- Accomplished Information Security Professional with over 8 years of experience
- Senior Software Engineer with over 17 years of experience in software development
- Experience working in fast-paced, multi-geo as well as small, focused, startup-like environments
- Offensive Security Certified Professional (OSCP) Certification
- AWS Certified Security - Specialty
- Master of Applied Science in Information Systems Security
- Extensive knowledge of computer hardware/software/networks and electronics/telecommunications
|Information Security ||Information security strategy for SMBs |
| ||Security testing of native/mobile/web apps & APIs, vulnerability assessment |
| ||Security design & review of software system architecture & code, threat modeling |
| ||Security review of software systems in FinTech |
| ||Cryptography, AuthN/AuthZ protocols & implementations |
| ||OWASP (Top 10/Testing Guides/Code Review Guide/ASVS/SAMM) |
| ||Secure Development Lifecycle (SDL) |
| ||MITRE (CVE/CVSS/CWE/CAPEC/ATT&CK) |
| ||Network security protocols & implementations |
| ||Analysis of cyber threats using machine learning |
|Software Engineering ||DevSecOps & CI/CD tools for operating infrastructure on AWS & GCP |
| ||Bash & PowerShell |
| ||Go, C/C++, Visual Basic/ASP/C#.NET, Java, Objective-C, PASCAL, Assembly |
Information Security Lead
|Koho Financial ||November 2017 - Now |
- Bootstrapping and maintaining information security (products & applications, cloud & IT infrastructure) across the organization.
- Being the subject-matter expert to other teams on all things related to information security and the main driving force behind the Security & Privacy Roadmap.
- Product & Application Security:
- Collaborate with other teams to strengthen the security posture of the company.
- Perform secure code review in a variety of languages and platforms and contribute security-sensitive code.
- Conduct security reviews and tests for product releases and system integrations.
- Ensure the success of periodic external penetration tests and third-party risk assessments.
- Cloud Infrastructure Security:
- Perform intensive, continuous security review and testing of the cloud infrastructure.
- Design and implement many building blocks to strengthen the infrastructure security.
- Provide support for troubleshooting and optimizing current service platforms.
- Be the first responder when a security event occurs.
- IT Security:
- Establish a security baseline for the whole company in terms of authN/authZ, security policies, sensitive data handling, etc.
- Stand up the IT infrastructure and develop information security policies from scratch.
- Raise security awareness by providing information security training and workshops.
Software Security Engineer
|Intel Security, Intel Corporation (McAfee since April 2017) ||January 2015 - October 2017 (2 years 10 months) |
- As a member of the Product Security Team, enabled frequent public releases (on multiple platforms: Windows, macOS, Android, iOS) and backend deployments without any security defects by performing security review and validation on every release cycle.
- Served as an advocate for security within development teams, providing security guidance and best practices.
- Reported to decision makers via an executive dashboard composed of industry-standard metrics (OWASP Application Security Verification Standard and Product Security Maturity Model).
- Designed, implemented and successfully executed a key ceremony for HashiCorp Vault, which stores mission-critical secret keys.
- Considerably improved confidence in shipped features by implementing Agile SDL.
- Created and maintained threat models of complex software systems, including but not limited to: client native applications, backend REST APIs, CI/CD and data analytics pipelines.
- Ensured sufficient security coverage and continuous security control in the product by integrating static code analysis tools into the CI/CD pipeline and maintaining adequate technical and process documentation.
- Provided feedback and remediation strategies in response to externally reported vulnerabilities.
- Discovered and provided remediation solutions for security vulnerabilities in other products within the company.
|National Cyber-Forensics and Training Alliance (NCFTA) Canada ||January 2011 - June 2014 (3 years 6 months) |
- Researched, designed, implemented and maintained software systems that manipulate hundreds of GB of data per day.
- Participated in many projects in collaboration with different organizations:
- Malware Analysis: Installed and maintained a dynamic malware analysis environment using GFI Sandbox. Analyzed malware reports by applying machine learning techniques.
- Darknet Traffic Analysis: Researched, designed, implemented and maintained a phishing attack detection and assessment system which extracts phishing URLs from online spam data feeds. Designed, implemented and maintained an online darknet traffic analysis system which extracts global scanning activities and DDoS attacks from online darknet traces.
- Spam Campaign Analysis: Researched, designed and implemented a spam campaign detection, analysis and investigation software framework which is utilized to enforce Canada’s Anti-Spam Legislation.
- Cyber Threat Intelligence Databases: Designed, implemented and maintained different databases of cyber threat intelligence (passive DNS, scanning activities, DDoS & phishing attacks).
Software Development Engineer
|Vi Na Brilliant Card (VNBC), Dong A Bank ||December 2009 – August 2010 (9 months) |
- Participated in researching and building a nationwide payment system using contactless cards.
- Participated in implementing a software framework for managing closed-loop payment systems.
- Developed and maintained the internal company portal.
- Monitored the development process of the main website for VNBC.
OTHER WORK EXPERIENCE
|Web Developer, Montreal Saudi Student House ||May 2013 (1 month) |
Built a website for Saudi students in Montreal using XenForo.
|Lab Instructor, Concordia University ||January 2013 – April 2013 (4 months) |
Instructed students to build a simple computer using electronic devices (SOEN228).
|Technician, ASUS Vietnam ||November 2008 – November 2009 (13 months) |
Tested and reviewed new products; participated in organizing sales and marketing events.
|Member, AMTECH Overclocking Club ||January 2008 – December 2008 (12 months) |
Assembled, modified, overclocked and repaired computer hardware.
Master of Applied Science in Information Systems Security, Concordia University
Thesis: Mining Cyber Security Intelligence from Spam Data
Bachelor of Engineering in Electronics & Telecommunications, Ho Chi Minh City University of Technology
Thesis: Implementing and evaluating the Ad hoc On-Demand Distance Vector (AODV) routing protocol
SELECTED ACADEMIC PUBLICATIONS
Enquêtes sur les pourriels avec le forage de données
Délinquance et innovation, Les Presses de l’Université de Montréal (book)
Spam Campaign Detection, Analysis and Investigation
Digital Investigation, Volume 12, Supplement 1 (paper); Proceedings of the Second Annual DFRWS Europe (paper | slides)
Investigating the Dark Cyberspace: Profiling, Threat-based Analysis and Correlation
7th International Conference on Risk and Security of Internet and Systems (CRiSIS) (paper)
HIGHLIGHTED AWARDS & ACHIEVEMENTS
|Bursary ||Fonds de recherche du Québec (FQRNT) ||2011, 2012, 2013 |
|Bursary ||Concordia University Graduate Student Support Program (GSSP) ||2011, 2012 |
|Academic Award ||Excellent Student in Informatics (Ho Chi Minh City, Vietnam) ||2002, 2004, 2005 |
|Academic Award ||Nationwide Informatics Contest for Young Talents (Ha Noi, Vietnam) ||2002 |
|Academic Award ||Informatics Contest for Young Talents (Ho Chi Minh City, Vietnam) ||2001, 2002 |
|2nd place ||Worldwide Gigabyte Open Overclocking Championship (Taipei, Taiwan) ||2008 |
|3rd place ||Nationwide Gigabyte Regional Overclocking Competition (Ho Chi Minh City, Vietnam) ||2008 |
|Champion ||AMTECH Amazing Overclocking Competition (Ho Chi Minh City, Vietnam) ||2008 |
|The Best Cooperation Award ||SEAMEO Regional Schools Internet Project (Singapore) ||2003 |
First International Conference on Anti-Cybercrime (ICACC) 2015
- Provided training for two workshops: Network Vulnerability Scanning and Assessment, Capture-the-Flag Tutorial.
- Organized a Capture-the-Flag event.