Employment History, Regular employment positions
Sonatype Inc.
Senior Software Developer
Dec 2020 - Present
Liverpool, Nova Scotia (Remote)

Ken, upon realizing that product management was not satisfying for him, moved back to a Senior Software Developer role. He moved to the newly formed "Lift" group that is developing Sonatype Lift, a cloud-based continual assurance product. He persisted through several rounds of ideation and prototyping until the desired development track was found, outlasting multiple other developers -- prototyping particularly suits Ken's temperament and skills. His role as a Senior (full stack) developer includes:

  • Prototyping and developing features for Sonatype Lift
  • Mentoring new employees
  • Acting on behalf of the lift team in some meetings
  • Working with other members in the team to develop and advance the architecture
  • Interacting with customers to identify desired product features and improvements
  • Writing unit and integration tests

Of particular note, within the Lift team Ken is an approachable source of knowledge on Sonatype data and products, particularly considering his extensive experience developing and managing the software security teams. This knowledge has helped significantly streamline and improve Lift development and the Lift product itself.

Development on OSS Index has continued apace. The most significant improvement has been migrating the back end to use a subset of Sonatype's commercial data instead of its own database. Besides being an overall improvement in data quality, this has the added benefit of streamlining the required research and the team doing it (the OSS Index and commercial research teams were merged). This has resulted in an overall increase in research speed (and more vulnerabilities found!).

Product Manager
Jun 2018 - Dec 2020
Liverpool, Nova Scotia (Remote)

Ken continued his career at Sonatype as Product Manager of the software security teams, where his role included:

  • Interacting with customers to identify their needs, including both internal users and external Sonatype customers.
  • Creating development plans and schedules to deliver features to users and customers. This includes the introduction of security data through research into Sonatype's system, through its delivery and representation to the end user. Development follows agile principles, necessitating an understanding of said principles and how they work within Sonatype's environment.
  • Working closely with other Product Managers to assist in cross-team planning.
  • Providing requirements to development teams such that appropriate features are developed for customers in a timely manner.
  • Acting as an interface with customer support to ensure that customer questions and problems are handled appropriately.
  • Working with engineering managers, architects, and team leads to plan and ensure that products are developed in a sustainable way.
  • Assisting sales engineers not just by supplying information, but occasionally talking directly with prospects to understand their needs.

Ken continued to develop for and support the public OSS Index, while putting into action plans to move its development and maintenance to Sonatype development teams. Ken expanded the coverage of OSS Index, and developed and oversaw the development of numerous open source scanning tools, including:

  • Adding support for multiple ecosystems
    • Alpine Linux
    • Cargo
    • Clojars
    • CocoaPods
    • Conan
    • Conda
    • CRAN
    • Go
    • Swift (Unreleased)
  • Writing command line scanning tools for a variety of ecosystems
    • Cheque (C/C++ scanner)
    • Nancy (go scanner)
  • Overseeing and assisting in the development of numerous additional scanners
    • Bach (PHP scanner, unreleased)
    • Speedbump (Swift scanner, unreleased)
    • ...

Senior Software Developer
Jun 2017 - Jun 2018
Liverpool, Nova Scotia (Remote)

Upon the acquisition of Vör Security by Sonatype, Ken worked as a senior software developer on the internal software security tools behind Sonatype's products.

Ken continued to support and develop OSS Index during this time.

Vör Security (Previously TwoDucks Inc.)
CEO and Founder
Oct 2013 - Jun 2017
Ottawa

TwoDucks Consulting was incorporated in October 2013 and was later renamed Vör Security. Since its incorporation, Vör Security grew to a small company of three employees.

Vör Security developed the free open source vulnerability tracking system OSS Index; both the company and OSS Index were acquired by Sonatype in June 2017. During this time OSS Index added support for numerous ecosystems, tool integrations, and scanners.

Notable Prototypes & Early-Stage Systems
  • Ecosystems
    • Bower
    • Chocolatey
    • Debian
    • Drupal
    • Maven
    • npm
    • NuGet
    • PyPI
    • RubyGems
    • RPM
  • Integrations/scanners
    • Audit.js (npm)
    • Audit.NET (Visual Studio)
    • DevAudit (Multi-platform multi-ecosystem scanner written in C#)
    • Maven plugin (java)
    • Gradle plugin (java)

Dalhousie University/Quantum Research Analytics
Senior Software Developer
June 2013 - July 2017
Halifax (remote)

QRA is "building tools to reduce engineering and testing costs for highly complex systems in the aviation, automotive, and utilities industries. By combining cutting edge technology, including quantum computing, and the latest mathematical techniques, QRA is able to find design flaws very early in the development cycle. QRA is poised to be at the forefront of complex system design through partnerships with leading institutions and corporations."*

Notable Prototypes & Early-Stage Systems
QVTrace
Software for managing, visualizing, and mathematically verifying complex system models, intended for the aviation, automotive, utilities, and other industries requiring rigorous validation and verification. I built the front end and back end (full stack) for QVTrace, which managed the display, import, and storage of software system models, interfaced with a separate service to perform verification and validation, and provided a user-friendly interface for visualizing and debugging the identified issues.
References
  • QvTrace at the Wayback Machine (2002)

KDM Analytics
Senior Developer & Software Architect
Mar 2007 - Oct 2013
Ottawa

KDM Analytics "is a security assurance company providing products and services for threat risk assessment and management, due diligence assessments, and information and data assurance."

Key Contributions
  • KDM Analytics' first developer, and the only developer for their first couple of years
  • Architected, prototyped, and continued development of KDM Workbench, the company's flagship product
  • Developed numerous prototypes and early-stage systems to support the company's engagements
Notable Prototypes & Early-Stage Systems
KDM Workbench
A desktop application using reverse engineering and software analysis for visualization and data aggregation in support of software modernization. Features included static analysis (architectural violations, code smells, metrics), model transformation, and integrations to aid in understanding and updating of legacy enterprise code-bases.
ShamrockDB (internal name)
A custom database solution designed for high-performance visualization of complex code systems. For its very specific use case it outperformed traditional databases by orders of magnitude as well as being significantly faster than prevalent "NoSQL" solutions. It was used in KDM Workbench to store and visualize code models.
Unnamed code analysis platform
An Eclipse-based suite of tools and tool integrations used in large system analysis, specifically targeting Mergers & Acquisitions due diligence. Working in conjunction with KDM Workbench, it significantly improved the ability to analyze large code-bases, and was used in many M&A engagements. The platform supported almost every software language used in legacy (and modern) systems (yes, including COBOL and Fortran).
Unnamed binary decompiler
A tool designed to reverse engineer binary files, providing insights into the structure and behavior of compiled code. It aimed to assist in understanding legacy systems and identifying potential vulnerabilities.

Klocwork
Senior software developer
Mar 2001 - Oct 2006
Ottawa

Klocwork grew rapidly as a company. Ken remained lead developer for many of the company's offerings, and was heavily involved in developing prototypes and experimental systems.
Key Contributions
  • Lead developer for Klocwork's defect reporting tool
  • Lead developer for Klocwork's web-based defect management interface, "Project Central"
Notable Prototypes & Early-Stage Systems
Ken was heavily involved in prototyping new product features and ideas to demo to customers, usually performed under VERY tight timescales and vague requirements.
Unnamed SQL static analysis tool
This early prototype static analysis tool used pattern analysis of SQL code to identify common security vulnerabilities.
inSight Architect feature prototype
This customer demo code rendered bug traces (extracted using static analysis tools) on architecture diagrams.
Unnamed build log analyzer
Using build log analysis we extracted compilation information for C/C++ systems in order to properly extract code dependencies and relationships. This was required to produce accurate static analysis results.
Unnamed C/C++ include analyzer
A large enterprise customer had a problem with slow build times (an hour or more). The solution was to use Klocwork data to simplify dependencies by reducing file includes, resulting in build speed improvements of over 30%. This was custom work performed on the customer's site.
Unnamed customer support troubleshooting expert system
This decision-tree based troubleshooting system was used extensively by the customer support team to resolve customer problems on a daily basis. It reduced resolution time significantly, and in particular reduced the number of tickets that had to be escalated.
Unnamed customer support information aggregator
This system aggregated and cross-referenced the information from customer problem reports and internal bug reports, which helped ensure that no customer problems were lost.
Nortel Networks
Senior software developer
Nov 1999 - Mar 2001
Ottawa

These years were a time of growth for the inSight project, but also a time of transition for the team, as we were preparing to spin out of Nortel Networks to become a separate company, Klocwork. Ken remained the primary developer at this time, though several contractors were working remotely on the project.
Key Contributions
  • Re-architected the inSight database and product to increase product speed by an order of magnitude.
  • Project leader in supporting one of the lead customers of inSight, valued at over $700 K.
  • Developed several tools and customizations required by our lead customer.
Software developer
May 1997 - Nov 1999
Ottawa

Returning to Nortel Networks, Ken continued his work as the sole developer on the "inSight" project, a continuation of his internship work. The architecture prototype was further developed into a full-fledged software product. Ken was the software architect and lead developer in the group, and developed desktop software as well as full-stack web applications.
Notable Prototypes & Early-Stage Systems
These prototypes were self-guided initiatives that became part of the inSight product line.
inSight X-Ref
A cross-reference tool for languages supported by inSight (Java/C/C++) -- this was before Java IDEs became widespread, but remained in the product afterwards due to its value when exploring codebase architecture.
inSight webapp
A web-based application for exploring software architecture and related data. This saw significant use due to the complexity of the desktop application's installation. Most developers used the web app, while the desktop application was used by architects and others who needed the additional features it provided.
Software developer (internship)
May 1995 - Aug 1996
Ottawa

Ken was hired as an intern into a new research project with the goal of reverse engineering software systems into a high-level modeling language for use in training and software improvements. The work he did here helped lay the foundations for the inSight architectural analysis tool, which in turn became the foundation for the spin-off company "Klocwork".
Notable Prototypes & Early-Stage Systems
Unnamed architecture extraction product
This prototype extracted static and dynamic architecture information from a telecommunications product written in a proprietary language called Protel. Architectural components were extracted by file analysis. Automation/simulation of the system showing component interactions was accomplished through automated translation of the Protel functionality into SDL (Specification and Description Language).
Hypertech Initiatives Inc.
Senior software developer
May 1995 - Dec 1996
Remote (Toronto)

Hypertech Initiatives Inc. was a small software development company that specialized in developing custom internet software solutions. They created the initial website (complete with search engine) for "Yellow Pages Limited".
Notable Prototypes & Early-Stage Systems
ScapeGoat
A graphical HTML editor specifically written to produce minimal and clean HTML, unlike its contemporaries, which produced bloated HTML.