Lead Security Engineer - DevSecOps Barcelona, España

Può essere disponibile

(Aggiornato% updatedDate%)

Lead Security Engineer - DevSecOps

Barcelona, España

Nativo Spanish, Fluente English

  • Desarrollador de varias herramientas open-source disponibles en Github
  • Conocimientos en DevSecOps, Cloud Security y Python3
  • +9 años experienca en IT Security

Competenze (30)

GCP SECURITY

THREAT MODELING

AWS Security

PENTESTING

Python

DevSecOps

SECURITY AUDITS

SECURITY ARCHITECTURE

ARCHITECTURE

PULL REQUEST

FORENSIC

LOSS PREVENTION

WHITE BOX

AUDIT

SPLUNK

Risk Management

SOC

PULL REQUESTS

SELF MOTIVATED

AUDITS

SECURITY

Flask

INTEGRATION

OPERATIONS

B2B

SOPS

MOZILLA

DNS

B2C

TRADING

Esperienze professionali

Professional Security Freelancer
DefenSEC

2017-01 - Presente

Worldwide
Collaborating as Professional Security Freelancer with many companies, customers and law
enforcement:
- Contract as Security Engineer with INTEC (https://intec2.com/), per project basis
- Collaborator with Spanish Law enforcement and police labour union for Security training and awareness
- Other collaborations per-project basis around the World (remote)
Lead Security Engineer
Ebury UK

2020-05 - Presente

Remote-based
Working for Ebury UK (+1200 employees), a leading financial and payment service provider, as a Lead Security Engineer in a multi-cloud and multi-tech stack environment. Engaged
on DevSecOps, Cloud Security (AWS/GCP), Secure Architectures, Engineering and internal
IRT/SOC, among other security areas.

SECURE ARCHITECTURES - ENGINEERING
∗ Definition of Secure Architectures for services, apps and infrastructure using MD, Flow
charts,
∗ Support to DevOps/SRE/Dev teams for definition of new RFC and Services including
Security specs from requirements and design phase
∗ Reviewer of Pull Requests for adding or modifying currently existing services before
change approval

CLOUD SECURITY (AWS/GCP)
∗ AWS Security (Security Hub integration with GuardDuty, CloudTrail, Inspector, Detective, Macie, )
∗ GCP Security (Security Command Centre + Logs)
∗ Security Automation / SOAR / Playbooks with AWS Lambda / GCP Cloud Function
∗ 3rd party cloud security tools (Prowler, Scout2, )
∗ Security checks automation with Python 3 + Boto3
∗ Integration of Cloud environments within SIEM solutions

DevSecOps
∗ Jenkins / CircleCI secure pipelines definition
∗ IaC (Terraform/CloudFormation) modules deployment and security review
∗ K8s / Docker (Aquasec, Clair, Kubesec, docker-bench, )
∗ Ansible playbooks (patching, user locking, )
∗ Secrets management (Mozilla SOPS, HC Vault, )

Application/Software Security
∗ SSDLC (evil user stories, backlog definition, code review, )
∗ SAST code analysis integrated into CI/CD pipelines (Jenkins/CircleCI)

Infra-Network Security
∗ Deployment and configuration of EDR, RASP, NGFW, IDS,
∗ Secure network architectures (trunk ports, VLANs, ACLs, )

IRT - SOC
∗ Incidence analysis and response
∗ Dynamic Malware analysis (Cuckoo) / Static malware analysis (YARA)
∗ Deployment of SOAR tools and SIEM architectures (SPLUNK, ELK, QRadar, )

Ethical Hacking / Pentester
∗ Manual Pentesting (Burp Suite). MITRE ATTACK

- Curriculum vitæ of c European Union, 2020-2021 http://europass.cedefop.europa.eu
Jorge Blanco Reales (di0nj@ck)

- Curriculum vitæ of c European Union, 2020-2021 http://europass.cedefop.europa.eu
Senior IT Security Engineer - SecDevOps
SecAutomation

2018-11 - 2020-05

Spain
Working on 'Digital Security' team and reporting to the Head of Digital Security of TeamCMP;
a leading B2C company for VR-content products, mobile apps and web applications.
- AWS Cloud Security (support cloud migration and deployment of new and existing B2C services)
- Intenal Security Services (build a new subset of Python3 Flask API internal API services for exploitation by other departments of the company or by Security team).
- DevSecOps (CI/CD hardening CircleCI/Jenkins, K8s, Docker security, Terraform modules, )
- Red/Blue Ethical hacking (web/network manual pentesting)
- On-premises Security (network and infra security architecture security review).
Technical Security Specialist
Hotelbeds Group, S.L.U

2016-03 - 2018-10

Working on a TOP 3 B2B Travel company, HotelBeds Group headquarters, as a 'Tiger Team'
leader, deploying and coordinating defensive and offensive attack techniques across the com-
pany.
- Purple Tiger Team: Coordinating and executing both 'Red TT' and 'Blue TT' activities within a centralized effort across the company. Proactive deployment of PoC attacks to our own infras-
tructure and services and properly defense and response to external threats. SOC (Security Operations Center) management and daily secops deployment.
- Office Security.: Deployment of layered defense mechanisms for protecting employees (EDR, RASP, IDS, DNS-Firewalling, ), Internal PoC, IT Security Awareness, )
- Fraud analysis and detection: Deployment of IOC (Indicators Of Compromise) and IOF (In- dicators Of Fraud) within our B2B / B2C online travel services.
Senior IT Security Engineer
SIA Group

2013-06 - 2016-03

Spain
Execution of technical security audits (forensic, web and network pentesting, social engineer- ing, ), compliance (PCI-DSSv3, ENS, ISO27k, ) and IT Service Management (ITSM; ITILv3 / ISO20000). Strong background and expertise on PCI-DSSv3 QSA audits ('SIA' certified company). DLP Audits (Data Loss Prevention)
Ethical Hacker
PenTester

2012-09 - 2013-06

Spain
Engaged on performing security audits, IT risks audits (MAGERIT/OCTAVE), and compliance
(PCI-DSS, ENS, ). Performing web pentests, execution of external and internal network pen-
tests, Industrial and Economical Espionage audits, physical security review and advanced
intelligence/information gathering.
IT & Security Auditor/Consultant
Jorge Blanco Reales

2011-10 - 2012-09

Spain
Assigned in the area of computer audit, security, technology and risk management in the Risk
Advisory Services department, deploying Web and network pentests, IT security master plans,
compliance (ISO 27001, LSSI, LOPD, PCI-DSS, ) and White box PenTesting.)

Esperienze formative

Bachelor of Computer Science
Universitat Pompeu Fabra

2006-01 - 2010-01

Contatta il consulente

/