Alejandro Saenz

Staff Product Security Engineer

• Lead strategic security initiatives across multiple product teams and engineering organizations
• Architect and implement enterprise-scale security frameworks and automation solutions
• Drive security culture transformation through mentoring, training, and cross-functional collaboration

Senior Product Security Engineer

• Designed and developed Snyk Autofactory, an automation framework written in TypeScript and implemented using the Serverless framework. This application seamlessly imports GitHub repositories from over 130 GitHub organizations into Snyk. Additionally, Snyk Autofactory collects Snyk security metrics, automatically archives Snyk projects associated with archived GitHub repositories, and synchronizes Snyk organizations with GitHub organizations. It utilizes AWS services such as Lambda and ECS for efficient execution.
• Designed and developed the Product Security Metrics Framework (Multivac), empowering security engineers to swiftly develop custom security metrics and seamlessly deploy them on AWS using services such as Lambda and ECS. Additionally, facilitated the creation of security metric dashboards with Snowflake, Tableau, or Domo.
• Regularly mentor new and current teammates on a weekly basis, providing guidance and support in software development, product security processes, and design reviews. This ensures that any questions are addressed promptly and assists in enhancing their understanding of the subject matter.

Product Security Engineer

• Led the security review process for Segment’s Data Purge feature providing clients the ability to protect the privacy and security of customer data and adhere to legislation and privacy regulations. This required organizing and performing multiple threat models in addition to managing security engineers.
• Upgraded an existing application called Data Inventory to be self-service bridging the gap between data store ownership and engineering teams. The Data Inventory project consisted of a Retool application, a Slack bot, and a security metrics cron job. Each of the components were built with Node.Js. Data Inventory won the “Dino Stomp” award in 2021 during Twilio Segment’s R&D demo day competition. Furthermore, Data Inventory was demoed at the Twilio wide engineering operations review.
• Assisted in the Threat Model Coverage strategic project where the team and I designed and developed a security metrics framework to determine coverage across Twilio.
• Assisted in the Singular Security Review (SSR) strategic project where the team and I designed a singular point of entry for all security reviews. SSR compoiled engineering intake and automatically associated the required security teams to the review. Furthermore, SSR utilized a custom JIRA workflow which required collaboration with the internal JIRA development team.
• Took over Snyk liaison responsibilities for Twilio which required regular interfaces with the Snyk team, assisting engineering with utilizing Snyk, and designing and developing custom Snyk tooling such as building out robust Snyk security metrics.
• Assisted the Product Security team with operational work such as maintaining and triaging Bugcrowd submissions. This includes validating, triaging, and assigning submissions to the proper engineering team.
• Demoed around dozen times at the internal Information Security demo days.

Senior Application Security Engineer

• Provides web application static code analysis and dynamic penetration testing
• Develop application security assessment reporting standards and templates
• Research and develop internal security tools to optimize team performance
• Provide application security training including brown bags, lectures, and hands-on laboratories
• Lead and assist technical interviews for software developer and security candidates
• Lead developer of Bulwark an organizational asset and vulnerability management tool

Senior Software Developer

• A software development team lead responsible for assuring functional execution of sprint goals
• Engineer and develop backend implementations, utilizing a microservice architecture, using Node.JS with the Loopback framework.
• Engineer and develop front-end implementations using Angular 4 with typescript
• Develop and maintain a web application coding assignment to assist with candidate interviews
• Lead and assist technical interviews for software developer candidate
• Perform quarterly static and dynamic web application security assessments
• Develop application security assessment reporting standards and templates
• Assist with developer security training

Application Security Consultant

• Engineer and develop front-end implementations of internal tools, including with microservice architectures, using TypeScript, AngularJS, and the latest version of Angular
• Engineer and develop front-end implementations for a cloud-based IDE using Monaco Editor
• Perform secure code reviews, web penetration testing, and SDLC consulting
• R&D for both offensive and defensive security techniques
• Contribute to open source security projects and collaborate with the broader application security community
• Contribute to training presentations and coding tutorials for colleagues

Software Engineer

• Played an integral part in the success of the scrum team by developing and delivering user stories
• Developed a Single Page Application using Java, AngularJS, Bootstrap CSS, and HTML5
• Provided support for major software development reviews including initial requirements review and preliminary/incremental/critical design reviews
• Provided support for scrum effort estimation and story points for software release development
• Assisted with CDRL development on multiple documents including design, development, and peer reviews with a systems engineering team

DevSecCon 2024: From Novice to Catalyst: Scaling Security tools with Metrics

Ten Years of Bug Bounty Programs: Updates to Twilio's Approach

Bulwark Featured in TL;DR Sec Newsletter

Absolute Appsec Ep. #247

Virginia Commonwealth University