SUMMARY:

• Creative senior - level software and systems security engineer with proven leadership and value delivery in all phases of the system/security/product development lifecycle.
• Background in applied cryptography, secure network protocols, distributed and embedded systems.
• Excellent verbal communication proficiency conveying concepts and technical detail to broad audiences.
• Multi-disciplinary technologist demonstrably successful developing and deploying leading-edge products.

Collaboration: Sharepoint, OneNote, MS-Office, Outlook, Word, PowerPoint, Excel, Visio and Project

Languages: C/C++, Assembler, make files, Perl, Tcl/Tk, Expect, Python, bash and DOS shell scripting

Operating Sys: Linux, Cygwin, VxWorks, Windows, DOS, VRTX and embedded RTOS

Networking: TCP/IP UDP, DHCP, DNS, NAT, IPSec, IKE, GRE, TLS, EAP, 802.1/802.3, SNMP and SSH

Security: PKCS/PKI, DH/ECDH, RSA Secure ID, AES/3DES, AWS IAM, KMS, CloudHSM.

Compliance: FIPS 140-2, STIGs for Switch/Router/Linux host, DIACAP and NIST 800SP

Methodologies: Agile Scrum, DevSecOps, Waterfall, OOD/OOP, STL and Design patterns

Tools: emacs, vim, CVS, Clearcase, VStudio, Bamboo, Crucible, SVN, Git, JIRA, Rally and VersionOne

Debug: gdb, windbg, objdump, Ping, IXIA, Qualys, IxChariot, tcpdump, protocol analyzers and Wireshark

PROFESSIONAL EXPERIENCE:

Senior Security Engineer

Confidential, Bedford, MA

• Devised certification and accreditation system test procedures and remotely supervised their execution. All testing completed in time to use system for final pre-production runs despite shipping and other challenges.
• Generated asymmetric keys and certificates on offline root HSM and replicated across all devices in the redundant online system. Created/archived paper and electronic forms of backups for all crypto objects.
• Developed and documented formal robot embedded firmware signing policies, standards and procedures, with controls for safeguarding unsigned code until successful signing operation completed.
• Trained Infosec team on HSM configuration, FW signing procedures and crypto material handling policies.
• As member of cross-functional team faced with a manufacturing bug, offered a solution to make production certs available at remanufacturers enabling repair of first 25k robots in time to meet quarterly demand.
• Developed PKI security controls automation for ISO 27001 compliance effort using Python scripts.

Confidential

Director of Information Security

• With internal audit staff perform site tour of local IoT cloud provider to observe physical environment, and first-hand knowledge of administrative and logical controls for staff, servers, applications and networks.
• Monitored issue mitigation processes over multiple internal vendor releases finalized before launch.
• Managed third-party pen testing robot hardware, mobile apps and cloud IoT ecosystem.
• Defined requirements from robot HW&FW threat vectors, high-level recommendations from OWASP top 10 for Wi-Fi and Bluetooth connected back-ends and mobile application vulnerabilities for iOS/Android.
• Performed triage on initial reports with pen testers and lead finding review meetings with Engineering capturing results as defects, user stories or new features in Rally.
• Trade study to select bug bounty service as alternative to Red Team, evaluating processes, support for CVSSv3 on website, security policies, and sampled researcher personalities/relationships and costs.
• Connected bug bounty website RESTful APIs to JIRA and Rally APIs to centralize and automate all phases of security vulnerability reporting, tracking and defect resolution in single tool controlled by IT security team.
• POCs on automated code analysis tool Checkmarx to extend languages supported by Coverity, configured and administered test server to run on VmWare under control of Jenkins for automated CI/CD process.es
• IT security team representative on site visits to several prospective vendors, leading to selection of AWS.
• Collaborated with AWS security team to develop “bring-your-own-certificate” authentication alternative API for the AWS IoT MQTT service, avoiding overhead costs and labor to remanufacture 50K+ fielded robots.
• Defined Confidential security policies and processes with AWS Pro Serve security architect’s guidance.
• Identified implemented requirements to secure all serverless micro-service flows based on Lambda.
• Used the AWS console to create and secure accounts with 2FA, implement IAM rules, VPCs, security groups for S3, Lambda, DynamoDB, KMS and CloudHSM, with mobile app networking via API Gateway.
• Performed live POCs with 4 MSSPs for continuous monitoring/correlation of CloudWatch/CloudTrail logs.

TPM experts

Confidential

• Enumerate robot device security enhancement goals and means in multi-phase implementation proposal.
• Evaluate standalone TPM chip vs. ARM processor-based TEE to secure private key and crypto ops.
• Evaluate partners for Trust Zone “secure world” OS code to support Linux running in “normal world”.
• Evaluate Engineering’s microcontroller/processor designs for security flaws/opportunities for improvement.

Member of Technical Staff

Confidential, Marlboro, MA

• Analyzed cyber sensors derived from the SANS top 20 security controls to identify gaps in NERC CIP compliance and expand machine awareness for better intrusion detection and mitigation policy expression.
• Researched event handling methods, techniques and engines. Studied Open Source SIEM systems e.g. Alien Vault, comparing available rule sets/definition tools, interaction w/Splunk/ArcSight/Industrial Defender.
• Investigated various host (HIDS) and network intrusion detection systems (NIDS), including OSSEC and Snort, evaluating sensor support, centralized vs. distributed architectures, interchange formats, e.g. JSON, and product suitability for Windows, Linux platforms and Arduino/Raspberry Pi-based field units.
• Investigated SOA implementation using custom, low-end field processing devices with home office server.

Consulting Software Engineer

Confidential, Billerica, MA

• Defined multiple-release feature roadmap with product manager, starting with switch-to-switch topology to secure leased fiber between data centers, through end-to-end layer 2 secure infrastructure with 802.1x-2010 compliant network access control authenticated using EAP-Pre-shared initially, with x.509 certificates support using EAP-TLS planned for future.
• Performed build vs. buy trade studies of MacSec key agreement software. Led functional discovery reviews of 3rd party offerings with stakeholders and product owner, concluding to build the code for .net saving $18K.
• Identified software requirements, led software estimation effort and generated development schedules.
• Designed, coded and tested proprietary keying algorithms in C++ based on key derivation functions specified in the 2010 standard, leveraging OpenSSL primitives available in the CentOS 6.2 distribution.
• Performed architectural decomposition for distributed control plane, refactoring time-constrained functions (e.g. fault recovery and rekeying) to run on IO module CPUs instead of control plane CPU, relieving tight tolerances induced by latency of CAN bus interconnect.
• Planned and executed static (Veracode) and dynamic application security scan of ERS 8600 product.
• Developed plan for orderly phase-in of Suite-B cryptography across all BU product lines by Q42010.

Refactored software defined network simulator

Confidential

• Wrote custom XML parser to read config file to generate bash script to build and connect switches, switch ports, interfaces, link characteristics and switch operating parameters using standard and custom APIs.
• Define bridge and router ports, and initiate forwarding and protocol operations using Open vSwitch.
• Added capability to assign uniqueV4 address for each switch and route external IP traffic properly using iptables, enabling standard external tools e.g. SNMP manager, to accurately represent topology.
• Added virtual-to-physical port mirroring to enable live Wireshark monitoring of any switch port.

Security architect/technical lead

Confidential

• Analyzed/documented UCR 2003 r3 compliance requirements, including FIPS 140-2 and IEEE 802.1/.3 standards, IETF RFCs, NIST 800 Special Pubs, and STIGs for Linux host, Ethernet switch and IP router then conducted informal product security audit revealing gaps identified as SW development requirements.
• Investigated CAC/PIV card requirements for administrator authentication and authorization via Federal bridge cross-certification authority (FBCA).Further investigation lead to strategy to relax requirements for x.509v3 certificate support resulting in a net reduction of 10% man-hours in development schedule.
• Designed syslog-over-SSH, adding strong crypto protection to log stream with no PKI dependency.
• Wrote and/or reviewed functional/design specs for enhancements and DIACAP process documents.
• Defined secure external management API specifications and internal data structures, integrating MIBs for SNMPv3, console commands secured by SSH and web configuration via HTTPS/TLS.
• Specified security policy configuration API for IPsec over IPv6 and specified IPv6 IPsec functionality.
• Performed reviews and inspections of application code produced by team of 20 off-shore developers.
• Wrote, edited and/or reviewed all customer documentation, user guide updates and conditions of fielding.
• Performed oversight consultation to third-party lab contracted to do FIPS 140-2 level 2 (CAVP) validation.
• Coordinated 24-hour bug fix process, resulting in on-time entry/exit of lab test windows, saving late fees.
• The certification testing included the first Federal approval of Confidential 's SPB technology as an alternative to MPLS, and lead up to its inclusion and huge commercial success at the 2014 Winter Olympics at Confidential .
• Tested SW was added to APL 12/2011 with only 2 issues requiring follow-on development and retest.

Principal Engineer

Confidential, Billerica, MA

• Presented technical training for SSL/IPsec VPNs, RSA SecurID and x509v3 certificates to dev team.
• Defined all VPN UI, HA, interoperability, configuration and boot requirements. Used Wireshark packet capture to analyze IKE Phase 1 and Phase 2 protocol implementation for each interoperability target.
• Worked with product owner to define and capture requirements in DOORS, then worked with team to translate to story backlog in VersionOne, meeting original development estimate using Agile methodology.
• Developed objects to capture behavioral variation and supported authentication types for interoperability to all Nortel VPN gateways, select call managers, Cisco ASA routers, Juniper routers and Checkpoint firewalls.
• Identified gaps in IPsec VPN client standard protocol and crypto functionality in Confidential NanoSec library, and contributed software fixes/enhancements that were accepted and offered as features in future releases.
• Identified and proposed fix for bug in Confidential ’s BIGNUM library specific to big-endian, 32-bit platform.
• Designed and developed OO C++ code for VxWorks stack shim, phone UI, IPsec policy, strong user authentication, and embedded firewall handling RTP and RTSP audio for bump-in-the-stack implementation.
• Coordinated with Program Lead to plan sprint activities to optimize developer efficiencies to hit target stride.

Lead team

Confidential

• Designed and developed OO C++ unified user-mode control plane object hierarchy for SSL and IPsec VPN.
• Developed C++ RPC interface API data structures and processing for exchanges between user-mode GUI and kernel-mode forwarding engine implemented as a Windows service.