Skip to content
View msuliq's full-sized avatar

Block or report msuliq

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
msuliq/README.md

Hi, I'm Suleyman

I'm a senior backend and distributed-systems engineer who likes hard problems and ships them as production code. Right now I'm the sole architect of the authentication, identity, and certificate-issuance platform at a top-10 certificate authority - designing the distributed services, scaling issuance through 10x growth, writing the cryptography and algorithms underneath, and, because attackers come with the territory, running the fraud and abuse defense too.

What I do:

  • Distributed systems & architecture - extracted authentication into a standalone service with cross-service sessions; built multi-perspective certificate validation (MPIC) with quorum across vantage points; designed the API servers, async workers, and audit pipelines around them.
  • Scale & performance - scaled a backend through 10x growth in issuance; cut latency up to 5x by killing N+1s, a hot-path regex, and a write storm, and by reworking batch jobs into per-record fan-out.
  • Algorithms & cryptography - PKI and X.509, memory-hard password hashing, and post-quantum signatures (ML-DSA / FIPS 204); 14 gems published to RubyGems (~50k+ downloads).
  • Correctness in money & state - idempotent billing, atomic multi-step writes, and APIs that stay backward-compatible as they grow.
  • Auth & identity - OAuth2, OpenID Connect, SAML/SSO, and session architecture, as the provider, not just the client.
  • Fraud, security & abuse - detection and defense at a CA where attackers probe daily (a few examples below).

A few security wins I can talk about publicly:

  • Shut down months-long attacker reconnaissance across authorization, invitation, password-enumeration, and role-hijacking paths - every probed vector closed in code before exploitation.
  • Bot and fake-account defense at 1,000+ fake signups/day, including countermeasures against human CAPTCHA-solving farms.
  • Killed an SMS pumping attack burning ~$2,500/day - built and deployed the fix in 4 days; losses $0 since.
  • Stopped a persistent session-hijacking attacker who survived password resets, 2FA resets, and full endpoint forensics.

Open source

Fourteen published gems (~50k+ RubyGems downloads), across the areas I work in.

Security, PKI & certificates

  • domain_sanity - strict domain-name validation the way a CA must do it: RFC 1035, IDN/punycode, Public Suffix List, CA/Browser Forum wildcard rules, IP and reserved-range detection
  • csr_peek - safe CSR and X.509 certificate inspection: SANs, key strength, weak-signature checks, and a pluggable Baseline Requirements policy, no runtime dependencies
  • svg_sentinel - lint or sanitize untrusted SVG: blocks scripts, event handlers, XXE, and external references, with a CLI and SARIF output for CI
  • ip_geo_lookup - zero-dependency IP geolocation for fraud scoring and access control

Authentication & identity

  • omniauth_oidc - OmniAuth strategy for OpenID Connect, first-class Microsoft Entra ID support
  • openid_config_parser - fetch and parse OpenID Connect discovery configuration from any issuer endpoint
  • oidc - OpenID Connect server and client library

Cryptography & post-quantum

  • ml_dsa - Ruby C extension wrapping ML-DSA (FIPS 204), the post-quantum digital signature standard
  • pqc_asn1 - minimal ASN.1/DER/PEM/Base64 codec for post-quantum key serialization
  • balloon_hashing - pure Ruby Balloon memory-hard hashing (SHA-256, SHA-512, BLAKE2b)
  • yescrypt - Ruby C extension wrapping the yescrypt password hashing algorithm

Ruby & Rails utilities

Writing

Ruby/Rails, Python, C/C++, SQL. Before engineering: quantitative trading - risk modeling turned out to be good training for distributed systems and for fraud alike.

Open to senior/staff roles in backend, distributed systems, platform, and security engineering. US-remote (UTC+5, comfortable with US overlap).

Pinned Loading

  1. omniauth_oidc omniauth_oidc Public

    Omniauth strategy to authenticate and retrieve user data using OpenID Connect (OIDC)

    Ruby 13 2

  2. ip_geo_lookup ip_geo_lookup Public

    Zero-dependency IPv4/IPv6 geolocation lookup with embedded MaxMind database

    Ruby

  3. balloon_hashing balloon_hashing Public

    Pure Ruby implementation of the Balloon Hashing algorithm

    Ruby 1

  4. yescrypt yescrypt Public

    Ruby C extension wrapping the yescrypt password hashing algorithm

    C 1