Florianópolis, Santa Catarina, Brazil
I help organizations build security into software delivery—without slowing innovation. As a Principal Application Security Architect with 20+ years in software engineering and security, I specialize in designing and scaling application security programs that integrate seamlessly into modern engineering environments.

At Volvo Group, I lead application security initiatives across global programs, embedding security into SDLC practices, CI/CD pipelines, and developer workflows. My focus is on making security actionable and adoptable—through automation, DevSecOps enablement, and close collaboration with engineering and product teams.

My work spans:

* Application security architecture and secure design
* Threat modeling and vulnerability management at scale
* DevSecOps transformation and security automation
* Risk-based decision frameworks and governance
* Building and enabling Security Champion programs
* Pentesting applications and infrastructure

I’ve worked across industries including financial services, where resilience and precision are critical, and have contributed to penetration testing, secure code reviews, and compliance-driven initiatives in complex, distributed environments.

Beyond enterprise work, I contribute to open source projects such as Gitrob, Gammu, and Wireshark, where I developed the ISO 8583-1 financial message dissector—bridging deep protocol knowledge with real-world security applications. My broader background in embedded systems, electronics, and computer vision gives me a multidisciplinary perspective on modern security challenges.

I’m particularly interested in roles and collaborations focused on scaling AppSec programs, DevSecOps transformation, and building security cultures that engineering teams actually embrace.
Principal Application Security Architect in Volvo Group's central global Application Security team, defining and operationalizing AppSec strategy, security architecture, and DevSecOps engineering processes across the enterprise (~4,000 applications).

• Defined global Application Security strategy, standards, processes, and governance for the engineering organization
• Set the security tooling strategy: evaluated, selected, and drove organization-wide adoption of SAST, DAST, SCA, container scanning, and ASPM
• Architected the global implementation of Armorcode ASPM — the enterprise source of truth for vulnerability management
• Developed CI/CD security pipeline templates adopted across the organization for automated security testing
• Designed and implemented secure SDLC strategies using OWASP SAMM and DSOMM maturity models
• Led and scaled a global Security Champions Program spanning development teams across 4 continents
• Designed and implemented an Application Security education and awareness program (role-based training, security guilds, gamified recognition system)
• Built custom security automation platforms: Phane (Terraform + Azure Functions microservice for AppSec provisioning) and ASTReviewer (Python CLI publishing AST findings as PR reviews)
• Performed penetration testing and security code review of web, mobile, IoT, and cloud applications
• Contributed to Purple Team strategy definition; supported SOC in forensic investigations
• Migrated Black Duck SCA to fully declarative IaC deployment (Terraform + Kubernetes on Azure)
• Supported solution teams in secure architecture design across on-premise, cloud, and hybrid platforms
Led the Application Security architecture workstream within Resumo, a global cybersecurity transformation program covering ~4,000 applications. Defined the strategy for application modernization and selected the technologies and approaches to scale security improvements across the organization. Served as technical lead and subject-matter expert, acting as the primary technical reference point for application teams during security transformation activities.

• Led security transformation program achieving 89.95% coverage of internet-facing applications with all issues mitigated
• Drove a three-step application security transformation model: (1) Application Security Testing and Vulnerability Management (SAST/SCA/DAST), (2) Security Reviews based on OWASP ASVS/MASVS, (3) Education and awareness for teams to embed security into their SDLC
• Designed and delivered internal support tooling to accelerate security testing, review, and remediation workflows
• Lead Architect in the global IFA Transformation project — web application, infrastructure, and cloud security analysis, risk management, and assessment
• Coordinated the Log4J (Log4Shell) incident response across the organization
• Coached application teams on ASVS-based security review practices and guided remediation efforts
• Embedded security controls into engineering workflows and development processes
Consulting on Information Security for the financial industry. Design and implementation (C) of PCI-compliant embedded POS systems (Ingenico/Verifone), communication protocols (applied cryptography, financial messaging), and mobile/web applications (Java, Python). Design of embedded systems for home automation and digital marketing. Main clients: Gramercy Park Studios, Scopus, Epay Brasil, Epay US, Ecardes.
Application Security Architect for Talabat (Delivery Hero), one of the largest food delivery platforms in the Middle East. Provided security architecture, penetration testing, and security program design for a cloud-native microservices environment running on AWS and Kubernetes.

• Performed web application penetration testing and security code auditing across the platform
• Conducted threat modeling for critical application components and data flows
• Hardened AWS cloud infrastructure and Kubernetes clusters
• Architected the new Identity Provider (IdP) solution for the platform's authentication and authorization layer
• Designed Application Security awareness strategy including a Security Champions program
• Designed a complete Security Education, Training and Awareness (SETA) program based on gamification and recognition, implementing a security belts system
Application Security Engineer focused on introducing security tooling and practices into development teams' workflows, performing security assessments, and supporting vulnerability remediation across the organization.

• Introduced SonarQube (SAST) and OWASP Dependency Check (SCA) as application security testing tools; supported teams to integrate them into their SDLC and CI/CD pipelines
• Performed security reviews of applications in pre-release phase
• Supported development teams to fix vulnerabilities and adopt secure coding practices
• Coordinated the Log4J vulnerability report and initial response
Working in the Info Sec team, I was responsible for structuring the Information Security area in the company: shifting security left with a DevSecOps approach; identifying risks; assessing the product and infrastructure, both in the cloud and at the perimeter; and bringing scalable solutions that aim at a balance between security and productivity.

Together with the core SRE team, I worked on projects that impacted the security and performance of web applications and distributed systems, making constant improvements to code and system design, automating tasks, implementing new architectural patterns, and introducing methodologies that leverage software quality.

Some of my responsibilities were:

- Adding security tools to the CI/CD pipeline (SAST, code review, test coverage)
- Design of solutions implementing the API Gateway pattern for authentication with microservices
- Educating and mentoring engineering teams on secure coding and threat analysis
- Threat modeling
- Penetration testing of web applications
- Training teams against social engineering threats
- Performing social engineering assessments on the company
- Audit and hardening of the company's AWS cloud infrastructure
- Implementation and monitoring of a Web Application Firewall
- Starting the LGPD regulation compliance project
- Introduction of the Gerrit Code Review system and methodology to the company