Vice President Lead Security Engineer
Oct 2023 - Present
Cloud Native Engineer (Contract)
Sep 2022 - Oct 2023
- Developed, as part of a team, an ingestion tool that scans open-source dependencies for vulnerabilities and evaluates the findings against policy with Open Policy Agent (OPA).
- Established a gRPC service architecture to strongly define APIs, abstract layers and components into replaceable parts, and generate Swagger-compatible user-facing API documentation.
- Implemented support for rotating time-limited database credentials issued by HashiCorp Vault at runtime.
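The policy gate described above, as an added example written for this page and not the ingestion tool's own code. It assumes a scan result shaped as `{"dependencies": [{"name", "version", "vulnerabilities": [{"id", "severity", "fixed_in"}]}]}` and a separate data document `data.accepted_risk` that maps a vulnerability id to the expiry of its risk acceptance; both shapes, the package name and the sample ids are assumptions. It blocks findings above a severity threshold unless they are under a live, time-bounded acceptance, and fails closed on a severity it does not recognise.

```rego
package vulngate

import rego.v1

# Added example policy, not the ingestion tool's own code.
# Assumed input shape (the scan result handed to OPA):
#   {"dependencies": [{"name": "...", "version": "...",
#       "vulnerabilities": [{"id": "...", "severity": "...", "fixed_in": "..."}]}]}
# Assumed data document, loaded next to the policy: data.accepted_risk maps a
# vulnerability id to the RFC 3339 time at which the risk acceptance expires.

severity_rank := {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Highest severity that may ship without being fixed or explicitly accepted.
max_allowed := "MEDIUM"

# Every (dependency, vulnerability) pair reported by the scanner.
finding contains f if {
	some dep in input.dependencies
	some vuln in dep.vulnerabilities
	f := {"dep": dep, "vuln": vuln}
}

# A risk acceptance only counts while its expiry is still in the future.
accepted(id) if {
	expiry := data.accepted_risk[id]
	time.parse_rfc3339_ns(expiry) > time.now_ns()
}

fix_hint(vuln) := vuln.fixed_in if {
	vuln.fixed_in != ""
} else := "a fixed version (none published yet)"

# Fail closed: a severity the policy does not recognise blocks rather than slipping through.
deny contains msg if {
	some f in finding
	not severity_rank[f.vuln.severity]
	msg := sprintf("%s@%s: %s has unrecognised severity %q", [f.dep.name, f.dep.version, f.vuln.id, f.vuln.severity])
}

# Block anything above the threshold that is not covered by a live risk acceptance.
deny contains msg if {
	some f in finding
	severity_rank[f.vuln.severity] > severity_rank[max_allowed]
	not accepted(f.vuln.id)
	msg := sprintf("%s@%s: %s (%s) blocks the build; upgrade to %s", [f.dep.name, f.dep.version, f.vuln.id, f.vuln.severity, fix_hint(f.vuln)])
}

# Unit tests, run with `opa test .`; the scan below is constructed for the example.
sample_scan := {"dependencies": [{"name": "example-lib", "version": "1.0.0", "vulnerabilities": [{"id": "EXAMPLE-0001", "severity": "HIGH", "fixed_in": "1.0.1"}]}]}

test_high_finding_is_denied if {
	count(deny) == 1 with input as sample_scan with data.accepted_risk as {}
}

test_live_acceptance_allows_finding if {
	count(deny) == 0 with input as sample_scan with data.accepted_risk as {"EXAMPLE-0001": "2099-01-01T00:00:00Z"}
}

test_unknown_severity_fails_closed if {
	scan := {"dependencies": [{"name": "example-lib", "version": "1.0.0", "vulnerabilities": [{"id": "EXAMPLE-0002", "severity": "SEVERE", "fixed_in": ""}]}]}
	count(deny) == 1 with input as scan with data.accepted_risk as {}
}
```

To evaluate a real scan, load the acceptance list as data and query the deny set: `opa eval -i scan.json -d policy.rego -d accepted_risk.json 'data.vulngate.deny'`. Keeping the acceptances in data rather than in the policy means an expiring exception needs a reviewed data change, not a policy edit.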
Co-Founder and Director
Mar 2022 - May 2023
- Implemented Zero-Trust edges to access internal services and infrastructure with github.com/pomerium/pomerium.
- Deployed an MVP of the Dracon SaaS product with multi-tenancy at the infrastructure layer powered by Terraform, Helm, GitOps and the Please build system.
- Built a scalable version of the Dracon SaaS product with multi-tenancy at the application layer that runs on serverless infrastructure to minimise costs.
Senior Backend Engineer, Cloud Security
Apr 2021 - Sep 2022
- Technical Lead for a strategic programme making the Vault product available as SaaS on Google Cloud Platform. This involved architecting the cloud infrastructure, producing timelines and resource requirements, and ultimately being responsible for the technical delivery.
- Technical Lead for the deployment of Falco, a Kubernetes runtime security agent, across our Kubernetes clusters, and for pre-building the eBPF probes it uses, maintained at github.com/thought-machine/falco-probes.
- Drove and implemented identity-based methods for service-to-service authorization (i.e. Workload Identity) to move us away from provisioning and using multiple password-like credentials for services.
- Maintained open-source Please build rules for Terraform at github.com/VJftw/please-terraform.
Backend Engineer, Cloud Security
Aug 2019 - Apr 2021
- Designed and built a service that facilitated self-service federated access to Cloud and Kubernetes environments with support for break-glass processes. This was a pluggable collection of micro-services in Go which communicate via gRPC.
- Matured our Terraform usage by writing Rego policies for conftest based on CIS benchmarks to mitigate misconfiguration vulnerabilities; migrating to Terraform 0.12+; adding declarative authentication; and parallelising our CI/CD pipelines.
- Implemented simple immutable infrastructure using Packer and Terraform to be used in projects where Kubernetes was undesirable.
- Designed a scalable network architecture for our SaaS offering on AWS using AWS PrivateLink VPC endpoints to expose services between VPCs instead of VPC-peering.
- Implemented and scaled our audit logs pipeline on both AWS and GCP using AWS Kinesis/GCP PubSub and Logstash to include audit logs from AWS CloudTrail, AWS EKS, AWS Security Hub, GCP, and GKE.
- Open-sourced Dracon, a tool for building k-native security pipelines on top of Tekton CI: github.com/thought-machine/dracon
- Created an Attestations Proxy for B2B clients to authenticate and verify that the Docker images they pull are signed by Thought Machine. This is an authenticating reverse proxy to Grafeas.
- Created a Docker Registry Proxy for B2B clients to authenticate and pull Docker images we create. This is now an open-source project: github.com/VJftw/docker-registry-proxy
- Developed “Cheese”, a tool to help raise awareness around engineers leaving workstations unlocked.
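The conftest policies mentioned in this role, as an added example written for this page and not the policies the page describes. It is assumed to run over the JSON form of a Terraform plan (`terraform show -json plan.out > plan.json`, then `conftest test plan.json` with the file under `./policy`); the checks follow CIS AWS Foundations Benchmark recommendations (no remote-administration ingress from the whole internet, CloudTrail log file validation on) and the attribute names are those of the Terraform AWS provider. The plan fragment in the test is constructed.

```rego
package main

import rego.v1

# Added example policy for conftest over a Terraform plan, not the policies the
# page describes. Input is `terraform show -json` output. Checks follow CIS AWS
# Foundations Benchmark recommendations; attribute names are the AWS provider's.

admin_ports := {22, 3389}

anywhere := {"0.0.0.0/0", "::/0"}

deleted(rc) if "delete" in rc.change.actions

# Resources that will exist after apply (`after` is null for deletions).
planned contains rc if {
	some rc in input.resource_changes
	rc.change.after != null
	not deleted(rc)
}

# An ingress rule reaches an admin port when it allows all protocols or its port range includes one.
covers_admin_port(rule) if rule.protocol == "-1"

covers_admin_port(rule) if {
	some p in admin_ports
	rule.from_port <= p
	rule.to_port >= p
}

reachable_from_anywhere(rule) if {
	some cidr in rule.cidr_blocks
	cidr in anywhere
}

reachable_from_anywhere(rule) if {
	some cidr in rule.ipv6_cidr_blocks
	cidr in anywhere
}

# Inline ingress blocks on aws_security_group.
deny contains msg if {
	some rc in planned
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	reachable_from_anywhere(rule)
	covers_admin_port(rule)
	msg := sprintf("%s: allows SSH/RDP ingress from anywhere (CIS: restrict remote administration ports)", [rc.address])
}

# Standalone aws_security_group_rule resources.
deny contains msg if {
	some rc in planned
	rc.type == "aws_security_group_rule"
	rule := rc.change.after
	rule.type == "ingress"
	reachable_from_anywhere(rule)
	covers_admin_port(rule)
	msg := sprintf("%s: allows SSH/RDP ingress from anywhere (CIS: restrict remote administration ports)", [rc.address])
}

# A trail without log file validation cannot prove its delivered logs were not altered.
deny contains msg if {
	some rc in planned
	rc.type == "aws_cloudtrail"
	not rc.change.after.enable_log_file_validation
	msg := sprintf("%s: enable_log_file_validation is not true (CIS: enable CloudTrail log file validation)", [rc.address])
}

# Unit test, run with `opa test policy/`; the plan fragment is constructed for the example.
test_ssh_open_to_world_is_denied if {
	plan := {"resource_changes": [{
		"address": "aws_security_group.bastion",
		"type": "aws_security_group",
		"change": {"actions": ["create"], "after": {"ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}
	}]}
	count(deny) == 1 with input as plan
}
```

Checking the plan rather than the HCL catches values that only resolve at plan time (variables, module outputs) and skips resources being destroyed, so the policy fails on what will actually be applied.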
Senior DevOps Engineer
Apr 2019 - Aug 2019
- Implemented horizontal auto-scaling of Jenkins workers with EC2 spot instances and promoted the use of Docker in build processes to improve consistency and shorten the developer deployment feedback loop.
- Devised, implemented and automated GitOps-focussed Role-Based Access Control (RBAC) on AWS across multiple accounts based upon AWS Landing Zone principles.
- Automated weekly reports of cloud-based infrastructure via ScoutSuite.
- Reduced infrastructure divergence from code by splitting Terraform source into domain-driven modules and states that are run more frequently.
- Spearheaded the use of Ansible to automate the deployment of new releases onto legacy "pet" instances.
Jun 2018 - Apr 2019
- Built a Highly Available platform with improved scalability, resource use and continuous deployment whilst improving existing security standards with Docker, AWS ECS (Elastic Container Service), Consul, Traefik, HAProxy, and Terraform with GitOps. HA Traefik was provided by DNS round-robin load balancing and workload instances utilised AWS Spot fleet to reduce costs.
- Introduced structured logging from Docker container output into centralised logging with ELK which allowed us to record and perform analysis on outbound requests through Squid proxies.
- Introduced Grafana and Prometheus with InfluxDB for metric-based monitoring.
- Maintained existing Puppet-based cloud infrastructure configuration and upgraded existing services such as Artifactory OSS and RabbitMQ, whilst promoting the move to immutable infrastructure.
- Led the containerisation of Java applications to conform with Docker best practices, with portable integration tests via docker-compose.
- Improved development workstation provisioning using a pre-seed configuration with LUKS full-disk encryption (FDE) and LVM.
Jan 2016 - Jun 2018
- Migrated projects to use Docker containers utilising AWS ECS (Elastic Container Service), WeaveNet and Traefik to reduce costs.
- Led security, which involved vulnerability scanning, risk assessments and deploying more secure protocols such as mutual TLS (mTLS).
- Led DevOps, involving infrastructure as code with Terraform and container orchestration.
Junior Developer (Internship)
Aug 2014 - Aug 2015
- Aided in the development of projects with clients such as British Rowing and Vote for Policies which were developed in Python and PHP (Symfony).
MSc Computing and Security
Pass with Distinction
- Awarded the prize for the best overall performance on the MSc in Computing and Security (2016/17).
- Dissertation titled “Collective Privacy Management in Social Media” (74%)
- C-score: 73%. Top 5 modules: Security Engineering (92%), Group Project - Chit Chat (85%), Cryptography and Information Security (80%), MSc Individual Project - Collective Privacy Management in Social Media (74%), Network Security (69%).
BSc Computer Science with Industrial Experience
First Class Honours
- Dissertation titled “Implementations of Homomorphic Encryption” (82%)
- C-score: 75%. Top 5 final year modules: Embedded Systems (83%), Computability (82%), Project - Implementations of Homomorphic Encryption (82%), Web Programming (80%), Algorithms and Complexity (73%).
- Amazon Web Services
- Google Cloud Platform
- GitHub Actions
- Debian & Redhat-based
- Fedora CoreOS
Domain Driven Design
Behaviour Driven Development
Separation of Concerns
Cloud based virtual desktops on Google Cloud Platform to help organisations provide remote-based workspaces in response to the COVID-19 pandemic.