Nexten Tech Ltd was founded in 2023 by David Robert. The company is incorporated in Ireland and provides services across the globe.
David has more than 25 years of experience in security, including a significant tenure as a Principal Application Security Engineer at Amazon. During his time at Amazon, David played a crucial role in threat modeling, architecture reviews, code reviews, and penetration testing across a wide range of applications and devices. David led security efforts for Amazon Payments, contributing to the migration and storage of payment instruments to the AWS cloud. Prior to Amazon, David held various positions including head of security for Liberty Insurance in Ireland and the UK, Security service manager for Airbus in France, Germany, Spain and the UK, and Cybersecurity Advisor for the French Air Traffic Control.
David’s main area of expertise is application security:
- Applications and infrastructure threat modeling.
- Architecture review.
- Secure code review.
- Cryptography, AuthN/AuthZ, PKI code review and implementation.
- Application pen testing.
David has extensive experience in embedded security. He has worked in the Amazon Robotics division of Amazon, where he performed security reviews of ICS/PLC systems and robotic systems. David designed secure key management, secure channels and authentication protocols for the Amazon warehouse robots. Equipped with this experience, David can help customers with their IoT, OT, or other embedded systems challenges. This includes performing hardware threat assessments and reviewing sensitive firmware areas such as: secure boot, flash encryption, trusted execution environment (TEE), authentication and key management with the cloud, secure provisioning and firmware signing.
Experience
Security consultant
JUN 2022 - now (Dublin and Galway, Ireland)
As a freelancer, I have been offering security services in application security, cloud security, and embedded security since June 2022. I formed Nexten Tech Ltd as a company in October 2023 and have maintained my consultancy services through it since.
Amazon, Principal Application Security Engineer
NOV 2010 - JUN 2022 (Seattle, U.S., then Dublin, Ireland)
I worked as principal security engineer in several internal organizations over the years including Alexa Secure AI Foundations, Internal and external Payments, Amazon Robotics (Kiva Systems), and Retail/Marketplace services and apps.
I designed, developed and shipped multiple products, including:
- Key generation/distribution/management for Kiva/AmazonRobotics robots
- Custom dynamic application security testing framework integrated with CI/CD (Java, Selenium, Burp Suite and creation of custom plugins)
- Transitive authentication protocol and implementation
- Agent and network based continuous analysis of active TLS connections
- Threat identification tool based on predicate logic and knowledge graph database (Python, Amazon Neptune, CoreNLP, JavaScript, threejs)
- Cloud security: I was the main contributor to the security strategy and design for the migration to the AWS cloud of the tokenization, storage, transformation and transmission of payment instruments.
- Performed deep dive threat modeling of the payment secure zone, including applications, network, and devices such as HSM.
- Security review of Amazon Android’s authentication libraries and single sign-on portals.
- Threat modeling, architecture review, code review and penetration testing of several backend and frontend applications, including all components handling payment instruments: from entry on web pages or devices, through internal microservices, to secure storage after re-encryption by an HSM, tokenization and transmission to payment partners. Threat modeling and code review (including crypto and authentication) of POS systems.
I performed countless security reviews (penetration testing, threat modeling, architecture review, code review, etc.) on every possible type of system. This enabled me to really sharpen my skills in threat modeling. I believe threat modeling is a very important activity, on which all other security assessment activities should build.
Liberty Insurance, Information Security Officer
OCT 2008 - NOV 2010 (Dublin, Ireland)
Head of security and business continuity for Liberty Insurance Ireland and the UK (formerly Quinn Insurance). I built the information security team and mentored my team to deliver our program.
- Numerous vulnerability assessments and code reviews (e.g. voice recording systems, internet web applications in Java and PHP) against the OWASP Top 10 and SANS Top 25
- Deployed Nessus security scanning across all Liberty Insurance assets
- Implemented XML database to centrally store and query findings from Nessus, NMAP and other security tools.
- Configuration of Intrusion Prevention Systems (NitroGuard), Network Behavior Analysis (Stealthwatch), HIPS (OSSEC) and SIEM (Splunk): infrastructure, procedures and metrics
- Worked on various security architecture projects (Virtualization, Enterprise SOA/ESB, Network segregation, PCI DSS Compliance, IPS and NBA deployment, Laptop encryption, etc.)
Sogeti on behalf of Airbus — Security Engineer, then Security service manager
APR 2007 - OCT 2008 (Toulouse, France)
Security service manager for Airbus, managing security teams in France, UK, Germany and Spain.
- Technical and compliance audits on portal applications
- Vulnerability assessment of various applications
- J2EE application audit (source code audit)
- ISO 27001-2 Audits, Technical audits, source-code review
- Work on Incident / Crisis Management processes
- Review of policies and standards
- Security dashboards and reporting to executives
DSNA-DTI (French Air Traffic Control authority) — InfoSec Advisor
JUN 2004 - FEB 2006 (Toulouse, France)
Project manager and Information Security Advisor for the French Air Traffic Control - Information Systems departments (DSNA/DTI/7)
- Security audit of web applications, of network architecture and source code audit (Apache / PHP / Oracle / in-house applications)
- Technical security audit of the ATC's secured internet platform.
- Demonstrated vulnerabilities by writing shellcodes and exploits (x86 and PA-RISC 2.0) on in-house applications.
- Assessment of the security risks of Linux distributions used at DGAC.
- Authored system-level security guidelines.
Independent consultant — Software Engineer
AUG 2001 - JUN 2004 (Toulouse, France)
- Development in Java, Swing, C and Python (telemetry transmission software)
- Linux and Security training work for various clients: Ministry of Economy, Ministry of Finance and Industry, Ministry of Education and Research and several private companies.
Agfa Healthcare — Information Security Officer
FEB 1999 - AUG 2001
- Design and implementation of Netsanté’s secure Internet hosting platform (Linux and FreeBSD, FreeBSD ipfilter-based firewalls, NetASQ).
- Creation of secure connection products based on Linux for secure transmission of medical information.
- Security audits, source-code audits of various web applications, and various training.
EDUCATION
BSc, Computer Science, Systems and Network Security
Université Paul Sabatier - Toulouse III- France
PAST CERTIFICATIONS
- CISSP
- CISA
- ISO27001 Implementer
- CHFI
- ITIL
LANGUAGES
English (fluent), French (fluent).