Backend Security &Authorization Engineer

I design high-performance authorization engines,zero-trust architectures, and secure multi-tenant systems.

Specializing in systems where a single authorization bug can leak millions of records.

FAPI 2.0Zero Trust87K RPSmTLS X.509OpenZitiDPoP RFC 9449
go test -bench=. -benchtime=10s -cpu=20zsh
goos: windows
goarch: amd64 · cpu: Intel(R) Core(TM) i7-13700H
--- Running 150 concurrent goroutines for 10s ---
BenchmarkConcurrentLoad-20
✓ 504.4 ns/op 533 B/op 13 allocs/op
BenchmarkEvaluatorLatency-20
✓ 5031 ns/op 1522 B/op 37 allocs/op
--- gRPC Network Benchmark (10s sustained) ---
Total Requests: 874,280
Throughput: 87,411.40 req/sec ✓
Avg Latency: 1.7060 ms ✓
Error Rate: 0.00% (0 failures) ✓
PASS — 8.7× above 10,000 RPS target
87K
RPS
504
ns/op
Scroll to explore

What I Build

Four domains where I operate at production depth — not tutorial depth.

01 /

IAM & Authorization

Policy Decision Points, RBAC/ABAC engines, OAuth 2.1 / FAPI 2.0, DPoP token binding.

02 /

SaaS & Multi-Tenant Data

PostgreSQL RLS, tenant isolation at database layer, WORM audit ledgers, IPFS archiving.

03 /

Zero Trust Networks

OpenZiti dark services (0 open ports), mTLS X.509, cross-layer identity binding.

04 /

Distributed Systems

gRPC + Protobuf microservices, in-memory data structures, lock-free concurrency, sync.Pool.

Numbers That Matter

Measured on production-grade hardware under sustained load. Not synthetic. Not average.

LIVE DATA
LIVE
0RPS
gRPC Throughput
Policy decision requests/sec
LIVE
0ns/op
In-Memory Eval
Concurrent policy evaluation
LIVE
0ms avg
Network Latency
Including proto marshal/unmarshal
LIVE
0%
Error Rate
874,280 / 874,280 success
LIVE
0MB
Static RAM
For 10K policies in-memory
LIVE
0%
Tenant Isolation
DB-layer RLS, zero bypass
LIVE
0/op
Allocations
sync.Pool optimized, low GC
LIVE
0TCP
Open Ports
OpenZiti dark service, nmap Filtered
Test Environment
Intel i7-13700H (20 vCPUs) · 16 GB DDR5 · Go 1.22.0 · 150 concurrent goroutines · 10s sustained
standalone-policy-engine / benchmarks/results.md

Case Studies

Three production systems built from scratch. Each solving a real, high-severity security problem.

GogRPCProtobufRedis Pub/SubPostgreSQLsync.Pool

Microservice Authorization Bottleneck

  • Generic engines (OPA) suffer from AST traversal latency spikes under heavy load.
  • High GC memory pressure due to dynamic JSON object allocation per evaluation.
  • Mutex lock contention blocks parallel policy reads during hot reloads.
  • OPA requires ~150 MB+ RAM for 10K policies vs 25 MB for custom trie.

Defense-in-Depth

Security is not a feature. It's a layered architecture. Each layer assumes the one above it has already been breached.

NIST SP 800-207 Zero Trust Architecture
Defense-in-Depth Architecture
1
Network Layer
OpenZiti Dark Services · 0 open ports · mTLS
2
Application Layer
FAPI 2.0 · DPoP · JWT Claims · RBAC
3
Database Layer
PostgreSQL RLS · set_config per transaction
4
Audit Layer
WORM triggers · SHA-256 hash-chain · IPFS
↑ breached = next layer holds
01

Never Trust, Always Verify

Every request is authenticated and authorized regardless of network location. Internal does not mean trusted.

02

Assume Breach

Design systems as if the perimeter is already compromised. Lateral movement must be impossible even for authenticated identities.

03

Least Privilege

Every principal (user, service, token) receives the minimum permissions required — enforced at the database layer, not the UI.

04

Verify Explicitly

Authorization decisions use all available signals: identity, device state, location, and time — not just a valid token.

System Architecture

Interactive architecture diagrams for each project. Each layer is independently verifiable.

ARCHITECTURE
Standalone Policy Engine
In-Memory PDP Architecture
87,411 RPS504 ns/op13 allocs0% error
PEP ClientgRPCServerPolicyEngineRadixTrieRoleHierarchyDAGsync.PoolContextatomic.PointerCOW Swap

Skills Matrix

Technologies I use at production depth — each backed by a real shipped system.

Languages
Go (Golang)95%
TypeScript85%
SQL (PL/pgSQL)90%
Go (Golang)TypeScriptSQL (PL/pgSQL)gRPC / ProtobufNext.js (App Router)OAuth 2.1 / FAPI 2.0OpenZiti SDKPostgreSQL (RLS, Triggers)Redis (Pub/Sub, Cache)SupabaseZero Trust (NIST 800-207)mTLS / X.509 / DPoPWORM / Audit LedgersCryptography (SHA-256, ECC)Docker / Docker ComposeIPFS / Pinata SDKGit / GitHub ActionsVercel / Supabase Cloud

Commit Telemetry

Real commit activity pattern across 3 active security projects.

Rochthii
contributions · last year
Less
More
Languages
Go
58%
TypeScript
22%
SQL
14%
Other
6%
Active Repos
standalone-policy-engine
secure-fapi-zta
ptit-thesis-saas
Recent Commits
feat
feat: implement lock-free COW policy swap with atomic.LoadPointer
standalone-policy-engine · 2h ago
fix
fix: DPoP jti cache TTL hardening — prevent replay window edge case
secure-fapi-zta · 6h ago
feat
feat: add SHA-256 hash-chaining trigger for WORM audit ledger
ptit-thesis-saas · 1d ago
perf
perf: sync.Pool optimization reduces allocs from 37 to 13 per op
standalone-policy-engine · 2d ago
security
security: cross-layer binding Ziti identity ↔ token sub claim
secure-fapi-zta · 3d ago
feat
feat: IPFS archiving via Pinata SDK with CID stored in DB
ptit-thesis-saas · 4d ago

Ready to BuildSecure Systems?

Available for backend security contracts, architecture consulting, and authorization system design.

rochthii@gmail.com
Primary contact
Vietnam · Remote-first
Open to contracts
< 24h response
Download Full CV (PDF)
TIMEZONE
UTC+7 · Vietnam
Available Mon–Sat 08:00–22:00 ICT