SENIOR PRODUCT SECURITY ENGINEER

Building Security at Enterprise Scale

I architect resilient security control planes that combine adversarial thinking with systems engineering discipline. From zero-CVE runtime factories to automated identity lifecycle management—I build the defensive infrastructure that keeps critical systems secure.

Joseph Ekene Ejike
Senior Product Security Engineer
0 Critical Base Image CVEs at Build Time
150K+ Nodes Analyzed in <30s
100% Supply Chain Provenance
50+ Engineers Mentored

Architectural Case Studies

01
ZERO-CVE RUNTIME GUARANTEE

Project NetShield: Multi-Arch Hardened Runtimes

The Problem: Public base images often carry stale vulnerabilities or lack provenance, creating an insecure foundation for high-volume financial APIs.

The Architecture: Engineered a "Shift-Left" factory using Wolfi (Undistro) and apko. I implemented a parallel GitHub Matrix strategy to independently build, scan (Trivy), and sign (Cosign) AMD64 and ARM64 images.

Impact: Achieved zero critical vulnerabilities in production runtime base images while maintaining full supply chain transparency through cryptographic signatures.

Wolfi, apko, Cosign, Trivy, GitHub Actions
graph TD
    A[apko Build] --> B{Parallel Scan}
    B -- AMD64 --> C[Trivy x86]
    B -- ARM64 --> D[Trivy arm]
    C & D -- Pass --> E[Push & Sign]
    E --> F[Verified Gold Image]
    style F fill:#312e81,stroke:#818cf8
                    
02
ENTERPRISE STANDARD

The Enterprise "Golden Pipeline" Standard

The Challenge: Fragmented deployment processes led to unverified dependencies and base image staleness entering production across multiple teams.

The Solution: Standardized product delivery for a major financial group by architecting a unified control plane in Google Artifact Registry. Enforced dependency proxying, automated rebuild triggers, and image provenance via Cosign.

Impact: Reduced time-to-production by 60% while ensuring 100% artifact verification across all deployments.

GCP Artifact Registry, Okta Workflows, Snyk, Terraform
graph TD
    A[Development Teams] --> B[Source Control]
    B --> C{Golden Pipeline}
    C --> D[Dependency Proxy]
    C --> E[Security Scanning]
    C --> F[Image Signing]
    D & E & F --> G[Artifact Registry]
    G --> H[Verified Production]
    style G fill:#312e81,stroke:#818cf8
    style H fill:#312e81,stroke:#818cf8
                    
03
ZERO-TOUCH AUTOMATION

Zero-Touch Identity & Access Automation

The Challenge: Manual onboarding created "ghost accounts" and delayed access revocation by up to 48 hours, risking compliance failures and unauthorized access.

The Solution: Engineered a fully automated lifecycle using Jira Service Management, Okta Workflows, and JumpCloud. Access is granted based on Role (RBAC) and revoked instantly upon contract termination.

Impact: Eliminated ghost accounts and reduced offboarding time from 48 hours to under 5 minutes.

Okta Workflows, Jira Automation, JumpCloud, Python
graph TD
    HR[Jira Service Mgmt] -->|Webhook| Okta[Okta Workflows]
    Okta -->|Onboard| Prov[Provision AWS & JumpCloud]
    Okta -->|Offboard| Kill[Revoke Sessions & Lock Device]
    style Kill fill:#7f1d1d,stroke:#fff
                    
04
ADVERSARIAL RESEARCH

NetShield: Automated Mobile SSL Bypass Suite

The Challenge: Modern apps use native SSL implementations (BoringSSL) that evade standard interception tools.

The Solution: Built an orchestration engine that combines static pattern matching with Frida-based runtime instrumentation to bypass pinning in Flutter, OkHttp, and custom TrustManagers.

Frida, BoringSSL, Python, Reverse Engineering
graph TD
    A[Target APK] --> B{Static Detection}
    B -- Flutter --> C[Native Hook libflutter]
    B -- Java --> D[Hook TrustManager]
    C & D --> E[Runtime Bypass via Frida]
    E --> F[Intercept Encrypted Traffic]
                    

Technical Arsenal

Offensive Security

  • Web/API: Burp Suite Pro, OWASP ZAP
  • Mobile: Frida, Objection, Jadx-GUI
  • Network Recon: Nmap, Wireshark
  • Exploit Development: Python & Bash

Cloud & Hardening

  • AWS Security Hub & GuardDuty
  • Wolfi (Undistro) & apko Hardening
  • Docker & Kubernetes Security
  • Terraform (IaC) & Linux Hardening

AppSec & Supply Chain

  • Artifact Registry Governance
  • Snyk, Checkmarx, SonarQube
  • Sigstore/Cosign Provenance
  • GitHub Advanced Security

Governance & Identity

  • ISO 27001 & PCI DSS Compliance
  • Zero Trust (Okta/JumpCloud)
  • RBAC Design & Policy Enforcement
  • Incident Response & Forensics

Professional Experience

Lead Product Security Engineer
Tier-1 Financial Holding Company
2024 — Present
  • Adversarial Research: Led grey-box assessments on flagship banking platforms, uncovering critical Race Conditions and IDOR-based Account Takeovers.
  • Standardization: Designed the "Golden Pipeline" for Payment APIs, ensuring 100% of artifacts are signed and scanned before deployment.
  • Mentorship: Built security champion program training 30+ engineers on secure coding practices and threat modeling.
Application Security Engineer
Tier-1 Commercial Bank
2023 — 2024
  • API Protection: Discovered critical Refresh Token Hijacking and auth bypass scenarios on corporate endpoints serving 2M+ users.
  • Security Gates: Integrated automated SAST/DAST into CI/CD, reducing production vulnerability delta by 40%.
  • Compliance: Led PCI DSS certification efforts for payment processing infrastructure.
Cybersecurity Instructor & Mentor
10Alytics
2024 — 2025
  • Designed hands-on labs for Wazuh SIEM architecture and Incident Response workflows.
  • Mentored 50+ students in transitioning to professional security roles with 85% placement rate.
Technical Support Engineer (L3)
Enterprise Software Firm
2021 — 2023
  • Managed enterprise NNMi clusters and platform upgrades for Fortune 500 clients.
  • Supported Kubernetes security compliance for large-scale container deployments.

Projects & Research

NetShield Hardened Images

Hardened, 0-CVE runtime multi-arch base images built with Wolfi/apko and cryptographically signed with Cosign for supply chain verification.

Threat Hunting with Wazuh

Combining Wazuh File Integrity Monitoring with Yara rules for proactive threat detection on Linux endpoints.

Bash Log Analyzer

Automated script for parsing authentication logs, detecting anomalies, and performing geolocation analysis on failed login attempts.

Network Vulnerability Scanner

Bash-based network mapper and service identifier for rapid security assessments and reconnaissance.

Kubernetes Operations Guide

Technical series on optimizing K8s log analysis, deployment management, and security hardening using modern tooling.

AWS Cloud Architecture Workshop

Delivered technical workshops on ECS Fargate, RDS security, and Docker Hub integration patterns for scalable workloads.

Banking Infrastructure Lab

A full-scale Kubernetes-based simulation of a banking environment designed for validating zero-trust architectures and simulating multi-stage attack vectors.

Speaking & Mentorship

ISC2 Nigeria Chapter

Delivered "Threat Modeling for Complex Ecosystems," teaching architectural security to certified practitioners.

ISACA Lagos Boot Camp

Instructor for a 2-part Offensive Security series using the "Banking Infrastructure Lab" to train professionals on multi-stage attack vectors and zero-trust validation.

Let's build something secure.

Interested in collaborating on security architecture, adversarial research, or DevSecOps strategy? Let's connect.