SecDevOps Engineer Resume
MA
SUMMARY
- Creative senior-level software and systems security engineer with proven leadership delivering successful new products and technologies to market; seeks product or SecOps/DevOps development role.
- Expert contributor in IAM, applied cryptography, secure network protocols, distributed and embedded platforms.
- Excellent verbal communication proficiency conveying concepts and technical detail to broad audiences.
TECHNICAL SKILLS
Collaboration: Sharepoint, OneNote, MS-Office, Outlook, Word, PowerPoint, Excel, Visio and Project
Languages: C/C++, Assembler, makefiles, Perl, Tcl/Tk, Expect, Python, bash, DOS shell and PowerShell scripting
Structured Data: syslog, HTML, SQL, XML and JSON
OS: Linux Ubuntu/CentOS, Cygwin, VxWorks, Windows XP/Vista/10, Server 2012r2, IIS, DOS, VRTX and embedded RTOS
Networking: TCP/IP, UDP, DHCP, DNS, NAT, IPSec, IKE, GRE, TLS, EAP, 802.1/802.3, SNMP and SSH
Security: PKCS/x.509v3 PKI, DH/ECDH, RSA SecurID, AES/3DES, AWS IAM, KMS, CloudHSM
Compliance: FIPS 140-2, STIGs for Switch/Router/Linux host, DIACAP and NIST SP 800 series
Methodologies: OOA/OOD/OOP, Agile Scrum, DevSecOps, Waterfall, STL and Design patterns
Tools: vim, CVS, Clearcase, VStudio, Bamboo, Crucible, SVN, Gitlab, JIRA, Leankit, Rally and VersionOne
Debug: gdb, windbg, objdump, Ping, IXIA, Qualys, Sysstat, IxChariot, tcpdump, protocol analyzers and Wireshark
PROFESSIONAL EXPERIENCE
SecDevOps Engineer
Confidential, MA
Responsibilities:
- Responsible for operational health, incident response, change management and continuous improvement projects on a globally distributed Carbon Black/Splunk/RSA Archer GRC enterprise security SOC production environment.
- Implement Splunk searches, alerts and dashboards on data ingested from CB, reporting email inboxes, and threat feeds to support global L1-L3 analysts and ATMs for these and ancillary systems, all work documented as Wiki pages.
- Perform administrative and project tasks under change control, tracking on Leankit kanban in daily Agile team scrum.
- Prototyped Java 1.8 install on Intel NUC Ubuntu 16.04 Linux for testing x.509 certificate administration with Java, IIS, MMC, and Linux key management tools on Splunk, UCF, Archer and SQL Servers to dry run prior to production go-live.
- Performed all integration between RSA Archer V6.2 SecOps and Splunk V6.5.3.1 to generate Incident tickets in Archer. Developed alerts, source field customization (CIM/CEF mapping) and security hardening of syslog and RESTful APIs.
- Develop automated delivery of Carbon Black events to Splunk using AWS S3 bucket and Splunk add-on for AWS.
Senior Security Engineer
Confidential, MA
Responsibilities:
- Designed, deployed and tested fault tolerant PKI for overseas robot manufacturing of per-device identity certificates and keys, all completed in under 2 months, in time for the system to be used at the factory during final pre-production tests.
- Wrote PKI system manual certification and accreditation test procedures and remotely supervised their execution.
- Devised policy and assurance processes for secure generation and continuous availability of crypto product materials.
- Defined emergency PKI recovery procedures integrated with iRobot disaster recovery plan to minimize factory WRT.
- As member of cross-functional team tasked with fixing a certificate private key storage bug, offered the solution chosen by management to remanufacture 25k+ robots to meet Q1 2016 North America sales goals.
- Automated PKI system security controls tests using Python to meet ISO 27001 continuous improvement goal.
Confidential
Responsibilities:
- Managed third-party pen tests, using specialist vendors for robot hardware, mobile apps and cloud IoT ecosystem.
- Defined testing requirements derived from robot HW&FW threat vectors, high-level recommendations from OWASP top 10, Wi-Fi and Bluetooth connectivity, mobile application vulnerabilities for iOS/Android.
- Performed triage on initial reports with pen testers and led “findings” review meetings with Engineering.
- Designed RESTful API integrations between bug bounty website, JIRA and Rally to automate defect workflows.
- POC on static code analysis tool Checkmarx for C++, Objective-C, Java, Node.js, Python, and C#, evaluating per-language analyzer performance in Dev instances of Jenkins CI/CD build pipelines.
- Infosec oversight of design transition to AWS microservices.
- Security SME on team responsible for alternative IoT cloud provider selection and services transition.
- IT security representative on cross-functional team evaluating cloud services vendors that eventually selected AWS.
- Collaborated with AWS security team to develop “bring-your-own-certificate” device authentication alternative API for AWS IoT MQTT service, saving iRobot costs to install new certificates on 60,000+ robots during transition to AWS.
- Defined cloud account policies, created user and developer accounts secured by 2FA, and implemented IAM roles.
- Identified and implemented infrastructure VPCs, S3 security groups, DynamoDB, security controls KMS and Cloud HSM for Lambda micro-service flows, mobile app via API Gateway continuous monitoring CloudWatch/CloudTrail.
Confidential
Responsibilities:
- Enumerated robot device security enhancement goals and roadmap for multi-phase security targets proposal.
- Executed Trade Study and presented results to engineering selecting ARM processor-based TEE over standalone TPM.
- Evaluated partners for TrustZone “secure world” OS code to support Linux running in “normal world”.
- Proposed asymmetric key-based hardware identity module designs to prevent robot battery counterfeiting.
Confidential
Responsibilities:
- Investigated application of cyber sensors derived from the SANS top 20 as NERC CIP-compliant security controls.
- Development of prototype policy expression language for integrating intrusion detection with mitigation.
- Application of event-handling methods, techniques, and Open Source and commercial engines.
- Trade study and prototype of Open Source security incident and event correlation (SIEM) systems to act as a field correlation component of a distributed security event detection system, interacting with centralized log collection and correlation elements: Splunk, ArcSight and Industrial Defender.
- Investigated host intrusion detection OSSEC and network intrusion detection Snort as field agents, evaluating sensor support, data interchange formats, e.g. JSON, and implementation complexity.
- Prototyped OSSEC AV detection on Raspberry Pi, integrating as source of remote attestation detection.
Sr. Principal Software Engineer
Confidential, Billerica, MA
Responsibilities:
- Defined multiple-release feature roadmap with product manager, starting with switch-to-switch topology to secure leased fiber between data centers, through end-to-end layer 2 secure infrastructure with 802.1X-2010 compliant network access control authenticated using EAP pre-shared key, with future x.509 certificate support using EAP-TLS.
- Performed build vs. buy trade studies of MACsec key agreement software. Led functional discovery reviews of 3rd party offerings with stakeholders and product owner, concluding to build the code for .net, saving $18K.
- Identified software requirements, led software estimation effort and generated development schedules.
- Designed, coded and tested proprietary keying algorithms in C++ and fast auto-rekey based on key derivation functions specified in the 2010 standard, leveraging OpenSSL primitives available in the CentOS 6.2 distribution.
- Performed architectural decomposition for distributed control plane, refactoring time-constrained functions (e.g. fault recovery and rekeying) to run on IO module CPUs instead of control plane CPU, relieving tight tolerances induced by latency of CAN bus interconnect.
Confidential
Responsibilities:
- Planned and executed static (Veracode) and dynamic application security scan of ERS 8600 product.
- Developed plan for orderly phase-in of Suite-B cryptography across all BU product lines by Q42010.
- Refactored software defined network simulator for use as a trainer by Sales/Marketing Team.
- Built virtual network of L2/L3 switches on CentOS 6.2 Linux QEMU-KVMs with proprietary switch features.
- Wrote XML parser to read config file to generate bash script to build and connect switches, switch ports, interfaces, link characteristics and switch operating parameters using OpenvSwitch and proprietary APIs.
- Added capability to assign a unique IPv4 address to each switch and route external IP traffic properly using iptables, enabling standard external tools, e.g. SNMP manager, to accurately represent topology.
- Added virtual-to-physical port mirroring to enable live Wireshark monitoring of any switch port.
- Led Federal Certification of modular Ethernet Routing Switch ERS 8600 effort to qualify for sales to US DoD.
- Security architect/SME for 12-month development/test by 20-person offshore team of UCR 2008 r3 requirements.
- Analyzed/documented UCR 2008 r3 compliance requirements, including FIPS 140-2 and IEEE 802.1/.3 standards, IETF RFCs, NIST 800 Special Pubs, and STIGs for Linux host, Ethernet switch and IP router, then conducted informal product security audit revealing gaps identified as SW development requirements.
- Investigated CAC/PIV card requirements for administrator authentication and authorization via Federal bridge cross-certification authority (FBCA). Further investigation led to strategy to relax requirements for x.509v3 certificate support, resulting in a net reduction of 10% man-hours in development schedule.
- Wrote prototype AES-CFB module as temporary workaround for requirement missing from Mocana crypto library.
- Designed syslog-over-SSH to meet strong crypto protection required for log transmissions with no PKI dependency.
- Wrote and/or reviewed functional/design specs for enhancements and DIACAP process documents.
- Defined secure external management API specifications and internal data structures, integrating MIBs for SNMPv3, console commands secured by SSH and web configuration via HTTPS/TLS.
- Specified security policy configuration command-line API for IPsec over IPv6 and specified IPv6 IPsec functionality.
- Performed oversight consultation to third-party lab contracted to do FIPS 140-2 level 2 (CAVP) validation.
- Coordinated 24-hour bug fix process, resulting in on-time entry/exit of lab test windows, saving late fees.
- The certification testing included the first Federal approval of Avaya's SPB technology as an alternative to MPLS, and led to its inclusion in and huge commercial success at the 2014 Winter Olympics at Sochi.
- Tested SW was added to APL 12/2011 with only 2 issues requiring follow-on development and retest.
Principal Engineer
Confidential, Billerica, MA
Responsibilities:
- Presented technical training for SSL/IPsec VPNs, RSA SecurID and x509v3 certificates to dev team.
- Reverse-engineered IKE Phase 1 and Phase 2 protocol implementations of each interoperability target VPN gateway using Wireshark packet captures and vendor-supplied clients.
- Defined and captured all VPN UI, HA, interoperability requirements in DOORS with product owner, then worked with engineering team to refine configuration and boot requirements and compose all to story backlog in VersionOne.
- Developed C++ classes and hierarchies for authentication technologies, VPN client features and VPN gateways to enable run-time interoperability with Nortel gateways, Cisco ASA routers, Juniper routers and Checkpoint firewalls.
- Identified gaps in IPsec VPN client standard protocol and crypto functionality available in Mocana NanoSec library, and contributed software fixes/enhancements that were accepted and offered as features in future releases.
- Identified and proposed fix for bug in Mocana’s BIGNUM library specific to big-endian, 32-bit platform.
- Designed and developed OO C++ code for VxWorks stack shim, phone UI, IPsec policy, strong user authentication, and stateful host firewall handling control/data traffic and RTP and RTSP audio for bump-in-the-stack, split-tunneling.
- Developed C++ class for PKCS 11 Smartcard and USB driver for certificate-based authentication.
- Release 10.0 of Nortel VPN Client (NVC) for Windows Vista with integrated IPsec and SSL VPN transports.
- Led team of 7 as SME to add SSL VPN to industry-leader IPsec VPN client for Windows Vista.
- Designed and developed OO C++ unified user-mode control plane class hierarchy for SSL and IPsec VPN variants.
- Developed C++ RPC interface API data structures and processing for exchanges between user-mode GUI and kernel-mode forwarding engine implemented as a Windows service. Ported custom C++ IPsec libraries to use CNG services.
- Individual contributor/project lead for first security release of Nortel Secure Router 9000
- Nortel applied NewOak’s software to embedded Linux OS and next-gen cryptographic acceleration to produce a high-capacity, multi-tenant router with high-performance VPN gateway for ISP market.
- Developed C++ subscriber management features based on SQL-lite to scale up to 20,000 users.
- Optimized AAA and Cavium-accelerated IKE drivers in C to achieve 5,000 IKEv1 RAS tunnels/second.
- Designed and developed C++ classes and hierarchy for OTS and custom IPsec crypto accelerator PCI cards.