INTRODUCTION

I'M ALEJANDRO FLORES: An AppSec Engineer, A Cloud Security Analyst, A DevSecOps Practitioner, An IT Security Guy

I am a dedicated IT security professional with a strong focus on Application Security and Cloud Security. I actively seek out new technologies and best practices in security. My commitment to sharing knowledge and effectively communicating ideas ensures that I contribute meaningfully. With emphasis on application security, I am keen on enhancing the security posture of modern applications and systems.


MY SHORT STORY


ABOUT

SHORT ABOUT ME.

Once upon a time in Mexico, a curious child named Alejandro was born. He immersed himself in the world of cybersecurity, dedicating countless hours to mastering ethical hacking and pentesting. By 18, he started working professionally, quickly building a reputation as a dedicated and skilled cybersecurity expert.

Now 25, Alejandro is an accomplished information security professional specializing in application security and pentesting. His days are spent identifying vulnerabilities, fortifying defenses, and staying ahead of cyber threats. Alejandro’s expertise and relentless pursuit of knowledge have made him a trusted figure in the cybersecurity community.

Outside of work, Alejandro finds balance through reading, making music, and capturing moments with his camera. These pursuits provide a creative outlet and a counterpoint to the intensity of his professional life. Alejandro's journey from a curious child to a cybersecurity expert is a testament to his dedication and passion for the field, always ready to tackle the next challenge in the ever-evolving world of cybersecurity.


PENTESTING

I've practiced pentesting professionally and for fun. I mostly use Kali Linux, Nmap, Python (for scripting), Burp Suite, Metasploit, Bash, etc.

PROGRAMMING

I use code for automation, such as running multiple security scans at once, formatting information, and authentication testing. I like coding in Python, JavaScript, Golang and Bash.

CLOUD

I have studied and used different cloud providers, mostly AWS and GCP. I focus on the security aspect of the cloud and how to maintain compliance within it.

APPLICATION SECURITY

This is my main area: I do web app pentesting, code reviews, third-party vulnerability management, etc. For this I use Burp Suite or ZAP, manual code review to find security gaps, and automated SCA tools.

DEVOPS

I know about CI/CD pipelines (Jenkins, TeamCity, GitHub Actions, GitLab), how to create builds and deployments, and how to integrate secrets into a pipeline. I am also familiar with Docker, Kubernetes and Terraform.

APPSEC TOOLS

To name a few of the tools I've used in security:

  • DAST: StackHawk, WebInspect, HCL AppScan, Invicti, Nuclei, ZAP.

  • SAST: SonarQube, Snyk, Bandit, Semgrep, Fortify, linters.

  • Secrets detection: Gitleaks, TruffleHog, Tartufo.

NETWORK SECURITY

I've been in SecOps roles, where I've used Palo Alto and Fortinet firewalls, Exabeam, Splunk and Chronicle as SIEMs, and CrowdStrike as EDR. I've also used Datadog, Sumo Logic and New Relic to investigate logs.

GENERAL KNOWLEDGE

Generally speaking, I know about server hardening (CIS benchmarks), blockchain security, Linux and Windows administration, and security governance (policies, standards, guidelines), including documentation and management.

MY QUEST JOURNEY


RESUME

EDUCATION JOURNEY

2015 - 2019

Bachelor of IT Security

Universidad Autónoma De Nuevo León

2021

Certifications

CompTIA Security+ ce Certification

CompTIA Pentest+ ce Certification

Certified ISO 27001 Lead Auditor

2022

Certifications

AWS Certified Solutions Architect – Associate

HashiCorp Certified: Terraform Associate (002)

Microsoft Certified: Azure Fundamentals

Associate Cloud Engineer Certification

WORK EXPERIENCE

SR APPLICATION SECURITY ENGINEER

(FULL-TIME)

Driscoll's Inc

  • Initiated and integrated best security practices into the SDLC, including SCA, SAST, and DAST tools in CI/CD pipelines.

  • Created and delivered application security training programs and established processes for security reviews and threat modeling.

  • Implemented best practices and secure defaults for code and IaC, focusing on JS, Python, and Terraform, and conducted web application security testing using OWASP ASVS standards.

Dec 2022 - Present

EXTERNAL APPLICATION SECURITY TESTER

(FREELANCE)

Santander US

  • Conduct DAST scans for web applications and APIs, providing validation and remediation recommendations.

  • Perform SAST scans, supplemented with manual validation for accuracy.

  • Engage in web app pentesting, including validation of findings and demonstration of exploitation techniques.

May 2023 - Present

EXTERNAL SECURITY TESTER

(FREELANCE)

Dave

  • Developed automation for centralized vulnerabilities management and SOAR playbooks.

  • Assisted in web application penetration tests and improved testing documentation and checklists.

  • Created Yara rules for SIEM to enhance security monitoring.

Nov 2023 - May 2024

EXTERNAL SECURITY RESEARCHER

(FREELANCE)

Least Authority

  • Reviewed blockchain protocols, Web3 applications, and browser extensions using languages like Solidity, TypeScript, Rust, Golang, Clarity, and Python.

  • Worked with client teams to address remediation efforts and resolve false positive issues.

  • Conducted security design reviews and researched new attack vectors within the Web3 ecosystem.

Apr 2022 - Aug 2023

DEVSECOPS ANALYST

(FULL-TIME)

3PillarGlobal (Tripwire)

  • Used Alert Logic to monitor cloud alerts and incidents, and developed remediation plans for cloud vulnerabilities.

  • Created automated jobs to filter vulnerability reports from Docker images and published results in a database; developed an API and internal portal plugin for report aggregation.

  • Established a vulnerability management program for third-party vulnerabilities and conducted SAST and DAST testing using BurpSuite and OWASP's Manual Code Review Guide.

Aug 2021 - Oct 2022

INFORMATION SECURITY CONSULTANT

(FULL-TIME)

Axosnet

  • Created policies and procedures to align with ISO 27001 requirements and audited cloud security controls.

  • Developed an information security awareness program with training courses and evaluations.

  • Participated in daily SecOps activities, monitored alerts from CloudWatch, AWS GuardDuty, and Alert Logic, and conducted web application penetration testing following OWASP guidelines.

Aug 2020 - Aug 2021

INFORMATION SECURITY CONSULTANT

(FULL-TIME)

Purple Security

  • Conducted internal and external network tests using OSSTMM and PTES methodologies.

  • Tailored exercises to client needs using the MITRE ATT&CK matrix, and developed exploits and automation tools with Python.

  • Developed an internal methodology for web application testing based on OWASP ASVS and improved documentation processes.

Jun 2019 - Aug 2020

LET ME HEAR FROM YOU


CONTACT
