# Muhammad Kashif Raza — Portfolio > Muhammad Kashif Raza is an Application Security Engineer with a Full Stack Background (MERN) based in Dubai, United Arab Emirates. This single-page portfolio has two modes: a developer profile and an application-security / red-team profile. All facts below come from the site's own content data. - Website: https://www.kashifraza.dev - Email: kashiraza102004@gmail.com - GitHub: https://github.com/kashiraza01 - LinkedIn: https://www.linkedin.com/in/kashif-raza-se - Location: Dubai, United Arab Emirates ## About I engineer full-stack systems that scale—and resist attack. With 2+ years building ERP/CRM platforms using MERN, TypeScript, and Next.js, I specialise in backend-heavy architecture, API design, and system integrations. But I don't stop at "it works." I ask: "Is it secure by design?" My security focus isn't theoretical. I apply OWASP guidelines to real projects: hardening authentication flows, implementing parameterised queries to prevent injection, and designing RBAC systems that follow least-privilege principles. I'm currently deepening my hands-on security skills through structured labs, vulnerability research, and automation scripting (Python/Bash). What I bring to teams: senior-capable full-stack engineering (scalable backends, clean API contracts, performance optimization), security-aware development (threat modeling in design, secure coding patterns), and hybrid value—I bridge the gap between dev and security, reducing rework and accelerating secure delivery. ## Security Profile Red Team Enthusiast & Security Researcher. Transitioning from senior software engineering into offensive security and red teaming. I leverage deep knowledge of application architecture, API design, and system internals to identify and responsibly disclose vulnerabilities. Focused on application security, IDOR research, API misconfigurations, OWASP Top 10 hardening, and Python/Bash automation for security testing. Focus areas: Application Security, API Security Testing, OWASP Top 10, IDOR Research, Secure SDLC, Python/Bash Automation. ## Experience ### Software Consultant — Knack International Accounting & Management Services (September 2025 – Present, Dubai, United Arab Emirates) Technical Software Consultant specialising in secure, scalable ERP/CRM architecture and backend engineering with Next.js/Node.js. Addressed fragmented business processes by designing modular architecture patterns, process automation workflows, and event-driven systems. Proactively conducted vulnerability assessments and implemented defence-in-depth patterns including input validation, secure authentication, and least-privilege access controls. Bridged business stakeholders and engineering teams by translating operational requirements into technical specifications. - Designed modular, secure ERP/CRM architecture for multi-region deployments across UAE and Pakistan - Built resilient APIs and Kafka-based microservices supporting 50K+ daily transactions - Embedded OWASP principles and led 6–12 engineer teams through secure delivery cycles Tech: Next.js, Node.js, Kafka, PostgreSQL, Docker, OWASP ### Software Engineer — Knack International (October 2024 – August 2025, United Arab Emirates) Specialised in developing and maintaining PWAs using Next.js for the frontend, Express.js for backend services, and MySQL for database management. Established patterns for component reusability, API consistency, and security-conscious input handling. Enabled secure in-house deployment of internal applications including chat and inventory management with audit-ready configurations. - Developed Progressive Web Applications with Next.js and Express.js backends - Architected MySQL data layers with secure, maintainable query patterns - Configured in-house deployment for internal tools with environment-specific security controls Tech: Next.js, Express.js, MySQL, PWA, Linux ### Associate Software Engineer — XpertDigi (September 2023 – September 2024, Lahore, Pakistan) Backend-focused development specialising in real-time applications and CRM systems using the MERN stack and Next.js. Solved real-time communication challenges with Socket.io, persistent connection management, and message queuing. Automated sales workflows through intelligent form design and pipeline orchestration. - Engineered WebSocket chat platform supporting 500+ concurrent users with ~200ms delivery - Built custom CRM solutions with Next.js, Node.js, and MongoDB - Delivered full-stack REST APIs with consistent data contracts and error handling Tech: Next.js, Node.js, Socket.io, MongoDB, React ### Web Development Intern — United Computer Solutions (June 2023 – August 2023, Lahore, Pakistan) Gained foundational experience in modern frontend development by contributing to React.js component development and UI implementation in a professional setting. - Contributed to React.js component development and UI implementation - Learned component lifecycle, state patterns, and collaborative workflows - Built foundation for professional full-stack engineering practice Tech: React, JavaScript, HTML, CSS ## Security Experience ### Security-Aware Architecture & Assessment — Knack International (2024 – Present) Applied application security engineering alongside full-stack delivery: threat modeling during architecture reviews, secure coding checkpoints in code review, and proactive hardening of authentication and data-access layers across enterprise systems processing 50K+ daily transactions. - OWASP-aligned architecture for multi-tenant ERP deployments - Input validation and parameterized data access patterns - Security-conscious in-house deployment configurations ### Application Security Researcher — Independent Security Research (2024 – Present) Hands-on security research bridging development expertise with offensive testing: interactive labs demonstrating IDOR exploit and remediation paths, automated email threat classification, and structured vulnerability research workflows. - IDOR lab with vulnerable vs hardened comparison targets - AI-assisted phishing email risk scoring pipeline - Open-source tools for API RBAC endpoint testing ## Projects - [SifGen — WPS SIF File Generator](https://www.sifgen.com/): Free browser-based tool for UAE employers to generate WPS Salary Information Files (SIF) instantly. Supports bulk Excel/CSV import, IBAN validation, and outputs EDR & SCR records — all processed 100% client-side with zero data storage or registration. (Next.js, TypeScript, React, MUI) - [ERP Notifications — Kafka & WebSockets](https://github.com/kashiraza01/erp-notifications-kafka-websockets-invoicing): High-throughput, event-driven orchestration layer distributing enterprise real-time updates via decoupled microservices. Apache Kafka ingests invoicing actions; WebSockets stream sub-second status notifications to reactive UIs. (Node.js, Kafka, Socket.IO, React) - [JWT Hardening Monorepo](https://github.com/kashiraza01/JWT-Token-Checks-And-Refresh-Scenario-Lab): Production-grade JWT authentication monorepo featuring Redis-backed refresh token rotation, breach detection via family wipe on token reuse, algorithm confusion prevention (HS256 pinning), XSS/CSRF mitigations, and a Next.js security lab workspace for live attack-and-defence scenarios. (Node.js, Express, TypeScript, Redis, Next.js, Docker) - [WebSocket Resilience — React Native](https://github.com/kashiraza01/web-socket-reselience-with-react-native): Fault-tolerant network engine managing resilient WebSocket links across unstable mobile interfaces with exponential backoff, heartbeats, and offline message queues. (React Native, Expo, WebSocket, JavaScript) - [React Native Performance Demo](https://github.com/kashiraza01/React-Native-Performance-Optimization): Hands-on demo taking a React Native list from 12 FPS → 60 FPS across 5,000 invoice records. Showcases three targeted fixes — React.memo, useMemo, and FlatList virtualization props — with a live FPS counter and side-by-side toggle between unoptimized and optimized modes. (React Native, Expo, TypeScript) - [PostgreSQL Optimization](https://github.com/kashiraza01/postgres-optimization): Performance blueprint for PostgreSQL and Sequelize demonstrating indexing strategies, N+1 countermeasures, and transaction control for low-latency queries at scale. (PostgreSQL, Sequelize, JavaScript) - [Email Cleanup Service](https://github.com/kashiraza01/Email-Cleanup-Service): Production-ready full-stack platform for secure OAuth2 Gmail linking, sender analytics, and asynchronous batch inbox cleanup with a glassmorphic UI. (TypeScript, Node.js, Express, MongoDB, React, Tailwind) - [CSR vs SSR vs ISR](https://github.com/kashiraza01/CSR-vs-SSR-vs-ISR): Architectural laboratory comparing Client-Side, Server-Side, and Incremental Static Rendering lifecycles with identical layouts to expose TTFB, payload, and SEO trade-offs. (TypeScript, Next.js, React) - [Cyberpunk Eid Card](https://github.com/kashiraza01/cyberpunk-eid-card): Responsive thematic generator with cyberpunk neon components, programmatic user-string injection, and atomic style management. (TypeScript, React, Vite) - [MERN Lectures](https://github.com/kashiraza01/MERN-Lectures): Instructional repository of production-ready MERN patterns: REST route separation, Mongoose schemas, and React state integration examples. (JavaScript, Node.js, Express, MongoDB, React) ## Security Projects & Research - [MERN Secure-by-Default Lab](https://github.com/kashiraza01/MERN-Secure-By-Default-Vulnerability-Lab): Interactive vulnerability assessment environment demonstrating OWASP-aligned secure coding practices in the MERN stack with live, side-by-side execution models (Zod input validation, Helmet configuration, NoSQL injection defenses, and rate limiting). (TypeScript, Next.js, React, Node.js, Express, MongoDB, Tailwind CSS) - [IDOR Testing Lab](https://github.com/kashiraza01/idor-lab-checks): Interactive AppSec environment with vulnerable and hardened targets demonstrating Insecure Direct Object Reference exploitation and server-side ACL mitigation middleware. (TypeScript, Vite, React, Node.js) - [JWT Hardening Monorepo](https://github.com/kashiraza01/JWT-Token-Checks-And-Refresh-Scenario-Lab): Production-grade JWT authentication monorepo featuring Redis-backed refresh token rotation, breach detection via family wipe on token reuse, algorithm confusion prevention (HS256 pinning), XSS/CSRF mitigations, and a Next.js security lab workspace for live attack-and-defence scenarios. (Node.js, Express, TypeScript, Redis, Next.js, Docker) - [AI Phishing Email Detector](https://github.com/kashiraza01/AI-phising-email-detector): Threat intelligence engine applying contextual heuristics and NLP to classify spear-phishing vectors before user engagement, with isolated sanitization and inference boundaries. (TypeScript, Python, NLP) ## Certifications - Introduction to Cybersecurity — Cisco Networking Academy (2024) - Networking Basics — Cisco Networking Academy (2024) ## Education - Bachelor's, Computer Software Engineering, National University of Computer and Emerging Sciences (FAST-NUCES) (September 2021 — September 2025) ## Skills - Languages: JavaScript, TypeScript, Python, Dart (Flutter), SQL, Bash / Shell - Tools & frameworks: React, Next.js, React Native, Flutter, Node.js, Express.js, Kafka, MongoDB, PostgreSQL, MySQL, Docker, Linux, Git, Nginx - Other: System Architecture Design, Microservices, Client Requirement Analysis, Technical Team Leadership, Agile / Scrum Methodology, In-House Server Deployment, Scalable API Design, Code Review & Mentorship, OWASP-Aware Development, RBAC & Least Privilege, PostgreSQL Query Optimisation, WebSocket Integration, Security-Aware SDLC ## Optional - [Sitemap](https://www.kashifraza.dev/sitemap.xml) - [Robots policy](https://www.kashifraza.dev/robots.txt): all crawlers, including AI crawlers, are welcome