Security is part of how I build, not a step added later. I've written the code that security tools flag and operated the systems those tools protect. That context shapes everything.
About
Background, trajectory, and how I think about software.
I'm Luis — a Software Security Engineer based in Trujillo, Perú, working remotely for a company in Lima. My background is in full-stack development, and over the past years I've moved toward application security, identity management, and cloud infrastructure.
This page is a brief summary of how I got here.
Studied Computer and Systems Engineering. Graduated in the top 10% of my class.
Internships and early professional work. Built web applications with Angular, React, Spring Boot, and AWS. Learned by shipping real products.
Enterprise B2B platforms. Event-driven architectures with Kafka. Backend services with Spring Boot, frontend with Angular.
Led a small team. Designed SSO integrations (SAML 2.0, Azure AD B2C). Managed AKS clusters and cloud infrastructure. Introduced security tooling into the development lifecycle.
Application security, identity management with Keycloak, vulnerability analysis with Snyk, perimeter security with Azure Front Door. Also teaching full-stack bootcamps on the side.
At eBIZ I'm deepening security work — identity flows with Keycloak, threat modeling, and pulling security tooling earlier into the development lifecycle. Increasingly absorbing architectural decisions across the platform.
Outside of work, I present papers in an NLP research group — recently SARC, zFLoRA, RPT — and I'm writing more deliberately in English, including this site.
I'd rather prevent a vulnerability in a design review than find it in a pentest.
- Secure by design
Push security into defaults and CI/CD, not into checklists after the fact.
- Identity is a boundary
Auth flows, token lifetimes, and session management deserve the same rigor as any critical system component.
- Threat models over assumptions
Map trust boundaries and failure paths before writing code. Assumptions compound.
- Clarity over cleverness
Small, auditable changes. Simple configurations. No elaborate abstractions.
- Observe everything
Logs, traces, and failure modes are security controls. If you can't observe it, you can't protect it.
- Review auth flows for trust boundaries, token handling, and least-privilege violations.
- Embed security in pipelines and defaults — not gates teams route around.
- Design identity integrations (OIDC, SAML, Keycloak) with production failure modes in mind.
- Work alongside developers as an engineer, not an auditor.