Employment History
Sonatype Inc.
Staff Engineer, Tech Lead
Dec 2020 - Present
REMOTE Fulton, Maryland
Ken, upon realizing that product management was not satisfying for him, moved to a Staff Engineer role. He was often involved in teams dedicated to new concept prototypes, though was often involved in development for existing products as well.
Major product involvement
Maven Central
Maven Central (also known as the Central Repository or Maven Central Repository) is the largest and most widely used repository for Java and JVM-based libraries and dependencies. It is a microservice-based web service with tie-ins to Sonatype's Nexus Repository Manager for certain legacy features, as well as multiple databases and assorted AWS services. Ken works on the backend services, predominantly in Java and Rust.
Sonatype Developer
"Sonatype Developer" refers to a developer-focused interface and experience layer within Sonatype's Nexus IQ platform (also marketed alongside Sonatype Lifecycle). It's designed to bring security, open-source governance, and dependency management directly into the tools that developers use every day. Ken predominantly worked on the backend services.
Sonatype Lift
Sonatype Lift was a static analysis and automated code review tool created by Sonatype to help developers identify security vulnerabilities, bugs, and code quality issues in real time—directly inside their GitHub repositories. Ken predominantly worked on the backend services.
OSS Index
Development on OSS Index moved in a different direction during this period. OSS Index's data aggregation was merged with the commercial data aggregation processes, streamlining the required research processes and leading to a significant increase in research speed (and more vulnerabilities found!).
Notable Prototypes & Early-Stage Systems
Unnamed customer service expert system
The Maven Central development team itself is small, and alongside development also provides customer support for the service. This expert system was designed to assist the team in answering customer questions and resolving issues, particularly for new team members. It also integrated to the various Maven Central services and databases in order to provide real-time information about the state of the service. It was designed to be a "living" system, with the ability for team members to add new questions and answers, and to update existing ones.
SAST features for Sonatype Lifecycle
Sonatype prototyped SAST (static analysis) features for Sonatype Lifecycle, which aimed to identify security vulnerabilities in application source. The project was shelved due to shifting company priorities. This project involved a four-person development team.
Cloud Native (Sonatype for Azure DevOps)
Cloud Native was an initiative to refactor Sonatype's flagship product (Nexus Lifecycle) into a series of microservices which could be integrated. The first integration was with Azure DevOps. The project was shelved when Sonatype shifted their focus to Sonatype Lift. Development for this project was done by a two-person team (including Ken).
Novonix Inc
Consultant - Software Development
Nov 2022 - Oct 2024
REMOTE Halifax, Nova Scotia
Novonix is a battery-technology and materials company that plays a significant role in the lithium-ion battery industry. Ken was hired to work on a small "Skunkworks" team, which was dedicated to developing their new web-based battery testing and analysis platform. Ken was hired for full-stack development.
Key Contributions
  • Full-stack development of an Angular-based web application with a Python backend.
  • Led refactoring efforts to improve code quality and maintainability in both the front and back ends.
  • Headed the migration from Angular to React.
Notable Prototypes & Early-Stage Systems
"Ahead" battery testing and analysis software
The software would load battery testing data from hardware devices, and provide a web-based interface for analysis and visualization of the data. It was designed to be used by battery researchers and engineers to understand battery performance and characteristics.
Sonatype Inc.
Product Manager/Senior Software Developer
Jun 2017 - Dec 2020
REMOTE Fulton, Maryland

Upon acquisition of Vör Security by Sonatype, Ken worked as a senior software developer working on internal software security tools behind Sonatype's products. Shortly thereafter he transitioned to Product Manager of the software security teams.

Major product involvement
Automated Vulnerability Detection (AVD)
AVD encompasses a large set of programs and features that scrape the web and other sources to find vulnerabilities in open source software. It is the primary source of vulnerability data for Sonatype's products. Ken was first a developer and later the product manager for the AVD team.
Notable Prototypes & Early-Stage Systems
OSS Index
Though OSS Index was an "established" product at the time of acquisition, it was still considered an early-stage system, and advancement was not officially supported by Sonatype. Most progress occurred during "non-work" hours. Several new ecosystems were added: Alpine Linux, Cargo, Clojars, Cocoapods, Conan, Conda, Cran, Go, Swift.
Cheque (C/C++)
Identifies libraries used by your C/C++ projects and retrieves known vulnerabilities from OSS Index. Cheque attempts to be build-framework agnostic.
Nancy (go)
Nancy is a tool to check for vulnerabilities in your Golang dependencies. It works with both OSS Index and Nexus IQ Server.
[Management role] Bach (PHP)
Dependency vulnerability auditor for PHP. Works with both Composer and PEAR dependency management.
[Management role] Speedbump (Swift)
Audits Swift dependencies for known vulnerabilities.
STARTUP Vör Security (Previously TwoDucks Inc.)
CEO and Founder
Oct 2013 - Jun 2017
Ottawa
TwoDucks Consulting was incorporated in October 2013 and was later renamed Vör Security. After its incorporation Vör Security grew to a small company of three employees. Vör Security developed the free open source vulnerability tracking system, OSS Index; both the company and OSS Index were acquired by Sonatype in June 2017. During this time OSS Index added support for numerous ecosystems, tool integrations, and scanners.
Notable Prototypes & Early-Stage Systems
OSS Index
OSS Index is a free, publicly accessible vulnerability database and scanning service. It's designed to help developers and teams identify known security issues in open-source components. It supported a wide variety of ecosystems: Bower, Chocolatey, Debian, Drupal, Maven, npm, NuGet, PyPI, RubyGems, RPM.
Audit.js (npm)
Identifies vulnerabilities in your npm dependencies. It supports npm, yarn, bower, and Angular projects.
Audit.NET (Visual Studio)
Audit.NET is a Visual Studio extension that highlights NuGet package dependencies with security vulnerabilities.
DevAudit
DevAudit can scan your operating system and application package dependencies, application and application server configurations, and application code for potential vulnerabilities.
Maven plugin (java)
Identifies vulnerabilities in Maven dependencies.
Gradle plugin (java)
Audits a Gradle project to identify known vulnerabilities in its dependencies.
STARTUP Dalhousie University/Quantum Research Analytics
Senior Software Developer
June 2013 - July 2017
REMOTE Halifax, Nova Scotia

QRA is "building tools to reduce engineering and testing costs for highly complex systems in the aviation, automotive, and utilities industries. By combining cutting edge technology, including quantum computing, and the latest mathematical techniques, QRA is able to find design flaws very early in the development cycle. QRA is poised to be at the forefront of complex system design through partnerships with leading institutions and corporations."*

Notable Prototypes & Early-Stage Systems
QVTrace
Software for managing, visualizing, and mathematically verifying complex system models, intended for the aviation, automotive, utilities, and other industries requiring rigorous validation and verification. Ken built the front and back ends (full stack) for QvTrace, which managed the display, import, and storage of software system models, interfaced with a separate service to perform verification and validation, and provided a user-friendly interface for visualizing and debugging the identified issues.
References
  • QvTrace at the Wayback Machine (2002)
STARTUP KDM Analytics
Senior Developer & Software Architect
Mar 2007 - Oct 2013
Ottawa

KDM Analytics "is a security assurance company providing products and services for threat risk assessment and management, due diligence assessments, and information and data assurance."

Key Contributions
  • KDM Analytics' first developer, and the only developer for their first couple of years.
  • Architected, prototyped, and continued development of KDM Workbench, the company's flagship product.
  • Developed numerous prototypes and early-stage systems to support the company's engagements.
Notable Prototypes & Early-Stage Systems
KDM Workbench
A desktop application using reverse engineering and software analysis for visualization and data aggregation in support of software modernization. Features included static analysis (architectural violations, code smells, metrics), model transformation, and integrations to aid in understanding and updating of legacy enterprise code-bases.
ShamrockDB (internal name)
A custom database solution designed for high-performance visualization of complex code systems. For its very specific use case it outperformed traditional databases by orders of magnitude as well as being significantly faster than prevalent "NoSQL" solutions. It was used in KDM Workbench to store and visualize code models.
Unnamed code analysis platform
An Eclipse-based suite of tools and tool integrations used in large system analysis, specifically targeting Mergers & Acquisitions due diligence. Working in conjunction with KDM Workbench, it significantly improved the ability to analyze large code-bases, and was used in many M&A engagements. The platform supported almost every software language used in legacy (and modern) systems (yes, including COBOL and Fortran).
Unnamed binary decompiler
A tool designed to reverse engineer binary files, providing insights into the structure and behavior of compiled code. It aimed to assist in understanding legacy systems and identifying potential vulnerabilities.
STARTUP Klocwork
Senior software developer
Mar 2001 - Oct 2006
Ottawa
Klocwork grew rapidly as a company. Ken remained lead developer for many of the company's offerings, and was heavily involved in developing prototypes and experimental systems.
Key Contributions
  • Lead developer for Klocwork's defect reporting tool.
  • Lead developer for Klocwork's web-based defect management interface, "Project Central".
Notable Prototypes & Early-Stage Systems
Ken was heavily involved in prototyping new product features and ideas to demo to customers, usually performed under VERY tight timescales and vague requirements.
Unnamed SQL static analysis tool
This early prototype static analysis tool used pattern analysis of SQL code to identify common security vulnerabilities.
inSight Architect feature prototype
This customer demo code rendered bug traces (extracted using static analysis tools) on architecture diagrams.
Unnamed build log analyzer
Using build log analysis we extracted compilation information for C/C++ systems in order to properly extract code dependencies and relationships. This was required to produce accurate static analysis results.
Unnamed C/C++ include analyzer
A large enterprise customer had a problem with slow build times (an hour or more). The solution was to use Klocwork data to simplify dependencies by reducing file includes, resulting in build speed improvements of over 30%. This was custom work performed on the customer's site.
Unnamed customer support troubleshooting expert system
This decision-tree based troubleshooting system was used extensively by the customer support team to resolve customer problems on a daily basis. It reduced resolution time significantly, and in particular reduced the number of tickets that had to be escalated.
Unnamed customer support information aggregator
This system aggregated and cross-referenced the information from customer problem reports and internal bug reports, which helped ensure that no customer problems were lost.
STARTUP TwoDucks Consulting
Freelance Developer
May 2002 - Oct 2013
REMOTE Ottawa
Ken did freelance software development work for a variety of small clients. Often these were small maintenance projects, with the occasional prototype or early-stage system.
Notable Prototypes & Early-Stage Systems
Unnamed shopping cart system
A custom shopping cart for a small software business.
Unnamed custom CMS
A minimal CMS with built-in scheduling and a contact page.
Unnamed hardware driver code maintenance
Upgrade/port of a Linux kernel driver module for a scientific photon counting board, for use in LIDaR (Light Detection and Ranging or Laser Imaging Detection and Ranging) applications. The upgrade involved porting from a Linux 2.2.x kernel to a 2.4.x kernel, and also required fixes to bugs found in counting board operations under extreme operating conditions. The LIDaR application involved the remote installation and operation of the equipment in the High Arctic and therefore required a high degree of stability.
Unnamed inventory management and e-commerce software
A custom inventory management and e-commerce platform for a small retail business. This software manages the inventory across multiple store locations, and provides a web interface for managing the inventory and sales. It also provides a web-based e-commerce interface for customers to browse and purchase products online. Existing inventory management and e-commerce software was not suitable for the business's needs.
Nortel Networks
Software developer/Senior software developer
May 1997 - Mar 2001
Ottawa
Returning to Nortel Networks, Ken continued his work as the sole developer on the "inSight" project, a continuation of his internship work. The architecture prototype was further developed into a full-fledged software product. Ken was the software architect and lead developer in the group, and developed desktop software as well as full-stack web applications. The team/project continued to grow and was incubated to spin out of Nortel Networks to become a separate company, Klocwork. Ken remained the primary developer at this time, though several contractors were working remotely on the project.
Key Contributions
  • Assumed ownership of, and subsequently headed development of, the inSight Architect product.
  • Re-architected the inSight database and product to increase product speed by an order of magnitude.
  • Project leader in supporting one of the lead customers of inSight, valued at over $700K.
  • Developed several tools and customizations required by our lead customer.
Notable Prototypes & Early-Stage Systems
These prototypes were self-guided initiatives that became part of the inSight product line.
inSight X-Ref
A cross-reference tool for languages supported by inSight (Java/C/C++) -- this was before Java IDEs became widespread, but remained in the product afterwards due to its value when exploring codebase architecture.
inSight webapp
A web-based application for exploring software architecture and related data. This saw significant use due to the complexity of the desktop application's installation. Most developers used the web app, and the desktop application was used by architects and others who needed the additional features it provided.
Nortel Networks
Software developer (internship)
May 1995 - Aug 1996
Ottawa
Ken was hired as an intern into a new research project with the goal of reverse engineering software systems into a high-level modeling language for use in training and software improvements. The work he did here helped lay the foundations for the inSight architectural analysis tool, which became the foundation for the spin-off company "Klocwork".
Notable Prototypes & Early-Stage Systems
Unnamed architecture extraction product
This prototype extracted static and dynamic architecture information from a telecommunications product written in a proprietary language called Protel. Architectural components were extracted by file analysis. Animation/simulation of the system showing component interactions was accomplished through automated translation of the Protel functionality into SDL (Specification and Description Language).
STARTUP Hypertech Initiatives Inc.
Senior software developer
May 1995 - Dec 1996
REMOTE Ottawa
Hypertech Initiatives Inc. was a small software development company that specialized in developing custom internet software solutions. They created the initial website (complete with search engine) for "Yellow Pages Limited".
Notable Prototypes & Early-Stage Systems
ScapeGoat
Graphical HTML editor which was specifically written to produce minimal and clean HTML, unlike its contemporaries, which produced bloated HTML.