Dear prospective future employer,
As of the 2nd September 2007, this is the CV site of Paul Michael Wright, Oracle/Java Security Consultant, Developer and Forensic Analyst for NGS Software in Sutton, Surrey.
I have worked for NGS for the last 2.5 years and previously in a similar role for Pentest Ltd of Cheshire. I am a non-smoking, British, 39 year old who is relocatable with no criminal record, disabilities or health problems and can be identified by this photograph.
Introductory summary:
-Consulted to top banks and technology companies on the subject of Oracle/Java security and general IT security.
-Responsible for writing the Oracle security checks in NGS SQuirreL for Oracle.
-Research interest is Java Security with relation to Oracle. I maintain and instruct the SANS Java Security course and am the author of the GIAC Java exam.
-Currently the most GIAC qualified SANS person outside of the US with 12 GIAC certs including the GSE specialised in Oracle Forensics.
-Credited by Oracle in their April 2007 CPU and July 2007 CPU with finding and ethically reporting security vulnerabilities in the Oracle RDBMS.
-Author of Oracle Forensics by Rampant Techpress. ISBN 0-9776715-2-6. Currently working on Oracle/Java Security book around work.
-Instructor for SANS of Oracle security, Incident Handling and Metasploit courses and Instructing Java Security at SANS London 2007.
-Published in the IOUG SELECT Journal July 2007.
-Author of many papers including a NISR paper on Oracle passwords (in Japanese), Oracle forensics for vulnerability detection in the SANS Reading Room and the first paper published on the subject of Oracle Forensics at GIAC. New paper on Oracle SYSDBA backdoors.
-Published paper on Time Security which contributed to the reconsideration of a slightly rushed attempt to drop the leap second.
-Speaker and Presenter at ISACA and SANSVegas 2006 on the subject of Oracle Security.
In general I have over eight years of wide IT Security related experience complemented by twelve years technology experience with SONY, LINN, VICS and Sumners Ltd. I offer internationally excellent, technical IT security skills learnt in my Security roles with NGS Software, Pentest Ltd and SANS/GIAC with whom I have worked at 12 conferences internationally.
My overall career strategy has been to be able to plan, implement and secure an ebusiness application architecture using an Oracle Database (Solaris/Linux), CISCO networking/firewall and Microsoft front end applications (though increasingly browser based). I am interested in the process by which these proprietary technologies are being replaced by Open Source.
My recent focus has been Oracle Forensics as shown by my well received GCFA paper which was the first published paper on Oracle Forensics and resulted in a new Security Related Oracle bug number (4137048). Here is a summary of the Oracle training I have attended. Manchester University, SQL, PL, Forms and the first SANS Oracle Security Training event in San Diego 2005 which I Proctored.
Application security is a large area of my work, which includes using fuzzers like SPIKE to test client server applications. I have also done some HTTP based exploitation of applications using proxies such as Web Scarab. I can program in most languages including C, C++, C#, Java, HTML/XML, PL/SQL and BASIC (Visual/Spectrum) at a reasonable speed as I am a proficient touch typist. I have a good knowledge of hacking tools and test them on my 6 PC home network.
At NGS I have worked as a Consultant and Software developer responsible for writing Oracle Security checks using C++ and PL/SQL. This has required an in-depth knowledge of Oracle database security.
At Pentest Ltd I was working on Oracle security auditing based around the new SANS Step-By-Step Guide v2 for Oracle Security which required UNIX shell scripting.
For the rest of 2007 I plan to spend more time on Oracle applications security both in terms of Java and Web based applications as implemented in Oracle products.
Professional history from 2007 --> 1994 hyperlinked to sections below.
03/2005->NOW: NGSSoftware Ltd in Sutton as a Forensic Incident Handler with Oracle DBA responsibility.
09/2004->03/2005: IT Security Consultant for Pentest Ltd specialised on Oracle Auditing.
09/2002->07/2004: University of Manchester Advanced Computer Science MSc, EPSRC funded, whilst working for SANS as a Proctor.
3/2002->09/2002: VICS Software as a Programmer in small video software company in Manchester.
9/2000->3/2002: UMIST/MPhil in Ecommerce Security with SONY 1 month and LINN 6 month ORACLE consultancy included.
1996->2000: MMU / ebusiness degree (pt) / Chartered Marketer.
1994->1999: Sumners Audio Visual / Sound Engineer / Technical sales.
Feb 2005-Sep 2007: NGSSoftware Ltd
My latest work for NGS Software is writing Oracle Security Checks to go in the SQuirreL scanner for Oracle. At NGS I have furthered the concept of Forensic security checks and created a new method of automatically detecting Oracle patch level. I have also discovered many Oracle vulnerabilities reported directly to Oracle for which I have been credited in the last two CPUs. I started at NGS on the Consultancy floor working on bank and technology code reviews and incident handling consultancy. Whilst at NGS SANS have employed me as an Instructor for many of their courses in London. I am also a named contributor to the well received Advanced Database Security course, authored by NGS, which has run at Black Hat many times.
I have Presented at SANSFIRE 2006 in DC on the subject of Oracle Security. I was the first GSOC proctor and graduate. I am also the first GIAC GSOC Gold Advisor which means that I supervise new GIAC Gold students on Oracle Security. The GSOC paper I wrote and Rory Mckune's paper that I supervised are available at this URL. SANS/GIAC kindly allow me to sit on their GCIH, GCFA and GSEC Advisory Boards. I am not a "blackhat" as I try to have an ethical philosophy in everything I do.
Oct 30th 2004 to Feb 28th 2005: Pentest Ltd
I was invited to join NGS whilst I was working for Pentest Ltd and left after I had worked for exactly 6 months. At Pentest I was responsible for updating the Oracle Security Scripts to include the SANS Guide Version 2 checks, which I did successfully with my colleague John Netherwood who gave me one to one tuition on Oracle DBA scripting skills. Whilst at Pentest Ltd I achieved my GCFA forensics qualification (159) at Honours level, specialised on the original subject of Oracle Forensics. The way to find any GIAC graduate is to google the qualification and their name like this: "paul wright gcfa". It usually comes top.
Whilst at Pentest Ltd I attended the SANS Las Vegas conference for Ed's Cutting Edge Hacker Techniques aimed at Track 4 Alumni. I subsequently scored 96% in the GHTQ exam for this course. In Las Vegas I also took the DOTNET Security track and passed the relevant GNET qualification. SANS asked me to work in their terminal room as a technician which helped pay the tuition fees and was great fun to work with good people. Lastly I presented to Eric Cole's Track 1 class, which is a big class, on how to write a GIAC practical paper.
October 2002 to October 2004: University of Manchester Advanced Computer Science MSc (68%), EPSRC funded, whilst also contracting to SANS as a Proctor for conferences.
Previous to Pentest Ltd I passed my GCFW GIAC paper (503). I also passed the updated CCNAv3 with a score of 912 in August 2004.
At SANS London June 2004 I attended Forensics Track 8 course and chaired the GIAC meeting there.
I was contracted by SANS as a technical assistant (Proctor) at Amsterdam (T2/T1) in 2003, and also volunteered for Lance's Honeypot class at SANSFIRE 2003 and T3 in Washington 2003, London (T4) 2003, Sydney (T2) 2003 and Louisiana (T1) 2003. This work with SANS included full training in the respective Tracks. As part of this training I passed both the GSEC (3097) and GCIH (525) qualifications with honours which enabled me to join the GIAC Advisory Board which includes the cream of US Security practitioners.
At the same time as working for SANS I was funded by EPSRC to study at the University of Manchester on their MSc in Advanced Computer Science. I have passed all modules with 68% average with best marks in an eCommerce project taught by Dr Giordano of MIT and my IT Security Risk Management Project for Professor Simon French of Manchester Business School. After the six month module stage from May 2003 my final research project was on "Securing an Ebusiness Architecture", supervised by Dr Ning Zhang who teaches Network Security at the Dept. The research project funded by EPSRC led to the creation of UKCERT (www.ukcert.org.uk) and proposed a novel approach to combining IDS sensors via a centralised SQL database which we entitled "Cross-Referencing Pseudoservers". I implemented this new approach using VMware, RedHat Linux, MySQL, PHP and Java. I was the only ACS MSc project to use Java on Linux (can be challenging). Unlike previous years I was also one of a handful of students able to involve a commercial organisation in their project and one of very few funded students. The project was successful thanks to help from Dr Zhang (Man Uni's leading IT Security academic) and the thesis passed with an above average mark of 68% and no corrections.
Whilst finishing my Man Uni thesis I aligned myself with the global business IT job market by studying vocational IT Training courses which include CCNA/CCNP/CCSP CISCO courses at MANCAT including security training on PIX firewalls. I also finished the ORACLE Academy training which has taken me through SQL, PL, Forms 6i and 8i over the past five years attending 30 full Saturdays at MANCAT in the Instructor led commercial level training.
I have also taken and passed a Man Uni MSc Module in Oracle databases that was demanding.
I have studied two 10 week MANCAT courses in DOTNET technologies given by Kevin Tan.
September 2000 to October 2002: VICS
Directly before starting Manchester University I worked for VICS software as Software Developer and Business Development Manager from May 2002 till Sept 2002. I wrote mass email software for them and learnt a lot about web bugs and commercial software development. Here is my manager's employer reference from 6 month contract at VICS. At VICS I wrote an email program in Access and ASP which we converted to LAMP. This was my conversion from MS technologies.
September 2000 to May 2002: UMIST Computation Dept MPhil and LINN/ SONY Consultancy
As an MS follower I have achieved MCSE, MCDBA, MCSD (and MOUS). Here is my Microsoft transcript. I practised MS technologies as an IIS Admin at Linn Products from October 2001 till March 2002 (6 month contract). My main role at LINN was connecting Oracle to the outsource companies web server and writing Oracle applications which connected to our internal Intranet on IIS. After I finished at Linn I was employed to run a Security evaluation of the technologies I had worked with there.
Introductory academic reference from Prof Macaulay who supervised my UMIST ebusiness security MPhil from 2000-2002. Professor Linda Macaulay, UK expert on eBusiness, Head of UMIST Computation department and Director of "Centre of Expertise for eCommerce" and Head of HISPEC - Government funded project into Data Protection issues.
Paul Wright Evidence of Qualifications and Experience 2000-2002
1996-2000 part time Manchester Metropolitan University Business Degree turned Ebusiness Degree (57%)
At MMU, I converted my part time business degree into the first ebusiness final year project that MMU had run. It was exciting as I gained the highest mark for the Project Presentation in the year. Plus my final Analysis document scored the highest mark in the year. The consultancy included all the aspects of an ecommerce business including payment security and search engine strategy. Here is the finished documentation.
Ecommerce Undergraduate Degree Thesis (SkateUK).
Certificates 1999-2000
References 1999-2000
In my previous life I was a Chartered Marketer from my years with the Chartered Institute at ebusiness degree at MMU. CIM Marketing number - 4709047.
I was interested in the technology aspects of marketing at the time though I had come to question an over-reliance on marketing in order to be successful in business (or simply as an organisation serving the public). I have not done any business theory/marketing over the last six years but I understand that the theory/practice has not changed a huge amount. For me the last six years have been 100% technology based which has changed considerably as we all know. This makes me different from most technology hybrids who have experienced technology and then studied business/management marketing afterwards by which time the technology skills have become out of date. My technology skills are up to date and underpinned by an understanding of business management and marketing.
1993-1999 Sumners Audio Visual: Sound Engineer and Senior technical sales:
It was my experience and qualifications as a sound engineer that brought me this job with the North West's leading Audio Visual Technology Service Centre whilst I studied part time business degree and ran my own part time business as a landlord. My hobby at this time was music technology using Atari, Cubase and Soundtools for PC. 6 years Business Technology reference from the Director of Sumners with whom I still keep in touch.
1988 to 1993 I trained to be a Geography teacher and was involved in the networking of the college campus at an early stage in DOS' development. We also used and learnt about Geographical Information Systems and how they were used to decide the location of new businesses. In a gap in my studies I ran my own book business, was active on the Manchester music scene as a guitarist and sound engineer during an exciting period in Manchester music history. I was a Stone Roses fan and employee which involved me working at Spike Island.
1985-1987 Three A-levels passed first time from St Albans College which were natural science based.
Geography-B
Biology-E
Environmental Studies-E
1979-1985 At Francis Bacon secondary school where I was in the top 10 out of over 100 pupils with 8 O-levels, science, English and maths.
4 Bs and 4 Cs.
-------------------------------------------------------------------------------------------------------------------
Current hobbies:
In my limited spare time I enjoy guitar (grade 8), Jeet Kune Do martial arts (medium level) and walking in the country. I would very much like to develop the sport of Aquathlon in the South East of UK so this is my target for the next year. I am married to my partner of five years, Haley, who is also a University of Manchester Computer Scientist and business hybrid. Haley and I enjoyed Alton Towers here and this is where we met.