Objective
I am looking to add my experience and creativity to an exciting engineering team and be part of a fast-paced, cutting-edge technology company.
- Familiar with a wide variety of development processes including Waterfall, eXtreme Programming (XP), Agile Software Development, Unified Rational Development, etc.
- Self-motivated starter.
- Happy to adapt to new technology areas, utilize different development processes, and perform within a multitude of organizational structures.
- Extensive experience interacting with a wide range of domestic and international companies, in a diverse set of industries, varying in size from startups to Global 2000 companies.
- Comfortable working alone or as a member of a team, locally or remotely, as a technical lead or individual contributor.
Significant Technical Accomplishments
- Enterprise architect: architected and co-wrote the WLS security framework.
- Object oriented design and analysis experience including use of Rational Rose and TogetherJ/Borland Together.
- Application security expert including knowledge of Java security (JEE/J2EE and JSE/J2SE), identity management (IDM), web services security, SAML, XACML, Kerberos, Firewalls, DMZs, and many other technologies. Familiar with many national and international security guidelines including Common Criteria, Swiss and German Banking laws, security practices of dozens of the world's most secure companies and government agencies.
- Intimately familiar with the concepts behind application servers: WebLogic Server expert, WebSphere, and JRun experience.
- Extensive experience with a variety of programming languages and operating systems.
MorphoTrust USA, October 2012-Present
Principal Software Security Specialist, October 2012-Present
- Incorporated secure programming practices throughout engineering in MorphoTrust's six development sites.
- Created and documented secure programming guidelines to meet federal compliance regulations.
- Introduced and facilitated the use of Fortify Static Code Analyzer.
- Provided application security training for MorphoTrust's engineering department.
- Instituted security into the product development lifecycle, from requirements through deployment.
Open Source Developer/Personal Leave, January 2011-October 2012
Personal Leave, January 2011-Present
- Single parent providing 24x7 care for a sick child requiring surgery and several multiday hospitalizations over 12+ months.
- Child is currently healthy, undertaking rehab to recover from a year of bedrest, and looking for a part-time job prior to starting college in September 2012.
- I am now anxiously looking to return to the workplace.
Open Source Developer, January 2011-Present, as time permitted
- Wrote Gmail2Gcal Notifier. It is an original project that converts Gmail messages deemed important into calendar appointments with notifications. When used with a smart phone, an Android in my case, Gmail2Gcal uses Gmail filtering to provide immediate notification of important emails via your phone's calendar. Unlike most email notification systems, calendar notifications provide rich functionality such as snoozing and nags. A live demo can be found at Gmail2Gcal's Github repository page. Languages: Lua and Shell.
- Contributed to IMAPFilter: Added additional examples and submitted a still pending pull request. Languages: Lua.
- Contributed to org-ruby (a component of Github): Improved Github's functionality for displaying .org files. Languages: Ruby.
- Enhanced the Jekyll blogging engine to produce more informative error messages. Jekyll is the underlying technology used in Github Pages and the Octopress blogging system. Languages: Ruby.
- Contributed to Nanoblogger. Have written a Github plugin and an original command-line interface, nbc, for Nanoblogger. Languages: Shell.
- Wrote an Octopress blog plugin that incorporates dynamic trending news into the static blogging features of Octopress and its underlying engine, Jekyll. An example of this plugin can be seen in the "Buzz" section of the sidebar of this blog posting. Languages: HTML, SCSS, CSS, YAML.
- Wrote numerous GNU Emacs extensions: Have taken over maintenance of bitly.el and rewritten it so that it now communicates with Bit.ly asynchronously, providing dramatic performance improvements. Wrote several original packages including org-defprop, defhook, and org-global-link-insert. Languages: Elisp.
- Created several code snippets (AKA: Gists).
Security Contractor/Consultant (Newton, MA), June 2008-December 2011
Contractor for Aspect Security, August 2011-December 2011
- Performed security audits for multiple clients using a combination of manual code review, custom-written scripts, and Fortify's products.
- Made improvements to Aspect's proprietary fault recording and report generation tool.
Security Consultant (multiple companies), June 2008-July 2011
- Provided security consulting to multiple companies looking to design a security strategy for future work.
- Author of an online application security skills assessment based on OWASP.org's 2007 Top-10 Web Vulnerabilities.
BEA Systems (Boston, MA), October 1999-May 2008
Chief Security Architect, November 2000-May 2008
- Responsible for all aspects of security in all of BEA’s products including tracking of relevant standards, and long-term security direction.
- Co-architected the BEA WebLogic Server security infrastructure, which has been adopted by all BEA products and, following the BEA/Oracle buyout, is being adopted by Oracle products (e.g., Oracle Web Services Manager).
- Implemented major portions of the security system including Java 2 Security integration.
- Developed security coding standards and processes used throughout BEA, created educational material and toured many of BEA's sites to educate (and learn from) the developers.
- Created and managed BEA's vulnerability process and team, growing it from two people and two vulnerabilities a year to 50+ vulnerabilities a year with a company-wide team consisting of developers, management, project and product management, QA, technical publications, and legal.
- Worked hand-in-hand with key customers to help them design an effective security architecture using both BEA and non-BEA products.
- Orchestrated all technical interactions with third party security vendors and helped them design their integration strategies with the WebLogic Server's security system.
- Helped key customers design and implement an effective security architecture.
Architect/Technical Lead/Senior Engineer, WebLogic Commerce Server, October 1999-October 2000
- Architected, designed, helped implement, and led Commerce Server team.
- Designed webflow and pipeline subsystem - a Model-View-Controller paradigm for controlling web applications. Received a patent on this technology.
Bowne Internet Solutions (Cambridge, MA)
Technical Architect, July 1999-October 1999
- Responsible for all aspects of interaction with clients, including responding to RFPs, sales presentations, and leading the development team.
- Created a new, corporate-wide format for proposals.
Kronos Incorporated (Waltham, MA)
Architect/Technical Lead/Senior Engineer, June 1998-July 1999
- Responsible for implementation tasks, product definition, application architecture, and high level design.
- Major implementation tasks include a flexible logging package used throughout the division, the logon security sub-system and the internationalization framework.
- Key member of division-wide architecture committee responsible for defining long-term directions and resolving cross-product issues.
- Leadership responsibilities include helping others resolve design and implementation issues, resource allocation, scheduling, cross team interactions, task prioritization, and general problem solving.
- Designed a model/view/controller server side include mechanism for HTML files.
Remedy Corporation (Mountain View, CA)
Senior Web Engineer, November 1997-May 1998
- Technical lead and senior engineer responsible for designing and implementing a Java applet and C++ middleware for a multi-tiered client-server system.
- Assisted in specifying product requirements from the legacy Windows front-end client.
- Helped design and implement refactoring of the C++ legacy fat application into a multi-threaded library and a single-threaded fat UI. The multi-threaded library continued to be used in the C++ UI and was also the foundation of the model for the model-view-controller web application's middleware.
- Designed and implemented sub-systems for middleware server in C++ and thin Java client.
Sun Microsystems (Palo Alto, CA)
Technical Lead for Java Workshop Internationalization, February 1997-October 1997
- Technical lead for team internationalizing a large Java application.
- Led major effort to quickly internationalize an existing Java program for European and Asian languages on Solaris and Wintel platforms.
- Responsibilities included assigning tasks, resolution of technical problems, interfacing with other teams.
- Designed and implemented underlying framework for all message internationalization. Optimized use of Java ResourceBundle to achieve ~4X performance improvements.
- Implemented major portions of internationalization support including a tool that both checks for internationalization problems as well as modifies the code to correct the problems.
Project Lead for Visual Java, October 1996-February 1997
- Project lead for a 6-person team on a fast-track development cycle to productize a university-built JavaBeans-based visual programming tool for Java.
- Responsibilities include technical oversight of project, internationalization, and framework integration.
Project Lead for Multi-Threaded Performance Tools, March 1995-October 1996
- Responsible for technical leadership of five performance tools.
- Led four person team on multi-year effort of developing a new multi-threaded performance tool.
- Responsibilities included scheduling, project definition, design, interface reviews, C++ implementation, testing, and documentation.
Incremental Linker Engineer, January 1994-February 1995
- Part of two person team working on incremental linker.
- Responsibilities included all aspects of development including designing, implementing, debugging, test writing, test suite maintenance, and scheduling.
DBX Engineer, July 1991-December 1993
- Chief designer and implementer of C++ support for DBX.
- Had leadership and supervision responsibilities over other engineers working on C++ support.
- Provided general support for all aspects of DBX.
Kodak Research Laboratories, Eastman Kodak (Rochester, NY)
Imaging Software Engineer Contractor, January 1991-June 1991
- Member of a three-member lab responsible for prototyping Kodak photoCD software.
- Implemented a 24-bit color GUI application for displaying photoCDs.
Computer Science Department, University of Rochester
Research and Teaching Assistant, June 1986-December 1990
- Implemented a parallel debugger for the Chrysalis parallel operating system.
- Assisted in the implementation of the Psyche Multiprocessor Operating System and an X-window based visual debugging tool.
Computer Science Department, University of Buffalo
Laboratory Assistant, September 1985-May 1986, September 1986-May 1986
- Responsibilities included Unix system administration, training of new assistants and application programming.
- Designed and implemented a Modula-2 runtime library used by students and faculty.
Grumman Aerospace Systems
Summer Intern, June 1986-August 1986
- Designed and implemented a document development system reducing duplication of data by providing automated cross-referencing during the creation of MIL-STD-2167 documents.
Publications, Patents, Presentations, and Open Source Contributions
- Contributor to OWASP.org's 2013 Top Ten Web Risks.
- Recognized contributor to OWASP.org's 2010 Top Ten Web Risks.
- Member JSR-196: Java Authentication Service Provider Interface for Containers.
- Member JSR-115: Java Authorization Contract for Containers.
- Participated in JSR-149: Work Area Service for J2EE, and JCA.
- Contributor to OWASP.org's 2007 Top Ten Web Risks.
- CIO Online Article: “Confidential Data: You're Giving Away Your Corporate Secrets!”, 6/2008
- "How to Secure a Web Application", WebLogic Developer's Journal October 2003.
- CSOOnline Article: “Attack Dangers Posed by 'Innocent' Files”
- Peer-reviewed "Implementation Issues for the Psyche Multiprocessor Operating System"; appearing in Computing Systems 3, 1989.
- Provided internal training on "2013 OWASP Top Ten Web Risks" and "2011 CWE/SANS Top 25 Most Dangerous Software Errors" to meet government-mandated secure programming training requirements.
- Designated must see presentation by JavaOne staff: “Writing Secure Web Applications”, 2005 JavaOne.
- “Writing Secure Web Applications”, BEAWorld 2005.
- “WebLogic Server 9.0 Security Features”, BEAWorld 2005.
- "So You Want to Write a Security Provider - Now What?", BEA eWorld 2004.
- "Configuring and Administering WebLogic Security", BEA eWorld 2003.
- "Using the New WebLogic Security Architecture", BEA eWorld 2002.
- Numerous internal and customer training presentations.
- US Patent #7,979,891: Method and System for Securing Execution of Untrusted Applications, July 2011
This patent, in combination with 7,814,556, defines a model for enforcing J2EE (a.k.a. JEE) application security via sandboxing within a single process address space.
- US Patent #7,814,556: System and Method for Protecting APIs from Untrusted or Less Trusted Applications, October 2010
See patent 7,979,891.
- US Patent #7,610,813: Servlet Authentication Filters, October 2009
An extension of J2EE (a.k.a. JEE) Servlets that provides an integrated and pluggable model for authentication for Servlets. JSR-196 extended J2EE by adopting, extending, and standardizing the concepts introduced in this patent.
- US Patent #7,487,207: System and method for determining the functionality of a software application based on nodes within the software application and transitions between the nodes, February 2009
Defines a model-view-controller (MVC) model for implementing web applications. Apache Struts is based on the ideas defined in this patent.
- US Patent #7,051,069: System for managing logical process flow in an online environment, May 2006
Earlier version of 7,487,207 above.
- US Patent application pending #20,060,031,855: System and Method for Runtime Interface Versioning, February 2006
The concepts embodied in this patent application have been used to ensure backwards compatibility for WebLogic Server's Security SPIs. The implementation of this patent allows the server to continue to add new functionality to the SPIs while maintaining forwards compatibility for all security providers written since 2002. Current security SPI classes ending with "V2" are using this mechanism.
- US Patent #5,787,447: Memory allocation maintaining ordering across multiple heaps, July 1998
A memory allocation algorithm that supported incremental modification of ELF executables, while maintaining the ordering required by ELF as well as by existing Solaris tools (e.g., dbx), without requiring restarting of the application or the tools.
Open Source Contributions
- “Contrib” UI interface plus API modifications for TKMan.
- Emacs-style file completion for PDKSH.
- GNU Emacs ILISP-mode modifications.
- Numerous bug-fixes and suggestions.
- More recent open source contributions documented above.
- Upcoming CISSP training class and certification exam, in October 2013.
- Ph.D. all but dissertation, Computer Science, September 1986-1990; University of Rochester.
- M.S., Computer Science, May 1989; University of Rochester.
- B.S. with honors, Computer Science, May 1987; University of Buffalo.
- University of Buffalo's President's List (4.0/4.0 GPA), Fall 1984 and Spring 1985
- University of Buffalo's Dean's List (3.6/4.0 GPA), Fall 1986 and Fall 1987
- New York State Regent's Scholarship Fall 1983
- National Merit Letter of Commendation Spring 1982