Timo Pagel

Lead Security Architect

• Regular analysis, guidance, conduction of threat modeling including risk assessment and architecture management for microservices and cloud architectures
• Lead Application Security Program manager incl. periodical assessment and refinement based on OWASP SAMM and OWASP DSOMM with reporting to CEO, CISO, CTO
• Auditing, assessments, and penetration testing of complex IT Systems like access control concepts, OAuth, multi factor authentication, kubernetes, and Java microservices, version control system platform, webserver
• Consulting on secure coding practices and security-related code review
• Consulting and implementation of Kubernetes security, including container security, distroless containers, patching, Network Policies, Network Encryption/Service Mesh, Ingress/Egress Traffic Filtering, securityContext, Secrets Management, and Data Storage
• Cloud native security consultation, e.g. Kubernetes, secrets management, network policies, service mesh, ingress/egress traffic filter, securityContext, data at rest
• Consulting related security in multi cloud (Azure, AWS, GCP)
• Consulting related security in AWS, e.g. basic controls like budget alerting, CloudTrail, MFA, HSM, GuardDuty, Secrets-Management, VPC, VPN
• Hardening of applications and cloud native components, based on industry standards like CIS Benchmarks
• Integration of security tests with Fossa/SAST, SonarQube/SAST, secureCodeBox/DAST, Trivy/SCA, Dependency-Track/SCA, DefectDojo/Vulnerability Management, including process implementation and training
• Responsibility for development and operation of the ClusterImageScanner (Container Security Scans) in a team, with deployment in Kubernetes using tools such as ArgoCD, Argo Workflows, Bash, Python, Git, Go, Helm, kubectl, S3, Slack, syft/SBOM, and Terraform
• Integration of Software Bill of Materials (SBOMs) into CI and upload to Dependency-Track
• Development of Secure Software Development Guidelines and Instructions, including Incident Response, adhering to common standards such as BSI IT-Grundschutz and ISO 27001
• Conduction of incident response
• Maintaining good security culture
• Security training for developers and internal security experts

DevSecOps Consultant and Trainer

• Development of concepts to integrate security into the development lifecycle
• Periodical assessment of the application security and review/adjustment of the application security program with OWASP DSOMM
• Conduction, guidance and training of threat modelings for complex IT systems like OAuth, MFA, Webserver, Kubernetes, and Java/JavaScript microservices
• Conception and implementation of continuous security tests with SCA/Dependency Track, DAST/secureCodeBox, and Vulnerability Management/DefectDojo
• Security training of developers internal security experts
• Hardening (incl. Secure By Default) of applications and cloud native components, based on industry standards like CIS Benchmarks (e.g. CentOS, Nginx)
• Build- and deployment with ansible

Security Architect

• Integration of a lightweight application security program
• Identification of threats and implementation of countermeasures in multiple JavaScript-based projects
• Web Application and Cloud Security Training
• Security consultation in Azure cloud environments, e.g. Azure Entra ID, Azure App Service

Security Strategist

• Development of an Application Security Program (application security maturity model with 3 levels)
• Lead development of "OWASP Metric Analyzer and Collector" to collect AppSec Program related metrics
• Web- and Cloud-Security training for internal security experts

CTO

• Java
• Container
• Build-Pipeline with Jenkins
• Vulnerability Management

Conduction of Security Trainings

DevSecOps Engineer

Work Student

Web Developer

Web Developer (Work Student)

• ennit interactive GmbH: Development of hotel booking systems in PHP
• QSC AG: Development of architecture metric dashboards in PHP
• P& M Agentur Software & Consulting GmbH: OT device software for trucks in C and JavaScript

System Administrator

• Administration of high availability server systems with Ubuntu
• Postfix, Postfix, KVM, XEN, bash, Apache2, DBMS, Jboss, PHP

University Lecturer

• Application Security for Bachelor at University of Applied Sciences Kiel
• IT Infrastructure at Wirtschaftsakademie Schleswig-Holstein
• Application Security for Master at University of Applied Sciences Wedel
• Application Security for Master at University of Applied Sciences Luebeck

Security Architect

• Consultation on the initiation of an application security program
• Conduction of threat modelings for the internal platform in Azure Cloud
• Penetration testing of web applications
• Creation of a dynamic test based asset inventory
• Conception of a plan and implementation of SAST/Veracode