Portfolio · Application Security & DevSecOps

Lucas Henrique Grifoni

This page is my technical portfolio — a single place for projects and initiatives that show how I design, build, and ship security in real delivery pipelines: automation, visibility, and outcomes you can trace from code to production.

The work below reflects my execution and point of view: security as an accelerator and business partner for teams, not a late-stage gate or a blocker.

Why I Build This

About

After years working across financial services, aviation, telecom, and healthcare, I kept running into the same structural problems: security added at the end, findings without context, tools that generated noise instead of clarity, and teams with no practical path to improve.

I started building the tools I wished had existed. Not platforms designed for enterprise sales cycles, but practical, open-source tooling built for teams that actually need to ship secure software without a dedicated security department for every service.

Each project here came from a real problem I encountered or observed directly. The goal is always the same: reduce friction, increase visibility, and make security something teams want to integrate, not avoid.

Experiences

Roles that shaped how I build AppSec & DevSecOps

A concise walk through organizations where I embedded security in delivery, from pipeline automation and cloud-native workloads to governance, enablement, and measurable risk reduction.

GOL Linhas Aéreas

Application Security Specialist

Brazil · Remote

Present
  • Lead Application Security and DevSecOps initiatives across software delivery workflows in a regulated aviation environment, helping embed security into CI/CD pipelines, APIs, containers, and cloud-native applications without compromising delivery speed. Partner closely with engineering, architecture, and delivery teams to drive secure design reviews, threat modeling sessions, and risk-based remediation strategies for critical systems and digital products. Strengthen the overall security posture by improving pipeline security coverage, standardizing security controls, and expanding the use of automated validation across development workflows.
  • Support governance and technical decision-making through security guidelines, control adoption, and practical recommendations aligned with business and operational needs. Actively improve remediation efficiency by helping teams prioritize vulnerabilities based on risk, exploitability, and business impact rather than severity alone. Contribute to a more scalable security culture through developer enablement, security-by-design practices, and continuous improvement of AppSec and DevSecOps maturity across software delivery environments.

B3 Digitas

DevSecOps Engineer

Brazil · Remote

Past role
  • Led DevSecOps and security engineering initiatives for digital financial products in highly regulated, fast-moving, and innovation-driven environments. Embedded security controls into CI/CD workflows, infrastructure pipelines, and application delivery processes through automation, secure development practices, and control orchestration. Worked across cloud, APIs, containers, and delivery architecture to improve resilience, reduce operational security gaps, and strengthen engineering confidence in secure releases.
  • Supported teams in adopting more mature DevSecOps patterns by integrating validation gates, secure configuration practices, and pipeline-focused security checks into day-to-day delivery. Partnered with technical stakeholders to align security initiatives with product velocity, compliance expectations, and platform reliability goals. Helped build a stronger security foundation by turning security into an operational enabler rather than a late-stage blocker.

Ignít

Application Security Specialist

Europe · Remote

Past role
  • Designed and strengthened Application Security and DevSecOps practices across the software lifecycle in distributed engineering environments with cross-functional and remote collaboration. Conducted threat modeling, secure code reviews, and offensive and defensive validations for web, mobile, and API applications, helping identify design weaknesses and implementation risks earlier in the lifecycle. Supported the evolution of secure development maturity by combining technical assessments with governance, measurement, enablement, and compliance-aligned improvements.
  • Worked closely with engineering teams to make security practices more practical, repeatable, and better integrated into delivery routines. Helped teams improve remediation quality and decision-making through clearer prioritization, better technical guidance, and stronger alignment between security and delivery outcomes. Contributed to the development of a more measurable and sustainable AppSec posture across products and engineering workflows.

Algar Telecom

Application Security Specialist

Brazil · Remote

Past role
  • Led Application Security strategy and implementation across development, architecture, and operations teams in a large-scale telecommunications environment with broad technical complexity and delivery demands. Integrated SAST, DAST, SCA, and IAST into CI/CD workflows while promoting Security by Design and Shift Left practices across software development and solution architecture discussions. Worked to improve engineering maturity by defining standards, supporting control adoption, and guiding teams on how to build and operate applications more securely from the start.
  • Partnered with technical teams to reduce application risk, increase security visibility, and make vulnerability management more actionable and sustainable. Supported secure delivery by bringing security reviews, tooling, and governance closer to engineering execution. Helped establish stronger foundations for continuous security adoption across multiple teams and delivery streams.

Trademaster

Application Security Engineer

Brazil · Remote

Past role
  • Advanced secure software development practices and application security improvements across product delivery environments, helping teams strengthen security posture without introducing unnecessary delivery friction. Improved pipeline validation, secure coding practices, and risk mitigation initiatives across engineering workflows by bringing more consistency to how security controls were applied and monitored. Worked closely with development teams to encourage more secure delivery patterns through technical guidance, control implementation, and practical security recommendations.
  • Supported the maturation of AppSec routines by helping teams identify weaknesses earlier and respond more effectively to remediation needs. Contributed to a more structured security approach across the lifecycle, balancing implementation quality, speed, and risk reduction. Helped reinforce the idea of security as part of product engineering rather than a separate afterthought.

Avanade

Senior Application Security Engineer

Brazil · Remote

Past role
  • Led secure development and application security initiatives across enterprise environments, partnering with engineering teams throughout different delivery phases to improve software resilience and reduce exposure. Conducted security reviews, application validation activities, and risk-oriented assessments to help identify weaknesses in design, implementation, and operational security controls. Worked with technical teams to improve the security quality of applications through practical guidance, engineering-focused recommendations, and stronger alignment between security expectations and development execution.
  • Supported governance and delivery improvements by helping standardize security practices and make remediation efforts more effective and scalable. Acted as a bridge between technical security requirements and real-world software delivery constraints. Helped strengthen enterprise security posture through a combination of technical depth, delivery awareness, and continuous improvement initiatives.

KPMG

Mid-Level Cybersecurity Consultant

Brazil · Remote

Past role
  • Delivered cybersecurity assessments focused on governance, risk, compliance, and technical security controls across different client environments and business contexts. Partnered with both technical and business teams to evaluate security posture, identify process and control gaps, and improve alignment between risk findings and remediation priorities. Translated assessment results into structured improvement plans, helping organizations move from point-in-time findings to more sustainable risk reduction actions.
  • Contributed to security maturity improvements by connecting technical observations with governance expectations, compliance frameworks, and operational realities. Supported clients in understanding not only what the risks were, but also how to address them in a more organized and business-aware way. Strengthened consulting and analytical capabilities through exposure to diverse environments, stakeholder profiles, and security challenges.

Mosyle

Security Researcher I

Brazil · Remote

Past role
  • Contributed to security research, technical analysis, and malware-focused investigations across Apple ecosystems, with emphasis on understanding behaviors, patterns, and technical security implications in macOS and iOS-related contexts. Supported vulnerability analysis and broader technical research activities, helping strengthen the foundation of security assessment, reverse-engineering thinking, and investigative methodology. Worked on analytical activities that improved internal understanding of threats, system behavior, and defensive opportunities.
  • Strengthened internal security knowledge through structured technical investigation, research support, and security-oriented analysis across specialized environments. Built stronger fundamentals in research-driven security work by combining curiosity, technical depth, and analytical discipline. This role helped shape a more investigative and detail-oriented approach that continued to influence later work in Application Security and DevSecOps.

Open Source & Products

What I'm Building

AppSec Express

in development

Application security and DevSecOps services that integrate directly into your SDLC without slowing delivery.

What it is

AppSec Express is a specialized service offering that brings application security and DevSecOps engineering directly into teams that need it without the overhead of building an internal program from scratch.

I offer SAST, SCA, IaC security, secrets detection, threat modeling, secure code review, CI/CD security integration, and vulnerability management as a structured engagement, not a one-time audit.

Why I built it

Most companies either can't afford enterprise security platforms or don't have the headcount to operationalize them. AppSec Express exists to close that gap with high-quality execution and measurable outcomes.

My goal is to transform security into a delivery accelerator with clear priorities, verifiable results, and a path for teams to own it long-term.

Problems it solves

  • Teams shipping without any security controls in the pipeline
  • No structured process for threat modeling or secure code review
  • Vulnerability findings with no prioritization or remediation path
  • Security treated as a gate at the end instead of a control at the start

SAST · SCA · Threat Modeling · CI/CD Security · Checkmarx · Snyk · GitHub Actions · Azure DevOps

AppSec Control Center

in development

Unified vulnerability lifecycle platform that normalizes findings, deduplicates, prioritizes, and produces audit-ready reports.

What it is

AppSec Control Center ingests findings from multiple security scanners — SAST, SCA, DAST, secrets, IaC — and normalizes them into a single, consistent vulnerability lifecycle.

It deduplicates findings across tools, applies consistent severity and status logic, and produces structured, audit-ready reports that teams and leadership can actually act on.

Why I built it

Most teams using three or four scanners end up with fragmented findings, duplicate alerts, inconsistent severity scores, and no single view of their actual risk posture.

I built AppSec Control Center to replace the spreadsheet-and-Jira workflow that most AppSec engineers fall back on. The focus is operational clarity: from raw scanner output to verified, tracked, remediated findings.

Problems it solves

  • No unified view across SAST, SCA, DAST, and secrets findings
  • Duplicate vulnerabilities across tools creating noise and confusion
  • Inconsistent severity ratings between different scanners
  • No audit trail from scan to remediation

Python · FastAPI · PostgreSQL · Docker · Checkmarx AST · Snyk · Trivy · GHAS

App Suite Modeling

in development

Multi-methodology threat modeling platform with CLI, API, and visual interface.

What it is

App Suite Modeling is a threat modeling platform that supports STRIDE, LINDDUN, NIST, and OCTAVE Allegro methodologies through a unified interface available via CLI, REST API, and a web UI.

It structures the threat modeling process so that teams can execute sessions consistently, track threats across releases, and integrate modeling outputs directly into their SDLC.

Why I built it

Threat modeling is one of the most valuable security activities and also one of the most inconsistently executed. Most teams either skip it or run ad-hoc sessions with no structure, no output format, and no traceability.

I wanted a tool that any engineer could pick up, not just security specialists. CLI-first so it fits into existing workflows. Multi-methodology so teams can choose the framework that fits their context.

Problems it solves

  • No accessible threat modeling tooling for non-security engineers
  • Sessions run ad-hoc with no consistent output or traceability
  • Methodology lock-in or tools that support only STRIDE
  • No path to integrate threat modeling outputs into CI/CD

Python · FastAPI · CLI · STRIDE · LINDDUN · OCTAVE Allegro · NIST · Docker

CTF Platform

in development

Defensive AppSec and DevSecOps CTF with 112+ challenges organized by severity and domain.

What it is

A monorepo CTF platform built specifically for defensive application security and DevSecOps training. Challenges cover SAST findings, SCA vulnerabilities, secrets exposure, IaC misconfigurations, container security, and CI/CD attack vectors.

Each challenge is self-contained, tagged by severity tier and domain, and designed to mirror real findings that engineers encounter in actual codebases and pipelines.

Why I built it

Existing CTF platforms are almost exclusively offensive: exploitation, reverse engineering, binary. They don't address the defensive skills an AppSec or DevSecOps engineer needs daily.

I built this platform to fill that gap with challenges grounded in real-world scenarios: misconfigurations developers actually write, dependency issues that slip through reviews, and pipeline weaknesses that are easy to overlook.

Problems it solves

  • No practical defensive CTF content for AppSec/DevSecOps engineers
  • Training materials that are too theoretical without hands-on context
  • No structured progression from low to critical severity
  • No coverage of pipeline and IaC security scenarios

Docker · Python · SAST · SCA · IaC Security · Secrets Detection · Container Security · CI/CD Security

AppSec & DevSecOps Training Labs

available

Ready-to-use hands-on labs covering the full AppSec and DevSecOps stack. Clone it, run it.

What it is

A repository of self-contained training labs covering the core AppSec and DevSecOps domains: SAST, SCA, IaC security, secrets detection, container security, threat modeling, and CI/CD security controls.

Each lab includes setup instructions, a vulnerable or misconfigured target environment, guided exercises, and expected outcomes. No external platform required — everything runs locally.

Why I built it

Most AppSec training either lives behind a paid platform or is so disconnected from real tooling that engineers cannot apply it directly to their pipelines.

I wanted something you could fork today and use tomorrow in an internal training session, a Security Champions workshop, or personal practice — without any dependencies beyond Docker.

Problems it solves

  • Existing training requires expensive platform subscriptions
  • Labs don't reflect real pipeline and tooling environments
  • No practical material for Security Champions programs
  • Security training disconnected from engineering workflows

Docker · GitHub Actions · Checkmarx · Snyk · Trivy · Terraform · Python · Bash

Stack

Capabilities across AppSec & delivery

Technologies, platforms, and security practices I have worked with throughout my career across Application Security, DevSecOps, cloud security, and secure software delivery, supporting the implementation of scalable controls, stronger engineering standards, and more resilient development pipelines.

SAST / SCA / DAST · Security tooling

Checkmarx AST · Snyk · Veracode · SonarQube · Fortify · GHAS · Trivy · Semgrep · Black Duck · OWASP Dependency-Check · Gitleaks · TruffleHog · GitGuardian · Detect Secrets

Cloud · IaC · Containers · Platform security

Azure · AWS · GCP · Terraform · Bicep · ARM · Helm · Docker · Kubernetes · Aqua · Sysdig · Falco · OPA · Conftest · Azure Policy · TFLint · GuardDuty · Security Hub · Azure Defender for Cloud · Key Vault · Security Command Center · IAM · Workload Identity

CI/CD · Pipelines · DevSecOps enablement

GitHub Actions · Azure DevOps · GitLab CI/CD · Jenkins · AWS CodePipeline · Break-build security gates · Policy gates · Automated security validation · Pipeline governance · Release protection · Secrets scanning in pipeline · Artifact validation

AppSec practices · Secure SDLC

Threat Modeling · STRIDE · LINDDUN · OCTAVE · Secure Code Review · Security Champions · Vulnerability Management · Security by Design · Shift Left · Secure SDLC · OWASP Top 10 · OWASP ASVS · OWASP MASVS · OWASP SAMM · Developer enablement · False positive validation · Remediation guidance · Business risk-based security

Standards · Governance · Compliance

ISO 27001 · NIST · PCI DSS · CIS Controls · SANS Top 20 · Policy as Code · Governance · Risk management · Compliance alignment · Secure engineering standards

Programming · Automation · Engineering

Python · JavaScript · TypeScript · Java · C · C++ · Bash · PowerShell · YAML · JSON · REST APIs · Automation & secure integrations