Dan Bailey

Sr Principal Security Architect | ISSA New England Board Member

Tyngsborough, Massachusetts, United States

About

High-impact data-driven leader in application security architecture, IAM, and cryptography with 25 years' experience, 50+ patents issued, and a 2023 Computer Science Ph.D. to prove my skills are up to date. I have bootstrapped application security programs and secure coding practices in 5 different companies but still write and review code. I have directly architected, reviewed, and designed highly scalable SaaS product features, especially focused on cryptography and authentication. I leveraged critical thinking to design, document, and apply long-term standards and roadmap visions, communicating them from individual developers up to the CISO and CEO. Especially enthusiastic about bringing effective, rigorous technology evaluation to problems of usable security and authentication, collaborating with key stakeholders. Through years of experience, I've seen how to operate with limited data to look beyond the next product cycle. I volunteer as a Case Lead at the Clinic to End Tech Abuse; my Erdős number is 3. See my published research articles at https://scholar.google.com/citations?user=Wms5MsgAAAAJ for examples of highly data-intensive design especially around authentication.

Experience

  • Senior Principal Security Engineer at Gemini
    Jan 2025 - Jul 2025 · 7 mos

    High-impact security leader tasked with identifying and resolving enterprise risk in the wake of multiple high-profile cryptocurrency exchange hacks. I took on major initiatives around enterprise Identity and Access Management: successfully deployed an open-source Just-in-Time access management solution to control access to sensitive Okta, AWS, and internal financial tools using OIDC, OAuth, and SAML. Extended the tool by writing custom Python and SQL database modules to meet our needs. Implemented observability hooks to produce dashboards and alerts in Datadog. Adapted Claude Code generative AI to produce customized Python (PyTM) threat models of large legacy code bases. Wrote multiple company RFCs covering consumer-facing TOTP and locking down enterprise Kubernetes cloud assets with strong cryptographic PKI identities using SPIFFE/SPIRE and Open Policy Agent (OPA) for containerized environments. Reviewed and contributed to efforts around smart wallet protocols and running Solana validators on bare-metal providers.

  • Sr. Principal Application Security Architect at Oratorio Partners
    Apr 2022 - Jan 2025 · 2 yrs 10 mos

    A hands-on doer who consistently delivered on time for contract customers, while finishing my Ph.D. Bootstrapped application security programs in 3 companies that had none. Wrote standards for CI/CD security, incident response plans, coding best practices and procedures design. One included an emerging wireless IoT digital healthcare application for which I designed a new scalable over-the-air protocol including firmware validation, encryption, and integrity protections. The purpose of the application is to securely identify healthcare professionals in distress using best-in-class Identity and Access Management (IAM). The initial firmware provided by the team made several critical cryptography mistakes, especially around key derivation and modes of operation. This activity was over and above the typical hands-on CI/CD pipeline tool setup, coding best practices and procedures design, and staff training and augmentation for application security. I rolled up my sleeves and performed a full manual review of the C code for the bootloader and firmware. Another included a top-to-bottom rewrite of an existing SSDLC policy and standard along with a new Incident Response plan. The web application sold to hospitals is a SaaS application written in Java integrated with the Odoo web framework. I architected and designed additional features in Java to support the needs of physical-security staff. These hands-on activities, including reviewing code and finding bugs in existing sources, resulted in the product passing strict security reviews by hospital customers, with reduced OWASP Top Ten findings and an enhanced security posture for the products in question.

  • Ph.D. in Computer Science at Ruhr University Bochum
    Apr 2022 - Oct 2023 · 1 yr 7 mos

    My dissertation studies explore user authentication, focusing on knowledge-based authenticators (KBAs) like passwords and PINs. We conduct user studies involving thousands of participants, assembling the world's largest corpus of user-chosen PINs. From this, we draw on hard data to analyze and propose improved user authentication schemes. Despite their limitations, KBAs remain widely used for access control and are likely to stay relevant. The research identifies critical weaknesses in KBA design and suggests practical improvements for usability and security. A key issue is that users are responsible for creating, recalling, and entering their KBAs, often leading to poor usability and weak security. These KBAs are typically chosen from narrow probability distributions, making them easy for attackers to guess. These distributions are influenced not only by user behavior but also by system and service design, which can either strengthen or weaken security. A central theme of this dissertation is the characterization of probability distributions of various KBAs in different contexts. We analyze how system and service design decisions affect these distributions and propose how systems can enable more secure KBA choices. For instance, we demonstrate how account type influences KBA selection and examine PIN use for unlocking mobile devices and apps. The dissertation also emphasizes an attacker model focused on online guessers constrained by limited attempts. Unlimited guessing would compromise most human-chosen KBAs, so understanding adversary capabilities is essential. Findings show that 6-digit PINs are not necessarily more secure than 4-digit ones, around 1 in 8 smartphone PINs can be guessed, and user understanding correlates with more complex PINs. The dissertation concludes by suggesting user education and system interventions to enhance KBA security, providing actionable recommendations for service providers and users.
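
    The attacker model above (an online guesser who ranks PINs by popularity and gets only a few attempts before lockout) is easy to make concrete. The following Python is an added illustration, not the dissertation's code or data: both corpora are constructed and deliberately skewed, the lockout budgets of 3, 5 and 10 attempts are assumed, and the attacker simply guesses most-frequent-first from a "training" corpus against a held-out "test" corpus. It also shows why a longer PIN does not automatically help: the constructed 6-digit corpus is more concentrated on a few favourites than the 4-digit one, so it falls faster at every budget even though its uniform-random baseline is 100 times smaller.

```python
"""Throttled online-guessing attacker vs. a user-chosen PIN distribution.

Constructed example (not the dissertation's data or code). The attacker
orders PINs by their frequency in a 'training' corpus and gets a fixed
`budget` of attempts per account before lockout. Success rate = share of
a held-out 'test' corpus whose PIN lies within the first `budget` guesses.
"""
import random
from collections import Counter


def attacker_ordering(train: Counter) -> list[str]:
    """Most-frequent-first guessing order; ties broken lexicographically."""
    return sorted(train, key=lambda pin: (-train[pin], pin))


def online_success_rate(ordering: list[str], test: Counter, budget: int) -> float:
    """Fraction of test accounts cracked within `budget` attempts."""
    cracked = sum(test[pin] for pin in ordering[:budget])
    return cracked / sum(test.values())


def uniform_baseline(budget: int, length: int) -> float:
    """Success rate if users chose PINs uniformly at random."""
    return budget / 10 ** length


def build_test_corpus(head: Counter, tail_size: int, length: int,
                      exclude: set[str], seed: int) -> Counter:
    """Head = popular PINs; tail = `tail_size` distinct one-off PINs that
    appear nowhere in the attacker's training data (constructed filler)."""
    rng = random.Random(seed)
    corpus = Counter(head)
    tail: set[str] = set()
    while len(tail) < tail_size:
        pin = f"{rng.randrange(10 ** length):0{length}d}"
        if pin not in exclude and pin not in head:
            tail.add(pin)
    corpus.update(tail)          # each tail PIN counted once
    return corpus


# Constructed 4-digit corpora: a few popular PINs plus a long tail (200 accounts).
TRAIN_4 = Counter({"1234": 30, "0000": 12, "2580": 8, "1111": 7, "1212": 5,
                   "7777": 3, "5555": 3, "4321": 3, "9876": 2, "2000": 2,
                   "1998": 1, "4710": 1, "8321": 1, "0925": 1, "6174": 1})
TEST_4 = build_test_corpus(
    Counter({"1234": 14, "0000": 6, "1111": 4, "2580": 3, "1212": 2, "4321": 2,
             "7777": 1, "2002": 1, "3141": 1, "8675": 1, "0703": 1, "5309": 1,
             "9021": 1, "4455": 1, "6180": 1}),
    tail_size=160, length=4, exclude=set(TRAIN_4), seed=1)

# Constructed 6-digit corpora, more concentrated on a few favourites (200 accounts).
TRAIN_6 = Counter({"123456": 45, "000000": 15, "111111": 8, "123123": 6,
                   "654321": 4, "112233": 3, "121212": 3, "696969": 2,
                   "101010": 1, "147258": 1, "159753": 1, "202020": 1, "314159": 1})
TEST_6 = build_test_corpus(
    Counter({"123456": 22, "000000": 7, "111111": 4, "123123": 3, "654321": 2,
             "112233": 1, "131313": 1}),
    tail_size=160, length=6, exclude=set(TRAIN_6), seed=2)

BUDGETS = (3, 5, 10)   # assumed lockout thresholds (attempts before throttling)


def evaluate(train: Counter, test: Counter, budgets=BUDGETS) -> dict[int, float]:
    """Success rate of the frequency-ordered attacker at each budget."""
    order = attacker_ordering(train)
    return {b: online_success_rate(order, test, b) for b in budgets}


if __name__ == "__main__":
    for name, train, test, length in (("4-digit", TRAIN_4, TEST_4, 4),
                                      ("6-digit", TRAIN_6, TEST_6, 6)):
        for budget, rate in evaluate(train, test).items():
            print(f"{name}: {budget:2d} guesses -> {rate:.1%} of accounts "
                  f"(uniform random: {uniform_baseline(budget, length):.4%})")
```

    The only thing the attacker needs is a ranked list; the rate at 10 guesses is what a lockout policy actually buys, which is why evaluating a PIN policy against the empirical distribution (rather than the 10^n keyspace) matters.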

  • Chief Security Architect at Carbonite (acquired by OpenText)
    Apr 2017 - Apr 2022 · 5 yrs 1 mo

    Led the scaling and integration of product and cloud workload security (across Azure, AWS, and GCP) for Carbonite/OpenText’s online data protection offerings, focusing on both strategic impact and scalable solutions. Led design of new scalable IAM approach that enables a new converged portal across product lines. Effectively communicated across all levels of the organization, collaborating closely with senior business leaders to align security priorities with business value and goals, and translating these into actionable, agile strategies for development teams. Developed and communicated strategic security roadmaps that bridged executive requirements and technical implementation, ensuring a shared vision between business objectives and developer execution. Spearheaded the full spectrum of product security, deploying and managing key security tools such as Checkmarx, Fortify, Mend, and Black Duck. Guided software security evaluations—including secure code reviews, penetration testing, and threat modeling—and integrated Privileged Access Management (PAM) solutions like OpenID Connect (OIDC), Kerberos, Thycotic Secret Server, and HashiCorp Vault. This required clear and effective communication with developers to ensure seamless integration and practical security measures within the applications. Redesigned critical authentication flows for consumer backup products, effectively translating business complexities into technical specifications that developers could implement, ensuring scalability and secure user experiences. Collaborated with cross-functional teams to enhance CI/CD pipeline security, secure .NET applications through C# code reviews, and improve deployments on Azure, Kubernetes, and other platforms, fostering transparent communication between executives on strategic security objectives and developers on implementation details.

  • Senior Technical Architect at Kronos
    Jun 2015 - Apr 2017 · 1 yr 11 mos

    Security Architect for the Falcon Cloud SaaS project. Kronos, long the leader in workforce management solutions, is transforming human-capital management with the move to a highly scalable, resilient cloud offering. My focus was on the application security of the Falcon project suite, a Java/JavaScript project with millions of lines of code and 300+ developers distributed across India, Canada, and the USA. I designed and launched comprehensive programs for product security including threat modeling, review of identity and access management (IAM) including authentication and use of SAML, architecture review, vulnerability response, static code analysis, and third-party component handling. We mapped these Secure Software Development Lifecycle activities to Kronos' existing agile methodologies. The deep DevOps integration with CI/CD pipeline tools from Jira, VersionOne, Checkmarx, and HP ALM allows traceability from requirements to development and from QA testing to support, meeting the needs of SOC 2 compliance.