Designed and shipped a stateless overlay package manager for read-only RHEL Linux dev images, bind-mounting unpacked RPM content into a writable stateless partition to enable install/update/remove across 4 internal OS products
Cut developer package refresh from >60 minutes for full VM reimages to <1 minute per RPM install (95%+ reduction); supported bulk installs and safe updates via state manifests and atomic rollback
Hardened overlays with SHA-256 integrity checks, SELinux/MAC relabeling, and DAC/permission preservation; built a test suite to validate contexts, placements, and system file constraints (>60k files validated/test)
FIPS-Compliant Lightweight Web Server
Surveyed 10+ open-source servers against GRC and FIPS requirements, constrained-device footprint, and community supply-chain risk, ruling out heavyweight stacks and single-maintainer projects
Configured and packet-traced HTTP/3 and TLS 1.3 stacks (tcpdump, traceroute, netstat) to verify real-world behavior; narrowed recommendations to Nginx, Jetty, and OpenLiteSpeed with hardened baselines
Presented findings to the Architecture Review Board in a 30-minute briefing; became team SME on HTTP/3, TLS 1.3, PKI, mTLS, OAuth/JWT, and quantum-resistant/FIPS-approved SSL implementations
Linux USB Device Security Hardening
Performed in-depth analysis of Linux USB enumeration, driver binding, interface classes, and common attack vectors (BadUSB, rogue HID, keystroke injection), mapping risk across udev, USBGuard, and device-authorization paths
Developed advanced real-time auditing and correlation tooling that aggregates udev + USBGuard telemetry, producing concise security summaries and actionable logs for system developers
Automated strict USB allowlisting by programmatically updating USBGuard rules through D-Bus IPC, enabling authenticated device onboarding without manual daemon configuration edits