Experience
- CTO and Application Security Specialist, Bounce Security (Israel)
- Jan 2022 - present
- Helping clients improve their application security processes and providing specialist application security advice.
- Led Bounce’s response to the rise of AI use in software development, including building solutions for our clients and developing a training course on AI-accelerated code security scanning.
- Designed, built and released the AGHAST open source tool, designed to help run targeted code security tests that use either static or AI-driven rules or a combination of the two, see: https://www.bouncesecurity.com/aghast
- Delivered talks and training both locally and worldwide, including privately for clients and publicly for OWASP’s Global AppSec conferences, at NDC Security, and at Black Hat USA. See examples here: https://joshcgrossman.com/events
- Examples of projects included:
  - Long term project acting as the primary application security expert for a fast-moving healthcare startup, including keeping pace with their transition to AI development practices and reducing critical and high bug bounty findings by 80% YoY.
  - Built a new SSDLC strategy for a large international technology company with a focus on long-term sustainability.
  - Assisted a large security tooling company in assessing and improving the effectiveness of their static code scanner.
- Head of Security Services, AppSec Labs (Kfar Saba, Israel)
- Jun 2019 - Jan 2022
- Led a team of highly skilled consultants as well as delivering application security consulting projects for large and small clients, both locally and abroad and in a variety of industries.
- As well as delivering mobile and web app pen tests, application architecture/design security reviews and code reviews for many clients, I also worked with clients to run and improve their internal AppSec operations.
- Examples of projects included:
  - Evaluated the use of Dynamic Application Security Testing tools in CI/CD for a global tech company.
  - Compared potential Web Application Firewall options for a large medical product organization.
  - Acted as an internal application security expert for a product within a large technology organization.
  - Coordinated application pen testing across multiple applications for a large human resources consultancy.
- Team Lead and Senior AppSec Consultant, Comsec Global (Petakh Tikva, Israel)
- Aug 2015 - Jun 2019
- Part of the Application Security team, responsible for supervising and developing a team of up to four people.
- Led and delivered 30-40 projects per year, including mobile and web app pen tests, application architecture/design security reviews and code reviews for clients both locally and abroad and in a variety of industries.
- Examples of projects included:
  - Led a team security-testing ~20 applications in just a few weeks for the UK operations of a large bank.
  - Part-time secondment in the internal application security team for a very large gaming company.
  - Provided Cloud Security advice and prepared guidance documents for several local financial institutions.
- Also responsible for internal quality improvement activities such as coordinating and delivering internal training and driving internal CTF activity for skills improvement.
- Senior Information Security Consultant, KPMG (Tel Aviv, Israel)
- Apr 2013 - Jul 2015
- Worked in the Information Security Services department of KPMG Somekh Chaikin.
- Projects involved both technical testing and also enquiry and evidence based controls assessment.
- Trained new security consultants, including delivering a three-day web application security testing course.
- Example projects:
  - Delivered the technical work-stream of an IT Security Review for a global pharmaceutical company’s local subsidiary, including config review of security appliances, access reviews, and penetration testing.
  - Delivered the Information Security work-stream for a large IT Internal Audit project for an international trading technology company.
  - Performed multiple application security assessments in companies in various sectors using various technologies, as well as for internally developed applications.
- Migration Expert/Project Manager, Gizmox (Kfar Saba, Israel)
- Feb 2012 - Mar 2013
- Used my programming knowledge and management skills to lead a team migrating VB6 applications to .NET.
- Freelance Software Developer, Modi’in, Israel
- Sep 2011 - Feb 2012
- Having moved to Israel, worked as a freelance .NET developer whilst job-hunting and learning Hebrew.
- IT Risk and Security Consultant, Deloitte LLP (Manchester, UK)
- Jul 2006 - Jul 2011
- Started as a junior and progressed to work on and manage larger and more complex engagements including IT controls audit, penetration testing, IT forensics and data analytics for organisations in a variety of industries.
Education
- ISC2
- Certified since Jun 2015
- Certified Information Systems Security Professional
- Institute of Chartered Accountants in England and Wales
- 2006 - 2009 and certified since then
- Chartered Accountant (ACA)
- University of Manchester, Manchester UK
- 2002 - 2006
- First Class Bachelor of Science degree in Computation (with Industrial Experience year)
OWASP Distinguished Lifetime Member
I was awarded Distinguished Lifetime Membership by the OWASP Global Board in 2025, one of only a handful in the world.
- OWASP Events committee member
- 2024 - present
- Overseeing OWASP conference talk selection, keynote selection and improvement activities.
- OWASP Israel chapter board
- 2018 - present (co-leader since 2021)
- Organising meetups as well as AppSec Israel, the largest single-day application security focused conference in the world.
- OWASP Application Security Verification Standard co-leader
- 2019 - present
- Started as a reviewer of the 4.0 release and was the key driver of the 5.0 release in May 2025.
Skills
Application & Product Security: Product security engineering, secure SDLC, threat modelling, secure architecture reviews, developer enablement, security champions programmes, risk-based security strategy, CI/CD security, cloud and Kubernetes security, security automation, AI-assisted AppSec workflows.
Programming & Engineering: Strong hands-on software development and code review experience across Python, JavaScript/TypeScript, Java, and C#. Experienced working with modern development workflows, CI/CD pipelines, and AI-assisted engineering.
Tools, Frameworks, and Technologies: Claude Code, Burp Suite, OWASP ZAP, Semgrep, Dependency-Track, DefectDojo, GitHub/GitLab (including CI and security configuration), AWS, GCP, Jira, Linear.
Languages: English (native), Hebrew (fluent)