SecurePath Wayne Howlett

SERVICES

Security-first help for web apps, APIs, cloud, and technical setups

I focus on practical improvements you can ship: safer architecture decisions, cleaner implementation patterns, and documentation you can reuse. Some offerings are available now; others are actively in development as part of my roadmap.

Available Now

These are services I can deliver today with clear scope and documented outcomes.

Web & Application Security Foundations

Security-first guidance for modern web apps—focused on practical hardening and safe patterns.

  • HTTPS + security headers guidance (HSTS, CSP basics, frame protections)
  • Secure auth flow review (session/token handling fundamentals)
  • Frontend security best practices (XSS prevention patterns, safe API usage)
  • Next.js deployment hardening checklist (Vercel-friendly)
Tags: Next.js, Headers, Auth, Hardening

API Security Review (Entry Level)

High-signal review of API exposure and design risks—mapped to common OWASP API concerns.

  • Endpoint review (auth, authorization gaps, input validation risks)
  • Token handling & secure client usage
  • Rate-limiting and abuse prevention guidance (design-level)
  • Written findings + prioritized recommendations
Tags: APIs, OWASP, Risk Review, Recommendations

Security Architecture Review (Small Systems)

Architecture-first review of your app/system: trust boundaries, threats, and pragmatic controls — with clear deliverables.

  • System map: components, data flows, and trust boundaries (public-safe diagram if desired)
  • Threat modeling (STRIDE-style) focused on realistic misuse paths
  • Control recommendations: auth, IAM, network boundaries, logging, secrets, backups
  • Written report: risks ranked + quick wins + longer-term roadmap
Tags: Architecture, Threat Modeling, Trust Boundaries, Report

Identity & Access Hardening (MFA + Least Privilege)

Reduce the most common breach path: identity misuse. Practical hardening for accounts, roles, and access patterns.

  • MFA rollout plan (accounts, recovery, device trust basics)
  • Least-privilege guidance for users/admins/service accounts
  • Permission review checklist (what to remove, what to gate)
  • Account hygiene: password manager guidance + recovery hardening
Tags: IAM, MFA, Least Privilege, Hardening

Logging & Monitoring Baseline (Audit-Friendly)

Set up a usable monitoring baseline: what to log, why, and how you’d investigate incidents later.

  • Logging plan: auth events, admin actions, API access, errors, rate limits
  • Basic alert ideas (brute force, token abuse indicators, privilege escalation attempts)
  • Retention guidance (what matters, how long, and cost-aware options)
  • Runbook starter: ‘what to check first’ during common incidents
Tags: Monitoring, Logging, IR, Runbooks

Vulnerability Scan + Fix Plan (Beginner-Friendly)

A practical scan + remediation plan you can actually follow, with clear next steps.

  • Guided scanning approach (what to scan, what not to scan, safe scope)
  • Prioritized remediation list (quick wins first)
  • Verification steps: how to confirm the fix is real
  • Documentation you can reuse for future scans
Tags: Vuln Mgmt, Remediation, Verification, Docs

Cloud Security Basics (Vercel / AWS concepts)

Architecture-oriented security review for cloud-connected apps and small environments.

  • Secure secrets & environment variable handling
  • Least-privilege IAM concepts and access patterns
  • Deployment and configuration review (high-level)
  • Cloud security checklist tailored to your stack
Tags: Cloud, Secrets, IAM, Architecture

Secure Deployment & Secrets Hygiene

Improve deployment safety: environment variables, secrets, and secure configuration patterns.

  • Secrets handling review (what belongs in env vars vs secret store)
  • Rotations + leak prevention checklist (tokens, keys, client secrets)
  • Build/deploy hardening checklist (CI/CD basics, safe defaults)
  • Minimal documentation so it stays maintainable
Tags: Secrets, Deployment, CI/CD, Hardening

Security-First Portfolio & Resume Sites

Fast, clean, professional sites built with secure defaults and a modern stack.

  • Next.js + Vercel setup with security-minded defaults
  • Performance and SEO-friendly structure
  • Simple content updates (projects, skills, blog scaffolding)
  • Optional: custom sections for labs / evidence artifacts
Tags: Next.js, Vercel, Portfolio, Performance

Technical Configuration & IT Support

Practical configuration support focused on secure setups, reliability, and clear documentation—ideal for individuals and small teams.

  • Windows / Linux / macOS setup and configuration (basics to intermediate)
  • Secure user accounts, permissions, and access controls
  • Network & Wi-Fi setup (routers, guest networks, segmentation basics)
  • System hardening fundamentals (updates, firewall settings, device security)
  • Software installation and configuration (productivity + dev tools)
  • Backup strategy guidance and setup (local + cloud concepts)
  • Clean documentation so the setup is repeatable and maintainable
Tags: IT Config, Systems, Networking, Security Basics, Docs

Secure Home & Small Office Setup

Security-first setup for home offices and small environments—reduce risk without overcomplicating the network.

  • Secure home office baseline (devices, accounts, and update strategy)
  • Router configuration review (admin access, Wi-Fi security, guest isolation)
  • Work vs personal separation guidance (simple trust boundaries)
  • Device hygiene recommendations (password manager, MFA, encryption basics)
  • Remote access patterns (safer options + configuration guidance)
  • Lightweight security checklist you can keep using
Tags: Zero Trust Basics, Home Office, Wi-Fi, Hardening, Checklist

Coming Soon

These offerings are in active development as I expand my labs, evidence artifacts, and repeatable workflows.

Advanced API Security Testing

Deeper testing of auth logic, abuse cases, and hardening patterns as my portfolio expands.

  • Auth logic abuse scenarios (role/tenant boundary checks)
  • Token misuse and replay-resistance guidance
  • Rate-limit strategy + monitoring recommendations
  • Secure API gateway patterns (design-oriented)
Tags: API Security, Threat Modeling, Abuse Cases, Gateway

SOC & Detection Engineering (Labs → Practice)

Detection-driven analysis and documentation using real lab work and repeatable writeups.

  • Log review patterns and alert reasoning (SIEM concepts)
  • MITRE ATT&CK mapping for common behaviors
  • Incident response writeups and playbook-style notes
  • Detection tuning approach (conceptual + documented)
Tags: SIEM, MITRE, IR, Detection

Home & Small Business Security Architecture

Hybrid home-lab and small network security design with practical segmentation plans.

  • Network segmentation and device trust boundaries
  • Zero-trust concepts for small environments
  • Remote access and secure admin patterns
  • Documentation-first architecture diagrams (where applicable)
Tags: Zero Trust, Network, Segmentation, Architecture

Privacy-First Health & Sensitive Data Apps

Secure design patterns for apps handling sensitive data (privacy-focused, design-led).

  • Threat modeling for sensitive user data flows
  • Data minimization and privacy-by-design guidance
  • Secure storage and transport patterns (high-level)
  • Documentation + architecture notes for your app ideas
Tags: Privacy, Threat Model, Data Flows, Design

Threat Model + Risk Register Package

A portfolio-grade threat model + risk register that’s readable by engineers and reviewers.

  • Threat model document (assets, boundaries, abuse cases, assumptions)
  • Risk register: likelihood/impact + mitigation plan
  • Control mapping: threat → control → verification
  • Public-safe artifacts suitable for portfolio evidence
Tags: Threat Model, Risk Register, Controls, Evidence

Wazuh / SIEM Starter Setup (Lab → Production-Style)

Entry SIEM setup and documentation once the lab environment is fully standardized.

  • Agent onboarding plan + log sources to prioritize
  • Basic rules/tuning strategy (reduce noise, increase signal)
  • Triage workflow: alert → context → decision → action
  • Runbooks + evidence screenshots (public-safe)
Tags: Wazuh, SIEM, Detection, IR

Scope Notice

My services focus on secure architecture, configuration, and compliance-aligned design. I support HIPAA, PCI-DSS, and ISO 27001 readiness through technical controls, documentation, and best-practice implementation. I do not provide formal compliance certification, legal attestation, or act as an external auditor. Penetration testing and red-team engagements are not currently offered. IT support is project-based and does not include 24/7 managed services.