Security Engineer Resume
Minneapolis, MN
SUMMARY:
- Creative senior - level software and systems security engineer with proven leadership delivering successful new products and technologies to market seeks product or secops/devops development role.
- Expert contributor in IAM, applied cryptography, secure network protocols, distributed and embedded platforms.
- Excellent verbal communication proficiency conveying concepts and technical detail to broad audiences.
SKILLS:
Collaborate: Skype, Teams, Hipchat, Wiki, Sharepoint, OneNote, Acrobat, Outlook, Word, PPoint, Excel, Visio, Project
Languages: C/C++, Assembler, make files, Perl, Expect-Tcl/Tk, Python, VBA, POSTMAN, bash, DOS and Power Shell
Data formats: UTF8, ASCII, UNICODE, SNMP, syslog-ng, HTML, SQL, ASN.1, XML/XSLT and JSON
OS: Linux Ubuntu/CentOS, Cygwin, VxWorks, Windows XP/Vista/10, Server 2012r2, IIS, DOS, VRTX and embedded RTOS
Networking: TCP/IP UDP, DHCP, DNS, NAT, IPSec, IKE, MacSec, GRE, TLS, EAP, 802.1/802.3 , SNMP, SCP and SSH
Security: NIST RNG, PKCS/x.509v3 PKI, DH/ECDH, RSA Secure ID, AES/3DES, AWS IAM, KMS, CloudHSM.
Compliance: FIPS 140-2 L2, STIGs for Switch/Router/Linux host, DIACAP and NIST 800SP, PCI DSSv3.2
Methodologies: OOA/OOD/OOP, Agile Scrum, SecDevOps, Waterfall, STL and Design patterns
Tools: vi, emacs, Notepad++, CCase, Perforce, VS2008, Bamboo, VersionOne, Crucible, SVN, Git, JIRA, Kanban and Rally
Debug: gdb, windbg, objdump, Ping, IXIA, Qualys, Sysstat, IxChariot, tcpdump, protocol analyzers and Wireshark
WORK EXPERIENCE:
Security Engineer
Confidential, Minneapolis, MN
Responsibilities:
- Stage LDAP group creation and sync SD Elements users to WF Channel Secure standard directory services facility.
- Perform gap analysis of SD Elements4.12 PCI DSS v3.2 support to characterize deployment/audit phase task content.
- Develop proposal to in corporate new SD Elements Risk Policy feature into manual and automated SDLC workflows.
- Build VBA 2016 and Python 2.7/DJango 1.9 automation to verify cloud security and PCIv3.2 task database updates.
SecDevOps Engineer
Confidential, Andover, MA
Responsibilities:
- Security operations center administrator and automation development engineer
- Responsible for operational health, incident response, change management and continuous improvement projects on globally distributed Carbon Black/Splunk/RSA Archer GRC enterprise security SOC production environment.
- Implement Splunk searches, alerts and dashboards on data ingested from CB, email inboxes, and threat feeds.
- Prototype Java 1.8 install on Intel NUC Ubuntu 16.04 Linux for testing x.509 certificate administration with Java, IIS, MMC, and Linux key management tools on Splunk, UCF, Archer and SQL Servers to dry run prior to production go-live.
- Restful API integration/hardening RSA Archer V6.2 SecOps and Splunk V6.5.3.1 for automated ticket generation.
Senior Security Engineer
Confidential, Bedford, MA
Responsibilities:
- Designed, deployed and tested fault tolerant PKI for overseas robot manufacturing of per-device identity certificates and keys, all completed in under 2 months, in time for system to be used at factory during final pre-production tests.
- Wrote PKI system manual certification and accreditation test procedures and remotely supervised their execution.
- Defined emergency PKI recovery procedures integrated with Confidential disaster recovery plan to minimize factory WRT.
- As member of cross-functional team tasked with fixing a certificate private key storage bug, offered the solution chosen by management to remanufacture 25k+ robots to meet Q12016 North America sales goals.
- Automated PKI system security controls tests using Python 3 for ISO 27001 continuous improvement compliance.
Confidential
Senior Security EngineerResponsibilities:
- Managed third-party pen tests for robot embedded HW&FW, OWASP top 10 for web, Wi-Fi and Bluetooth threat vectors for iOS and Android.
- Triaged reports, lead “findings” Engineering reviews and monitored security backlogs.
- POC on static code analysis tool Checkmarx for C++, Objective-C, Java, Node.js, Python, and C#, evaluating per-language analyzer performance in Dev instances of Jenkins CI/CD build pipelines.
Confidential
Senior Security EngineerResponsibilities:
- As IT security representative on cross-functional task force evaluated global-scale cloud services, cloud DevOps consultants and MSSPs, selecting AWS, AWS Pro Services, 2nd Watch and Sumo Logic to replace turn-key solution.
- Collaborated with AWS security team to develop “bring-your-own-certificate” device authentication alternative API for AWS IoT MQTT service, saving Confidential costs to install new certificates on 60,000+ robots during transition to AWS.
- Defined cloud account policies, created user and developer accounts secured by 2FA, and implemented IAM roles.
- Identified and implemented infrastructure VPCs, S3 security groups, DynamoDB, security controls KMS and Cloud HSM for Lambda micro-service flows, mobile app via API Gateway continuous monitoring CloudWatch/CloudTrail.
Confidential
Senior Security Engineer
Responsibilities:
- Developed plans to in corporate hardware-based security controls on next-gen future IoT robots
- Identified robot device security vulnerabilities in new platforms and proposed hardware-based mitigations roadmap.
- Executed Trade Study and presented results to engineering selecting ARM processor-based TEE over standalone TPM.
- Evaluated partners for Trust Zone “secure world” OS code to support Linux running in “normal world”.
- Proposed asymmetric key-based hardware identity module security controls to prevent robot battery counterfeiting.
Member of Technical Staff
Confidential, Marlboro, MA
Responsibilities:
- Investigated application of cyber sensors derived from the SANS top 20 as NERC CIP-compliant security controls.
- Development of prototype policy expression language for integrating intrusion detection with mitigation.
- Application of event-handling methods, techniques and Open Source and commercial and engines.
- Prototype of Open Source endpoint security from OSSEC and Alien Vault to act as field sensor and local event correlator delivering alerts via message broker to log aggregator Splunk, ArcSight and Industrial Defender.
- Investigated host intrusion detection OSSEC and network intrusion detection Snort as field agents, evaluating data interchange formats, e.g. JSON, XML and implementation complexity using AMQP and MQTT message brokers.
- Protoyped OSSEC AV detection on Raspberry Pi, integrating as source of remote security attestation.
Sr. Principal Software Engineer
Confidential, Billerica, MA
Responsibilities:
- Defined multiple-release feature roadmap with product manager, starting with switch-to-switch topology to secure leased fiber between data centers, through end-to-end layer 2 secure infrastructure with 802.1x-2010 compliant network access control authenticated using EAP-Pre-shared, with x.509 certificates future support using EAP-TLS.
- Performed build vs. buy trade studies of MacSec key agreement software. Led functional discovery reviews of 3rd party offerings with stakeholders and product owner, concluding to build the code for .net saving $18K.
- Identified software requirements, led software estimation effort and generated development schedules.
- Designed, coded and tested proprietary keying algorithms in C++ and fast auto-rekey based on key derivation functions specified in the 2010 standard, leveraging OpenSSL primitives available in the CentOS 6.2 distribution.
- Performed architectural decomposition for distributed control plane, refactoring time-constrained functions (e.g. fault recovery and rekeying) to run on IO module CPUs instead of control plane CPU, relieving tight tolerances induced by latency of CAN bus interconnect.
- Contributing to company-wide leadership forum responsible for advancing corporate security initiatives
- Planned and executed static (Veracode) and dynamic application security scan of ERS 8600 product.
- Developed plan for orderly phase-in of Suite-B cryptography across all BU product lines by Q42010.
- Refactored software defined network simulator for use as a trainer by Sales/Marketing Team.
- Virtual network of L2/L3 switches on CentOS 6.2 Linux QEMU-KVMs with proprietary switch features
- Wrote XML parser to read config file to generate bash script to build and connect switches, switch ports, interfaces, link characteristics and switch operating parameters using OpenvSwitch and proprietary APIs.
- Added capability to assign uniqueV4 address for each switch and route external IP traffic properly using iptables, enabling standard external tools e.g. SNMP manager, to accurately represent topology.
- Added virtual-to-physical port mirroring to enable live Wireshark monitoring of any switch port.
- Analyzed/documented UCR 2003 r3 compliance requirements, including FIPS 140-2 and IEEE 802.1/.3 standards, IETF RFCs, NIST 800 Special Pubs, and STIGs for Linux host, Ethernet switch and IP router then conducted informal product security audit revealing gaps identified as SW development requirements.
- Investigated CAC/PIV card requirements for administrator authentication and authorization via Federal bridge cross-certification authority (FBCA).Further investigation lead to strategy to relax requirements for x.509v3 certificate support resulting in a net reduction of 10% man-hours in development schedule.
- Wrote prototype AES-CFB module as temporary workaround for requirement missing from Mocana crypto library.
- Designed syslog-over-SSH to meet strong crypto protection required for log transmissions with no PKI dependency.
- Wrote and/or reviewed functional/design specs for enhancements and DIACAP process documents.
- Defined secure external management API specifications and internal data structures, integrating MIBs for SNMPv3, console commands secured by SSH and web configuration via HTTPS/TLS.
- Specified security policy configuration command-line API for IPsec over IPv6 and specified IPv6 IPsec functionality.
- Performed oversight consultation to third-party lab contracted to do FIPS 140-2 level 2 (CAVP) validation.
- Coordinated 24-hour bug fix process, resulting in on-time entry/exit of lab test windows, saving late fees.
- The certification testing included the first Federal approval of Confidential 's SPB technology as an alternative to MPLS, and led to its inclusion in and huge commercial success at the 2014 Winter Olympics at Sochi.
- Tested SW was added to APL 12/2011 with only 2 issues requiring follow-on development and retest.
Principal Engineer
Confidential, Billerica, MA
Responsibilities:
- Presented technical training for SSL/IPsec VPNs, RSA SecurID and x509v3 certificates to dev team.
- Reverse-engineered IKE Phase 1 and Phase 2 protocol implementations of each interoperability target VPN gateway using Wireshark packet captures and vendor-supplied clients.
- Defined and captured all VPN UI, HA, interoperability requirements in DOORS with product owner, then worked with engineering team to refine configuration and boot requirements and compose all to story backlog in VersionOne.
- Developed C++ classes and hierarchies for authentication technologies, VPN client features and VPN gateways to enable run-time interoperability with Nortel gateways, Cisco ASA routers, Juniper routers and Checkpoint firewalls.
- Identified gaps in IPsec VPN client standard protocol and crypto functionality available in Mocana NanoSec library, and contributed software fixes/enhancements that were accepted and offered as features in future releases.
- Identified and proposed fix for bug in Mocana’s BIGNUM library specific to big-endian, 32-bit platform.
- Designed and developed OO C++ code for VxWorks stack shim, phone UI, IPsec policy, strong user authentication, and stateful host firewall handling control/data traffic and RTP and RTSP audio for bump-in-the-stack, split-tunneling.
- Developed C++ class for PKCS 11 Smartcard and USB driver for certificate-based authentication.
- Designed and developed OO C++ unified user-mode control plane class hierarchy for SSL and IPsec VPN variants.
- Developed C++ RPC interface API data structures and processing for exchanges between user-mode GUI and kernel-mode forwarding engine implemented as a Windows service. Ported custom C++ IPsec libraries to use CNG services.
- Developed C++ subscriber management features based on SQL-lite to scale up to 20,000 users.
- Optimized AAA and Cavium-accelerated IKE drivers in C to achieve 5,000 IKEv1 RAS tunnels/second.
- Designed and developed C++ classes and hierarchy for OTS and custom IPsec crypto accelerator PCI cards.