# Md Obaidur Rahman — Résumé

Engineering Leader · Full-Stack & Application Security

Engineering leader with 13+ years building, securing, and shipping scalable web and mobile systems. I lead teams and own architecture end to end — from system design and full-stack delivery (React, React Native, Node.js, TypeScript) to application-security strategy for sensitive, regulated platforms. Currently consulting for the Bangladesh Election Commission, where I lead delivery and security for the country's postal-voting infrastructure. I'm equally at home setting technical direction, mentoring engineers, and hardening client-facing systems that handle high-stakes data.

## Experience

### Consultant, Cryptography — Bangladesh Election Commission

*Jan 2026 — Present · Dhaka, Bangladesh*

- Led the web development team and the mobile application development team, owning the security posture of all client-facing applications.
- Designed, built and led delivery of the secure public web portal, the RO (Returning Officer) portal for encrypted receipt of postal votes, the admin dashboard, the prisoner-voting portal, and the post-office constituency finder.
- Hardened authenticated, encrypted data flows, including secure NID API integration for the postal-vote application, in partnership with EC officials.
- Drove process discovery, requirements gathering, trusted key-data synchronisation (constituency mapping) and reporting with EC officials.
- Coordinated vendors on secure SDK/API integration (SMS, email) and infrastructure.

Stack: React, React Native, TypeScript, Node.js, OCI

### Senior Power Platform Developer (Remote) — Modern IT

*Dec 2023 — Dec 2025 · CA, USA (Remote)*

- Architected and delivered enterprise solutions on Microsoft Power Platform.
- Built full-stack applications with the MERN stack, Next.js and REST APIs.
- Implemented secure authentication and encryption for sensitive business data.
- Integrated AI capabilities to automate and enhance business workflows.

Stack: Power Platform, React, Node.js, Express.js, Next.js

### Software Engineer (Remote) — Concourse Federal Group

*May 2019 — Apr 2025 · USA (Remote)*

- Led development of enterprise solutions using Microsoft Dynamics 365 and full-stack technologies (React, Angular, Node.js, Python, PHP).
- Implemented secure API design and data encryption for federal applications handling sensitive information.
- Managed deployments across AWS and Azure; mentored junior engineers and ran code reviews.

Stack: Dynamics 365, React, Angular, Node.js, Python, AWS, Azure

### Full-Stack Web Developer (Freelance) — Upwork

*Apr 2016 — Present · Remote*

- Delivered full-stack web solutions across a wide range of stacks under tight deadlines.
- Maintained a 100% client satisfaction rate over a decade of engagements.

Stack: JavaScript, TypeScript, React, Node.js, PHP

## Skills

- **Application Security:** Secure API design, Authentication & OAuth 2.0 / JWT, AES / RSA encryption, HTTPS/TLS, Web security best practices
- **Frontend & Mobile:** React, React Native, Next.js, Angular, Vue.js, TypeScript, Tailwind CSS
- **Backend:** Node.js, Express.js, GraphQL, Python, PHP / Laravel, C# / ASP.NET
- **Data:** PostgreSQL, MySQL, MongoDB, Firebase
- **Cloud & DevOps:** OCI, Azure, AWS, Docker, CI/CD, GitLab, GitHub Actions
- **Microsoft & Power Platform:** Dynamics 365, Power Apps, Power Automate, Power BI, SharePoint

## Education

- **Master of Computer Science**, Jahangirnagar University (2019–2020)
- **Bachelor of Science**, University of Asia Pacific (2012–2015)

## Awards

- **Top Rated Plus Freelancer**, Upwork (2020) — Maintained a 100% client satisfaction rate for over a decade.

## Languages

- Bengali: Native
- English: Fluent

---

# Bangladesh Postal Voting System

> Secure web and mobile system enabling postal and prisoner voting at national scale.

**Role:** Lead — Engineering, Application Security & Mobile

## Problem

The Election Commission needed a trustworthy digital pathway for postal and prisoner votes, integrating with national identity systems while keeping sensitive voter data protected end to end.

## Contribution

Led the web and mobile teams and owned the security posture across the public portal, the Returning Officer portal for encrypted receipt of postal votes, the admin dashboard, the prisoner-voting portal, and a post-office constituency finder. Drove secure NID API integration and trusted key-data synchronisation with EC officials.

## Outcomes

- Delivered the full client-facing surface area of the postal-voting programme.
- Established hardened, authenticated data flows across every voter-facing application.

## Stack

React, React Native, TypeScript, Node.js, OCI

## Links

- [Postal Vote BD (Public Portal)](https://portal.ocv.gov.bd)
- [Postal Vote BD (Android App)](https://play.google.com/store/apps/details?id=bd.gov.ocv.postalvoting&pli=1)
- [Postal Vote BD (iOS App)](https://apps.apple.com/us/app/postal-vote-bd/id6752640139)

---

# Securing a national postal-voting frontend

*Jun 15, 2026 · application-security, frontend, case-notes*

> Notes on the application-security decisions behind voter-facing apps that handle regulated identity data.

A voter-facing application is the part of an election system that strangers are invited to touch. That framing decided most of our early choices: the frontend is not a thin shell over an API, it is an attack surface that has to assume hostile, regulated, and audited conditions from the first commit.

These are working notes on the decisions that mattered while building the postal-voting and prisoner-voting portals — written for engineers who will have to defend similar systems.

## Threat model before features

We wrote the threat model before the component library.
Identity data flows through national systems (NID), so the question was never "what can this screen do" but "what can this screen leak, and to whom". Every form that touched identity was treated as a boundary, not a convenience.

Concretely: no sensitive identifier was ever held in client state longer than a single submission, tokens were short-lived and scoped per role (public, Returning Officer, admin), and the prisoner-voting flow was isolated from the public portal entirely rather than gated behind a flag.

## Encryption at the boundary

Postal votes are received encrypted at the Returning Officer portal; the client's job is to never be the weakest link in that chain. We kept cryptographic operations server-side and treated the browser as an untrusted courier — it transports ciphertext and proves identity, it does not hold keys.

Trusted key-data synchronisation — the constituency mapping that decides which ballot a voter even sees — was the part we audited hardest. A wrong mapping is not a bug, it is a disenfranchisement, so it shipped behind reconciliation with EC officials rather than as a derived client computation.

## What I would keep

Two practices earned their place. First, a single source of truth for content and config, validated in CI, so claims on a screen cannot silently drift from what was reviewed. Second, designing every voter-facing route to be legible to an auditor at a glance — the same discipline that makes a page trustworthy to a person makes it trustworthy to a machine reading it later.

---
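
An added example, not code from the project: server-side verification of the short-lived, role-scoped tokens described under "Threat model before features", with portal isolation modelled as a separate audience and key. The HMAC token layout, the 300-second ceiling, the `aud` values and the per-portal demo keys are assumptions; the post does not describe the real format.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Roles come from the post; token layout, TTL ceiling and "aud" values are assumptions.
type Role = "public" | "ro" | "admin";
interface Claims { sub: string; role: Role; aud: string; exp: number } // exp: epoch seconds
interface Verdict { ok: boolean; reason: string; claims?: Claims }

const MAX_TTL_SECONDS = 300; // assumed ceiling for "short-lived"

function mac(key: Buffer, body: string): Buffer {
  return createHmac("sha256", key).update(body).digest();
}

function issueToken(key: Buffer, claims: Claims, now: number): string {
  const ttl = claims.exp - now;
  if (ttl <= 0 || ttl > MAX_TTL_SECONDS) throw new Error("lifetime outside policy");
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return body + "." + mac(key, body).toString("base64url");
}

function verifyToken(key: Buffer, token: string, role: Role, aud: string, now: number): Verdict {
  const dot = token.indexOf(".");
  if (dot < 1) return { ok: false, reason: "malformed" };
  const body = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), "base64url");
  const expected = mac(key, body);
  // Check the MAC before parsing anything; timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (typeof claims.exp !== "number" || now >= claims.exp) return { ok: false, reason: "expired" };
  if (claims.exp - now > MAX_TTL_SECONDS) return { ok: false, reason: "lifetime exceeds policy" };
  // Each route names the one role and audience it accepts; there is no "admin implies all".
  if (claims.role !== role) return { ok: false, reason: "wrong role" };
  if (claims.aud !== aud) return { ok: false, reason: "wrong audience" };
  return { ok: true, reason: "ok", claims };
}

// Constructed sample keys: one per portal, so a public-portal token fails elsewhere.
const PORTAL_KEY_DEMO = Buffer.from("constructed-demo-key-public-portal");
const PRISONER_KEY_DEMO = Buffer.from("constructed-demo-key-prisoner-portal");
```

Passing `now` explicitly keeps expiry checks deterministic in tests; a route handler would supply the server clock.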