Application Security · DevSecOps · ASPM · Cloud Security · API Security · Penetration Testing · Security Automation · Vulnerability Management
Senior Application Security Engineer — Monterrey, MX

Alejandro Flores

Specialization
AppSec · DevSecOps
Cloud Security · ASPM
Status
Sr. AppSec Engineer
@ Driscoll's Inc
Alejandro Flores Covarrubias
MONTERREY / MEX
APPSEC ENG.
EST. 2017
01
About
Alejandro in Japan

Senior Application Security Engineer with hands-on experience building and operating security programs across cloud-native environments. I started in incident response and red teaming, then moved into AppSec — building programs from scratch at companies across fintech, agri-tech, and blockchain.

My work centers on making security practical: integrating it into CI/CD without slowing teams down, reducing noise through risk-based prioritization, and automating the repeatable stuff so humans can focus on judgment calls.

I've also done security research in the Web3 space — reviewing smart contracts and protocols in Solidity, Rust, Go, and Clarity.

Outside of work: photography, music, and travel. The photo to the left is from Japan.

Location: Monterrey, Mexico
Education: B.S. IT Security — UANL, 2015–2019
02
Experience
Dec 2022 — Present
Driscoll's Inc
Full-time · Remote
Sr. Application Security Engineer
  • Led the application security program across SDLC and CI/CD pipelines, integrating SAST, SCA, and DAST tooling with automated security gating
  • Implemented Ox Security (ASPM) to centralize, prioritize, and drive risk-based remediation of critical and high-severity findings
  • Conducted security assessments of AI/LLM-integrated applications against OWASP LLM Top 10 — prompt injection, insecure output handling, model API trust boundaries
  • Performed manual web and API security testing; built Python automation via REST and GraphQL APIs to correlate security risk
  • Implemented Doppler for centralized secrets management across cloud environments
  • Triaged and managed infrastructure vulnerabilities using Rapid7 InsightVM / Nexpose
AWS · GCP · Ox Security · Wiz · Doppler · Rapid7 · Burpsuite · Snyk · Sonarqube · StackHawk · Terraform · Docker · Python · GitHub Actions
May 2023
Santander US
Freelance · Remote
Ext. AppSec Tester
  • Conducted DAST and SAST testing for web applications and APIs
  • Used Apiiro (ASPM) to triage, validate, and manage security findings
  • Performed risk-based validation to reduce false positives; collaborated with dev teams on remediation workflows
Apiiro · Burpsuite · Fortify · HCL AppScan · Jira
Nov 2022 — May 2023
Dave
Freelance · Remote
Ext. Security Tester
  • Built automation for DevSecOps vulnerability workflows
  • Assisted with execution and reporting of penetration tests
  • Created YARA rules and SOAR automation
Burpsuite · Chronicle SIEM · Chronicle SOAR · Python · DefectDojo
Apr 2022 — Aug 2023
Least Authority
Freelance · Remote
Ext. Security Researcher
  • Performed manual code reviews of blockchain and Web3 applications
  • Reviewed code in Solidity, TypeScript, Rust, Go, Clarity, and Python
  • Conducted security design reviews of protocol architectures and researched emerging Web3 attack vectors
Solidity · Rust · Go · TypeScript · Clarity · Python
Aug 2021 — Oct 2022
3Pillar Global
Full-time · Remote
DevSecOps Analyst
  • Monitored cloud alerts and incidents; developed remediation plans for cloud vulnerabilities
  • Automated container vulnerability scan processing; built internal API and portal for vulnerability data
  • Implemented third-party vulnerability management program; conducted SAST and DAST testing
AWS · Alert Logic · Terraform · Docker · Sonarqube · Python · TypeScript
Aug 2020 — Aug 2021
Axosnet
Full-time · Monterrey
InfoSec Consultant
  • Developed ISO 27001-aligned security policies and delivered security awareness training
  • Monitored and responded to AWS security alerts; conducted cloud audits and web app pentests
AWS · ISO 27001 · Burpsuite · Prowler · Pacu
Jun 2019 — Aug 2020
Purple Security
Full-time · Monterrey
InfoSec Consultant
  • Conducted network and web application penetration tests using OSSTMM and PTES methodologies
  • Executed red team exercises using MITRE ATT&CK; developed custom exploitation scripts
Kali Linux · Metasploit · Burpsuite · BloodHound · Python · Bash
Dec 2017 — May 2019
FEMSA
Internship · Monterrey
Incident Responder
  • Responded to security incidents using SIEM and firewall tools
  • Built internal vulnerability tracking database; assisted with threat hunting and EDR evaluations
Palo Alto · Exabeam SIEM · Linux · SQL
03
Skills
AppSec & Testing
  • Application Security Programs
  • Penetration Testing (Web / API)
  • SAST · DAST · SCA
  • ASPM & Risk-Based Remediation
  • Threat Modeling
  • OWASP / LLM Top 10
DevSecOps & Cloud
  • CI/CD Security (GHA, GitLab, Jenkins)
  • Secrets Management (Doppler)
  • AWS & GCP Security
  • Terraform · Docker · Kubernetes
  • Vulnerability Management
  • Security Automation
Security Tools
  • Ox Security · Apiiro · Wiz
  • Burpsuite · Snyk · Sonarqube
  • Rapid7 InsightVM · StackHawk
  • Fortify · HCL AppScan
  • DefectDojo · GH Advanced Security
Programming
  • Python
  • JavaScript / TypeScript
  • Go & Rust
  • Solidity
  • Bash
Domains
  • Cloud Security
  • API Security
  • Blockchain / Web3 Security
  • Red Teaming (MITRE ATT&CK)
  • ISO 27001 / Governance
Soft Skills
  • Cross-team Collaboration
  • Security Enablement
  • Program Ownership
  • Technical Communication
  • Risk Assessment
04
Certifications
2021
CompTIA Security+ ce
2021
CompTIA PenTest+ ce
2021
ISO 27001 Lead Auditor
2022
AWS Solutions Architect Associate
2022
Google Cloud Associate Cloud Engineer
2022
HashiCorp Terraform Associate
2022
ITIL Foundation v4
2015–19
B.S. IT Security — UANL