Author: roger

  • 2025 IncThread Full Stack SaaS Development

    Scope: Founder, Application Architect, and Platform Engineer
    incthread.com


    Situation:

    Small-to-midsize screen printing and embroidery shops often rely on outdated ERP systems or disconnected manual workflows to manage orders, approvals, artwork, and customer interactions. Through direct conversations with print shop owners, I identified an opportunity to build a modern, all-in-one platform tailored to their real-world operational needs.


    Task:

    Build a scalable, full-featured SaaS platform that automates core business functions for custom print shops—combining eCommerce, mockup generation, order approval workflows, and supplier integration into a single, intuitive system.


    Action:

    As the sole engineer and founder, I led the platform from concept to production, driving architecture, development, and deployment:

    • Platform Architecture: Combined WooCommerce (WordPress) for eCommerce with custom PHP plugins for order workflows and Python microservices for backend logic and automation.
    • Mockup Generator: Built an in-browser artwork editor using Fabric.js that lets users drag, position, and preview artwork on apparel templates—dynamically tied to product variations.
    • Quote & Payment System: Designed a multi-step quoting workflow with automated pricing logic, email approvals, and Stripe-based payment triggers.
    • Inventory Integration: Integrated with the S&S Activewear API to sync live product data, inventory, and automate garment ordering.
    • Import Tools: Wrote Python-based REST API clients to manage bulk imports of SKUs, mockups, and pricing data, reducing admin workload.
    • Infrastructure: Deployed on a hardened Debian LAMP stack with Apache and MySQL; future-ready for containerization and CDN optimization.

    Result:

    • Production-Ready MVP launched and trialed with multiple real-world print shops, validating UX and workflow coverage.
    • Built a scalable feature foundation that supports custom artwork workflows, pricing automation, and product sourcing.
    • Platform actively being pitched to early customers, with positive feedback driving roadmap development and investor interest.
    • Incorporated forward-looking capabilities like AI-based artwork validation (e.g., resolution checks, print-readiness scoring), positioning IncThread competitively against legacy systems.

    IncThread represents my end-to-end ability to conceive, architect, and engineer real-world SaaS solutions—blending full-stack skills, business insight, and hands-on delivery.

  • 2024 Capris Security Assessment

    Scope: Client-Side Infrastructure Security Review & Remediation

    Summary: I was engaged by a client to independently validate and expand upon a vulnerability assessment report previously conducted by a third-party contractor. The report focused on seven interconnected web applications, each with unique objectives and security profiles critical to the client’s infrastructure.

    Tasks:

    • Review the original vulnerability assessment report
    • Validate findings and assess accuracy
    • Conduct a deeper, independent security audit
    • Identify overlooked vulnerabilities
    • Develop and execute a comprehensive remediation plan
    • Coordinate with the original assessment team for final verification

    Actions:

    While the third-party report covered surface-level issues, it missed a dozen or more critical vulnerabilities—primarily due to a lack of familiarity with the underlying CMS technologies (primarily WordPress) and custom application logic. For example:

    • No enumeration or assessment of vulnerable WordPress plugins
    • No review of insecure custom logic and business workflows
    • Lack of testing around access control and input sanitization

    Additionally, I worked directly with the business's internal teams over a multi-week engagement, performing actions such as:

    • Manually validated each finding from the original report and expanded coverage with my own black-box and white-box testing
    • Conducted a CMS-aware audit, discovering misconfigurations, outdated components, and plugin vulnerabilities
    • Reverse-engineered custom application flows to uncover logic flaws and insecure implementations
    • Created a prioritized remediation gameplan, balancing business risk and development effort
    • Remediated vulnerabilities directly by patching code, hardening server configurations, and removing insecure plugins
    • Worked with the original assessment vendor to verify that all issues had been mitigated to their satisfaction

    Results:

    All sites were successfully hardened, patched, and revalidated, improving the client’s security posture significantly. This engagement emphasized my ability to critically evaluate third-party assessments, identify gaps, and provide end-to-end remediation and coordination with multiple stakeholders. The third-party security auditing team confirmed and validated the remediation and controls I implemented, concluding the engagement.

  • 2024 YClas Application Architecture for AI Integration

    Scope: Application Architect, AI API Integration, and SRE Leadership


    Situation:

    Yclas is a white-label classifieds SaaS platform serving global customers with customizable, self-hosted or cloud-hosted marketplace solutions. I was brought in during a period of accelerated feature development and infrastructure evolution, with the goal of expanding platform capabilities, modernizing architecture, and improving stability.


    Task:

    My primary objectives were to:

    • Propose, architect, and implement AI-powered features to enhance platform value
    • Lead a small development team to deliver scoped features across frontend, backend, and DevOps
    • Improve infrastructure reliability and observability through SRE-focused initiatives
    • Identify and remediate architectural inefficiencies and technical debt

    Action:

    • AI API Integration: Designed and implemented a new modular AI pipeline that leveraged third-party APIs (e.g., OpenAI) to assist users in listing generation and content moderation.
      • Architected secure API routing and fallback logic
      • Ensured compliance with usage rate limits and error handling best practices
      • Developed configurable admin settings for customers to enable/disable AI features
    • Team Leadership:
      • Led a small, remote team of developers and stakeholders
      • Wrote detailed implementation specs and reviewed pull requests for backend (PHP) and frontend (jQuery)
      • Coordinated weekly standups and sprint retrospectives
    • Site Reliability Engineering (SRE):
      • Hardened MySQL database configurations for performance and availability
      • Coordinated feature deployment workflows to reduce downtime, achieving all sprint milestones
      • Set up custom application logging and health checks for proactive monitoring
      • Assisted in debugging critical performance issues caused by ORM query misuse and unbounded parameterization.

    Result:

    • Successfully delivered AI-assisted listing features to production—boosting user engagement and positive customer feedback
    • Reduced incident response times and deployment-related downtime through improved observability and CI/CD hygiene
    • Helped modernize Yclas’s technical architecture and workflows, enabling smoother scaling for both self-hosted and managed instances
    • Strengthened team velocity and cross-discipline collaboration between backend, frontend, and ops contributors

    This engagement highlights my ability to blend application architecture, AI integration, technical leadership, and SRE discipline—all while working across a fast-moving SaaS platform with real users and uptime expectations.

  • 2023 Ultimay Security Assessment

    Application Penetration Testing & Remediation Guidance for a SaaS Platform

    Category: B2B SaaS (Project & Client Management for Marketing/Software Agencies)
    Stack: Debian, Apache, PHP (Laravel), JavaScript (Angular), Python Microservices

    I was brought in by the Ultimay engineering leadership to perform a targeted security assessment of their flagship SaaS platform, which supports project management workflows across multiple roles—Owner, Manager, Developer, and Customer.

    🎯 Scope of Engagement:

    • Full-scope authenticated web application pentest
    • Coverage of multi-role permission testing and custom file handling logic
    • Direct collaboration with the internal development team to review security architecture and advise on remediation
    • Bonus input into feature architecture for safer future implementations

    🛠️ Tools & Methodology:

    I performed a thorough black-box and authenticated assessment using:

    • nmap for port and service enumeration
    • OpenVAS for infrastructure-level vulnerability scanning
    • Burp Suite for proxy-based web testing and XSS/IDOR exploitation
    • Nikto and Dirb for directory traversal and server misconfiguration discovery
    • Custom multi-user testing scripts to simulate role-based access control abuse scenarios

    🚨 Key Findings:

    I discovered multiple high-impact vulnerabilities, including:

    • Stored Cross-Site Scripting (XSS) across project notes and comment interfaces, allowing persistent JavaScript injection and potential session hijacking via stolen cookies
    • Insecure Direct Object References (IDORs) enabling cross-account access to documents, client notes, and internal timelines by manipulating resource identifiers
    • Remote Code Execution (RCE) via a race condition in the file upload and zip handler, where a malicious PHP payload could be temporarily executed before sanitation logic was applied

    🤝 Outcome:

    I worked hands-on with the internal engineering team to:

    • Reproduce and patch all identified issues with proper input validation, session scoping, and secure file handling
    • Build unit tests and regression logic to prevent future reintroduction of similar bugs
    • Advise on secure-by-design principles for upcoming features in their roadmap

    This engagement demonstrated my ability to combine deep application security knowledge with collaborative engineering processes, ensuring that Ultimay could ship safer code with confidence.

  • 2022 SyncOrStream Full Stack SaaS Development

    Stack: Next.js hosted on AWS

    SITUATION
    An independent artist platform needed a secure SaaS application for uploading, managing, and distributing audio content to fans and business collaborators. The client’s vision was to allow full-length track distribution to verified users while offering public previews to unregistered listeners — all without risking unauthorized access or scraping.

    TASK
    I led platform architecture, DevOps, and security strategy, while also contributing independently as a full-stack developer on the Next.js (React) codebase. My core responsibility was to design a media delivery system that enforced access controls based on user roles and subscription level while protecting artist-uploaded content from leakage, piracy, or direct-link abuse.

    ACTION

    • Designed and implemented a role-based access control (RBAC) system across artist, business, and fan user types
    • Built a token-based gating system for full track streaming and downloads, with expiring URLs tied to active sessions
    • Developed backend media playback rules to prevent scraping or replay of audio files through direct URLs
    • Hardened the system against enumeration attacks, improper role escalation, and unauthorized asset exposure


    RESULT
    The platform launched with scalable audio delivery, secure gated access, and zero incidents of unauthorized file exposure. Artists were able to confidently share high-quality versions of their work with verified partners, while the general public accessed limited previews — maintaining content protection without compromising user experience.

  • 2022 DormMom Security Engineering

    Scope: Python Test Automation & High-Impact Security Vulnerability Discovery

    Summary: I was initially brought in by DormMom to build comprehensive Selenium-based test units for their CI/CD pipeline. This testing suite focused on validating role-specific functionality across multiple user types, including end users, managers, and franchise owners.

    My relationship with the client expanded after I proactively identified and reported a critical bug during testing—leading to a formal security testing engagement that uncovered multiple high-severity vulnerabilities.


    Tasks:

    • Design and implement automated UI test coverage for key features
    • Ensure stable, role-aware test logic for Franchise, Manager, and User workflows
    • Proactively identify bugs or gaps in the frontend/backend interface
    • Scope and execute a targeted security assessment of the user portal
    • Report vulnerabilities with technical recommendations

    Actions:
    Through manual security testing and code behavior analysis, I uncovered two Broken Access Control vulnerabilities (IDOR) with significant impact:

    1. Full Account Takeover via Hidden Input Tampering
      • A hidden form field containing the user ID could be manipulated to modify the email of any account.
      • This allowed an attacker to trigger a password reset and gain full access to victim accounts.
      • OWASP Category: Broken Access Control → Insecure Direct Object Reference (IDOR)
    2. Lateral User Data Manipulation via ID-based Input/OnClick Handlers
      • Multiple frontend features improperly exposed database user IDs via onclick handlers and input value fields.
      • This allowed users to update or overwrite data associated with other users of similar privilege (agents, clients).
      • Affected features included phone number updates, special instructions, and widget configuration.
    • Wrote dozens of Python Selenium test units, validated across multiple roles and edge cases
    • Delivered automated coverage for onboarding flows, franchise management, and user profile handling
    • Identified a serious bug in the user profile logic and initiated security testing scope
    • Manually tested frontend inputs and network behavior to uncover IDOR logic flaws
    • Documented and disclosed vulnerabilities with annotated screenshots and impact analysis
    • Delivered practical, low-friction security recommendations aligned with DormMom’s architecture
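    The two access control flaws above beside the session-based handling the engagement recommended, as an added example (not DormMom's code): the account being edited is taken from the server-side session rather than a hidden field, and records that must still be addressed by id are checked for ownership before any write. The in-memory users and widgets are constructed sample data.

```javascript
// Added example (not the project's code): hidden-field IDOR next to its fix.
// Constructed sample data standing in for the database.
const users = new Map([
  [1, { email: "alice@example.test" }],
  [2, { email: "bob@example.test" }],
]);
const widgets = new Map([[10, { ownerId: 1, config: "default" }]]);

// Vulnerable pattern: the target account is read from a hidden form field,
// so any logged-in user can rewrite any other user's email.
function updateEmailVulnerable(req) {
  const target = users.get(Number(req.body.userId));
  if (!target) return { status: 404 };
  target.email = req.body.email;
  return { status: 200 };
}

// Hardened pattern: the target is always the session's own account and the
// client-supplied id is ignored entirely.
function updateEmailSecure(req) {
  if (!req.session || !Number.isInteger(req.session.userId)) return { status: 401 };
  const target = users.get(req.session.userId);
  if (!target) return { status: 404 };
  target.email = req.body.email;
  return { status: 200 };
}

// Lateral case: a record id must still be accepted (a user owns many widgets),
// so ownership is authorized server-side instead of trusting the onclick value.
function updateWidgetSecure(req) {
  if (!req.session || !Number.isInteger(req.session.userId)) return { status: 401 };
  const widget = widgets.get(Number(req.body.widgetId));
  // 404 rather than 403 so the endpoint does not confirm which ids exist.
  if (!widget || widget.ownerId !== req.session.userId) return { status: 404 };
  widget.config = req.body.config;
  return { status: 200 };
}

module.exports = { users, widgets, updateEmailVulnerable, updateEmailSecure, updateWidgetSecure };
```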

    Results:

    • The owner commended my test coverage and code quality, and welcomed the security audit findings
    • Both vulnerabilities were acknowledged and prioritized for remediation
    • I provided a secure session-based handling recommendation, helping DormMom move toward proper role isolation and access control

    This engagement showcases my ability to move fluidly between automated QA, security testing, and secure coding consultation—delivering tangible value and trust across the software development lifecycle.