Luis Siccha

About

Background, trajectory, and how I think about software.

I'm Luis — a Software Security Engineer based in Trujillo, Perú, working remotely for a company in Lima. My background is in full-stack development, and over the past years I've moved toward application security, identity management, and cloud infrastructure.

This page is a brief summary of how I got here.

Timeline
2019 – 2024 Systems Engineering
UPAO — Trujillo

Studied Computer and Systems Engineering. Graduated in the top 10% of my class.

2022 – 2024 First Development Roles
InStrategy · Centro ICT · Freelance

Internships and early professional work. Built web applications with Angular, React, Spring Boot, and AWS. Learned by shipping real products.

2024 Full Stack Developer
eBIZ Latin America — Lima

Enterprise B2B platforms. Event-driven architectures with Kafka. Backend services with Spring Boot, frontend with Angular.

2025 Full Stack Developer — Team Lead
eBIZ Latin America — Lima

Led a small team. Designed SSO integrations (SAML 2.0, Azure AD B2C). Managed AKS clusters and cloud infrastructure. Introduced security tooling into the development lifecycle.

2026 – Present Software Security Engineer
eBIZ Latin America — Lima

Application security, identity management with Keycloak, vulnerability analysis with Snyk, perimeter security with Azure Front Door. Also teaching full-stack bootcamps on the side.

Approach

Security is part of how I build, not a step added later. I've written the code that security tools flag and operated the systems those tools protect. That context shapes everything.

I'd rather prevent a vulnerability in a design review than find it in a pentest.

Principles
  • Secure by design: Push security into defaults and CI/CD, not into checklists after the fact.
  • Identity is a boundary: Auth flows, token lifetimes, and session management deserve the same rigor as any critical system component.
  • Threat models over assumptions: Map trust boundaries and failure paths before writing code. Assumptions compound.
  • Clarity over cleverness: Small, auditable changes. Simple configurations. No elaborate abstractions.
  • Observe everything: Logs, traces, and failure modes are security controls. If you can't observe it, you can't protect it.

In practice
  • Review auth flows for trust boundaries, token handling, and least-privilege violations.
  • Embed security in pipelines and defaults — not gates teams route around.
  • Design identity integrations (OIDC, SAML, Keycloak) with production failure modes in mind.
  • Work alongside developers as an engineer, not an auditor.