I am a software and business development lead with over eight years of experience, currently working for Grey Parrot IO Ltd.
I have more than six years of experience in fintech and enterprise banking software development, encompassing payments and collections (receivables and payables), bancassurance, cash management, and direct debit, among others, across Ghana, Zambia, Ivory Coast, and other African markets.
I have worked as the technical, product, and business lead on a wide range of enterprise applications, and I have extensive experience in ETL implementations.
My expertise lies in platform integrations and enterprise software development.
I am an advocate for security as a first-class citizen, not an afterthought in software development.
I support simple architecture and am not a fan of complexity.
I prefer to use the simplest architectures for solutions.
I prioritize functionality over aesthetics and believe in building a solution that works first before
making it look appealing. (Nice code doesn't generate income, but working code does.)
I am also a part-time application security tester, i.e., testing the vulnerability of applications I use
in my everyday life.
Please, if you are reading this, ensure your applications don't have a BOLA vulnerability.
Software exists to solve the problem; if there is no clearly defined problem for the software to
solve, then there is no need for the software.
Think about the business value of the line of code you write; if that line is not giving business value, then it is not needed.
I don't like fancy things; I just love software that works and is secure.
Download my CV here
Responsible for high-value client implementations
Responsible for organizational strategic management
Project manager and lead developer for a school management system. This was forked from an open source project and customised for the Ghanaian market
Responsible for enterprise integrations with other organizations
Part of the team for building and deploying an enterprise collections management platform for a Pan-African bank
Lead for building Unstructured Supplementary Service Data (USSD) applications
Researched and built software applications to automate processes, and organized workshops for the college
Automated all internship processes for students and lecturers in the college
In 2017, I found out that OMGVoice's website was vulnerable to XSS.
They redesigned the site shortly after I informed them, and the new one doesn't have such a vulnerability.
In 2022, I discovered two security vulnerabilities on the official site of the DVLA, i.e., the Driver and Vehicle License Authority in Ghana.
The site used users' phone numbers as both usernames and passwords for users who did not change their default password after logging in for the first time, which is probably 99% of users.
This was a big concern, as once entered, you aren't forced to reset your password; hence, you could access
anyone's account if you know their phone number (both at the UI and API level).
The problem this poses is that a bad actor can write a script to randomly generate giant records of phone
numbers and then use the API to authenticate the generated phone numbers.
If authentication is successful for a phone number, the person can then obtain other PII such as DOBs, emails,
identification card details, etc.
The second vulnerability was excessive information exposure.
The site also had information such as fingerprint information (that is, the format in which fingerprint information is stored) exposed on the API but not displayed on the UI.
This also poses a significant security problem.
I informed DVLA of my findings, and for the first problem they have since implemented an OTP that is sent to the user's phone for confirmation as part of the authentication process.
For the second, they have taken out the fingerprint information that was returned in the API response.
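As an added illustration of the two fixes described above (this is example code written for this page, not DVLA's code or their actual implementation), the login flow below refuses to let a phone-number default credential past a forced reset, requires an OTP step before a session is issued, and serialises profile data through a field allowlist so that a stored biometric template can never reach an API response. The in-memory store, the PBKDF2 parameters, the 12-character minimum and the `otp_verified` flag (standing in for an OTP service that is assumed to exist elsewhere) are all assumptions of the example.

```python
import hashlib
import hmac
import os

# In-memory user store for the example (constructed; stands in for a database).
USERS = {}

# Only these record fields may ever leave the server in an API response;
# the biometric template is deliberately absent from the list.
PUBLIC_FIELDS = ("phone", "dob", "email")


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; the iteration count is an example setting, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def is_default_credential(phone, password):
    """True when the password is just the phone number in some obvious spelling."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    candidates = {phone, digits, digits.lstrip("0"), "0" + digits.lstrip("0")}
    return password.strip() in candidates


def create_user(phone, password, dob, email, fingerprint_template):
    """Provision an account; a default (phone-as-password) credential forces a reset on first login."""
    salt = os.urandom(16)
    USERS[phone] = {
        "phone": phone,
        "salt": salt,
        "digest": _hash_password(password, salt),
        "must_reset": is_default_credential(phone, password),
        "dob": dob,
        "email": email,
        "fingerprint_template": fingerprint_template,  # stored server-side, never serialised
    }


def set_password(phone, new_password):
    """Reject the phone number (in any spelling) and short passwords; clear the reset flag on success."""
    rec = USERS[phone]
    if is_default_credential(phone, new_password) or len(new_password) < 12:
        return False
    rec["salt"] = os.urandom(16)
    rec["digest"] = _hash_password(new_password, rec["salt"])
    rec["must_reset"] = False
    return True


def public_profile(rec):
    """Allowlist serialisation: fields not named in PUBLIC_FIELDS cannot leak by accident."""
    return {k: rec[k] for k in PUBLIC_FIELDS}


def login(phone, password, otp_verified=False):
    """Return {'ok': True, 'profile': ...} or {'ok': False, 'reason': ...}."""
    rec = USERS.get(phone)
    # Hash even for unknown users so response timing does not reveal which phones exist.
    salt = rec["salt"] if rec else os.urandom(16)
    digest = _hash_password(password, salt)
    if rec is None or not hmac.compare_digest(digest, rec["digest"]):
        return {"ok": False, "reason": "invalid_credentials"}
    if rec["must_reset"]:
        return {"ok": False, "reason": "password_reset_required"}
    if not otp_verified:  # the OTP challenge itself is assumed to be handled by another component
        return {"ok": False, "reason": "otp_required"}
    return {"ok": True, "profile": public_profile(rec)}


if __name__ == "__main__":
    create_user("0241234567", "0241234567", "1990-01-01", "user@example.com", b"\x01\x02\x03")
    print(login("0241234567", "0241234567"))  # password_reset_required
    set_password("0241234567", "correct horse battery staple")
    print(login("0241234567", "correct horse battery staple", otp_verified=True))
```

The allowlist in `public_profile` is the important design choice for the second finding: a denylist that strips "fingerprint" would silently start leaking the next sensitive column added to the record, whereas an allowlist fails closed. A real deployment would also rate-limit and log failed logins per phone number, since the page's first finding is only dangerous at scale.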
There are other vulnerabilities I have found in other applications, including fintech apps and even telecom applications.
Unfortunately, I can't post them here as they still exist and can be exploited.
If they are resolved, I will post them here.
But the key takeaway is this: please take application security very seriously.
Apart from being a software developer, I enjoy most of my time being indoors.
I am an avid fan of history, especially world war histories.
I also delight in reading a lot about military strategies and technological innovation, as well as business and financial articles.
To force myself to release early and often, I have listed some of my projects/articles that are in progress
in their draft form.
The rationale is to experience the shame of having an unfinished project or article in the open and to force myself to complete it to avoid such shame 🤣🤣🤣🤣