QASL · Test Security — Application Security Forensic

AppSec Engineer · Senior

Application Security Engineer Application Security Engineer

Equipos que necesitan llevar la AppSec del PDF de hallazgos al dictamen defendible. Teams that need to move AppSec from a findings PDF to a defensible verdict.

SAST · Semgrep policy-based + reglas customSAST · policy-based Semgrep + custom rules
SCA · Trivy + CycloneDX SBOM + CVE/CVSS/EPSSSCA · Trivy + CycloneDX SBOM + CVE/CVSS/EPSS
DAST · OWASP ZAP baseline + full scan en CIDAST · OWASP ZAP baseline + full scan in CI
Threat modeling · OWASP ASVS 4.0 reviewThreat modeling · OWASP ASVS 4.0 review
Reportes pericial-grade · CFQI dictamen + ExecutiveAudit-grade reports · CFQI verdict + Executive

Conversar en LinkedIn → Connect on LinkedIn →

DevSecOps Lead

DevSecOps Lead DevSecOps Lead

Equipos que están metiendo seguridad en pipelines CI/CD con quality gates reales. Teams shifting security into CI/CD pipelines with real quality gates.

Security gates en GitHub Actions / GitLab CISecurity gates in GitHub Actions / GitLab CI
SBOM CycloneDX · supply-chain complianceCycloneDX SBOM · supply-chain compliance
IaC scanning · Checkov · Terraform/K8s/CFNIaC scanning · Checkov · Terraform/K8s/CFN
Container security · Trivy + Docker hardeningContainer security · Trivy + Docker hardening
Policy as Code · NIST SP 800-218 SSDF alignmentPolicy as Code · NIST SP 800-218 SSDF alignment

Conversar en LinkedIn → Connect on LinkedIn →

Security Champion · Pentest QA

Pentest QA & Mobile Security Pentest QA & Mobile Security

Equipos con apps web/móviles bajo regulación que necesitan red-team interno y mobile SAST. Teams with regulated web/mobile apps that need internal red-team and mobile SAST.

Pentest manual + automatizado · OWASP ZAP avanzadoManual + automated pentest · advanced OWASP ZAP
Mobile SAST · MobSF Android (APK) + iOS (IPA)Mobile SAST · MobSF Android (APK) + iOS (IPA)
Secrets detection · gitleaks pre-commit + historySecrets detection · gitleaks pre-commit + history
OWASP Top 10 2021 · 10/10 coberturaOWASP Top 10 2021 · 10/10 coverage
Compliance PCI-DSS · ISO 27001 · ISO 13485Compliance PCI-DSS · ISO 27001 · ISO 13485

Conversar en LinkedIn → Connect on LinkedIn →

QA Tech Lead
especializado en Application Security forense. QA Tech Lead
specialized in forensic Application Security.

Un scanner sin interpretación es ruido.
Una vulnerabilidad sin grado
es opinión. A scanner without interpretation is noise.
A vulnerability without a grade
is opinion.

CFQI · Code Forensic Quality Index