Heitor Ramalho
DevSecOps
Information Security Specialist | Leader in Vulnerability Management, AppSec, DevSecOps, Pentesting and Cyber Security Architecture. I have been working in cyber security for a long time. In the first 10 years I focused on Linux and Windows Server security, and in recent years I have focused on participating directly in Cyber Security Architecture, as well as in Pentesting and Bug Bounty projects. I went through countless projects in Application Security and DevSecOps. The whole company and all departments need to prepare for Shift-Left. To raise its level of cybersecurity maturity, I always brought a managerial vision through the data provided, building knowledge in the stages of planning, delivery, security design, development, testing, validation, deployment and maintenance. Having worked with vehicle technologies, IoT and blockchain/bitcoin, I assembled materials alongside great leaders, bringing best cryptography practices and SASE architecture convergence.
Tech stack
Security (13)
GitHub (9)
Ubuntu Linux (7)
IT Security (7)
Leadership (3)
Cyber Security (3)
Architecture (3)
PCI Compliance (2)
Microsoft SQL Server (2)
DevOps (2)
Continuous Integration (CI) (2)
Continuous Delivery (CD) (2)
Azure DevOps (2)
Jenkins (1)
Java (1)
Spring (1)
Postman (1)
Management (1)
Android (1)
Python (1)
AngularJS (1)
Design (1)
Scrum (1)
MySQL (1)
Kubernetes (1)
Azure (1)
Ansible (1)
Maven (1)
JavaScript (1)
APIs (1)
Experience
Professor of Cyber Security
CECyber
08/2022 - 07/2023

- Topics: Secure Development, Security Champions, OWASP Top 10, Veracode Security Labs, Pentesting, Security Architecture and DevSecOps

Security
Architecture
Lead Cyber Security and AppSec Architect
Gol Linhas Aereas
07/2022 - 11/2022

- Security Architecture and Vulnerability Leadership – APIs in Azure, AngularJS, NodeJS, .NET Core, ASP.NET, C, and apps in Flutter, Swift, Kotlin and Java for Android
- Scrum and Kanban – Azure DevOps and Jira
- Azure DevOps CI/CD pipeline management
- Cloud Security – Azure DevOps, Imperva WAF
- IaC Security – Docker, Vault and K8S Secrets
- Red Team with automation – BURP and Python
- Threat Modeling – Checkmarx AST SAST, SCA, IAST and SonarQube QualityGate
- Participated in and executed more than 20 PoCs using Veracode, GitLab, AWS, GitHub, Azure, Harness and CircleCI technologies
- Security Champion webinars for architects and engineers
- Weekly forecasts for management – PowerBI and Excel
- Training customers and employees on OWASP / ASVS – Confluence cyber solutions
- Management of 5 senior specialists
- Responsible for checking RFPs
- RFC analysis

Security
Cyber Security
GitHub
Microsoft SQL Server
Tech Lead - Encryption
Bradesco
06/2022 - 09/2022

- Cloud Architecture and Cryptography – LEAP Project, migrating from Azure on-premises to Azure DevOps
- Encryption – AES, mTLS, TLS, etc.
- Fortnightly forecasts and approvals of CIS Frameworks, Cryptography and others – Confluence
- Participated in and executed more than 5 PoCs using Red Hat Cloud technologies – OpenShift and Kubernetes
- Scrum – Jira
- IaC Security – K8S Vaults and Secrets
- Management of 5 senior specialists
- Co-responsible for checking the best cryptocurrencies on the market

Scrum
DevOps
Kubernetes
Management
Security
Architecture
Azure
Head of Cyber Security
ACCT
11/2021 - 01/2022

- Security Architecture and Vulnerability Leadership – GraphQL and GraphQL APIs, ReactJS, TypeScript, JavaScript and NodeJS
- GitLab CI/CD pipeline management
- Security review (security code review) of 60+ PRs/MRs and 100k lines – Encryption, Tokenization and API Security
- Cloud Security – GitLab IAM, PAM Google Cloud, VTEX Security, VTEX IO
- Threat Modeling – SonarQube QualityGate, OWASP Top 10 2021, 3D Secure (3DS), ASVS and MASVS
- Fortnightly release forecasts for the Board – Notion
- Compliance – LGPD and GDPR
- Security Champion webinars for architects and engineers
- Training customers and employees on SSDLC and DevSecOps cyber solutions
- Management of 6 squads and senior specialists
- Responsible for checking RFPs

JavaScript
Encryption
Management
TypeScript
Security
Leadership
APIs
Architecture
GraphQL
Vulnerabilities Owner Next AppSec (Prime IT Services)
Banco Next
10/2020 - 10/2021

- Security Architecture and Vulnerability Leadership – APIs in Spring Boot, Maven, Java 9 / 10 / 11, Java EE, JBeans, Spring Security, Salesforce, Tomcat, Apache, Microsoft IIS, and apps in Flutter, Swift, Kotlin and Java for Android
- Bamboo CI/CD pipeline management with Python, shell and cmd batch automation
- Cloud Security – Azure DevOps, OpenShift and Kubernetes (K8S)
- Encryption – JWT, JWE, mTLS
- Red Team with automation – Python, BURP, Postman and Marca
- Threat Modeling – Fortify SAST (WorkBench FPRs), Aqua Trivy, Postman API and Splunk
- Participated in and executed more than 5 PoCs using Symantec Cloud Antivirus, DataDog and Grafana technologies
- Security Champion webinars for architects and engineers
- Fortnightly forecasts of Core and App releases for the Board – Excel and Confluence
- Training customers and employees on OWASP / ASVS – Confluence cyber solutions
- Scrum and Kanban – Jira and Notes
- Security Design and API Security – CA API Gateway

Leadership
Security
Azure DevOps
DevOps
Continuous Integration (CI)
Continuous Delivery (CD)
Microsoft SQL Server
GitHub
Senior Information Security Analyst (BRQ Solucoes em Informatica S/A)
Banco Itaú
04/2020 - 10/2020

- Security Architecture and Vulnerability Management – Java EE, Java Spring Security, .NET Core 3.0 C#, Cobol, AngularJS, ReactJS, Oracle, Python, Java for Android and Objective-C
- Threat Modeling – Bag of Holding (BoH), Postman API, CloudXS, ThreadFix, Fortify SAST (WorkBench FPRs), Fortify DAST WebInspect, SD Elements and SonarQube
- CI/CD pipeline management – Jenkins, GitLab, Pipepper with bash shell, cmd and PowerShell automation
- Participated in and executed more than 4 PoCs using new versions of BoH, Fortify SAST and DAST
- Security Champion webinars and weekly forecasts on Governance and Cyber AppSec – Grafana and dynamic Excel
- Training and FAQ for customers and employees on OWASP Top 10 cyber solutions – Jira and Confluence
- Scrum – Jira
- Cloud Security – AWS EKS, EC2, S3, ElasticSearch, Route 53, IBM RTC and FICO
- Proprietary Security Design – Itaú Máximo RDPs
- Management of 450 squads (Acronyms App)
- Responsible for checking RFPs
- RFC analysis

Android
Python
AngularJS
Java
Design
Security
Architecture
Jenkins
Spring
Postman
Information Technology Security Specialist (Yaman Tecnologia Ltda)
SulAmérica Seguros Saúde
10/2019 - 01/2020

- Participated in and executed more than 5 PoCs using technologies such as Kenna Security and new versions of Jenkins
- Jenkins CI/CD pipeline management with Groovy
- Red Team with automation – BURP, Postman and SonarQube
- Weekly vulnerability webinars and forecasts – Veracode SAST/DAST
- Project Architecture – Ansible, Java EE, Servlets, Spring, Maven, Hibernate, JBoss WildFly and MySQL
- Training customers and employees on information security solutions
- Kanban – Microsoft Office Planner
- Responsible for checking RFPs
- RFC analysis

MySQL
Java
Management
Maven
Security
Architecture
Jenkins
Spring
Ansible
Postman
Worldwide Information Security Manager
Cryptoblock IT Security
01/2018 - 09/2019

- Risk management audit and digital law through the company's terms and conditions and privacy policy
- Began research using the Marco Civil and the privacy policies and terms of Google, Verizon, AT&T and T-Mobile as references for terms to include in apps and applications developed in-house, to meet the compliance requirements for maximum data privacy, encryption and protection
- All projects focused on implementation, research and parameterization of IT Security
- Follow-up, indicators and reports from the Freshdesk, Jira and Wrike tools
- Validation and application of patches to Linux and Windows, backups, Windows Server Group Policy and Active Directory
- Knowledge of PCI, OWASP and HP WebInspect, and study of WatchGuard, Barracuda and Forcepoint Websense Security Gateway (WSG) tools
- Basic BURP, Nmap and Wireshark
- Access control with elevation and two-step verification, BitLocker data encryption, backups of files, and Kaspersky Password Manager and KeePass password vaults

PCI Compliance
Security
Cyber Security
Leadership
IT Security Consultant
Interlab Distribuidora De Produtos Cientificos
04/2011 - 12/2017

- Monitoring and updating of the BRMA firewall
- Planning and recovery of Red Hat IBM RAID5 data, and monitoring of a pfSense firewall implementation with shell scripts and iptables
- Updating, patching and monitoring of an IBM server running Red Hat Linux with a DB2 database
- Encryption, administration of certificates and digital signatures, and management and governance of comparable security information on the market to protect against phishing and sniffers
- Analysis and reporting of malware, viruses, spyware, adware and ransomware with Sophos UTM, WatchGuard and access control
- Analysis, security planning and application risk assessment for server and IT business continuity
- In addition to implementing security systems: network maintenance and technical assistance for the company's computers and programs in all types of IT problems (networks, servers, Linux Red Hat Server, IBM AIX, Linux Ubuntu Server), consulting on and directing web implementations, and HTML and Acrobat JavaScript development for internal forms

GitHub
Security
IT Security
Ubuntu Linux
Education
Cyber Defense
FIAP
02/2021 - 02/2023
Internet Systems (Sistemas para Internet)
Centro Universitário Senac
02/2013 - 02/2016
Technician in Data Processing
Colégio Módulo Paulista
02/1999 - 02/2001