PROFESSIONAL SKILLS
Application Security | Security design & architecture, threat modeling, secure code review, security testing, supply chain security |
Cloud Operation | IAM, security hardening, monitoring, logging & auditing, vulnerability management, incident response |
Offensive Security | Vulnerability assessment, penetration testing, red teaming, bug bounty |
Cyber Security | Information security policies & compliance, cyber threat intelligence |
DevOps | Cloud (AWS, GCP) infrastructure orchestration, DevSecOps, CI/CD |
Software Engineering | Python, Ruby, PHP, JavaScript/TypeScript, HTML, CSS |
| Rust, Go, C/C++, Visual Basic/ASP/C#.NET, Java, Objective-C, PASCAL, Assembly, Dart |
PROFESSIONAL EXPERIENCE
Senior Product Security Engineer
OpenZeppelin | August 2024 - Now |
- Lead the product security effort, in charge of implementing the secure software development lifecycle across the company
- Perform security architecture review, secure code review & security testing of various projects, including but not limited to: web applications, backend services, cloud infrastructure & smart contract libraries
- Implement and maintain security tools and processes
- Serve as a subject-matter expert on product security, providing guidance and best practices
- Assist IT Security with establishing security policies and achieving compliance (SOC2, ISO27001)
- Contribute to leading the company-wide effort of leveraging AI to improve software development productivity and security
Co-founder
I4S Digital (formerly ERPTech) | 2021 - Now |
- Helping small and medium businesses to improve their digital presence
Chief Technology Officer
Senior Offensive Security Engineer
Amazon | February 2022 - August 2024 |
- As a senior member of the Devices & Services Red Team, conducted red team operations on a variety of both internally and externally facing services
Senior Security Engineer
CrowdStrike | May 2020 - February 2022 |
- As a senior member of the Product Security Team, continuously improved the security posture of the product platforms
- Performed security architecture review of various product features and platform integrations
- Maintained least privilege access to the platforms
- Served as a subject-matter expert on cryptography, performing critical crypto operations and providing guidance and best practices
- Mentored and supported other members within the Product Security Team
- Led a multi-team project to set up new hardware security module (HSM) appliances and harden systems within their network perimeter; designed and implemented systems to securely maintain the lifecycle of mission-critical crypto keys
- Led a multi-team effort to drastically improve the security of the product code signing practices
- Provided technical support to ensure successful periodic audits (SOC2)
Technical Lead - Cyber Security
KOHO Financial Inc | November 2017 - April 2020 |
- Served as the main subject-matter expert on cyber security and the main driving force behind the Security & Privacy Roadmap
- As the first security engineer, bootstrapped, scaled and maintained the information security program
- Led the Platform & Security Team to support the company growth, hired and mentored new Security/DevOps/IT engineers
- Application Security:
- Collaborated with other teams to strengthen the company security posture
- Performed secure code review in a variety of languages and platforms and contributed security-sensitive code
- Conducted security reviews and tests of product features and system integrations
- Owned and maintained the public vulnerability disclosure program (HackerOne)
- Ensured the success of periodic external penetration tests and third-party risk assessments
- Security Operations:
- Performed continuous security review and testing of the cloud infrastructure
- Established company-wide information security baseline: policies, MFA, IAM, data security/classification, etc.
- Designed and implemented critical building blocks of the infrastructure
- Spearheaded the DevOps and Infrastructure as Code transformation effort
- Provided expertise for troubleshooting and optimizing current service platforms
- Served as the first responder when a security event occurred
- Stood up the on-prem IT infrastructure and developed IT security policies from scratch
- Improved security awareness by providing mentorship, trainings and workshops internally
Software Security Engineer
Intel Security, Intel Corporation (McAfee since April 2017) | January 2015 - October 2017 |
- As a member of the Product Security Team, enabled frequent public releases (on multiple platforms: Windows, macOS, Android, iOS) and backend deployments without any security defects by performing security review and validation on every release cycle
- Served as an advocate for security within development teams, providing security guidance and best practices
- Reported to decision makers via an executive dashboard composed of industry-standard metrics (OWASP Application Security Verification Standard (ASVS) and Product Security Maturity Model)
- Successfully designed, implemented and executed a key ceremony for HashiCorp Vault, which stores mission-critical secret keys
- Considerably improved confidence in shipped features by implementing Agile SDL
- Created and maintained threat models of complex software systems, including but not limited to: client native applications, backend REST APIs, CI/CD and data analytics pipelines
- Ensured sufficient security coverage and continuous security control in the product by integrating static code analysis tools into the CI/CD pipeline and maintaining adequate technical and process documentation
- Provided feedback and remediation strategies in responding to externally reported vulnerabilities
- Discovered and provided remediation solutions for security vulnerabilities in other products within the company
Cyber Security Researcher
National Cyber-Forensics and Training Alliance (NCFTA) Canada | January 2011 - Dec 2014 |
- Researched, designed, implemented and maintained software systems that manipulate hundreds of GB of data per day
- Participated in projects in collaboration with different organizations:
- Malware Analysis: Installed and maintained a dynamic malware analysis environment using GFI Sandbox, analyzed malware reports by applying machine learning techniques
- Darknet Traffic Analysis: Researched and developed a phishing detection and assessment system that extracts phishing URLs from online spam data feeds; Designed and developed a system that analyzes darknet traffic to infer global scanning activities and DDoS attacks in near real-time
- Spam Campaign Analysis: Researched, designed and implemented a spam campaign detection, analysis and investigation software framework which is utilized to enforce Canada’s Anti-Spam Legislation
- Cyber Threat Intelligence Databases: Designed, implemented (full-stack) and maintained different databases of cyber threat intelligence (passive DNS, scanning activities, DDoS & phishing attacks)
Software Development Engineer
Vi Na Brilliant Card (VNBC), Dong A Bank | December 2009 – August 2010 |
- Researched and built a nationwide payment system using contactless cards
- Implemented a software framework for managing closed-loop payment systems
- Developed and maintained the internal web portal
- Managed the development process of the main website
OTHER WORK EXPERIENCE
| Web Developer, Montreal Saudi Student House | May 2013 | Built a website for Saudi students in Montreal using XenForo
| Lab Instructor, Concordia University | January 2013 – April 2013 | Instructed students to build a simple computer using electronic devices (SOEN228)
| Technician, ASUS Vietnam | November 2008 – November 2009 | Tested and reviewed new products; participated in organizing sales and marketing events
| Member, AMTECH Overclocking Club | January 2008 — December 2008 | Assembled, modified, overclocked and repaired computer hardware
EDUCATION
Master of Applied Science in Information Systems Security, Concordia University
Thesis: Mining Cyber Security Intelligence from Spam Data
Bachelor of Engineering in Electronics & Telecommunications, Ho Chi Minh City University of Technology
Thesis: Implementing and evaluating the Ad hoc On-Demand Distance Vector (AODV) routing protocol
SELECTED ACADEMIC PUBLICATIONS
Enquêtes sur les pourriels avec le forage de données - Délinquance et innovation, Les Presses de l’Université de Montréal
Spam Campaign Detection, Analysis and Investigation - Digital Investigation, Volume 12, Supplement 1 (also Proceedings of the Second Annual DFRWS Europe)
Investigating the Dark Cyberspace: Profiling, Threat-based Analysis and Correlation - 7th International Conference on Risk and Security of Internet and Systems (CRiSIS)
HIGHLIGHTED AWARDS & ACHIEVEMENTS
Bursary | Fonds de recherche du Québec (FQRNT) | 2011, 2012, 2013 |
Bursary | Concordia University Graduate Student Support Program (GSSP) | 2011, 2012 |
Academic Award | Excellent Student in Informatics (Ho Chi Minh City, Vietnam) | 2002, 2004, 2005 |
Academic Award | Nationwide Informatics Contest for Young Talents (Ha Noi, Vietnam) | 2002 |
Academic Award | Informatics Contest for Young Talents (Ho Chi Minh City, Vietnam) | 2001, 2002 |
2nd place | Worldwide Gigabyte Open Overclocking Championship (Taipei, Taiwan) | 2008 |
3rd place | Nationwide Gigabyte Regional Overclocking Competition (Ho Chi Minh City, Vietnam) | 2008 |
Champion | AMTECH Amazing Overclocking Competition (Ho Chi Minh City, Vietnam) | 2008 |
The Best Cooperation Award | SEAMEO Regional Schools Internet Project (Singapore) | 2003 |
PROJECTS
The First International Conference on Anti-Cybercrime (ICACC) 2015
- Provided trainings for two workshops: Network Vulnerability Scanning and Assessment and Capture-the-Flag Tutorial.
- Organized a Capture-the-Flag event.