Security Solutions Architect Resume
Hopewell, NJ
SUMMARY
- Over 20 years of application security architecture and engineering experience. Extensive enterprise security experience in Cryptography, Encryption, Kerberos, BSafe, SSLeay, OpenSSL, JCE, PKI, PKCS, Key Management, NIST SP 800-57, KMIP, HSM, SafeNet, FIPS 140-2, SSL/TLS, S/MIME, XML-Sec; WS-Security, WS-Trust, WS-Federation, SAML, SSO, STS, IAM, OAuth, OpenID Connect, SiteMinder, ADFS, Tivoli; DataPower, Vordel/Axway, API Management, API Security, AWS Security, WAF; Security Requirement Analysis & Modeling, Software Security, Secure Coding, Security Assessment.
TECHNICAL SKILLS
PKI: ASN.1, PKI/X, BASE64, PKCS, SSL, Keon, Entrust, MSCS, CMP, SCEP, OCSP
Protocol: XKMS, S/MIME, PGP/MIME, MDN, SSL2/3, OpenSSL, SSL/TLS, WTLS
API Security: API Firewall, OAuth, OpenID, API Key Management, 2-Way SSL, Cryptography, WS-Security, Vordel/Axway, DataPower
Key Management: KMS, IEEE P1619-3, NIST 800-57, SISWG, NeoScale CryptoStor, RSA Key Manager, SafeNet HSM, nCipher KeyAuthority, IBM Key Manager (IKM), Java Key Tool
Authentication: Kerberos, NTLM, DigitalPersona, SecurID, PassLogix, MFA, OTP, Acoustic, ActivCard, Fingerprint, RADIUS, Microsoft IAS, CA Advanced Authentication
Identity and Access Management (IAM): SSO, OpenSSO, LDAP, Sun One, Active Directory, ADFS, Metadata, SOAP, SAML, XACML, Vordel/Axway, DataPower, eTrust, SiteMinder, Ping, Tivoli, WebSeal, TAM, TIM, TFIM, Kerberos, RADIUS, Federation, IDM, IAM, RBAC, AAA, CA Access Gateway
Cloud Security: AWS, STS, S3, URL Signing, Temporary Credentials, Perfect Forward Secrecy, CloudHSM, Encrypted Data Storage, MFA
Threat Management (TM): XML Firewall, Vordel/Axway, DataPower, SecureSphere, Check Point, Nokia, MS ISA, DMZ, IDS, IPS, penetration testing, security assessment, tcpdump, snort, nmap
SIEM: Security audit logging, Syslog, Splunk, RSA enVision
Compliance Standards: FIPS 140-2, ISO17799, FFIEC, HIPAA, PCI, SOX
API Ecosystem: API Gateway, API Governance, API Portal, API Management, API Catalog, Micro Gateway, Gateware, DataPower, Vordel, Axway, Oracle, Amazon/AWS
Number Theory: divisibility, Euclidean, congruences, finite fields, factorization, prime number
Cryptography: DES, Triple DES, AES, RC4, RC6, IDEA, Kerberos, RSA, DSA, PGP, ElGamal, Diffie-Hellman, Knapsack, Massey-Omura, ECC, ECDH, ECDSA, SSL/TLS, MD5, SHA1, SHA2
Crypto API: JCA/JCE, JSSE, JAAS, IAIK, BouncyCastle, BSAFE, GSS-API, Windows CryptoAPI, CAPICOM, .NET Crypto API
JAVA: Rhino JS, J2SE, J2EE, EJB, Swing, JSP, Servlet, Applet, CORBA, JDBC, JavaMail, JAAS, JCE/JCA, WebSphere, NetBeans, WebLogic
.NET: C#, Framework, Cryptography, WIF, WCF, WSE, WS-Trust, WS-Federation
WEB: HTML, DHTML, XML, XSL, XSLT, SOAP, ASP, JSP, JavaScript, Rhino, VBScript, Shell, Perl
Tools: Visual Studio, Visual .NET, JBuilder, GNU-Make, JAVA-ANT, JUnit, SourceSafe, Visio, Rational Rose, UML, ClearCase, NetBeans, WebSphere, RAD, RSA
PROFESSIONAL EXPERIENCE
Security Solutions Architect
Confidential, Hopewell, NJ
Responsibilities:
- Manage and architect the Gateway Secure Token Service (STS) to achieve SSO and AWS integration across corporate vendors by API Gateway, SAML, OAuth 2.0, OpenID Connect, WS-Trust, WS-Federation, SiteMinder, Kerberos, PKI, AWS APIs, Temp Creds, XSLT.
- Manage and architect the API Security Framework for the BMS web services and partner web services to securely conduct their business-critical transactions using API Gateway, WS-Security, Kerberos, OAuth 2.0, OpenID Connect, SAML, SafeNet, Encryption, SOAP, REST, WSDL, S3 Bucket, Temp-Creds, AWS Security, Mutual SSL/TLS, CA SiteMinder, CA Access Gateway, XSLT, XML-DSIG, XML-Enc, PKI, LDAP.
- Manage and architect the Data Security Service by integrating SafeNet, KeySecure KMS, ProtectApp JCE, KMIP, AWS, S3, PKI, API Gateway, Mutual SSL/TLS, SiteMinder, LDAP.
- Manage and architect the API Firewall Framework as the threat management frontend to the corporate web services by using API Gateway, API Intelligence, D/DoS, Cross-Site Scripting (XSS), SQL/XPath Injection, replay filter, authentication firewall and Threat Monitor.
- Lead and develop the corporate security strategy and requirements on Microservices, API/Micro Gateway, API Governance and API Management. Evaluate the products, POC, manage the infrastructure deployment, develop appropriate and manageable security and API solutions according to the defined strategies, restrictions, requirements and risk factors. Document the executive whitepaper and security architecture for the developed solutions. Advocate the API Ecosystem throughout the organization.
- Develop security guidelines and standards for data privacy, web application security, secure coding and access control. Conduct application security assessment. Organize architecture meetings and formally manage the full life-cycle security architecture review, design and development process.
- Develop the Access Gateway solutions to decouple the access controls from the API Gateway. Develop a hybrid gateway solution by seamlessly integrating the dynamic cloud gateways into the existing on-premise gateways.
- Train the developers and administrators on the security concept, mechanisms, operations, best practices and SDLC.
Security Solutions Architect
Confidential, Franklin Lakes, NJ
Responsibilities:
- Manage, architect and deploy an XML Security Framework for the corporate web services by using DataPower, AAA Policy, XSLT, XML Schema Validation, XDoS, SQL/XPath Injection, replay filter, Regex, PKI and WS-Security.
- Manage, architect and develop a Federated SSO project to achieve SSO across the corporate vendors by DataPower (WS-Proxy, MPGW, XML Firewall, Extension Functions, SSL/TLS, LDAP/AD, Encryption, Kerberos), Federation Services (Ping, OpenSSO, SiteMinder, TFIM, ADFS), SAML, WSDL, SOA, Web Services, WS-Security, WS-Trust, WS-Federation, XSLT, XML-DSIG, XML-Enc, PKI, X.509 certificate.
- Centralize the authentication, authorization and management of the corporate users and applications by using DataPower, SiteMinder, RBAC, XACML, PKI, LDAP, Encryption, Kerberos, SOA, WSDL, Web Services, WS-Security, SSO, WebSphere.
- Develop enterprise security strategy and policies towards the HIPAA compliance. Document the executive whitepaper and security architecture for the corporate web services.
- Develop guidelines and standards for password security, web application security, secure coding and access control. Organize architecture meetings and formally manage the full life-cycle security architecture review, design and development process.
- Mentor the security developers and administrators on the security technology, best practice and SDLC.
Security Solutions Architect
Confidential, White Plains, NY
Responsibilities:
- Architect the enterprise SSO service for data warehouse access using DataPower, Kerberos, AD, RBAC, JAAS, WAS, WebSeal, WS-Security, WS-Trust, WS-Federation, OpenSSO, Ping, ADFS, TFIM and TAM. Design a web portal security service using TAM AznAPI, J2EE, WAS, EJB, SSL/TLS, WebSphere Global Security, JACC, XML-Sec, SOAP-Sec, SAML, XACML, XSL, XSLT, WS-Security, WSS4J, .NET WSS, RBAC, TAI, LTPA, WebSeal, TAM and Rational Software Architect (RSA).
- Architect and develop a credential security framework and key management service by integrating NeoScale CryptoStor, Oracle Advanced Security (OAS) and DataPower. Design and deploy the Application Firewall for database and web services using Imperva SecureSphere and DataPower.
- Provide gap analysis and security modeling for the Enterprise Security Management solutions. Design the enterprise security services in the areas of Identity and Access Management (IAM), Threat Management (TM), Security Information and Event Management (SIEM).
- Analyze enterprise security audit logging requirements. Architect and deploy SIEM for business applications and security services such as LDAP, WebSeal, TAM, DataPower, enVision. Centralize and correlate security events across enterprise applications by using EnVision, DataPower, Active Directory, Syslog and SNMP.
- Mentor the security developers and administrators on the security technology, best practice and SDLC.
Security Analyst
Confidential, Bloomington, IL
Responsibilities:
- Design and implement a WS-Security infrastructure for the insurance agent and vendor secure remote access system using DataPower, SSO, Kerberos, SOAP, WS-Security, WS-Trust, WS-Federation, OpenSSO, SAML, DSML, SPML, XML-Sec, SAAJ, PKI, PKCS, CryptoAPI, JCA/JCE.
- Architect and implement the Multi-Factor Authentication (MFA) and SSO by integrating DigitalPersona, SecurID, PassLogix, Kerberos, TAM, TFIM, SiteMinder, OpenSSO, AD, DataPower, SAML, WS-Security, WS-Federation, JCA/JCE, JNDI, JAAS, J2EE, WebSphere, LTPA, TAI.
- Gap Analysis of the current PKI security service and reusable security components in conjunction with the enterprise security strategies and policies. Architect, design and implement a centralized Key Management Service (KMS) using RSA Key Manager, TPM, HSM, SOA, XKMS, PKI, CMP, OCSP, PKCS, CryptoAPI, SMIME, Java, JCA/JCE, JNDI, JAAS, J2EE, WebSphere.
- Develop security standards for cryptography, authentication and access control. Analyze and develop the corporate data at rest and data in transit solutions by integrating third-party products in the areas of File Encryption, Full Disk Encryption, USB Encryption, FTP/SSL, OpenSSL, OpenPGP/GnuPG etc.
- Research on the FFIEC authentication guidance and design strong authentication solutions for the corporate banking with IVR, RADIUS, SMS, OTP (One-Time Password) token and acoustic card.
- Third- and fourth-level customer support of the application security products and services.
Security Architect
Confidential, Toronto, ON
Responsibilities:
- Responsible for the full lifecycle security architecture design. Defining and modeling the security requirements with Visio, Source Safe, Project, UML, Rational Rose. Design and develop the encryption framework, user provisioning & enrollment, intrusion detection & prevention (IDP), identity management (IDM) and single sign-on (SSO) in J2EE platforms with the integration of Microsoft IAS, MSCS and Sun Identity and Access Manager. Design the client-side provisioning and authentication architecture in J2ME NetBeans MIDP platform.
Security Engineer
Confidential, Toronto, ON
Responsibilities:
- Design and implement CA/RA PKI certificate life-cycle management and certificate subscription and provisioning services on Windows XP and CE using C/C++, PKI, X.509, PKCS, LDAP, AD, OCSP, CMP, CryptoAPI, RSA BSafe, JCA/JCE and RSA KEON APIs, SOAP, XML-Sec, WS-Security. Design and implement an SSL engine provider and BSafe/SSL client and server for the transport layer.
- Manage RSA Keon CA Server and provide PKI services for the corporate and its customers. Responsible for the RSA Keon interoperability testing and the FIPS 140-2 certification process.
Security Engineer
Confidential, Woodbridge, NJ
Responsibilities:
- Define SSO policy and procedures. Develop an SSO system using C, C++, C#, CryptoAPI, Kerberos. Deploy SSO for IAM services using SiteMinder, RADIUS, Apache, IIS, Active Directory and iPlanet. Consult on PKI integration and development using MSCS, SAML, SOAP, WS-Security, LDAP, AD, SiteMinder, OpenSSO, .NET/J2EE, X.509, 3DES, AES, SHA-1, RSA, Kerberos, ASN.1, PKCS, JAAS.