Date of Birth 11 December 1974 Location Edinburgh Phone

1. 
   Development – Java (J2EE 1.6 and JDK 1.6) with Spring, Hibernate, OSGi and other frameworks, Python, Perl and Ruby
   
2. 
   Systems – Management of Windows and Unix (RedHat Linux and others, Solaris, AIX), Networking with TCP/IP, Optimization and Performance tuning
   
3. 
   Security – Engineering and development, Risk analysis and penetration testing, Application security reviews, Security policies, Intrusion detection and incident management, Single sign-on, Cryptography
   
4. 
   Build Environments – Maven and Ant, Continuous Integration (Hudson/Jenkins and Cruise Control), Automated testing with JUnit, Eclipse IDE, Version control (Git, CVS and Subversion)
   
5. 
   Architecture - ESB, SOA, JMS Messaging (Qpid, Active MQ, and MQ series), Web Applications (Tapestry, Struts and Spring MVC), Application servers (IIS, Apache, Tomcat, Websphere, Geronimo, JBoss) and Databases (SQL Server, PostgreSQL and Oracle)
   
6. 
   Open Source – Apache Software Foundation developer and active Apache Qpid committer
   

As part of a team, my tasks normally involve the architecture, design and engineering of applications and middleware for the production of high quality software and documentation using test-driven development. I am able to document and communicate software concepts effectively, and have been part of the high level decision making process on many large applications. I have created and maintained build environments using Maven and CI with integrated automated testing suites for both services and user interfaces. My background in Security gives me the ability to produce secure applications and to appreciate, review, audit and mitigate risks effectively.

I am an experienced information security consultant, with practical experience of implementing and assessing secure systems. This requires a variety of IT, project management, systems design, risk management and technical skills, which I believe, will be of value to any employer. During my time working in the City of London with the IT and IS departments of major investment banks I have been involved in the design, implementation and rollout of many different pieces of security and banking software.

I can write programs fluently in Java, Perl, Ruby and Python as well as C, C++ and C#. I can create scripts using Unix bash and C shell, Tcl and expect, and write Windows batch and PowerShell files for system automation.

I worked a one year contract with the Firmwide Engineering and Architecture department as part of a team maintaining and supporting the Apache Qpid JMS messaging broker, used in many back office and trading applications throughout the bank. Qpid is an open source JMS broker, using the industry standard AMQP protocol between Java, .NET, C++ and python clients and both Java and C++ broker implementations.

This involved both supporting production application issues and consulting with application developers on architecture and other issues encountered during development. I also continued the development of Apache Qpid for the 0.6, 0.8 and 0.10 releases, with concurrent internal development based on the 0.5 release. Many features developed for the broker are the result of JPMC internal customer requirements, as well as public requests and discussions on the Apache mailing lists.

As part of this work, I became an Apache committer, and have been actively contributing to the Qpid source code and documentation, developing mostly in Java and also Python. Large contributions include an implementation of ACLs for the broker, implementing the 0-10 AMQP protocol over Mina transport, rearchitecting the network layer and diagnosing and fixing bugs reported both in the bank and by external users on the Apache JIRA system. I am currently working on upgrading the build system to Maven and introducing OSGi features to the broker.

As an Apache committer, I liased with Red Hat, Microsoft and other companies, as well as independent developers. I am also active on the public developer and user mailing lists, and have been involved in the SOAP-JMS W3C standards process.

Development used an Agile methodology and required the ability to co-ordinate with developers in other companies and disparate geogtreaphical locations. Pair programming and peer review enabled code quality to be kept high, and automated unit testing with JUnit and code checking using Sonar was part of the nightly build process.

This role required an in-depth understanding of messaging systems including the JMS and AMQP standards, as well as an ability to understand complex concurrency and threading issues. Knowledge of financial and trading sytem architectures and processes allowed me to support the banks applications that used the Qpid broker, and provide consultancy and development advice.

Yell Adworks (January 2009 – January 2010)

Software Engineer / Architect

I worked a one year contract as part of a team that was developing a new workflow application to replace legacy systems. This application was Java 1.6 based and was built using the Mule ESB with JBoss application server. My responsibilities involved design, architecture and development, including the build process and developer training. My role was to produce the base application infrastructure and framework for further development, assist in implementation of business logic, as well as being a member of the architecture board which had control of all technology and design decisions.

The system was designed using the Iconix modeling process using Enterprise Architect and UML, and was use-case driven, with an emphasis on testability. The development model used was an agile test-driven process, and I created a system testing framework for black-box evaluation of the use-cases, using JUnit. I also developed much of the build environment using Maven and the Hudson continuous integration server, and automated deployment of the application and execution of system tests.

I created a modular framework for the service layer using Spring 2 and Hibernate 3 with the JBPM workflow engine, which was integrated into the ESB using Active MQ JMS and CXF web services. My team implemented the business logic for the server side of the application, and provided an API for development of client systems using XML messaging based on schemas and JAXB.

After the base system was completed and tested, I wrote and presented a series of training sessions for the offshore maintenance teams, to familiarize them with the applications design, development methodology, tools and technologies used. During system development I was also responsible for producing technical documentation and reports on system features and evaluations of design decisions.

My final tasks during this handover phase involved performance tuning and analysis of the application. This encompassed SQL query optimization, Hibernate configuration, application profiling and algorithm analysis.

I have been instrumental in setting up the latest iteration of the Companies Internet facing and intranet sites, by moving to a full Java and J2EE based architecture. This involves IBM Websphere application servers (Community Edition, the IBM modified open source versions of Apache Geronimo, both version 1.x and 2.x). The websites run using Tapestry 4.x as a front end, linked to a mid-tier shared by all applications which uses Spring and Hibernate, as well as Apache ActiveMQ for message services. The whole system communicates with a master IBM DB2 database running on an AS/400 which is replicated using the database’s native audit trails, negating the need for contention on the actual database tables or having to constantly poll for changed records.

I also maintained the company coding standards, and took part in regular code reviews with fellow developers and have also been instrumental in carrying out detailed data forensics work on potentially compromised production machines to ensure damage limitation, working with other developers, Compliance and Legal.

Freelance (September 2005 – July 2006)

Freelance Developer

I have been working as a freelance Java, PHP and Web developer, bidding on projects posted on freelance websites such as “Rent A Coder” and other, similar sites. Projects to date have included writing client software for eBay and Betfair (the latter being an automated robot betting system) as well as websites and web applications using PHP, Struts and JSP services. Most projects are of a short duration (around one month) for individuals with small/home businesses. Most clients have little to no programming skills, so communication of what is and is not possible within the time and monetary constraints available is very important, as is translating their requests into a viable functional specification that can be used as the basis for agreeing deliverables. The nature of this work means that I also write the documentation, including fully commented source code, and translating technical concepts into simple English is essential to properly communicate what has been done.

The varied nature of the work means I have learned several new APIs and language features while producing an application, particularly working with web services and XML-RPC. For web applications, I have used XHTML, JavaScript/DOM and CSS to produce interactive (AJAX) layouts and pages, and again this has involved learning a lot of new techniques.

Betfair (April 2005 - August 2005)

Security and Fraud Engineer

I was employed on a short-term contract to provide application security services and anti-fraud technical support and development. The security work involved application reviews of the Betfair Exchange platform and associated sites and services, producing risk-analysis reports of any exploitable holes or security issues found.

My other role involved working with the Fraud team to analyse the transactional database and data warehouse for suspicious transactions, either credit card usage or betting patterns. I developed a J2EE application to interrogate the data warehouse, allowing the fraud analysts to enter queries which were translated into SQL and produced a report on suspicious or linked accounts. Additionally, scripts were developed to allow the Unix team to match parts of the Web server logs to betting transactions in the database, to allow searching by IP addresses and other information not stored in the data warehouse.

I also investigated vendors of fraud analytics software to try and find a commercial solution to reduce the chargeback ratio (from stolen credit card fraud) to acceptable levels, however the industry is not very mature and the project was cancelled.

I carried out development and testing work using J2ME as part of a project to develop game software for Nokia mobile phones. This gave me a good grounding in the J2ME Java APIs and programming techniques. I also implemented the obfuscation and anti-reverse-engineering mechanisms used to protect the final game. The company involved was a small Edinburgh based start-up.

I was employed by the Investigation and Threat Management team, as part of the Royal Bank of Scotland Group Information Security department. My main responsibilities are for Penetration Testing and Vulnerability Assessment, and secondary duties include Alert management, Forensic examinations in support of fraud and misconduct investigations and acting in an advisory capacity on general threats to the Group IT infrastructure.

I manage the day to day running of the contacts with external penetration testing service providers, and control and supervise any third party security testing that occurs on Group systems. This includes the technical review and management of a pool of suppliers to determine those most suitable to provide services to the Bank.

I also carry out penetration tests of internal systems that do not warrant a third party test. This involves usage of a comprehensive suite of tools, from vulnerability scanners to network mapping utilities, web protocol analysers and active proxies for HTTP modification, and custom scripts to perform ad-hoc testing or one-off tasks. Vulnerability analysis of systems is carried out using automated tools, which I manage and control, generating reports and statistics about the overall security posture of the externally facing Group systems.

I have attended training courses on the enCase Forensic software, as used by most Police forces in the UK and other countries. This is used to perform forensic examinations of PCs in support of internal investigations into employee misconduct or fraud.

Freelance (January 2002 – February 2003)

Freelance Java Developer

I worked as a freelance Java developer. I have completed several projects for small business clients in the Edinburgh area. These include custom add-on packages for Sage Accounting and Payroll systems and visualisation software for industrial dataloggers, using Java 2 with Swing and JDBC.

I worked part time as a developer, taking over an existing in house project to augment the monthly and weekly Intrusion Detection reports. This performed network state monitoring and information gathering to provide additional information in a report designed to aid vulnerability assessment. The software used Unix tools such as Whisker and Nessus, and Perl and Shell scripting to scan the Bank’s systems and networks, and collate and process the information to produce a weekly HTML report, detailing any changes to the network state and highlighting security issues discovered. This informed both senior management as well as network and system administrators, who were able to obtain detailed information about specific issues.

I completely rewrote the existing codebase to make the scanner modular, allowing plug-ins to be added for new scanning or monitoring tools. I also created a file based configuration system, which allowed individual scans to be described using a simple scripting language, thereby allowing scans and reports to be pre-defined and saved.

ABN Amro Bank (May 2001 – October 2001)

Senior Security Consultant

I was part of the Global Information Security Department, working as a Senior Security Consultant. I was responsible for Risk Analysis for several projects assigned to the Security Consulting Group. This primarily involved carrying out Risk Assessments against Systems, both new, during implementation, in development and existing projects as part of an audit and review process.

My main responsibility was for Risk Assessment of the Global Equities Toolkit project, a Client Relationship Management System using Siebel and Oracle on HP-UX and NT, that was being deployed and rolled out in London, Singapore and North America. I worked closely with the project management team, liasing with the acceptance testing and quality assurance staff to integrate security assessments, tests and metrics into their testing program. At each stage of the project I carried out a series of security tests, including database and system penetration tests, network and operating system vulnerability scanning, user account and role auditing and a review of operating, administration and user processes and procedures. I produced the Risk Assessment reports and checklists to record the level of compliance with the Bank’s policies and standards. This documentation was used to inform the further stages of development of the system and to improve the security until full compliance with the required policies was achieved.

I also carried out Risk Assessments of Web applications, including a Java Enterprise (J2EE) powered Loan Pricing System, and outsourced Document Management System for OTC Derivatives Contracts and a Portfolio Management Tool. These systems were being developed for various Business Units within the bank, however I also assessed individual Infrastructure components and systems, including one of the Internet Banking Gateways and its associated Firewall and Router systems, and several Oracle and SQL Server database applications.

As part of the Penetration Testing team I carried out testing and attacks against Bank systems to determine their susceptibility to compromise by malicious internal and external threat agents. To do this I used both commercial software, such as ISS Internet and Database Scanner, free tools such as NMAP and Nessus, publicly available and custom written exploits and attack scripts and several of my own tools developed in house. Systems tested included Lotus Domino Web servers, Microsoft IIS Web servers, Databases, UNIX, Windows NT and 2000 servers and network infrastructure (routers) and Firewalls. I used the information obtained during the testing process to produce documentation of the details of systems compromised, weaknesses detected and vulnerabilities exploited, and worked with the System Administrators to secure any vulnerable systems.

In a reactive role, I was involved in Incident Response and Forensics, in particular during large-scale worm attacks, such as the recent Code Red and Nimda attacks. During these attacks, I carried out damage assessment and limitation. This involved detecting infected systems and then disinfecting and recovering data, using software and scanners I have written for each specific attack.

I also contributed to the development of the CIRT Incident Response plan, which was updated due to the additional threats posed by such Internet worm attacks, and produced reports and a white paper outlining strategies and technological solutions for future security issues the Bank might face.

Deutsche Bank (May 1999 - December 2000)

Security Engineer

I was project lead for the design, implementation and deployment of the bank’s security monitoring infrastructure, using Axent Enterprise Security Manager. This involved a global rollout of the ESM agent software and regional implementations of the security management systems.

I also installed a pilot version of UNIX Privilege Manager, a distributed version of SUDO, which was used to broker privileged access requests from developers on production systems.

I carried out research into a host-based intrusion detection system for the bank, which included evaluations of current commercial and military systems, including CyberSafe Centrax, ISS RealSecure System Agent, SRI International project EMERALD and Litton PRC Précis. This evaluation produced a set of formal requirements for testing and comparing security systems which are used as a model for product evaluation.

I worked on the bank’s UNIX and other security standards and policies, and used ESM to bring systems into compliance with these documents using automated scripts to patch systems and upgrade security settings. This also involved vulnerability research and allowed me to pre-emptively secure systems against potential compromise.

ScotiaMocatta and Bank of Nova Scotia (August 1998 - April 1999)

Trade Systems Support

My main role was technical support and systems administration of the ScotiaMocatta Unix servers and PC systems and support and project work for Unix systems in Bank of Nova Scotia London. As well as this, I have been involved in several projects within ScotiaMocatta.

I was the technical manager of a project to transfer the trading system used by ScotiaMocatta from an IBM RS/6000 AIX platform to a Sun Enterprise Server Solaris platform. This involved copying a UniVerse database system and all trade data from one machine to another, overseeing the installation of the trading software by the vendor, rewriting the database and system maintenance scripts, reworking the user administration procedures and documenting the operational changes. In addition I implemented a user acceptance and integration testing platform where all vendor supplied code changes could be tested before being moved to the production systems. This platform is also used for disaster recovery and hot standby purposes.

I integrated ScotiaMocatta’s user, password and host database with Bank of Nova Scotia London’s NIS and DNS servers and installed DNS and NIS servers at ScotiaMocatta.

I was also part of a team that migrated the PC systems from Novell NetWare to Windows NT. This involved installation and rollout of Windows NT Workstation on the desktop, via automated installation procedures that I created, conversion of PC systems that used Novell to NT and transfer of all user files and programs to the NT server.

Prior to an internal audit, I compiled a procedures manual for the MIS department and reworked the company business resumption plan as part of a disaster recovery implementation programme.

I developed a suite of Windows NT tools and utilities to manage security policies on networked Windows NT machines using Microsoft Visual C++ and the MFC library. This included ‘Enforcer’, a graphical NT security management solution, which is used by NatWest Markets.

I was part of a security team responsible for securing Unix hosts after an external audit. This involved installing and implementing Axent ESM policies, as well as creating scripts to patch common Unix security flaws. I also developed a secure anonymous FTP application to allow secure file transfers between business groups.

I was part of the Product Acceptance Group, involved in quality assurance and acceptance testing of the Reuters 3000 financial information products. In addition, I was responsible for day to day management of the test laboratory network of Windows NT and Sun Solaris workstations, which involved installation of operating systems and pre-release versions of Reuters software.

I was also responsible for co-ordinating the testing of the Reuters Discovery project, a cross platform Unix and Windows NT historical market data application. This involved liasing with the software development teams and developing and implementing a test strategy.

Standard Chartered Bank (January 1997 - March 1997)

I was responsible for the security of the base metals and bullion trading settlement system. This ran on AIX platforms, using CA UniCenter security management software, and Axent ESM for ongoing security assessment and auditing. During this contract I documented and fixed security vulnerabilities found by ESM and other analysis tools, both in the base Unix operating system, the trading software and the CA UniCenter set-up. I also re-implemented the security rules for the system and documented a set of system management procedures to maintain the required level of security using ESM’s reporting facilities and custom tools.

I was part of a small team that designed and implemented the Web site for the TUC Congress in September 1995 and the Labour Party conference in October 1995. This involved creating a generic ‘Virtual Conference’ Web server on a Unix workstation. I created CGI scripts in PERL to display dynamic information about the conferences and implemented a bulletin board system on the server where visitors to the conference could leave comments. I was also involved in the design of the HTML and the visual look and feel of the sites.

I managed the installation and maintenance of a temporary Web server and Internet connection at the Brighton Conference Centre during both events and liased with the Labour Party and TUC information services units to ensure accurate and up-to-date information was presented on the Server.

I was also involved in the set-up and maintenance of a temporary cyber café network at both events, including cable installation and network administration.

I have been involved in the creation of a permanent Web presence for the Trades Unions Congress. This involved the creation of a ‘Virtual Building’ stored in a SQL Server database, with no actual HTML code present as part of the server. I designed and implemented the SQL database and created a suite of CGI programs to access it and render the contents as HTML. This included a search mechanism and an automated system to add non-HTML documents to the server.

Education

Edinburgh University (October 1992 - July 1995)

I gained a BSc degree in Computer Science and Artificial Intelligence.

The course covered programming in C and ML, and was based on an algorithmic approach to problem solving. Other elements of the course covered computer design, operating system design and implementation, mathematical applications of computing and analysis of algorithms. Artificial Intelligence techniques covered included expert systems, neural networks, genetic algorithms, predicate logic and proof systems, knowledge discovery and data-mining. As part of the third year of the course, I undertook a large scale team project involving the design and implementation of a security camera monitoring application in both software and hardware, where I was responsible for the coding of the GUI using OSF/Motif.

Abronhill High School (August 1986 - May 1992)

I passed the following Highers at ‘A’ grade: Mathematics, English, Chemistry, Physics and Computer Studies.