Timo Pagel has been in the IT industry for over twenty-five years. After a career as a system administrator and web developer, he advises customers as a DevSecOps architect and trainer, integrating security into the development lifecycle, for example through security test automation for software and infrastructure and through assessments of complex applications in the cloud. In his spare time, he teaches "Web and Application Security" at various universities of applied sciences.
Certifications and Qualifications
Certifications and Trainings
Certified Cloud Security Professional
Certified Ethical Hacker
Participant of the iSAQB module "AGILA - Agile Softwarearchitektur" (Agile Software Architecture), 06.05.2019-08.05.2019
Volunteering
Leader: OWASP DevSecOps Maturity Model - https://dsomm.owasp.org
Contributor and Sponsor: OWASP secureCodeBox - https://www.securecodebox.io/
Member of the local OWASP Germany Board - https://owasp.org/www-chapter-germany/
EDUCATION AND EXPERIENCE
Experience
Lead Security Architect
SDA SE Open Industry Solutions (Hamburg, Germany)
2018 - 2024
Development and maintenance of an application security program
Regular analysis, guidance and conducting of threat modeling, including risk assessment and architecture management for microservices and cloud architectures
Lead Application Security Program manager, including periodic assessment and refinement based on OWASP SAMM and OWASP DSOMM, with reporting to CEO, CISO and CTO
Auditing, assessments and penetration testing of complex IT systems such as access control concepts, OAuth, multi-factor authentication, Kubernetes, Java microservices, version control system platforms and web servers
Consulting on secure coding practices and security-related code review
Consulting and implementation of Kubernetes security, including container security, distroless containers, patching, Network Policies, Network Encryption/Service Mesh, Ingress/Egress Traffic Filtering, securityContext, Secrets Management, and Data Storage
Cloud native security consultation, e.g. Kubernetes, secrets management, network policies, service mesh, ingress/egress traffic filter, securityContext, data at rest
Consulting on security in multi-cloud environments (Azure, AWS, GCP)
Consulting on security in AWS, e.g. basic controls such as budget alerting, CloudTrail, MFA, HSM, GuardDuty, secrets management, VPC and VPN
Hardening of applications and cloud native components, based on industry standards like CIS Benchmarks
Integration of security tests with Fossa/SAST, SonarQube/SAST, secureCodeBox/DAST, Trivy/SCA, Dependency-Track/SCA, DefectDojo/Vulnerability Management, including process implementation and training
Responsibility for development and operation of the ClusterImageScanner (Container Security Scans) in a team, with deployment in Kubernetes using tools such as ArgoCD, Argo Workflows, Bash, Python, Git, Go, Helm, kubectl, S3, Slack, syft/SBOM, and Terraform
Integration of Software Bill of Materials (SBOMs) into CI and upload to Dependency-Track
Development of Secure Software Development Guidelines and Instructions, including Incident Response, adhering to common standards such as BSI IT-Grundschutz and ISO 27001
Conducting incident response
Maintaining good security culture
Security training for developers and internal security experts
DevSecOps Consultant and Trainer
Signal Iduna (Hamburg, Germany)
2017 - Present
Integration of security into the software development lifecycle
Development of concepts to integrate security into the development lifecycle
Periodical assessment of the application security and review/adjustment of the application security program with OWASP DSOMM
Conducting, guiding and training of threat modeling for complex IT systems such as OAuth, MFA, web servers, Kubernetes, and Java/JavaScript microservices
Conception and implementation of continuous security tests with SCA/Dependency Track, DAST/secureCodeBox, and Vulnerability Management/DefectDojo
Security training of developers and internal security experts
Hardening (including Secure by Default) of applications and cloud native components, based on industry standards such as CIS Benchmarks (e.g. CentOS, Nginx)
Build and deployment with Ansible
Security Architect
NDA, Energy Economics (Switzerland)
2019 -
Introduction of a lightweight application security program
Integration of a lightweight application security program
Identification of threats and implementation of countermeasures in multiple JavaScript-based projects
Web Application and Cloud Security Training
Security consultation in Azure cloud environments, e.g. Azure Entra ID, Azure App Service
Development of an application security program based on OWASP DevSecOps Maturity Model
Development of an Application Security Program (application security maturity model with 3 levels)
Lead development of "OWASP Metric Analyzer and Collector" to collect AppSec Program related metrics
Web- and Cloud-Security training for internal security experts
CTO
FHUNii Media UG & Co KG (Kiel, Germany)
2015 - 2018
Creation of a 360 Degrees Online Event Management Platform
Java
Container
Build-Pipeline with Jenkins
Vulnerability Management
Conducting Security Trainings
Various Organizations
2016 - Present
Delivery of security knowledge on topics such as Container Security, Cloud Security, OWASP Top Ten, OWASP API Top Ten, Secure Coding, Open Policy Agent, and Kubernetes Security
DevSecOps Engineer
NDA (Kiel, Germany)
2016 - 2018
Evaluation and implementation of DevOps strategies to enhance the security of web applications
Work Student
Iteratec GmbH (Hamburg, Germany)
2014 - 2014
Evaluation and implementation of dynamic security tests (DAST) as a prototype for SecureCodeBox.io in Java
Web Developer
Lengalia (Hamburg, Germany)
2012 - 2013
Lead development and maintenance of a web vocabulary trainer in PHP and JavaScript
Web Developer (Work Student) (Germany)
2010 - 2014
Development in PHP, JavaScript and C++
ennit interactive GmbH: Development of hotel booking systems in PHP
QSC AG: Development of architecture metric dashboards in PHP
P&M Agentur Software & Consulting GmbH: OT device software for trucks in C and JavaScript