Guy Romm, a professional digest

The shortest biography

Born 1982, in Kazan’, USSR. Immigrated to Israel in 1990. Grew up in Lod. Dropped out of high school in 1999. Discovered the bicycle. Dodged the IDF. Residing in Tel-Aviv since 2001. First programming book at age of 8. First PC in 1992. First modem in 1997. Linux shortly thereafter. Internet access in 1998. First web project in 2002. Switched to Python in 2008. To JavaScript (front & back) in 2018. Ever-contemplating on what to indulge in. Married, 2 kids, 4 cats.

Concise professional experience

2003-5. First serious “job” writing a distributed CMS for a new thing called SEO, a.k.a keeping up with & playing tricks on Google. Nowadays known as FastTiger Development.

2005-6 Flew to Cyprus to build a poker website named RedKings, now part of EGO.

2007. Back in Israel to build a now-defunct indie classifieds site, Tet.

2008. Flew out with a bicycle to Portugal. Spent half a year pedalling across Europe to Russia.

2009. Built Greenie, a now-defunct, peer-to-peer bicycle delivery matching hub between clients, businesses & couriers. Was ahead of its time, not enough smartphone owners around, no meaningful bicycle culture in TLV at the time. Got some nice press nevertheless.

2009-10.  Built, a now-defunct classifieds aggregator in Serbia. Scraped around 100K items, daily, off a dozen sites, transforming them into an orderly format to be displayed, searched and filtered by their attributes on a website. Last solo project, discovered the limits of my abilities when unassisted.

2010-2018. Built & CTO’d SandStorm, a gaming platform featuring mobile-first HTML5 games, a powerful Backoffice, integrations to lots of 3rd party game providers, payment gateways, communication services. The project gave birth to a then-novel approach of creating performant mobile browser graphics, and a methodology of managing distributed developer teams, custom infrastructure, and a number of other open-source contributions.

2014- Created Web GMA R&D, a dev & consulting shop specializing in Web, Remote teams, and taking pride in its technical roots.

2018- Full time Consultant & Development services provider & Architect of custom Web projects for various clients (references to be provided upon request). Increasingly invested in a single tech-stack of choice, which includes PostgreSQL, PostgREST, NodeJS & Svelte.

Tech stack summary

The term “Full stack” has been beat into a very low, broad meaning in recent years. However, I perceive myself as precisely that - a developer able to architect & execute on the Hardware, Virtualization, OS, Network, Services, Server-side apps, and finally the Browser planes.

Technologies of preference are marked in bold.

Hardware: have assembled servers, switches & racks.

Virtualization: qemu, ibvirt, docker, user-level isolation.

OS: Linux, with an understanding of what’s out there besides.

Persistence: MySQL, PostgreSQL, Redis. Horizontal scaling. Performance optimizations.

Network: Linux routing, Firewalling, OpenVPN, tunnelling, solid grasp of security & threat vectors.

Services: apache,nginx,haproxy,wsgi,postfix, ssh and a ton I’ve forgotten about.

Server side: potent in (sic) php, python, node. Can read a bunch of others. Dabbled in FP.

Client side: lots of projects in Svelte, experience with functional React & Redux. HTML, JS, CSS, at times hands-on, mobile & desktop. Authored JS frameworks for games, business UI.

Management approach

Preference for undogmatic Agile and the lean approach. Context centric management attitude (everyone needs to know where we’re going). Creator of Project Management tools, merge orchestration tooling. Preferring to lead by example. Loves collaborative editing, documentation that's up to date by design, and diagrams.                                                            

Self assessment of competence in the area of Information Security

While I have not dealt with security directly in the role of an attacker or an active penetration tester, I am more than familiar with the field both theoretically, as well as in practice, as an Architect, designing systems that:

  • Store & transmit financial transactions, user credentials, other sensitive data.
  • Communicate to and accept information from secure parties such as Payment Gateways.
  • Are under a high risk of Denial of Service attacks
  • Operate within toxic environments with a high likelihood of data theft, manipulation & collusion by employees & customers.

Over the years, I have created systems that solved challenges, (traditional external adversarial threats aside), that are increasingly subtle & complex, such as:

  • Tenant and data separation within a given system instance.
  • Extensible & flexible Role and Object-based permission models.
  • Protection against bulk download of information by users with limited access.
  • Safeguards and protection against malicious information alteration by privileged users (DBAs, for instance).

Fulfilling the role of a CTO for several projects through my career, I have accumulated, and in turn, was guided by:

  • Understanding of the fundamental principles of threat modelling, attack vectors, exposure.
  • Familiarity with the principles of Intrusion Detection & prevention.
  • Familiarity with the concept of Penetration testing, both internal & external.
  • Secure program design principles on:
  • the architecture level (microservices architecture, separation of concerns)
  • the language & runtime level (buffer overflows, memory readability, process isolation)
  • the OS level (resource permissions, user separation, secure networking practices)
  • Understanding of the principles of encryption & its proper usage within the context of systems design.

I have managed remote teams that consist of employees operating within uncontrolled and untrusted environments. To manage risks resulting from them, I have:

  • Designed and implemented compartmentalized & peer-reviewed workflows that reduce the likelihood of employees introducing malicious changes (backdoors) into code & data.
  • Practiced extensive usage of Revision Control Systems as a means to effectively control, track & authorize changes.
  • Applied data obfuscation & encryption that enabled to leave most employees without access to sensitive production data, while maintaining their ability to simulate realistic scenarios (in terms of data volume & character).

In addition, I am familiar with common Web Application flaws, vulnerabilities and exploitation techniques, as well as effective countermeasures to them::

  • Cross Site Request Forgery (CSRF)
  • Cross Site Scripting attacks (XSS)
  • Session Hijacking & other MITM attacks.
  • Web automation for the purpose of:
  • Information collection (web-scraping)
  • Brute forcing of passwords
  • Application Denial of Service
  • Transmit of automated content (spam of various flavours).
  • SQL injections
  • Direct unprotected object referencing

© 2023 Web GMA R&D Ltd.