Senior Security Engineer Resume

Bedford, MA

SUMMARY:

  • Creative senior-level software and systems security engineer with proven leadership and value delivery in all phases of the system/security/product development lifecycle.
  • Background in applied cryptography, secure network protocols, distributed and embedded systems.
  • Excellent verbal communication proficiency conveying concepts and technical detail to broad audiences.
  • Multi-disciplinary technologist demonstrably successful developing and deploying leading-edge products.

TECHNICAL SKILLS:

Collaboration: Sharepoint, OneNote, MS-Office, Outlook, Word, PowerPoint, Excel, Visio and Project

Languages: C/C++, Assembler, make files, Perl, Tcl/Tk, Expect, Python, bash and DOS shell scripting

Operating Sys: Linux, Cygwin, VxWorks, Windows, DOS, VRTX and embedded RTOS

Networking: TCP/IP, UDP, DHCP, DNS, NAT, Confidential, IKE, GRE, TLS, EAP, 802.1/802.3, SNMP and SSH

Security: PKCS/PKI, DH/ECDH, RSA SecurID, AES/3DES, AWS IAM, KMS, CloudHSM.

Compliance: FIPS 140-2, STIGs for Switch/Router/Linux host, DIACAP and NIST 800SP

Methodologies: Agile Scrum, DevSecOps, Waterfall, OOD/OOP, STL and Design patterns

DevTools: gcc, CVS, Clearcase, Visual Studio, Bamboo, Crucible, SVN, Git, JIRA, Rally and VersionOne

Debugging: gdb, windbg, objdump, Ping, IXIA, Qualys, IxChariot, tcpdump and Wireshark

PROFESSIONAL EXPERIENCE:

Senior Security Engineer

Confidential, Bedford, MA

Responsibilities:

  • Devised certification and accreditation system test procedures and remotely supervised their execution. All testing completed in time to use system for final 2 pre-production runs despite shipping and other delays.
  • Generated asymmetric keys and certificates on offline root HSM and replicated across all devices in the redundant online system. Created/archived paper and electronic forms of backups for all crypto objects.
  • Developed and documented formal robot embedded firmware signing policies, standards and procedures, with controls for safeguarding unsigned code.
  • Trained staff on HSM operation, client configuration and use of FW and certificate signing procedures.
  • As member of cross-functional team faced with a manufacturing bug, offered a solution to make production certs available at remanufacturers enabling repair of first 25k robots in time to meet quarterly demand.
  • Developed PKI security controls automation for ISO 27001 compliance effort using Python scripts.

Confidential

Security Director

Responsibilities:

  • With internal audit staff, performed site tour of local IoT cloud provider to observe physical environment and gain first-hand knowledge of administrative and logical controls for staff, servers, applications and networks.
  • Monitored issue mitigation processes over multiple internal vendor releases finalized before launch.
  • Managed third-party pen testing robot hardware, mobile apps and cloud IoT ecosystem.
  • Defined requirements from robot HW&FW threat vectors, high-level recommendations from OWASP top 10 for Wi-Fi and Bluetooth connected back-ends and mobile application vulnerabilities for iOS/Android.
  • Performed triage on initial reports with pen testers and led finding review meetings with Engineering, capturing results as defects, user stories or new features in Rally.
  • Pursued a Red Team engagement as alternative to individual pen testing engagements for follow-ons.
  • Trade study to select bug bounty service as alternative to Red Team, evaluating processes, support for CVSSv3 on website, security policies, and sampled researcher personalities/relationships and costs.
  • Implemented JIRA workflows to integrate/automate vulnerability resolution lifecycle across all tools.
  • Confidential on automated code analysis tool Confidential to extend languages supported by Coverity, configured and administered test server to run on VMware under control of Jenkins for automated CI/CD process.

Confidential

IoT cloud provider

Responsibilities:

  • Collaborated with AWS security team to develop “bring-your-own-certificate” authentication alternative API to the AWS IoT MQTT service, obviating cost to remanufacture 50K+ fielded robots.
  • Worked with cloud security consultant and AWS to develop operational security processes for AWS IAM, VPC, security groups for e.g., S3, DynamoDB, KMS and CloudHSM services.
  • Participated on Confidential IT committee to select a consulting firm to help kick off internal DevOps program.
  • Performed live Confidential with 4 MSSPs for continuous monitoring/correlation of CloudWatch/CloudTrail logs.

Confidential

TPM expert consultants

Responsibilities:

  • Enumerate security enhancement goals and means in multi-phase implementation proposal.
  • Evaluate standalone chip vs. processor-based option, and partners for trusted execution environment monitor and programming environment.

Member, Technical Staff

Confidential, Marlboro, MA

Responsibilities:

  • Analyzed cyber sensors derived from the SANS top 20 security controls to identify gaps in Confidential compliance and expand machine awareness for better intrusion detection and mitigation policy expression.
  • Researched event handling methods, techniques and engines.
  • Studied open source SIEM systems, e.g. AlienVault, comparing available rule sets/definition tools and interaction with Splunk/ArcSight/Industrial Defender.
  • Investigated host and network-based intrusion detection systems, evaluating sensor support, centralized vs. distributed architectures, interchange formats, e.g. JSON, suitability in Windows and Linux virtual platforms.

Consulting Software Engineer

Confidential, Billerica, MA

Responsibilities:

  • Defined multiple-release feature roadmap with product manager, starting with switch-to-switch topology to secure leased fiber between data centers, through end-to-end layer 2 secure infrastructure with 802.1x-2010 compliant network access control with x.509 certificate authentication.
  • Performed build vs. buy trade studies of MacSec key agreement software. Led functional discovery reviews of 3rd party offerings with stakeholders and product owner, concluding to build the code for .net saving $18K.
  • Identified software requirements, led software estimation effort and generated development schedules.
  • Designed, coded and tested proprietary keying algorithms in C++ based on key derivation functions specified in the 2010 standard, leveraging OpenSSL primitives available in the CentOS 6.2 distribution.
  • Performed architectural decomposition for distributed control plane, refactoring time-constrained functions (e.g. fault handling and rekeying) to reside on IO module CPU, relieving tight 40 and 100Gbps tolerances.

Confidential

Contributor

Responsibilities:

  • Coordinated plan for static and dynamic application security scanning of ERS 8600 product.
  • Developed plans to incorporate Suite-B cryptography and anticipated Confidential regulatory mandates.

Confidential

Security architect/technical lead

Responsibilities:

  • Wrote bash script generator for CentOS 6.2 Linux system control of Confidential virtual machines, internal connections, iptables and iproute2 packet controls and per-chassis OpenvSwitch configuration.
  • Implemented enhancements to expose internal switch APIs, to allow interaction with standard network debug tools e.g. Wireshark and SNMP agents, enhancing training scenario capabilities.
  • Implemented XML run-time configuration parser to support hardware, IO types and extensible features.

Confidential

Security architect/technical lead

Responsibilities:

  • Performed comprehensive analysis of Confidential 2003 r3 compliance requirements, including by reference FIPS 140-2, NIST 800SPs, IEEE 802.1/.3 standards, IETF RFCs and Linux host, Ethernet switch/IP router STIGs.
  • Investigated Confidential card requirements for administrator authentication and authorization via Federal bridge cross-certification authority (Confidential).
  • Identified mitigation strategy to relax requirements for x.509v3 certificate support and numerous tactical mitigations that resulted in a net savings of 10% in development schedule.
  • Designed syslog-over-SSH to resolve test finding (missing strong authentication) without adding PKI.
  • Wrote and/or reviewed functional/design specs for enhancements and DIACAP process documents.
  • Defined secure external management API specifications and internal data structures, integrating MIBs for SNMPv3, console commands secured by SSH and web configuration via HTTPS/TLS.
  • Specified security policy configuration API for Confidential over IPv6 and specified IPv6 Confidential functionality.
  • Performed reviews and inspections of application code produced by team of 20 off-shore developers.
  • Wrote, edited and/or reviewed all customer documentation including user guide updates, conditions of fielding. Participated in all approval meetings with JITC test officials.
  • Performed oversight consultation to third-party lab FIPS 140-2 level 2 (CAVP) validation.
  • Coordinated 24-hour bug fix process, resulting in on-time entry/exit of lab test windows, saving late fees.
  • The certification testing included the first Federal validation of Confidential's SPB technology as an alternative to MPLS, and led up to its inclusion and huge commercial success at the 2014 Winter Olympics at Sochi.
  • Switch/router was added to APL 12/2011 with only 2 issues requiring follow-on development and retest.

Principal Engineer

Confidential, Billerica, MA

Responsibilities:

  • Presented technical training for Confidential VPNs, RSA SecurID and x509v3 certificates.
  • Defined all VPN UI, HA, interoperability, configuration and boot requirements.
  • Worked with product owner to define and capture requirements in DOORS, then worked with team to translate to story backlog in VersionOne, meeting original development estimate using Agile methodology.
  • Identified interoperability targets (to include all Nortel VPN gateways, Cisco ASA family, Juniper router and Checkpoint firewall) and defined user-selectable operational variants and modes for each gateway type.
  • Identified gaps in Confidential VPN client functionality in Mocana NanoSec library and proposed enhancements that were later adopted by Mocana as standard offerings in their NanoSec library.
  • Identified and proposed fix for bug in Mocana’s BIGNUM library specific to big-endian, 32-bit platform.
  • Designed and developed OO C++ code for VxWorks stack shim, phone UI, Confidential policy, and embedded firewall handling RTP and RTSP audio for bump-in-the-stack implementation.
  • Coordinated sprint activities among all developers to optimize sprint efficiency and hit target stride.

Confidential

SME

Responsibilities:

  • Designed and developed OO C++ unified control plane objects for Confidential and Confidential VPN technologies.
  • Integrated legacy Confidential components to use unified control and run as Windows service component.
  • Developed C++ RPC interface API data structures and processing for exchanges between user-space GUI and kernel-space control/forwarding engine implemented as a Windows service.
