John Rockefeller2001

Senior DevOps/DevSecOps Engineer

Joint stock company Alfa Insurance

Pentest Engineer - Cybersecurity

• Security analysis of IT infrastructure elements
• Penetration testing
• Security analysis of the company's wireless networks
• Advanced web application security assessment
• Participation in the development of DevSecOps processes
• Vulnerability remediation management
• Using scanners (Nessus, nucleic acids, testssl)
• Conducting SAST analyses
• Using GitLab (pipeline)
• Working with vulnerability management platforms (Hive, ApiAry, DefectDojo)
• Knowledge of OWASP, CWE, and MITRE ATT&CK testing methodologies
• Fulfilling established SLA obligations

Management Company "First" (formerly “Sber Asset Management”)

Head of direction DevOps

• Development of information security requirements for commercially commissioned and newly created information systems in accordance with the requirements of Russian legislation.
• Creation from scratch of the cluster architecture scheme in k8s (security claster), development of the business logic of the full-cycle application build system, taking into account security scans and passing the Quality Gate.
• Setting up automatic saving of scan results in MySQL database for statistics in front of auditors.
• Deployment of the k8s (security) cluster, its support and administration.
• Development and implementation of the CI/CD pipeline with security from scratch:

Git->Checkout->Dependencies (Nexus)->Build->API Testing->Regression Testing->Load Testing->Security Testing (SAST/DAST/SCA)->Security Quality Gate->Pull Image (Nexus)->Deploy (dev/staging/prod)->Monitoring.

• Formation of proposals for the further development of the information security system and the DevSecOps process
• Development of the Secure Development Lifecycle (SSDLC)
• Implementation of QualityGate in the SDLC process to automate application vulnerability testing.
• Implementation of IaC (Terraform, Ansible) from scratch: automation of infrastructure deployment and environment management.
• Working with AppSec tools (SAST, DAST, RASP, SCA) and their implementation in the SDLC process
• Participation in architectural councils, coordination of changes in the interaction of microservices with automated systems.
• RBAC administration: role creation, grant and audit of access rights/technical access rights.
• Development of project and working documentation.
• Monitoring the installation of the latest software security updates
• Analyzing the security of the company's external web applications (personal account, website), internal networks, and external perimeter
• Consultations of the Company's employees on information security issues
• Market analysis and selection of technical solutions for fulfilling information security tasks
• Implementation of Best practices to ensure the security of Docker containers.
• Creating a PD search process in test and dev circuits from scratch. This process showed database administrators where depersonalization of data did not occur, or failed with an error. The process I implemented covered 90% of all unsecured databases in the test and dev circuits.
• Development of applications for internal use on Go.
• Leadership of a team of 2 people at the junior level, training them to the middle level in the field of third-party pipeline development and support for the DevOps pipeline at Jenkins.
• Development of pipeline(s) for the Jenkins SDLC pipeline. Scaling it to all teams at the DEV, TEST, UAT, PROD levels.

AliExpress

Information Security Engineer (DevOps) AI Department

• Redesign of the architecture of internal applications/services for kubernetes. Strengthening its fault tolerance.
• Kubernetes cluster administration and management using Terraform and Ansible.
• Development of pipeline(s) for Gitlab CI projects for process automation.
• Infrastructure upgrade and support, via Terraform, Ansible.
• Cloud infrastructure administration (Yandex Cloud, AWS).
• Kafka access control, synchronization of changes in Confluence.
• Collection and monitoring of service metrics through Prometheus and Grafana tools.
• Development of internal/external applications in GO/Python/PHP.
• Setting up centralized updates of various dependencies of language packs.
• Implementation of IaC (Terraform, Ansible) to automate infrastructure deployment.
• Administration of PostgreSQL, MySQL, and MSSQL databases and development of a role-based access model for them.
• Creation of helm charts and ansible roles.
• Support for the centralized logging process (ELK/EFK, VictoriaMetrics).
• Work with data via the RabbitMQ data bus.
• Work with AI to speed up writing pipeline/Terraform/Ansible codes.
• Creation of the process of automatic deployment of virtual machines.
• Development of design and working documentation for the following processes: SDLC, CI/CD.
• The introduction of new vulnerability scanning tools (SAST, SCA, Secret Scanning) into the process and their implementation into the SDLC process.

-Integration of Gitlab CI SAST, SCA, Secret Scanning scanning processes with Defect Dojo. In Defect Dojo, the vulnerabilities found are broken down into teams.

• Participation in architectural councils on the release of new microservices and their integration with our infrastructure.
• Support of the database backup process.
• Implementation of Best practices for the assembly/operation of Docker containers.
• Development and support of current SDLC and Patch Management processes;
• Implementation of QualityGate in the SDLC process to automate vulnerability testing of applications together with the security team. We managed to implement them for 95% of all the company's projects.

09.03.01 in Informatics and Computer Science, profile Computer software and automated systems – Moscow State Technological University "Stankin" (2019 – 2023)

Professional retraining courses in Information Security – GeekBrains Faculty of Information Security (2020 – 2022)