Josh Grossman

Application Security Specialist
As an active security community leader and practitioner, I leverage extensive experience in application security and software development to help organisations build scalable, business-aligned product security programmes that enable engineering velocity rather than hinder it.

(+972) 54-816-5820 joshcgrossman@gmail.com tghosth joshbouncesecurity https://joshcgrossman.com

Experience

CTO and Application Security Specialist, Bounce Security (Israel)
Jan 2022 - present
  • Working directly with engineering leadership and security teams across healthcare, technology, and financial services to design and embed scalable product security programmes.

  • Led Bounce’s response to the rise of AI use in software development, including building solutions for our clients and developing a training course on AI-accelerated code security scanning.

  • Designed, built and released AGHAST, an open source tool that helps run targeted code security tests using either static or AI-driven rules, or a combination of the two; see: https://www.bouncesecurity.com/aghast

  • Delivered talks and training both locally and worldwide including privately for clients and publicly for OWASP’s Global AppSec conferences, at NDC Security, and at Black Hat USA. See examples here: https://joshcgrossman.com/events

  • Examples of projects included:

    • Long-term project acting as the primary application security expert for a fast-moving healthcare startup, including keeping pace with their transition to AI development practices and reducing critical and high bug bounty findings by 80% YoY.
    • Built a new SSDLC strategy for a large international technology company with a focus on long-term sustainability, including an effective, developer-led threat modeling programme.
    • Assisted a large security tooling company in assessing and improving the effectiveness of their static code scanner.



Head Of Security Services, AppSec Labs (Kfar Saba, Israel)
Jun 2019 - Jan 2022
  • Led a team of highly skilled consultants as well as delivering application security consulting projects for large and small clients both locally and abroad and in a variety of industries.

  • As well as delivering mobile and web app pen tests, application architecture/design security reviews and code reviews for many clients, I also worked with clients to run and improve their internal AppSec operations.

  • Examples of projects included:

    • Evaluated the use of Dynamic Application Security Testing tools in CI/CD for a global tech company.
    • Compared potential Web Application Firewall options for a large medical product organization.
    • Acted as an internal application security expert for a product within a large technology organization.
    • Coordinated application pen testing across multiple applications for a large human resources consultancy.



Team Lead and Senior AppSec Consultant, Comsec Global (Petakh Tikva, Israel)
Aug 2015 - Jun 2019
  • Part of the Application Security team, responsible for supervising and developing a team of up to four people.

  • Led and delivered 30-40 projects per year including mobile and web app pen tests, application architecture/design security reviews and code reviews for clients both locally and abroad and in a variety of industries.

  • Examples of projects included:
    • Led a team security-testing ~20 applications in just a few weeks for the UK operations of a large bank.
    • Part-time secondment in the internal application security team for a very large gaming company.
    • Provided cloud security advice and prepared guidance documents for several local financial institutions.
  • Also responsible for internal quality improvement activities such as coordinating and delivering internal training and driving internal CTF activity for skills improvement.



Senior Information Security Consultant, KPMG (Tel Aviv, Israel)
Apr 2013 - Jul 2015
  • Worked in the Information Security Services department of KPMG Somekh Chaikin.

  • Projects involved both technical testing and enquiry- and evidence-based controls assessment.

  • Trained new security consultants, including delivering a three-day web application security testing course.

  • Example projects:

    • Delivered the technical work-stream of an IT Security Review for a global pharmaceutical company’s local subsidiary including config review of security appliances, access reviews, and penetration testing.
    • Delivered the Information Security work-stream for a large IT Internal Audit project for an international trading technology company.
    • Performed multiple application security assessments in companies in various sectors using various technologies as well as for internally developed applications.

Migration Expert/Project Manager, Gizmox (Kfar Saba, Israel)
Feb 2012 - Mar 2013
  • Used my programming knowledge and management skills to lead a team migrating VB6 applications to .NET.

Freelance Software Developer, Modi’in, Israel
Sep 2011 - Feb 2012
  • Having moved to Israel, worked as a freelance .NET developer whilst job-hunting and learning Hebrew.

IT Risk and Security Consultant, Deloitte LLP (Manchester, UK)
Jul 2006 - Jul 2011
  • Started as a junior and progressed to work on and manage larger and more complex engagements including IT controls audit, penetration testing, IT forensics and data analytics for organisations in a variety of industries.

Education

ISC2
Certified since Jun 2015

Certified Information Systems Security Professional


Institute of Chartered Accountants in England and Wales
2006 - 2009 and certified since then

Chartered Accountant (ACA)


University of Manchester, Manchester UK
2002 - 2006

First Class Bachelor of Science degree in Computation (with Industrial Experience year)


Community work

OWASP Distinguished Lifetime Member
Awarded May 2025

I was awarded Distinguished Lifetime Membership by the OWASP Global Board in 2025, one of only a handful in the world.


OWASP Events committee member
2024 - present

Overseeing OWASP conference talk selection, keynote selection and improvement activities.


OWASP Israel chapter board
2018 - present (co-leader since 2021)

Organising meetups as well as AppSec Israel, the largest single-day application-security-focused conference in the world.


OWASP Application Security Verification Standard co-leader
2019 - present

Co-leading ASVS, the leading open standard for application security verification, with global adoption across organisations and enterprises worldwide. Started as a reviewer of the 4.0 release and was the key driver of the 5.0 release in May 2025.

Skills

Application & Product Security: Product security engineering, threat modelling, secure architecture reviews, secure SDLC design, SBOM and software supply chain security, security champions programmes, vulnerability management, CI/CD security, cloud and Kubernetes security, container security, IAM and secrets management, security automation.


Governance & Compliance: Experience with SOC2, ISO 27001, GDPR, HIPAA and FedRAMP at various clients.


Programming & Engineering: Strong hands-on software development and code review experience across Python, JavaScript/TypeScript, Java, and C#. Experienced working with modern development workflows, CI/CD pipelines, and AI-assisted engineering.


Tools, Frameworks, and Technologies: Claude Code, Burp Suite, OWASP ZAP, Semgrep, Dependency-Track, DefectDojo, GitHub/GitLab (including CI and security configuration), AWS, GCP, Jira, Linear.


Languages: English (native), Hebrew (fluent)