Joseph Ekene Ejike
[ SENIOR PRODUCT SECURITY ENGINEER ]

Building Security at
Enterprise Scale

I architect resilient security control planes that combine adversarial thinking with systems engineering discipline. From zero-CVE runtime factories to automated identity lifecycle management—I build the defensive infrastructure that keeps critical systems secure.

  • 0 critical base image CVEs at build time
  • 40% vulnerability reduction
  • 100% supply chain provenance
  • 50+ engineers mentored

Architectural Case Studies

ZERO-CVE BASE IMAGE GUARANTEE

Project NetShield: Multi-Arch Hardened Runtimes

The Problem: Public base images often carry stale vulnerabilities or lack provenance, creating an insecure foundation for high-volume financial APIs.

The Architecture: Engineered a "Shift-Left" factory using Wolfi (Undistro) and apko. I implemented a parallel GitHub Matrix strategy to independently build, scan (Trivy), and sign (Cosign) AMD64 and ARM64 images.

Impact: Achieved zero critical vulnerabilities in production base images while maintaining full supply chain transparency through cryptographic signatures.

Stack: Wolfi, apko, Cosign, Trivy, GitHub Actions

graph TD
    A[apko Build] --> B{Parallel Scan}
    B -- AMD64 --> C[Trivy x86]
    B -- ARM64 --> D[Trivy arm]
    C & D -- Pass --> E[Push & Sign]
    E --> F[Verified Gold Image]
    style F fill:#064e3b,stroke:#34d399
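The "C & D -- Pass --> E" edge in the diagram is the policy decision that keeps the factory honest: both architectures must be clean before the manifest list is pushed and signed. The gate below is an added example, not NetShield's own code. It reads the JSON that each matrix job writes with `trivy image --format json --output trivy-<arch>.json <tar>` and applies the zero-critical rule plus a rebuild rule for fixable HIGH findings (Wolfi ships fixes quickly, so the answer to a fixable finding is a rebuild, not a waiver). The sample reports and CVE identifiers are constructed placeholders, not real advisories.

```python
"""Multi-arch release gate over Trivy JSON reports (added example, not NetShield code)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Trivy's severity scale, ranked so a policy can say "at or above HIGH".
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class GatePolicy:
    block_at: str = "CRITICAL"  # any finding at/above this severity blocks release
    rebuild_at: str = "HIGH"    # a fixable finding at/above this also blocks (rebuild, don't waive)


@dataclass
class ArchResult:
    arch: str
    blocking: List[str] = field(default_factory=list)
    rebuild_needed: bool = False  # True when at least one blocking finding has a fix available

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate_report(arch: str, report: dict, policy: GatePolicy) -> ArchResult:
    """Apply the policy to one Trivy JSON report (Results[].Vulnerabilities[])."""
    out = ArchResult(arch)
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev_name = v.get("Severity", "UNKNOWN")
            sev = SEVERITY_RANK.get(sev_name, 0)
            fixable = bool(v.get("FixedVersion"))
            desc = f"{v['VulnerabilityID']} in {v['PkgName']} {v['InstalledVersion']} ({sev_name})"
            if sev >= SEVERITY_RANK[policy.block_at]:
                out.blocking.append(desc)
            elif fixable and sev >= SEVERITY_RANK[policy.rebuild_at]:
                out.blocking.append(f"{desc} fix available in {v['FixedVersion']}")
            else:
                continue  # tolerated: below threshold, or unfixed below the block tier
            out.rebuild_needed = out.rebuild_needed or fixable
    return out


def gate(reports: Dict[str, dict], policy: GatePolicy = GatePolicy()) -> dict:
    """Every architecture must pass. One failing arch withholds the whole index,
    otherwise the same tag would be signed on one platform and vulnerable on another."""
    per_arch = {arch: evaluate_report(arch, rep, policy) for arch, rep in reports.items()}
    return {"release": all(r.passed for r in per_arch.values()), "per_arch": per_arch}


def load_reports(paths: Dict[str, str]) -> Dict[str, dict]:
    """Map arch -> path of the trivy-<arch>.json file the matrix job produced."""
    loaded = {}
    for arch, path in paths.items():
        with open(path, encoding="utf-8") as fh:
            loaded[arch] = json.load(fh)
    return loaded


# Constructed sample reports: placeholder IDs and package names, not real advisories.
SAMPLE_REPORTS = {
    "amd64": {"ArtifactName": "netshield/base:amd64", "Results": [{
        "Target": "netshield/base (wolfi)",
        "Vulnerabilities": [  # HIGH with no fix yet: tolerated by this policy, tracked elsewhere
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0.0-r0", "Severity": "HIGH"},
        ]}]},
    "arm64": {"ArtifactName": "netshield/base:arm64", "Results": [{
        "Target": "netshield/base (wolfi)",
        "Vulnerabilities": [  # HIGH with a fix: blocks and flags a rebuild
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
             "InstalledVersion": "2.3.0-r1", "FixedVersion": "2.3.1-r0", "Severity": "HIGH"},
        ]}]},
}

if __name__ == "__main__":
    verdict = gate(SAMPLE_REPORTS)
    for arch, res in verdict["per_arch"].items():
        print(arch, "PASS" if res.passed else "FAIL", res.blocking)
    print("release:", verdict["release"])
```

Tolerating an unfixed HIGH is the same trade-off as running Trivy with `--ignore-unfixed` for that tier; if you adopt it, record the accepted findings in an exception register with an expiry so they are re-evaluated on the next scheduled rebuild.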
ENTERPRISE STANDARD

The Enterprise "Golden Pipeline" Standard

The Challenge: Fragmented deployment processes led to unverified dependencies and base image staleness entering production across multiple teams.

The Solution: Standardized product delivery for a major financial group by architecting a unified control plane in Google Artifact Registry. Enforced dependency proxying, automated rebuild triggers, and image provenance via Cosign.

Impact: Reduced time-to-production by 60% while ensuring 100% artifact verification across all deployments.

Stack: GCP Artifact Registry, Okta Workflows, Snyk, Terraform

graph TD
    A[Development Teams] --> B[Source Control]
    B --> C{Golden Pipeline}
    C --> D[Dependency Proxy]
    C --> E[Security Scanning]
    C --> F[Image Signing]
    D & E & F --> G[Artifact Registry]
    G --> H[Verified Production]
    style G fill:#064e3b,stroke:#34d399
    style H fill:#064e3b,stroke:#34d399
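"100% artifact verification" only holds if something at deploy time refuses images that did not come through the pipeline. The check below is an added example, not the Golden Pipeline's own code: a manifest is admitted only when every container image is hosted in the approved Artifact Registry repository, pinned by digest (a tag is mutable and proves nothing), and its digest is present in the pipeline's ledger of scanned-and-signed artifacts. The ledger is a constructed in-memory dict standing in for the `cosign verify` call and scan attestation lookup a real gate performs; the registry host, project and repository names are assumptions.

```python
"""Deploy-time image provenance check (added example, not the pipeline's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Policy:
    registry: str = "europe-west2-docker.pkg.dev"   # assumed Artifact Registry regional host
    repo_prefix: str = "fin-platform-prod/golden/"  # assumed <project>/<repository>/


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into registry, repository, tag and digest.
    A ':' is a tag separator only after the last '/', so registry ports survive."""
    name, _, digest = ref.partition("@")
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, _, tag = name.rpartition(":")
    first = name.split("/", 1)[0]
    if "/" in name and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, name.split("/", 1)[1]
    else:
        registry, repository = "docker.io", name  # Docker Hub shorthand such as "nginx:latest"
    return ImageRef(registry, repository, tag, digest or None)


def check_image(ref: str, policy: Policy, ledger: Dict[str, dict]) -> List[str]:
    """Return the policy violations for one image reference (empty list = admitted)."""
    img = parse_image_ref(ref)
    violations: List[str] = []
    if img.registry != policy.registry or not img.repository.startswith(policy.repo_prefix):
        violations.append(f"{ref}: not from {policy.registry}/{policy.repo_prefix}")
    if not img.digest or not DIGEST_RE.match(img.digest):
        violations.append(f"{ref}: not pinned by digest")
        return violations  # without a digest there is nothing to look up or verify
    entry = ledger.get(img.digest)
    if entry is None:
        violations.append(f"{ref}: digest unknown to the pipeline ledger")
    else:
        if not entry.get("scanned"):
            violations.append(f"{ref}: no scan record for digest")
        if not entry.get("signed"):
            violations.append(f"{ref}: no signature record for digest")
    return violations


def check_manifest(manifest: dict, policy: Policy, ledger: Dict[str, dict]) -> Dict[str, List[str]]:
    """Check every container in a Kubernetes Deployment, init containers included."""
    pod = manifest["spec"]["template"]["spec"]
    containers = pod.get("initContainers", []) + pod.get("containers", [])
    return {c["name"]: check_image(c["image"], policy, ledger) for c in containers}


def admit(manifest: dict, policy: Policy, ledger: Dict[str, dict]) -> bool:
    """True only if no container carries a violation."""
    return all(not v for v in check_manifest(manifest, policy, ledger).values())


# Constructed sample data: a digest the pipeline "knows" and a Deployment with one
# compliant container and one init container pulled straight from Docker Hub.
GOOD_DIGEST = "sha256:" + "a" * 64
LEDGER = {GOOD_DIGEST: {"scanned": True, "signed": True}}
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "nginx:latest"}],
        "containers": [{"name": "api", "image":
            f"europe-west2-docker.pkg.dev/fin-platform-prod/golden/payments-api:1.4.2@{GOOD_DIGEST}"}],
    }}},
}

if __name__ == "__main__":
    for name, problems in check_manifest(SAMPLE_DEPLOYMENT, Policy(), LEDGER).items():
        print(name, "OK" if not problems else problems)
    print("admit:", admit(SAMPLE_DEPLOYMENT, Policy(), LEDGER))
```

In production the ledger lookup is replaced by `cosign verify` on the digest-pinned reference with the expected certificate identity and OIDC issuer, and the same rule is enforced cluster-side by an admission controller so that a developer cannot bypass it with a hand-written manifest.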
ZERO-TOUCH AUTOMATION

Zero-Touch Identity & Access Automation

graph TD
    HR[Jira Service Mgmt] -->|Webhook| Okta[Okta Workflows]
    Okta -->|Onboard| Prov[Provision AWS & JumpCloud]
    Okta -->|Offboard| Kill[Revoke Sessions & Lock Device]
    style Kill fill:#7f1d1d,stroke:#fff

The Challenge: Manual onboarding created "ghost accounts" and delayed access revocation by up to 48 hours, risking compliance failures and unauthorized access.

The Solution: Engineered a fully automated lifecycle using Jira Service Management, Okta Workflows, and JumpCloud. Access is granted based on Role (RBAC) and revoked instantly upon contract termination.

Impact: Eliminated ghost accounts and reduced offboarding time from 48 hours to under 5 minutes.

Stack: Okta Workflows, Jira Automation, JumpCloud, Python
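The joiner/leaver logic the diagram sketches is small enough to show end to end. The handler below is an added example, not the production Okta Workflows flow: it takes a ticket event (normalisation of the raw Jira Service Management webhook into this shape is assumed to happen upstream), converges Okta group membership onto the role's RBAC set for joiners and movers, and for leavers kills sessions, deactivates the user and locks the device in that order. The Okta calls are the documented Users and Groups API paths; the JumpCloud lock endpoint path, the tenant URL and the role-to-group mapping are assumptions. The HTTP client is injected, so the code runs offline.

```python
"""Zero-touch joiner/leaver handler (added example, not the production workflow)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

OKTA = "https://example.okta.com"            # assumed tenant URL
JUMPCLOUD = "https://console.jumpcloud.com"  # JumpCloud API host

# Role -> Okta group IDs. Constructed mapping with placeholder IDs; the real RBAC
# matrix lives in the IdP, and an unknown role deliberately maps to nothing.
ROLE_GROUPS = {
    "backend-engineer": {"00g-eng-all", "00g-aws-dev-ro", "00g-github-eng"},
    "payments-sre": {"00g-eng-all", "00g-aws-prod-oncall", "00g-pagerduty-pay"},
    "contractor-qa": {"00g-qa-staging"},
}


@dataclass(frozen=True)
class Action:
    """One outbound API call the automation intends to make."""
    method: str
    url: str


Sender = Callable[[Action], None]


def desired_groups(role: str) -> Set[str]:
    """Fail closed: a role that is not in the matrix grants no access."""
    return set(ROLE_GROUPS.get(role, ()))


def reconcile_groups(user_id: str, current: Set[str], wanted: Set[str], send: Sender) -> List[Action]:
    """Converge membership onto the role's set. Removing stale groups on a move is
    what prevents privilege accumulating as people change teams."""
    actions = [Action("PUT", f"{OKTA}/api/v1/groups/{g}/users/{user_id}") for g in sorted(wanted - current)]
    actions += [Action("DELETE", f"{OKTA}/api/v1/groups/{g}/users/{user_id}") for g in sorted(current - wanted)]
    for a in actions:
        send(a)
    return actions


def offboard(user_id: str, device_id: Optional[str], send: Sender) -> List[Action]:
    """Leaver path, ordered so that live access dies before the account record changes."""
    actions = [
        Action("DELETE", f"{OKTA}/api/v1/users/{user_id}/sessions"),           # revoke every live session
        Action("POST", f"{OKTA}/api/v1/users/{user_id}/lifecycle/deactivate"),  # then deactivate the user
    ]
    if device_id:
        # JumpCloud built-in lock command; this endpoint path is an assumption.
        actions.append(Action("POST", f"{JUMPCLOUD}/api/v2/systems/{device_id}/command/builtin/lock"))
    for a in actions:
        send(a)
    return actions


def handle_event(event: dict, current_groups: Set[str], send: Sender) -> List[Action]:
    """Dispatch a normalised ticket event: {"type": joiner|mover|leaver, "okta_user_id", "role", "device_id"}."""
    kind = event["type"]
    if kind == "leaver":
        return offboard(event["okta_user_id"], event.get("device_id"), send)
    if kind in ("joiner", "mover"):
        return reconcile_groups(event["okta_user_id"], current_groups, desired_groups(event["role"]), send)
    raise ValueError(f"unhandled event type: {kind}")


class Recorder:
    """Stand-in for the HTTP client: records calls instead of sending them."""
    def __init__(self) -> None:
        self.calls: List[Action] = []

    def __call__(self, action: Action) -> None:
        self.calls.append(action)


if __name__ == "__main__":
    rec = Recorder()
    handle_event({"type": "leaver", "okta_user_id": "00u-example", "device_id": "sys-example"}, set(), rec)
    for a in rec.calls:
        print(a.method, a.url)
```

Two details carry the security value. Revoking sessions before deactivation closes the window in which an already-authenticated browser or refresh token keeps working, and the reconcile step runs on movers as well as joiners, which is what removes the access a previous role granted rather than only adding new access.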

Technical Arsenal

OFFENSIVE SECURITY

  • Web/API: Burp Suite Pro, OWASP ZAP
  • Mobile: Frida, Objection, Jadx-GUI
  • Network Recon: Nmap, Wireshark
  • Exploit Development: Python & Bash

CLOUD & HARDENING

  • AWS Security Hub & GuardDuty
  • Wolfi (Undistro) & apko Hardening
  • Docker & Kubernetes Security
  • Terraform (IaC) & Linux Hardening

APPSEC & SUPPLY CHAIN

  • Artifact Registry Governance
  • Snyk, Checkmarx, SonarQube
  • Sigstore/Cosign Provenance
  • GitHub Advanced Security

GOVERNANCE & IDENTITY

  • ISO 27001 & PCI DSS Compliance
  • Zero Trust (Okta/JumpCloud)
  • RBAC Design & Policy Enforcement
  • Incident Response & Forensics

Professional Experience

Lead Product Security Engineer
Tier-1 Financial Holding Company
2024 - Present
  • Adversarial Research: Led grey-box assessments on flagship banking platforms, uncovering critical Race Conditions and IDOR-based Account Takeovers.
  • Standardization: Designed the "Golden Pipeline" for Payment APIs, ensuring 100% of artifacts are signed and scanned before deployment.
  • Mentorship: Built security champion program training 30+ engineers on secure coding practices and threat modeling.
Application Security Engineer
Tier-1 Commercial Bank
2023 - 2024
  • API Protection: Discovered critical Refresh Token Hijacking and auth bypass scenarios on corporate endpoints serving 2M+ users.
  • Security Gates: Integrated automated SAST/DAST into CI/CD, reducing production vulnerability delta by 40%.
  • Compliance: Led PCI DSS certification efforts for payment processing infrastructure.
Cybersecurity Instructor & Mentor
10Alytics
2024 - 2025
  • Designed hands-on labs for Wazuh SIEM architecture and Incident Response workflows.
  • Mentored 50+ students in transitioning to professional security roles with 85% placement rate.
Technical Support Engineer (L3)
Enterprise Software Firm
2021 - 2023
  • Managed enterprise NNMi clusters and platform upgrades for Fortune 500 clients.
  • Supported Kubernetes security compliance for large-scale container deployments.

Projects & Research

NetShield Hardened Images

Hardened, 0-CVE multi-arch base images built with Wolfi/apko and cryptographically signed with Cosign for supply chain verification.


Threat Hunting with Wazuh

Combining Wazuh File Integrity Monitoring with Yara rules for proactive threat detection on Linux endpoints.


Bash Log Analyzer

Automated script for parsing authentication logs, detecting anomalies, and performing geolocation analysis on failed login attempts.


Network Vulnerability Scanner

Bash-based network mapper and service identifier for rapid security assessments and reconnaissance.


Kubernetes Operations Guide

Technical series on optimizing K8s log analysis, deployment management, and security hardening using modern tooling.

Articles: Kube Logs, Kube Delete

AWS Cloud Architecture Workshop

Delivered technical workshops on ECS Fargate, RDS security, and Docker Hub integration patterns for scalable workloads.
