Curriculum Vitae

Details
Name Andrew Kennedy
Date of Birth 11 December 1974
Location Edinburgh
Phone +44 7582 293 255
E-mail andrew.international@gmail.com
Web http://uk.linkedin.com/in/grkvlt
http://bit.ly/adk-qpid-jira

Overview
1. Development – Java (J2EE 1.6 and JDK 1.6) with Spring, Hibernate, OSGi and other frameworks,
Python, Perl and Ruby
2. Systems – Management of Windows and Unix (RedHat Linux and others, Solaris, AIX), Networking
with TCP/IP, Optimization and Performance tuning
3. Security – Engineering and development, Risk analysis and penetration testing, Application security
reviews, Security policies, Intrusion detection and incident management, Single sign-on,
Cryptography
4. Build Environments – Maven and Ant, Continuous Integration (Hudson/Jenkins and Cruise Control),
Automated testing with JUnit, Eclipse IDE, Version control (Git, CVS and Subversion)
5. Architecture - ESB, SOA, JMS Messaging (Qpid, Active MQ, and MQ series), Web Applications
(Tapestry, Struts and Spring MVC), Application servers (IIS, Apache, Tomcat, Websphere,
Geronimo, JBoss) and Databases (SQL Server, PostgreSQL and Oracle)
6. Open Source – Apache Software Foundation developer and active Apache Qpid committer
I am a skilled software engineer with experience in infrastructure, component and enterprise
application architecture, development and design. This includes both open source and commercial
components on the Java platform, such as Websphere, Geronimo, JBoss and Tomcat. I have used
Spring MVC, Struts and Tapestry as the main front end technologies, with Spring, Hibernate and EJB
components, as well as integration with web services using SOAP and XML for inter-process
communication and messaging systems and databases. I am able to easily embrace new, modern
technologies, such as ESB and SOA designs, and have used them in large projects, along with
additional technologies such as jBPM, JAXB, CXF and JMS.
As part of a team, my tasks normally involve the architecture, design and engineering of applications
and middleware for the production of high quality software and documentation using test-driven
development. I am able to document and communicate software concepts effectively, and have been
part of the high level decision making process on many large applications. I have created and
maintained build environments using Maven and CI with integrated automated testing suites for both
services and user interfaces. My background in Security gives me the ability to produce secure
applications and to appreciate, review, audit and mitigate risks effectively.
I am an experienced information security consultant, with practical experience of implementing and
assessing secure systems. This requires a variety of IT, project management, systems design, risk
management and technical skills, which I believe, will be of value to any employer. During my time
working in the City of London with the IT and IS departments of major investment banks I have been
involved in the design, implementation and rollout of many different pieces of security and banking
software.
I can write programs fluently in Java, Perl, Ruby and Python as well as C, C++ and C#. I can create
scripts using Unix bash and C shell, Tcl and expect, and write Windows batch and PowerShell files for
system automation.
Employment
J P Morgan Chase Bank (February 2010 – March 2011)
Senior Software Engineer
I worked a one year contract with the Firmwide Engineering and Architecture department as part of a
team maintaining and supporting the Apache Qpid JMS messaging broker, used in many back office
and trading applications throughout the bank. Qpid is an open source JMS broker, using the industry
standard AMQP protocol between Java, .NET, C++ and python clients and both Java and C++ broker
implementations.
This involved both supporting production application issues and consulting with application developers
on architecture and other issues encountered during development. I also continued the development of
Apache Qpid for the 0.6, 0.8 and 0.10 releases, with concurrent internal development based on the 0.5
release. Many features developed for the broker are the result of JPMC internal customer requirements,
as well as public requests and discussions on the Apache mailing lists.
As part of this work, I became an Apache committer, and have been actively contributing to the Qpid
source code and documentation, developing mostly in Java and also Python. Large contributions
include an implementation of ACLs for the broker, implementing the 0-10 AMQP protocol over Mina
transport, rearchitecting the network layer and diagnosing and fixing bugs reported both in the bank
and by external users on the Apache JIRA system. I am currently working on upgrading the build
system to Maven and introducing OSGi features to the broker.
As an Apache committer, I liased with Red Hat, Microsoft and other companies, as well as independent
developers. I am also active on the public developer and user mailing lists, and have been involved in
the SOAP-JMS W3C standards process.
Development used an Agile methodology and required the ability to co-ordinate with developers in
other companies and disparate geogtreaphical locations. Pair programming and peer review enabled
code quality to be kept high, and automated unit testing with JUnit and code checking using Sonar was
part of the nightly build process.
This role required an in-depth understanding of messaging systems including the JMS and AMQP
standards, as well as an ability to understand complex concurrency and threading issues. Knowledge of
financial and trading sytem architectures and processes allowed me to support the banks applications
that used the Qpid broker, and provide consultancy and development advice.
Yell Adworks (January 2009 – January 2010)
Software Engineer / Architect
I worked a one year contract as part of a team that was developing a new workflow application to
replace legacy systems. This application was Java 1.6 based and was built using the Mule ESB with
JBoss application server. My responsibilities involved design, architecture and development, including
the build process and developer training. My role was to produce the base application infrastructure
and framework for further development, assist in implementation of business logic, as well as being a
member of the architecture board which had control of all technology and design decisions.
The system was designed using the Iconix modeling process using Enterprise Architect and UML, and
was use-case driven, with an emphasis on testability. The development model used was an agile test-
driven process, and I created a system testing framework for black-box evaluation of the use-cases,
using JUnit. I also developed much of the build environment using Maven and the Hudson continuous
integration server, and automated deployment of the application and execution of system tests.
I created a modular framework for the service layer using Spring 2 and Hibernate 3 with the JBPM
workflow engine, which was integrated into the ESB using Active MQ JMS and CXF web services. My
team implemented the business logic for the server side of the application, and provided an API for
development of client systems using XML messaging based on schemas and JAXB.
After the base system was completed and tested, I wrote and presented a series of training sessions
for the offshore maintenance teams, to familiarize them with the applications design, development
methodology, tools and technologies used. During system development I was also responsible for
producing technical documentation and reports on system features and evaluations of design decisions.

page 2 of 7
My final tasks during this handover phase involved performance tuning and analysis of the application.
This encompassed SQL query optimization, Hibernate configuration, application profiling and algorithm
analysis.
CIGNA International (July 2006 – December 2008)
Senior Enterprise Java Developer
I have been instrumental in setting up the latest iteration of the Companies Internet facing and intranet
sites, by moving to a full Java and J2EE based architecture. This involves IBM Websphere application
servers (Community Edition, the IBM modified open source versions of Apache Geronimo, both version
1.x and 2.x). The websites run using Tapestry 4.x as a front end, linked to a mid-tier shared by all
applications which uses Spring and Hibernate, as well as Apache ActiveMQ for message services. The
whole system communicates with a master IBM DB2 database running on an AS/400 which is
replicated using the database’s native audit trails, negating the need for contention on the actual
database tables or having to constantly poll for changed records.

I also maintained the company coding standards, and took part in regular code reviews with fellow
developers and have also been instrumental in carrying out detailed data forensics work on potentially
compromised production machines to ensure damage limitation, working with other developers,
Compliance and Legal.
Freelance (September 2005 – July 2006)
Freelance Developer
I have been working as a freelance Java, PHP and Web developer, bidding on projects posted on
freelance websites such as “Rent A Coder” and other, similar sites. Projects to date have included
writing client software for eBay and Betfair (the latter being an automated robot betting system) as
well as websites and web applications using PHP, Struts and JSP services. Most projects are of a short
duration (around one month) for individuals with small/home businesses. Most clients have little to no
programming skills, so communication of what is and is not possible within the time and monetary
constraints available is very important, as is translating their requests into a viable functional
specification that can be used as the basis for agreeing deliverables. The nature of this work means
that I also write the documentation, including fully commented source code, and translating technical
concepts into simple English is essential to properly communicate what has been done.
The varied nature of the work means I have learned several new APIs and language features while
producing an application, particularly working with web services and XML-RPC. For web applications, I
have used XHTML, JavaScript/DOM and CSS to produce interactive (AJAX) layouts and pages, and
again this has involved learning a lot of new techniques.
Betfair (April 2005 - August 2005)
Security and Fraud Engineer
I was employed on a short-term contract to provide application security services and anti-fraud
technical support and development. The security work involved application reviews of the Betfair
Exchange platform and associated sites and services, producing risk-analysis reports of any exploitable
holes or security issues found.
My other role involved working with the Fraud team to analyse the transactional database and data
warehouse for suspicious transactions, either credit card usage or betting patterns. I developed a J2EE
application to interrogate the data warehouse, allowing the fraud analysts to enter queries which were
translated into SQL and produced a report on suspicious or linked accounts. Additionally, scripts were
developed to allow the Unix team to match parts of the Web server logs to betting transactions in the
database, to allow searching by IP addresses and other information not stored in the data warehouse.
I also investigated vendors of fraud analytics software to try and find a commercial solution to reduce
the chargeback ratio (from stolen credit card fraud) to acceptable levels, however the industry is not
very mature and the project was cancelled.
Critical Spark (May 2004 - November 2004)
J2ME Development and Consulting
I carried out development and testing work using J2ME as part of a project to develop game software

page 3 of 7
for Nokia mobile phones. This gave me a good grounding in the J2ME Java APIs and programming
techniques. I also implemented the obfuscation and anti-reverse-engineering mechanisms used to
protect the final game. The company involved was a small Edinburgh based start-up.
Royal Bank of Scotland Group (April 2003 - May 2004)
Security Consultant, Penetration Testing
I was employed by the Investigation and Threat Management team, as part of the Royal Bank of
Scotland Group Information Security department. My main responsibilities are for Penetration Testing
and Vulnerability Assessment, and secondary duties include Alert management, Forensic examinations
in support of fraud and misconduct investigations and acting in an advisory capacity on general threats
to the Group IT infrastructure.
I manage the day to day running of the contacts with external penetration testing service providers,
and control and supervise any third party security testing that occurs on Group systems. This includes
the technical review and management of a pool of suppliers to determine those most suitable to
provide services to the Bank.
I also carry out penetration tests of internal systems that do not warrant a third party test. This
involves usage of a comprehensive suite of tools, from vulnerability scanners to network mapping
utilities, web protocol analysers and active proxies for HTTP modification, and custom scripts to
perform ad-hoc testing or one-off tasks. Vulnerability analysis of systems is carried out using
automated tools, which I manage and control, generating reports and statistics about the overall
security posture of the externally facing Group systems.
I have attended training courses on the enCase Forensic software, as used by most Police forces in the
UK and other countries. This is used to perform forensic examinations of PCs in support of internal
investigations into employee misconduct or fraud.
Freelance (January 2002 – February 2003)
Freelance Java Developer
I worked as a freelance Java developer. I have completed several projects for small business clients in
the Edinburgh area. These include custom add-on packages for Sage Accounting and Payroll systems
and visualisation software for industrial dataloggers, using Java 2 with Swing and JDBC.
ABN Amro Bank (November 2001 – January 2002)
Security Engineer / Developer
I worked part time as a developer, taking over an existing in house project to augment the monthly
and weekly Intrusion Detection reports. This performed network state monitoring and information
gathering to provide additional information in a report designed to aid vulnerability assessment. The
software used Unix tools such as Whisker and Nessus, and Perl and Shell scripting to scan the Bank’s
systems and networks, and collate and process the information to produce a weekly HTML report,
detailing any changes to the network state and highlighting security issues discovered. This informed
both senior management as well as network and system administrators, who were able to obtain
detailed information about specific issues.
I completely rewrote the existing codebase to make the scanner modular, allowing plug-ins to be
added for new scanning or monitoring tools. I also created a file based configuration system, which
allowed individual scans to be described using a simple scripting language, thereby allowing scans and
reports to be pre-defined and saved.
ABN Amro Bank (May 2001 – October 2001)
Senior Security Consultant
I was part of the Global Information Security Department, working as a Senior Security Consultant. I
was responsible for Risk Analysis for several projects assigned to the Security Consulting Group. This
primarily involved carrying out Risk Assessments against Systems, both new, during implementation, in
development and existing projects as part of an audit and review process.
My main responsibility was for Risk Assessment of the Global Equities Toolkit project, a Client
Relationship Management System using Siebel and Oracle on HP-UX and NT, that was being deployed
and rolled out in London, Singapore and North America. I worked closely with the project management

page 4 of 7
team, liasing with the acceptance testing and quality assurance staff to integrate security assessments,
tests and metrics into their testing program. At each stage of the project I carried out a series of
security tests, including database and system penetration tests, network and operating system
vulnerability scanning, user account and role auditing and a review of operating, administration and
user processes and procedures. I produced the Risk Assessment reports and checklists to record the
level of compliance with the Bank’s policies and standards. This documentation was used to inform the
further stages of development of the system and to improve the security until full compliance with the
required policies was achieved.
I also carried out Risk Assessments of Web applications, including a Java Enterprise (J2EE) powered
Loan Pricing System, and outsourced Document Management System for OTC Derivatives Contracts
and a Portfolio Management Tool. These systems were being developed for various Business Units
within the bank, however I also assessed individual Infrastructure components and systems, including
one of the Internet Banking Gateways and its associated Firewall and Router systems, and several
Oracle and SQL Server database applications.
As part of the Penetration Testing team I carried out testing and attacks against Bank systems to
determine their susceptibility to compromise by malicious internal and external threat agents. To do
this I used both commercial software, such as ISS Internet and Database Scanner, free tools such as
NMAP and Nessus, publicly available and custom written exploits and attack scripts and several of my
own tools developed in house. Systems tested included Lotus Domino Web servers, Microsoft IIS Web
servers, Databases, UNIX, Windows NT and 2000 servers and network infrastructure (routers) and
Firewalls. I used the information obtained during the testing process to produce documentation of the
details of systems compromised, weaknesses detected and vulnerabilities exploited, and worked with
the System Administrators to secure any vulnerable systems.
In a reactive role, I was involved in Incident Response and Forensics, in particular during large-scale
worm attacks, such as the recent Code Red and Nimda attacks. During these attacks, I carried out
damage assessment and limitation. This involved detecting infected systems and then disinfecting and
recovering data, using software and scanners I have written for each specific attack.
I also contributed to the development of the CIRT Incident Response plan, which was updated due to
the additional threats posed by such Internet worm attacks, and produced reports and a white paper
outlining strategies and technological solutions for future security issues the Bank might face.
Deutsche Bank (May 1999 - December 2000)
Security Engineer
I was project lead for the design, implementation and deployment of the bank’s security monitoring
infrastructure, using Axent Enterprise Security Manager. This involved a global rollout of the ESM agent
software and regional implementations of the security management systems.
I also installed a pilot version of UNIX Privilege Manager, a distributed version of SUDO, which was
used to broker privileged access requests from developers on production systems.
I carried out research into a host-based intrusion detection system for the bank, which included
evaluations of current commercial and military systems, including CyberSafe Centrax, ISS RealSecure
System Agent, SRI International project EMERALD and Litton PRC Précis. This evaluation produced a
set of formal requirements for testing and comparing security systems which are used as a model for
product evaluation.
I worked on the bank’s UNIX and other security standards and policies, and used ESM to bring systems
into compliance with these documents using automated scripts to patch systems and upgrade security
settings. This also involved vulnerability research and allowed me to pre-emptively secure systems
against potential compromise.
ScotiaMocatta and Bank of Nova Scotia (August 1998 - April 1999)
Trade Systems Support
My main role was technical support and systems administration of the ScotiaMocatta Unix servers and
PC systems and support and project work for Unix systems in Bank of Nova Scotia London. As well as
this, I have been involved in several projects within ScotiaMocatta.
I was the technical manager of a project to transfer the trading system used by ScotiaMocatta from an
IBM RS/6000 AIX platform to a Sun Enterprise Server Solaris platform. This involved copying a

page 5 of 7
UniVerse database system and all trade data from one machine to another, overseeing the installation
of the trading software by the vendor, rewriting the database and system maintenance scripts,
reworking the user administration procedures and documenting the operational changes. In addition I
implemented a user acceptance and integration testing platform where all vendor supplied code
changes could be tested before being moved to the production systems. This platform is also used for
disaster recovery and hot standby purposes.
I integrated ScotiaMocatta’s user, password and host database with Bank of Nova Scotia London’s NIS
and DNS servers and installed DNS and NIS servers at ScotiaMocatta.
I was also part of a team that migrated the PC systems from Novell NetWare to Windows NT. This
involved installation and rollout of Windows NT Workstation on the desktop, via automated installation
procedures that I created, conversion of PC systems that used Novell to NT and transfer of all user files
and programs to the NT server.
Prior to an internal audit, I compiled a procedures manual for the MIS department and reworked the
company business resumption plan as part of a disaster recovery implementation programme.
Integrated Technology Services (April 1998 - August 1998)
I developed a suite of Windows NT tools and utilities to manage security policies on networked
Windows NT machines using Microsoft Visual C++ and the MFC library. This included ‘Enforcer’, a
graphical NT security management solution, which is used by NatWest Markets.
NatWest Markets (October 1997 - April 1998)
I was part of a security team responsible for securing Unix hosts after an external audit. This involved
installing and implementing Axent ESM policies, as well as creating scripts to patch common Unix
security flaws. I also developed a secure anonymous FTP application to allow secure file transfers
between business groups.
Reuters (March 1997 - October 1997)
I was part of the Product Acceptance Group, involved in quality assurance and acceptance testing of
the Reuters 3000 financial information products. In addition, I was responsible for day to day
management of the test laboratory network of Windows NT and Sun Solaris workstations, which
involved installation of operating systems and pre-release versions of Reuters software.
I was also responsible for co-ordinating the testing of the Reuters Discovery project, a cross platform
Unix and Windows NT historical market data application. This involved liasing with the software
development teams and developing and implementing a test strategy.
Standard Chartered Bank (January 1997 - March 1997)
I was responsible for the security of the base metals and bullion trading settlement system. This ran on
AIX platforms, using CA UniCenter security management software, and Axent ESM for ongoing security
assessment and auditing. During this contract I documented and fixed security vulnerabilities found by
ESM and other analysis tools, both in the base Unix operating system, the trading software and the CA
UniCenter set-up. I also re-implemented the security rules for the system and documented a set of
system management procedures to maintain the required level of security using ESM’s reporting
facilities and custom tools.
Research Systems (July 1995 - August 1996)
I was part of a small team that designed and implemented the Web site for the TUC Congress in
September 1995 and the Labour Party conference in October 1995. This involved creating a generic
‘Virtual Conference’ Web server on a Unix workstation. I created CGI scripts in PERL to display dynamic
information about the conferences and implemented a bulletin board system on the server where
visitors to the conference could leave comments. I was also involved in the design of the HTML and the
visual look and feel of the sites.
I managed the installation and maintenance of a temporary Web server and Internet connection at the
Brighton Conference Centre during both events and liased with the Labour Party and TUC information
services units to ensure accurate and up-to-date information was presented on the Server.
I was also involved in the set-up and maintenance of a temporary cyber café network at both events,
including cable installation and network administration.

page 6 of 7
I have been involved in the creation of a permanent Web presence for the Trades Unions Congress.
This involved the creation of a ‘Virtual Building’ stored in a SQL Server database, with no actual HTML
code present as part of the server. I designed and implemented the SQL database and created a suite
of CGI programs to access it and render the contents as HTML. This included a search mechanism and
an automated system to add non-HTML documents to the server.

Education
Edinburgh University (October 1992 - July 1995)
I gained a BSc degree in Computer Science and Artificial Intelligence.
The course covered programming in C and ML, and was based on an algorithmic approach to problem
solving. Other elements of the course covered computer design, operating system design and
implementation, mathematical applications of computing and analysis of algorithms. Artificial
Intelligence techniques covered included expert systems, neural networks, genetic algorithms,
predicate logic and proof systems, knowledge discovery and data-mining. As part of the third year of
the course, I undertook a large scale team project involving the design and implementation of a
security camera monitoring application in both software and hardware, where I was responsible for the
coding of the GUI using OSF/Motif.
Abronhill High School (August 1986 - May 1992)
I passed the following Highers at ‘A’ grade: Mathematics, English, Chemistry, Physics and Computer
Studies.

page 7 of 7