Working at Qantas I was given the responsibility to protect the digital sales channels of one of the largest retailers in Australia, which brings the extra challenge of securing digital assets without causing any disruption to essential revenue generation vehicles. Apart from providing guidance to developers on security best practices, I was involved in red teaming engagements, code reviews and the implementation of Content Security Policies to protect Qantas booking engine against malicious client-side attacks (e.g.: Magecart). I was also part in an initiative involving Cybersecurity, Digital Channels and the Cloud Platform teams, aiming to gather security intel from multiple automated scanners such as Sonarqube, Qualys, Veracode, Cloud Conformity, Nexus IQ and others. Findings from those tools were normalised, classified, triaged, and made available through an API. The API was consumed by existing tools across Qantas Group, such as cloud consoles – used by development teams and domain owners for remediation/accountability, as well as change management systems – used by the cybersecurity team for reporting and incident response.

As a member of the application security team, I contributed to ensure the security of Tyro’s Software Development Lifecycle. Some of the initiatives was part of include: the roll-out of a pipeline step focused on code analysis (Find-Sec-Bugs integrated to Jenkins); Implementation/maintenance of a third-party vulnerability management system using Sonatype Nexus Lifecycle; use of Nexus to scan vulnerabilities in containerised applications for cloud artefacts (Buildkite); deployment of a secret management system using Hashicorp Vault deployed in AWS; penetration testing engagements to assert the safety of internal and public-facing artefacts. I was also a member of a voluntary team responsible for maintaining the company's standard operating environment for developers – a Linux based infrastructure managed with Puppet.

At Covata I was given the challenge of managing an Information Security Management System compliant to ISO 27001:2013. It was a great experience as I could stretch my knowledge in areas of Information Security I had had little contact with. It is the case of vulnerability and patch management and risk/action management frameworks, just to mention a few. In addition, I also provided support to the engineering team, responsible for developing and deploying Safe Share - a solution allowing secure file collaboration in corporate environments. Safe Share applies strong cryptography, data classification, key management and fine grained access controls to protect information assets, a feature set that kept me in touch with the engineering side of IS, which has always been my passion. Collaborating in a dynamic and fast paced environment, my time with Covata was a great opportunity for me to keep up with the security aspects applied to mainstream technologies used by Engineers and DevOps, such as those involved in containerisation, scaling and provisioning, keys and secret management as well as the vulnerability check technologies applied to continual integration pipelines.

I assumed the ownership of one of the products of the company – DPM Key Lifecycle Management System. My duties involved planning, designing and developing functionalities to securely support the management of cryptographic keys and other sensitive data. My tasks encompassed development in Java language as backend technology, allied to frameworks such as Spring and Struts. I also made heavy usage of the crypto library Bouncy Castle to implement key and certificate management functionalities. As database technologies, I worked with Java Persistence Architecture (JPA), MySQL and SQL Server. On the front-end side, I had the opportunity of implementing a single page application in HTML5 and JQuery programming. I also dealt with security standards such as Key Management Interoperability Protocol (KMIP) and NIST FIPS specification. As my main achievements, I can point out the integration of the product to three new HSM models (Safenet, Utimaco and Engage), the implementation of full TLSv1.2 support using internally generated X.509 certificates as well as the configuration of the company’s internal Certification Authority (Microsoft CA). I also incurred in penetration testing engagements using the main tools available in the Kali Linux distribution and manual code review.

I led a group of around 30 people in the development and management of the company's portfolio. In almost five years heading the technical team, I was involved with defining the company's policies and procedures, in addition to providing guidance to both the development and operations teams. My main duties involved coordinating the planning, designing, building, deploying and governing BRy’s products and services. Between 2011 and 2015, BRy's portfolio grew from a set of six products to a total of nine. The focus of the company has also been changed from the development of software products to the additional provision of security cloud solutions (SaaS). To attend to this objective five of the pre-existing products have also been completely redesigned, addressing cloud technologies and single sign-on protocols. Among the technologies employed by the company, there are web technologies such as JEE platform, PHP, as well as C++ and mobile platforms.

I assumed the leadership of the project OpenHSMd, a key management software embedded in a hardware security module called ASI-HSM. This was my first leadership experience, where I coordinated a team of four developers. At that time, I had the opportunity to improve my skills in developing applications relying in intense network communications. The project was developed in C and Java programming languages and used SQLite as the database management system. It has provided me with the experience of embedding applications in the form of a firmware, to be installed in a device running a minimalist version of FreeBSD operating system. In the area of Information Security, I had contact with a variety of standards regarding key management, such as FIPS 140-2, Common Criteria as well as PKCS family (Public Key Cryptographic Standards). I had also the pleasure of leading a successful initiative to certify the ASI-HSM through the Brazilian accreditation process similar to US FIPS, namely ICP-Brasil MCT 7.

I was part of the team who developed a certificate management system for the Root Certification Authority of Brazilian PKI (Public Key Infrastructure). The project was sponsored by the Brazilian Government and aimed to provide an open source solution to support the Brazilian's governmental Root CA. During this project I have obtained professional experience in developing C/C++ applications, in addition to building applications on Linux based operating systems. The project also demanded knowledge of some specific technologies, such as Qt framework and PostgreSQL database. Working as a developer, I have acquired strong skills on security standards regarded to management of the lifecycle of X.509 certificates. It was also the first time I had contact with the OpenSSL cryptographic toolkit, which allowed me to acquire advanced knowledge on its design and capabilities.