Re: Programmer / Security Position

To Whom It May Concern:

I am applying to this position with the intention of finding a team, where I can excel researching, creating, proofing, and securing technology within your organization. During the last ten years of my career my main objective has been to create secure technologies, that can bring advanced digital media content to the web, and at the same time protect both the companies and clients involved in the experience. The research problem space is non-trivial and has involved reviewing server, client, device, and feature implementation, using evolving web related technologies, protocols, processes, and practices. Given the nature of our business most professionals have a hard time differentiating how security activities:

• Researching security architecture weaknesses, performing assessments on services, code, and configurations

• Investigating use of counter measures for preventing live problems (ASLR/selinux/IDS/suhosin/WAF/CSP)

• Secure coding, design, and prevention of Commonly Enumerated application Weaknesses (CWE)

• Working with Product groups to prevent consumer fraud financial/information risk, and corporate vulnerability

• Security awareness training for Web Application Developers, and Information Systems staff

relate to using a plethora of technologies to produce consumer content and entertainment (It is new-ish for most of us):

• UI design using jQuery, ExtJS, Unity3D, HTML5, CSS3 and related AJAX Web Services (REST/ SOAP)

• Server side integration with Java Restlet, and Spring/JSF API calls/annotations (JSON/XML)

• Transaction processing using JMS message brokering and Hibernate/JPA/BigData API calls/annotations

• Content Management System integration with (PHP/Drupal) and New Media related services

• Secure wireless data communication and embedded programming on various open mobile architectures

however in a previous role with a Canadian video game producer, I was tasked with such things and attempted to encourage groups towards meeting both objectives. My knowledge and abilities stem from research, and a history of working in both security software and web technology companies. While in a dev team at mobile phone company I developed a Java server side crypto API by:

• Verifying Phone configuration/signing requests in Java, and porting C code to Java for factory-side HSM verification

• Using fifty two J2EE XServes providing 3000 request/sec to iPhones performing iTunes s/w validation

• Applying nCipher Hardware Security Module to provide for a FIPS 140-2 Level 3 validated security configuration

Security Software Engineer Oct. '08 – Oct. '09

Aumkaara, Inc., Cupertino, CA, USA

• Created an installation validation J2EE servlet capable of providing 125 request/sec to phones

• Provided API for cryptographically securing Configuration Info, sent to manufacturing facilities

• Created code to translate Java objects to custom byte data, for performing cryptographic signing operations.

• Ported 'C' code to Java so as to mimic secure service signing operations, where required

• J2EE (Servlet, SOAP, nCipher/JCA, Junit), SQL (hibernate/MySQL), nCipher HSM, Mac/OSX

Software Engineer July '07 – Sept. '08

Corinex Communications Corp., Vancouver, BC, Canada

• Implemented C code customizations for ASIC based firmware

• Analyzed creating a NMS for managing multiple network/backbone device configurations

• Implemented a multi-threaded session service for providing real-time updates to field engineers

• C/C++/QT Signal/Slot(custom message protocol), QT/MySQL, shell/perl/CVS/Drupal/Linux/Win32

Software Quality/Release Engineer June '99 – March '05

Interwoven, Inc. (now Autonomy/HP), Sunnyvale, CA, USA - Xuma, Inc., San Francisco, CA, USA

Xcert International Inc. (now RSA/EMC), Vancouver, BC, Canada

• Designed, implemented, maintained, and monitored build systems (AIX, Solaris, HPUX, Linux, BSD, Win)

• Introduced parallel/debug build types, the component build infrastructure, and archival facilities (gmake/NetApp)

• Participated in creating an automated service pack and patch infrastructure (PERL/Shell)

• Integrated several build trains into a centralized global multi-site build environment and test suite

• Created a build system and installer for a multi-tiered internet content server (UNIX packages, Perl and shell)

• Design and development of product test suites using C/C++, Expect, and SilkTest

• Created a s-client fuzzer for analyzing security weaknesses in the product offerings

CERTIFICATIONS DISTINCTIONS AND AWARDS

• GWAPT - GIAC Web Application Penetration Tester – SANS Certification/License #3951

• Dean's Award – BCIT 2007 : for academic performance in B.Tech program

• Runner Up Prize – BCNET 2007 Broadband Innovation Challenge : BCIT Practicum Project to Secure SCADA

EDUCATION

Masters of Digital Media: (Not Complete) Apr. '10 – On Going

Center for Digital Media, Vancouver, BC

• Small cohort based program modeled after the ETC program at Carnegie Mellon University

• Programming for graphics related technologies OpenGL, Maya, Unity, Unreel, PHP, HTML5 etc.

• BCIT Web Application Development Courses: HTML/5, CSS/3, AJAX, JSON, XML (DOM/SAX, Xpath/XSLT), SQL (hibernate, JPA), Javascript/JQuery, PHP/Drupal, JEE (i18n, JSP/JSTL, JSF, JAX-WS/RS, JMS, EJB3)

Bachelor of Technology : Secure Computer Systems Apr. '05 – Apr. '07

British Columbia Institute of Technology, Burnaby, BC

• Graduated with honors - GPA 86% (3.1 or 4.0 depending on which scale is used.)

• Praticum Project – Remote firewall access via. rules triggered by custom encryption protocol

• 1^st PlaceTeam - Practical Hacking/Defense Contest (ie. War Games Competition)

• Covert Channels, Secure System Design, Firewalls, and Intrusion Detection Systems

• Programming Concepts for Java/C#, OpenGL, Cryptography, Wireless and Embedded systems

Diploma of Technology : Computer Systems Sep. '97 – May '99

British Columbia Institute of Technology, Burnaby, BC

• Hardware and Data Communication Concepts for Serial and TCP/IP Network Programming

• Operating Systems, Database Systems, Expert/Decision Systems

• Programming Concepts for C, C++, Java, Shell, Make, Assembler, Pascal, and Graphics

• System Analysis and Design (OMT/UML), Rapid Application Development Tools

• Communications, Marketing, Economics, Accounting, Statistics, and Law

TECHINICAL INTERESTS

• Web design: Java, PHP, AJAX, JSON, Javascript (jQuery, ExtJS), CSS/3, HTML/5

• Web Services .NET, PHP, JEE/Spring (JSP, i18n, EL, JSTL, JSF, JAX-WS, JAX-RS, JMS, EJB3), SQL (hibernate,JPA) XML (DTD/XSL, DOM/SAX, WSDL/WADL, Xpath/XSLT),

• Programming Assembler Shell, Perl, Python, Expect, Make(CVS,SVN), Pascal, C (Unix, Win32, Xwindows, OpenGL), C++ (QT), Java (Junit, Ant, Maven, J2ME, Swing) and C# (Nunit, WinCE)

• serial, network, and wireless programming in UNIX and Win32 (ie. RS-232, TCP/IP, Winsock, Berkeley Sockets, Raw Sockets, Multicast, 802.11, IPC, Threads, Protocol Design, SOAP/REST)

• Computer network/security programming (ASN.1, MD5/SHA1, RC4/WEP/WPA2, OTP/ Kerberos, AES/DSA/RSA/ECC/PGP; PKI/V3 ext.; nCipher/openSSL/JCA,/Nettle, SAML,OpenID/oAuth

• JSLint, findbugs, valgrind, nmap, ncat, socat, tcpdump, ZAP, sqlmap, Nessus, metasploit, ASLR/kernel, snort/iptables, backtrax/knopper, WAF, covert channels, Bastille/seLinux, OWASP Top 10 prevention

• Processes for designing and creating secure systems (OWASP/CLASP/BSIMM/SAMM/CWE/SDL)

• Modifying drivers, kernel configurations and programming embedded boards (SOC/GPU/DSL), SCADA equipment and protocols (DeviceNet, Modbus, DNP3, Profinet)

• OSS Standards and Protocols: cross-gcc, dhcp, dns-sec, iptables/ebtables, snort, nfs/samba, NIS/ActiveDirectory, LDAP, SNMP, SMTP/POP, httpd, jboss/tomcat/jetty, cygwin, X Windows,

• Databases, APIs and NoSQL (MSSQL, MYSQL, JDBC/ODBC, hibernate, Hadoop Cassandra Redis MongoDB)

• Content/Configuration Management Systems and their use in development and release (TeamSite, Drupal, Wiki, Confluence, JIRA, LAMP etc.)