Donovan Francesco
Verified Expert in Engineering
DevSecOps and Security Architecture Developer
Johannesburg, Gauteng, South Africa
Toptal member since May 18, 2021
Donovan is a senior DevSecOps specialist with over 21 years of experience in the IT industry. He is an AWS, GCP, and Azure services expert, specializing in infrastructure as code (IaC) using Terraform, Ansible, Chef, and Puppet to drive automation and security standards in CI/CD pipelines. Donovan is a veteran at solving complex problems, and with his unique security background, he architects solutions using industry best practices.
Preferred Environment
Terraform, Kubernetes, Google Cloud Platform (GCP), Azure, Amazon Web Services (AWS), DevSecOps, DevOps Engineer, Networks, Continuous Integration (CI), Continuous Delivery (CD)
The most amazing experience was architecting, building, and deploying an OpenStack cluster with Ceph as back-end storage to run more than 5,000 customer workloads.
Work Experience
AWS DevOps Engineer
Prometheus Technologies Ltd
- Built the entire infrastructure as code in AWS using Terraform and Terraform Cloud. This consisted of over 20 modules and was dynamic enough to deploy multiple environments without complexity.
- Authored Helm 3 charts for more than 10 individual projects, deployed to the AWS EKS clusters using Argo CD as the pipeline.
- Created Terraform Cloud manifests with encrypted secrets alongside AWS Secrets Manager to use the Kubernetes CSI driver that exposes secrets at runtime.
- Developed and deployed both Confluent Kafka Terraform modules and Atlas MongoDB using AWS PrivateLink, following best practices and addressing security concerns.
Senior Systems and DevOps Engineer
Mas
- Wrote Terraform modules to deploy the customer's stack into Azure, which included migration from native Kubernetes to AKS.
- Wrote Helm charts to deploy the customer's in-house software and used Argo CD for the deployments.
- Utilized GitHub Actions to trigger CI/CD pipelines to build and test, do SAST scanning and smoke tests, and enable the promotion of code to upper environments.
- Enabled Terraform's consumption of Azure services, including AKS, Key Vault, Azure Active Directory, Azure DNS, VNet peering, VPN peering, and ACR.
- Deployed Prometheus, Thanos, Grafana, Loki, Tempo, and Alertmanager for telemetry and monitoring.
Senior Systems and DevOps Engineer
MAS S.A.
- Implemented DRY (Don't Repeat Yourself) methodology, which improved the time to deliver/deploy by more than 60%. Implemented quality gates based on code smells, code complexity, code vulnerability, and security hotspots.
- Deployed Kubernetes to bare metal using Ansible (Kubespray) and Terraform to maintain the state of the deployments and version control.
- Updated and modernized their GitLab CI/CD pipelines to include Snyk open source to identify potential risks.
- Implemented Anchore image scanners to help identify and mitigate container vulnerabilities.
- Reduced the Docker image size from 2 GB to 500 MB by using fewer layers in their deployment.
- Implemented the Grafana stack with Loki, Tempo, and Jaeger. This drove the time to resolution down by more than 40% because there was a single point to discover bugs, issues, or resource contention.
- Used Argo CD with Helm 3 to ensure CI/CD configuration was automated, and deployment was zero-touch. Implemented versioning which made it easier to roll back.
- Integrated the ELK stack with a machine learning module to alert on anomalies.
- Ensured the Kafka message bus was durable and could back up the topics and queues.
DevOps and Kubernetes Engineer
Pano AI, Inc
- Built the infrastructure using Terraform to comply with Google best practices and ISO 27001 and PCI DSS compliance.
- Implemented Terraform Cloud with workload identity and short-lived service accounts in conjunction with Terraform workspaces to provide encrypted variables and encrypted, remote state.
- Implemented GitHub Actions to build, test, and conduct static code analysis with SonarQube for code smells, complexity, and coverage.
- Used Jaeger tracing with Grafana Tempo and Grafana Loki for event monitoring.
- Used Terraform workspaces to create development, staging, and production environments.
- Rewrote existing Terraform code, made the IaC idempotent and integrated it with Terraform Cloud.
- Improved the continuous deployment pipelines with Helm 3 for packaging and the version release process.
- Implemented custom metrics using Stackdriver to autoscale infrastructure based on application load or load balancer HTTP requests.
- Implemented Argo CD to ensure the Helm deployments were versioned and reflected in source control.
- Implemented Infracost in the pipelines, which showed in the workflow how much the resources would cost if the Terraform plan was applied.
Site Reliability Engineer
Toptal Client
- Ensured all relevant applications were PCI compliant. This included documentation, application flow, architectural diagrams, and system architecture. This spanned between Windows Server and Linux.
- Built environments based on Cloud Adoption Framework for Terraform, including VNet, VNet peering, resource groups, DNS records, AKS, firewall policies, identity management, app service plan deployment, and Azure DevOps.
- Wrote custom modules in TypeScript and C# to integrate into their new CRM and planning tool built in-house.
- Conducted penetration testing exercises. Wrote fuzzing and reverse shell exploitation. Used Kali Linux with Metasploit and OWASP ZAP to intercept web calls and manipulate payloads.
- Implemented the Istio service mesh for east-west security controls, including using OPA (Open Policy Agent) inside AKS.
- Managed and maintained F5 and Check Point appliances and virtual devices.
- Implemented DRY (Don't Repeat Yourself) methodology, which improved the time to deliver/deploy by more than 60%. Implemented quality gates based on code smells, complexity, vulnerability, and security hotspots.
- Implemented Anchore image scanners to help identify and mitigate container vulnerabilities.
- Implemented the Grafana stack with Loki, Tempo, and Jaeger. This drove the time to resolution down by more than 40% because there was a single point to discover bugs, issues, or resource contention.
- Used Argo CD with Helm 3 to ensure CI/CD configuration was automated, and deployment was zero-touch. Implemented versioning which made it easier to roll back changes.
VP Infrastructure Engineer
Yoyo Group
- Oversaw the Yoyowallet platform with more than 5 million users. Completed the technical design and implementation with my teams.
- Implemented AWS patterns using Terraform for our IaC. Applied extensive experience in AWS networking, security, and deployment methodology.
- Advocated and sponsored the GitHub Actions migration of more than 700 repositories.
- Implemented security and dependencies scanning using Nessus, OWASP ZAP, SonarQube, Tekton CI, Argo CD, and EKS to store clean images in ECR.
- Deployed services using Terraform, utilizing ECS, RDS, EC2, NLB, ALB, target groups, auto-scaling groups, DynamoDB, and EKS.
- Oversaw the security and architectural design for compliance with various ISO and SOC2 requirements.
- Implemented the Istio service mesh to apply security controls to east-west traffic using OPA (Open Policy Agent) for Kubernetes.
- Integrated AWS Cognito with third-party IdPs, such as SAML or OpenID Connect (OIDC), with Auth0 and Okta as identity servers.
- Managed and maintained client-facing F5 appliances, including patching and the web application firewall (WAF), and protected the Azure Virtual Network (VNet) peering and AWS VPCs.
- Implemented the Grafana stack with Loki, Tempo, and Jaeger. This drove the time to resolution down by more than 40% because there was a single point to discover bugs, issues, or resource contention.
AWS DevOps
Toptal Client
- Implemented DRY (Don't Repeat Yourself) methodology, which improved the time to deliver/deploy by more than 60%. Implemented quality gates based on code smells, complexity, vulnerability, and security hotspots.
- Built the entire infrastructure using Terragrunt and Terraform, deploying many AWS technologies to support 10,000 concurrent users per second.
- Used Argo CD with Helm 3 to ensure CI/CD configuration was automated, and deployment was zero-touch. Implemented versioning which made it easier to roll back changes.
- Deployed the Atlantis PR workflow using AWS Fargate.
- Implemented the Grafana stack with Loki, Tempo, and Jaeger. This drove the time to resolution down by more than 40% because there was a single point to discover bugs, issues, or resource contention.
- Utilized AWS Lambda to transform log output into Loki.
- Integrated the ELK stack with a machine learning module to alert on anomalies.
- Implemented Anchore image scanners to help identify and mitigate container vulnerabilities.
- Added Infracost to their GitHub Actions to show how much a Terraform plan would cost to deploy.
- Performed cost analysis and introduced FinOps using Optscale.
Senior DevOps Engineer
Toptal Client
- Implemented DRY (Don't Repeat Yourself) methodology, which improved the time to deliver/deploy by more than 60%. Implemented quality gates based on code smells, complexity, vulnerability, and security hotspots.
- Tested and deployed node pools for EKS 1.16 and upgraded EKS to 1.21.
- Migrated the customer from self-managed Redis and MongoDB to AWS Redis cache and Amazon DocumentDB. This was a significant milestone in achieving proper high availability.
- Mitigated risk by implementing AWS Secrets Manager with the CSI driver into EKS. This meant no password or API key was passed unencrypted.
- Documented DevOps and DevSecOps best practices and design patterns using a hybrid AWS and OSS model, where I introduced Prometheus, Grafana, Thanos, and Loki for visualization.
- Implemented the Grafana stack with Loki, Tempo, and Jaeger. This drove the time to resolution down by more than 40% because there was a single point to discover bugs, issues, or resource contention.
- Used Argo CD with Helm 3 to ensure CI/CD configuration was automated, and deployment was zero-touch. Implemented versioning which made it easier to roll back changes.
- Integrated the ELK stack with a machine learning module to alert on anomalies.
Director of DevSecOps and Security Architecture
DotModus
- Served as the principal technical lead for DevSecOps and security architecture at a global media company running on Azure. Managed the architecture and design of security best practices and frameworks to increase the security posture.
- Approved design patterns as a Technical Design Authority (TDA) member. Ensured design patterns and frameworks were used to guide the development process and governing standards.
- Implemented a secure software delivery lifecycle framework. Educated developers to adhere to industry best practices and design patterns approved by the technical design forum.
- Identified critical common vulnerabilities and exposures (CVE) and designed policies and procedures to minimize the blast radius.
- Implemented honeypot environments and Chaos Monkey red team drills to adhere to SLAs and keep the engineering team's skills up-to-date.
- Implemented system auditing to adhere to ISO2007+, NIST CSF, and PCI DSS compliance. Provided evidence to external auditors based on our customers' requirements.
- Gathered technical and business requirements to develop roadmaps that complied with security governance standards.
- Adhered to and enforced legislative policies, including but not limited to GDPR, PII, HIPAA, and POPIA acts to encrypt data in flight and at rest.
- Implemented an Istio service mesh across multiple clusters. In addition, I used AWS Cognito with Google IdP, Auth0, and Okta for third-party JSON Web Token (JWT) claims.
- Completed penetration testing exercises. Wrote fuzzing and reverse shell exploitation. Used Kali Linux with Metasploit and OWASP ZAP to intercept web calls and manipulate payloads. Used Burp Suite Pro in conjunction with OWASP ZAP.
Principal Technical Lead, Platform Engineering and Security
Dimension Data
- Led a team of highly skilled engineers over two different business units. Conducted the strategic planning and execution of critical projects and defined reporting line structures and overall management of business units.
- Designed and implemented security policies and frameworks to increase compliance for external auditing companies based on customer requirements. Educated executive leadership on ISO2007+, NIST CSF, and PCI DSS compliance.
- Introduced concepts, such as honeypots, including low-interaction honeypots. This type of honeypot is elementary to construct, but it might look "phony" to a hacker. It runs a narrow set of services that exemplify the most prevalent attack vectors.
- Designed and implemented demarcated zones, such as high-interaction honeypots. This honeypot employs virtual machines to ensure that potentially compromised systems are isolated.
- Designed and implemented pure honeypots, which are time-consuming and challenging to build and manage but are authentic targets. Based on their purpose, there are two categories of honeypots: research and production.
- Owned and drove security tracing throughout the delivery lifecycle of software or supporting systems, including business policies and processes, tooling, technology, and compliance with enterprise security standards.
- Adhered to and enforced legislative policies, including but not limited to GDPR, PII, HIPAA, and POPIA acts to encrypt data in flight and at rest.
- Deployed, operated, and implemented the Istio service mesh inside Kubernetes.
- Managed and maintained customer equipment, including VMware patching and customization, and storage area networks connected through Fibre Channel on EMC arrays.
- Provided diagrams and integration diagrams to depict various customer-specific designs clearly. All support, maintenance, and monitoring with infrastructure as code was authored by me for a few clients.
Principal Technical Lead, OSS
Dimension Data
- Led a team of highly skilled engineers, managing large budgets and strategic planning to execute critical projects for the business. Drove projects using the Agile methodology and presented live demos to the executives.
- Managed the network monitoring team, which had more than 65,000 endpoints, led the architecture and engineering team from the front, and trained the engineers.
- Oversaw security for the EMEA region and the architecture and solution design with Cisco to deploy and automate the network using SDN securely.
- Managed the network security architecture, platform security architecture, cloud, application, middleware security architecture, and identity access management architecture. This included on-premise and migrations to AWS and GCP with SSO.
- Leveraged design thinking concepts to architect and build bespoke customer solutions with legacy systems and industrialization of modern go-to-market services, leveraging public cloud technologies.
- Adhered to and enforced legislative policies, including but not limited to GDPR, PII, HIPAA, and POPIA acts to encrypt data in flight and at rest.
- Worked on VMware patch and security updates. Maintained system diagrams and documentation of the architecture. Handled Windows and Windows server updates and customizations and IIS load balancing, along with terminal services load balancing.
Cloud Architect, Infrastructure and Security
Dimension Data
- Built the first public cloud platform for Africa using OpenStack and Ansible for deployment. Used Prometheus for scraping agents, APIs for monitoring, and Grafana as a visualization platform.
- Operated a public cloud for over 1,000 customers while being responsible for this cluster's architecture, running, and maintenance.
- Learned much from this exercise on designing our automation using Ansible and Jenkins with some custom code to call the OpenStack APIs and deploy VMs on behalf of the customer.
- Architected a cloud migration strategy and solutions, focusing on security. Supported cross-functional teams to investigate, analyze, and make recommendations to leadership on current strategy or operational issues.
- Utilized critical thinking and skills when working with users and groups at all levels to obtain requirements. Approached issues with an analytical mindset and thinking of the big-picture solutions.
- Designed security architecture elements to mitigate threats as they emerge.
- Conducted penetration testing exercises. Wrote fuzzing and reverse shell exploitation. Used Kali Linux with Metasploit and OWASP ZAP to intercept web calls and manipulate payloads. Used Burp Suite Pro in conjunction with OWASP ZAP.
- Worked on Windows and Windows server automation to roll out CI/CD pipelines. Handled VMware cluster management and support. Built the system architecture design using AD FS and single sign-on.
Senior Cloud Support Engineer
Amazon Web Services (AWS)
- Served as a subject matter expert for Linux and RDS. Was part of the senior support team assisting customers in migrating workloads from on-premise to the public cloud.
- Assisted large customers with their AWS infrastructure as a key resource.
- Became an SME in EC2 and RDS. This was one of my highlights while working at AWS, and it opened my ambition to investigate other hyperscalers.
Executive Manager, Systems
DNS Solutions ZA
- Managed the deployment of multiple OpenStack environments to present the customer with infrastructure as a service for developers to deploy their code via an automation pipeline using Jenkins.
- Used Puppet out of habit but found the DSL and parallelism problematic. I switched from Puppet to Ansible for high-velocity automation and ease of use.
- Trained and mentored our mid-level engineers and helped architect a multi-datacenter solution for resiliency.
Senior Systems Manager
Open Network Holdings
- Contracted to build a computing platform that handled various workloads; this was before the cloud wave happened. Automated infrastructure and networking deployments.
- Acted as an integral part of the team and trained and mentored juniors reporting to me. Built our own CI/CD platform on the back of Jenkins, automated building and packaging code, and used Puppet to deploy artifacts.
- Used different technologies, such as OpenStack, Ceph, InfiniBand HPC networking, GlusterFS, Perl and Bash scripting, KVM virtualization, Splunk, and centralized system logging.
- Introduced an SDLC process and system to get code out. The artifact would go through multiple stages to check for vulnerabilities, code coverage, and general app hygiene.
Network Security Manager
ECN Telecommunications
- Built the core infrastructure the company used to support VoIP to their customers. The implementation spanned multiple regions, and I was solely responsible for the automation and security of the system.
- Implemented Puppet as a tool to automate more than 400 remote servers.
- Ensured the network was secured using various white hat principles and tooling to patch the platform against malicious attacks.
- Implemented FCAPS. The five levels are fault management (F), configuration management (C), accounting management (A), performance management (P), and security management (S).
- Supported development and submissions of budgetary and investment plans.
- Designed security architecture elements to mitigate threats as they emerge.
- Conducted penetration testing exercises. Wrote fuzzing and reverse shell exploitation. Used Kali Linux with Metasploit and OWASP ZAP to intercept web calls and manipulate payloads. Used Burp Suite Pro in conjunction with OWASP ZAP.
IT Manager
M & D Laminates
- Built a hub-and-spoke network allowing multiple branches to connect and use internal business applications. Trained and supported junior engineers and shared knowledge regarding system architecture and network design.
- Used different technologies, from Linux servers that managed incoming sessions and firewalling to email and web hosting linked to the Microsoft Active Directory.
- Improved remote work for the company, which allowed the business to accelerate its vision.
- Supported development and submissions of budgetary and investment plans.
- Designed security architecture elements to mitigate threats as they emerge.
Linux and Windows Engineer
Networks Online
- Contributed to supporting and maintaining onsite client solutions. Supported bespoke customer requirements.
- Attended to roughly 40 clients, remotely and onsite, ranging from network, VLAN, and segmentation to DBA administration and domain controller policies.
- Configured and maintained a large-scale VPN deployment with webpage caching.
Linux and Windows Engineer
SA Feed
- Managed all IT administration and configuration and a few Linux servers that provided website hosting, firewalling, and secure access to network-provided storage.
- Used technologies such as the iptables firewall, a Samba domain controller, Qmail, Windows support, PC hardware support, Apache web servers, Squid proxy servers, and BIND 8 (DNS).
- Managed all IT operations of the company, increasing accessibility to business-critical services, and improving the user experience.
- Supported cross-functional teams to investigate, analyze, and make recommendations to leadership on the strategy or operational issues.
Experience
Venture-backed Startup
https://pano.ai
Kubernetes on Bare Metal
https://maseurope.com
SRE and Automation
https://sandhills.com
Migration of EC2 Services to EKS
https://www.azrieli.com/
Terraform Automation from AWS CloudFormation
https://www.tetrascience.com/
Professional Services – Migration to AWS and Microservices
https://yoyowallet.com
Perimeter and API Defense
http://www.dentsu.com
I worked across multiple teams to keep the project flowing with the least friction and managed budgets and resources, including writing the actual code to get the project over the line for a third-party client. I introduced automation for whitelisting ingress and blacklisting egress to known bad actors and established path-based routing to enforce security policies between logical zones of clusters.
Network Security Inside a Service Mesh
https://www.dotmodus.com/
Federated Identity with SSO
https://www.dotmodus.com/
Mobile Bank App Deployment
https://www.dotmodus.com/
Federated GraphQL Security
https://www.dotmodus.com/
Migration Services to Amazon EKS
https://www.dimensiondata.com/
On-premise Migration to Public Cloud
https://www.dimensiondata.com/
Education
High School Diploma in Computer Science
ACE Christian Academy - Johannesburg, South Africa
Certifications
Red Hat Certified Engineer (RHCE)
Red Hat
Red Hat Certified System Administrator (RHCA)
Red Hat
Sair Linux and GNU Certification
INTEC Education Group
Skills
Libraries/APIs
Node.js
Tools
Terraform, Ansible, Git, Cron, Helm, Nagios, AWS ELB, Grafana, Subversion (SVN), RabbitMQ, MQTT, Amazon Simple Queue Service (SQS), Amazon CloudWatch, AWS Fargate, Jenkins, CircleCI, Azure Kubernetes Service (AKS), GitHub, GitLab CI/CD, Amazon EKS, Squid Proxy Server, NGINX, Amazon Elastic Container Service (ECS), AWS CloudFormation, Amazon Virtual Private Cloud (VPC), AWS IAM, Logging, Confluence, Istio, Kubernetes HorizontalPodAutoscaler (HPA)
Languages
Bash Script, Bash, Python 3, Python, SQL, PHP, TypeScript, Java, Go
Paradigms
DevSecOps, DevOps, Azure DevOps, Continuous Integration (CI), Continuous Development (CD), Continuous Delivery (CD), Microservices Architecture
Platforms
Kubernetes, Google Cloud Platform (GCP), Azure, Amazon Web Services (AWS), Docker, Apache Kafka, Linux, Azure IaaS, AWS NLB, OpenShift, Rancher, Amazon EC2, AWS Lambda, AWS IoT
Storage
Google Cloud, MongoDB, MySQL, Google Cloud Storage, Data Centers, IIS SQL Server, Elasticsearch, Amazon Aurora, Databases, Amazon S3 (AWS S3), PostgreSQL, Datadog, Redis
Industry Expertise
Cybersecurity, Network Security
Frameworks
Windows PowerShell, .NET, Ruby on Rails (RoR)
Other
DevOps Engineer, CI/CD Pipelines, Site Reliability Engineering (SRE), System Administration, Cloud Services, Networking, Virtualization, Monitoring, Cloud Security, Shell Scripting, HAProxy, Infrastructure as Code (IaC), User Stories, VM Engineering, Azure Virtual Machines, Firewalls, AWS DevOps, Configuration Management, Application Security, Web Security, Security, Identity & Access Management (IAM), Architecture, Load Balancers, Cloud, Agile DevOps, Amazon RDS, K3s, TCP/IP, Proxies, WebSockets, Argo CD, Containers, Cloud Infrastructure, Stackdriver, Prometheus, GitHub Actions, Containerization, Networks, Cloudflare, AWS Certified DevOps Engineer, Policy as code (PaC)