a multi-million dollar AWS contract by defining a custom security plan to enable an AI/ML solution to launch securely, on- time for a large AI/ML customer
    • Developed a knowledge graph POC to automate security validation of cloud configuration, identify gaps through automated reasoning, and simplify security reviews of complex cloud infrastructure.
    • Drove a project that identified high-value persistent credentials across all AWS services to prioritize replacement with dynamic credentials.
    • Drove development of Generative AI (GenAI) security guidance and alignment of security review and testing approaches for GenAI across AWS and Amazon. AWS Bedrock and Titan LLM launched secure product releases with PE security support
    • Championed changes to foundational AWS IAM systems to harden designs and improve security outcomes with minimal developer impact
  • Amazon

    Amazon

    Principal Security Engineer

    May 2021 - Jun 2022

    Amazon’s mission is to make customers lives better and easier every day by relentlessly inventing on their behalf. We work to provide broad selection, value, and convenience across a range of customer experiences, including online shopping, cloud computing, streaming entertainment, consumer electronic devices, advertising, healthcare, AI services, and more.

    • Completed a holistic PKI assessment for Whole Foods Market at Amazon that identified opportunities to improve security and simplify the technology stack and integrate on-premise and cloud systems.
    • H helped build a SOAR architecture and roadmap for Whole Foods Market Security Operations Center (SOC) and oversaw strategic project priorities.
    • Developed an end-to-end appsec strategy for Whole Foods Market using the SABSA enterprise security architecture framework that helped identify priorities to invest in during their cloud migration journey
  • Expedia Group

    Expedia Group

    Principal Security Engineer

    Jan 2020 - May 2021

    Travel is a force for good, and we are a force for travel. At Expedia Group we believe travel can bring good into the world, and so our mission is to power global travel for everyone, everywhere.

    • Championed, designed, and built middleware to automate SAST onboarding, scanning, and notifications in Expedia’s CI/CD pipelines. Scanned every pull request on > 14k applications. Automation saved > 65,000 dev hours each year.
    • Designed and developed an orchestration system to automate and enable decentralized processing of GDPR Right to be Forgotten (RTBF) requests for all Brand Expedia and VRBO applications
    • Collaborated with senior engineers and architects to develop an auth standard to provide requirements engineers needed to build a secure app-to-app auth system for Expedia and VRBO brands that replaced 12 existing identity systems
    • Drove a cloud firewall centralization project that saved $9 million from duplicate cloud infrastructure. Defined the architecture and developed POCs to prove out the design
    • Provided leadership that rebuilt security engineering’s strained relationship with corporate security. Reputation changed from adversarial being seen as a valuable partner and collaborator in security
    • Facilitated security reviews and threat modeling sessions with Brand Expedia web and service developers
  • Expedia, Inc.

    Expedia, Inc.

    Senior Security Engineer

    Jun 2015 - Jan 2020

    • Built a proactive security team that designed and developed 15+ cloud security controls that provide automated remediation of high-risk configuration vulnerabilities
    • Built custom tooling to monitor certificate expirations. Proactive notification to the responsible owners prevented live site outages, saving ~$5 million/year
    • Used application inventory data to influence corporate security to prioritize investment in container security to adapt to the evolving technology landscape in Expedia
    • Trained scores of teams of developers through threat modeling their own products and applications. Ensured that security can happen even when security engineers aren’t in the room
  • JPMorgan Chase

    JPMorgan Chase

    Vice President, Global Technology - Mobile Application Security Engineer

    Mar 2013 - May 2015

    Our J.P. Morgan and Chase brands work to provide the highest quality service to millions of consumers, small businesses and corporate, institutional and government clients in the U.S. and around the world.

    • Built the bank’s mobile application security program from scratch covering all employee, partner, and customer applications. Proactively mitigated mobile risks that enabled the business to innovate and adopt mobile technologies faster
    • Implemented custom static analysis (SAST) rules for mobile applications to detect and prevent novel mobile security issues and reduce noise from false positives.
    • Chaired the mobile application security champions program: mentoring, coaching and engaging the bank’s mobile app developers globally
  • JPMorgan Chase

    JPMorgan Chase

    Application Developer Lead

    Aug 2008 - Mar 2013

    • Designed and built the core web and security framework that powered Chase Online Banking, supporting 25-50 million users; used by ~700 developers bank-wide
    • Integrated security into the front-end and back-end frameworks, via secure-by-default APIs for input validation, output encoding, cookie management, security HTTP module
    • Designed and built replacement CSRF protection capability from scratch for ASP.Net MVC with better security and usability
    • Spearheaded and championed code quality improvement initiatives via custom static analysis security rules, regular security code reviews, coding standards, and security unit testing
    • Optimized client-side JS code that improved performance by 25% release-to-release and reduced page load times by minutes
  • Washington Mutual

    Washington Mutual

    Senior Security Engineer

    May 2005 - Aug 2008

    We did our very best to usher in the 2008 financial crisis. Now, we are no more.

  • Cingular Wireless (Formerly AT&T Wireless)

    Cingular Wireless (Formerly AT&T Wireless)

    Enterprise Security Architect

    May 2002 - Apr 2005

  • AT&T Wireless Services

    AT&T Wireless Services

    UNIX Security Operations Specialist

    Jul 1998 - Jun 2002

  • AT&T Wireless Services

    AT&T Wireless Services

    UNIX Systems Administrator

    May 1996 - Jul 1998

Similar Members

  • Reza Tabibazar profile image
    Reza Tabibazar
    Driving Results
    1. QuadientQuadient
    2. WonoloWonolo
    3. Flexiti FinancialFlexiti Financial
    Transforming Cloud Infrastructure & Security in FinTech 🛠️💡
    Hire Reza Tabibazar