Karl Marx Thangappan
Verified Expert in Engineering
Security Architect and Developer
London, United Kingdom
Toptal member since November 4, 2022
Karl is a security architect and cloud engineer with 14+ years of experience in the IT industry. He specializes in product security and compliance, cybersecurity, DevSecOps, auditing, system automation, business continuity, and database management. Karl is also working as a security consultant and blog writer to share knowledge about AWS, Azure, GCP, database, and Oracle Apps DBA.
Experience
- Core Banking Systems - 10 years
- Information Security - 9 years
- Cloud Security - 7 years
- Cybersecurity - 7 years
- ISO 27001 - 5 years
- DevSecOps - 5 years
- CISSP - 1 year
Preferred Environment
ISO 27001, Databases, Cloud Security, Vulnerability Management, CISSP, Information System Audits, Identity & Access Management (IAM), Amazon Web Services (AWS), DevSecOps, Azure, Access Control, Architecture
The most amazing...
...thing I've done is designing, deploying, and reviewing security for a cloud infrastructure solution.
Work Experience
Product Security and Compliance Manager
Genesys
- Managed end-to-end product security and compliance, worked in groups to ensure the product was secure across AWS and Azure SaaS offerings, implemented DevSecOps for 70 products, and updated application security policy.
- Worked on AWS, Azure, GCP, CyberArk, Jira, Aha!, and DevSecOps tools such as Prisma, Black Duck, Checkmarx, and Tenable on the CI/CD pipeline for 60+ products to ensure compliance with SOC 2, ISO, and PCI DSS.
- Reviewed security of a new product called HLA, AWS and Azure infrastructures, and development and operational stages.
- Collaborated with the engineering and development teams to ensure all the products complied with policy and security standards, including ISO, SOC2, HIPAA, UK Cyber Essentials, PCI, and GDPR.
- Designed and implemented a PAM solution with CyberArk, applying RBAC, just-in-time access, and least privilege principles. Enforced security policies for on-premise and cloud environments for consistent access control and minimal privilege abuse.
- Evaluated new security requirements, tools, and products and designed and mapped the PII data flow for each product.
- Designed infrastructure and managed and deployed products in the AWS environment while utilizing VPC, routing, security group, internet gateway, EC2 instance, CloudWatch, CloudTrail, and Security Hub.
- Collaborated with the product manager to ensure all the products were reviewed using threat modeling, pentesting, third-party vulnerability assessment, and static and dynamic code analysis.
- Presented a security roadmap each quarter to leadership. Published an intranet blog for security standards and best practices and updated the security policy and standards.
- Designed and implemented OneLogin for enterprise Identity and Access Management (IAM), optimizing secure access and identity governance across the organization.
Technical Consultant
Letshego Microfinance Bank
- Managed 11 countries' IT systems, security, and monitoring.
- Implemented PAM CyberArk for all 11 countries with system design and grouping of the admin and onboarding admin accounts.
- Migrated data from the data center to the cloud (AWS and Azure).
- Developed and implemented a self-service IAM system with seamless workflow integration into the HR system (SAGE) and service desk.
- Designed and managed Joiner, Mover, and Leaver processes, ensuring division- and role-based access tailored to specific organizational needs.
- Integrated the SAGE system to automate identity and access management for each employee’s lifecycle event.
- Created a self-service portal for users to request roles, with an approval process before automatic assignment.
- Ensured streamlined user experience and adherence to security policies while minimizing manual intervention through automation and regular audits.
- Established a comprehensive audit process, allowing business owners to attest to users and their roles every six months, ensuring compliance and security.
- Handled the internal IT audit and review of the external audit findings. Deployed the SOC and IDS systems for security monitoring on all the systems.
Solution Architect
Nedbank Group
- Developed the system design for new regions as per compliance requirements.
- Handled the security review of all the deployment and new systems.
- Managed vulnerabilities for core banking systems for the application and back-end database.
- Optimized the reporting system for greater speed and reliability.
Consultant
Bancabc
- Worked on data asset security, identifying and maintaining various data sources and ensuring the data classification was aligned with business requirements.
- Handled software development security, designing a system focused on building secure access control and auditing capability that involved integration between the core banking and independent credit verification system.
- Contributed to security operations, designing, testing, and managing the automation of disaster recovery procedures, as well as integrating them with the application and infrastructure within MTD across all five geographies.
- Managed the security posture using the Center for Internet Security (CIS).
- Transformed the system security for identity verification and validation capabilities into government identity systems.
- Implemented Entra ID for IAM, enhancing security through risk-based login management and policy deployment. Streamlined access controls and enforced policies to ensure secure authentication and compliance across the organization.
Experience
Privileged Access Management Product
https://swotpam.com/
• Seamlessly integrated with LDAP, AWS, Azure, network tools, and databases, providing uniform management across hybrid and multi-cloud environments.
• Enabled just-in-time (JIT) access and enforced role-based access control (RBAC), adhering to least privilege principles to minimize over-privileged access.
• Automated workflows for privileged user requests, including multi-step approvals, provisioning, and revocation, with full audit trails.
• Implemented policy enforcement and compliance monitoring, aligning with regulatory standards such as SOX, GDPR, NIST, and ISO.
• Integrated multi-factor authentication (MFA) to strengthen security and provided real-time session monitoring and recording for privileged user activities.
• Designed the solution for scalability, supporting enterprise growth while ensuring robust security for both on-premise and cloud environments.
Lead DevSecOps Engineer
The journey began with a comprehensive analysis of our existing infrastructure and development practices. Recognizing the critical importance of security in modern software development, I initiated the adoption of Snyk to conduct SAST and dependency check scans. Leveraging its powerful capabilities, I developed custom scripts to automate the scanning process, ensuring a thorough examination of code for potential vulnerabilities and dependencies.
I also engineered a sophisticated script to parse and categorize scan results, creating separate Jira tickets for different projects and development teams based on severity and status.
I integrated GitLab, Snyk, and Splunk, a centralized logging and analytics platform.
Lead Operation Security
• Spearheaded the implementation of ISO 27001 standards, ensuring alignment with regulatory and security frameworks.
• Led risk management initiatives, identifying and mitigating potential threats to minimize vulnerabilities.
• Played a key role in multiple projects focused on integrating DevSecOps tools into the CI/CD pipeline, driving continuous improvement in security and development practices.
• Conducted thorough code reviews utilizing SonarQube, alongside executing manual security testing with Burp Suite to identify and resolve vulnerabilities.
Cloud Security
• Integrated GCP Security Command Center with Jira for unified security incident management.
• Implemented Lacework for enhanced threat detection and compliance monitoring.
• Deployed SonarQube for SAST and container scanning to ensure code quality and vulnerability assessments.
• Managed third-party library scans with Graye to mitigate potential vulnerabilities.
• Implemented WAF technology with Reblaze for web application security.
• Managed log data using DataDog efficiently for enhanced monitoring and incident response.
• Demonstrated expertise in managing GRC and ISO 27001 controls to ensure regulatory compliance.
DevSecOps
• Deployed Checkmarx, Black Duck, OWASP ZAP, Nessus, and Prisma Cloud for SAST, DAST, container scanning, network scanning, and vulnerability management as part of business-as-usual (BAU) operations.
• Worked with the development team to ensure critical and high vulnerabilities were fixed.
AWS System Design
• Implemented CIS Benchmark standards to enhance security posture and enabled comprehensive monitoring through AWS services such as CloudTrail, CloudWatch, Security Hub, and the Web Application Firewall (WAF).
Risk-based Vulnerability Management
• Mapping with client risk management.
• Prioritizing the vulnerability based on the risk assessment.
• Mapping with company policy violations.
• Mapping with control weakness.
• Automating with the Jira ticket system.
• Assigning to the asset owner and working with different teams to fix the vulnerabilities.
DevOps Pipeline Setup With GCP and GitHub
• Established a GitHub repository to host the project's source code and configurations.
• Managed access control to the repository, granting developer permissions.
CI/CD Pipeline Development:
• Implemented a robust CI/CD pipeline using GitHub Actions, enabling automatic builds and deployments.
• Configured distinct workflows for development, test, and production environments to ensure code quality and reliability.
GCP Cloud Integration:
• Seamlessly integrated the project with Google Cloud Platform services.
• Utilized GCP Cloud Run for containerized application deployment and scaling.
• Leveraged GCP Cloud Build for automating build processes and resource provisioning.
Workflow Automation:
• Engineered an approval workflow within GitHub to ensure controlled code promotion.
• Designed a system for code reviews and approvals before moving code changes between different environments.
Certifications
Certified Information System Security Professional (CISSP)
ISC2
Certified Ethical Hacker (CEH)
EC-Council
Stanford Advanced Computer Security Program
Stanford University
Certified Information System Auditor (CISA)
ISACA
AWS Certified Security Specialty
Amazon Web Services
Azure Security Engineer Associate
Microsoft
Skills
Libraries/APIs
OpenID
Tools
AWS IAM, Splunk, Azure Key Vault, SonarQube, Jenkins, GitHub, Terraform
Frameworks
OAuth 2, .NET, Windows PowerShell
Paradigms
DevSecOps, Fuzz Testing, Automation, Azure DevOps, B2B, B2C, Security Software Development, Penetration Testing, HIPAA Compliance, .NET Security Model, DevOps
Platforms
Amazon Web Services (AWS), Azure, Kubernetes, SharePoint, Google Cloud Platform (GCP), Oracle, QualysGuard, Rapid7
Storage
Databases, PostgreSQL, Amazon S3 (AWS S3), Azure Cloud Services, Database Security, Data Centers
Industry Expertise
Cybersecurity, Network Security
Languages
Go, SAML, YAML, C#.NET, Python
Other
Information Security, Cloud Security, Vulnerability Management, CISSP, Identity & Access Management (IAM), Security, Authentication, Vulnerability Identification, Cloud, IT Security, IT Audits, IT Systems Architecture, Disaster Recovery Plans (DRP), Migration, Security Architecture, Software Development Lifecycle (SDLC), Middleware, Architecture, Compliance, Monitoring, Privileged Access Management (PAM), ISO 27001, CyberArk, Information Audits, NIST, Software Architecture, Vulnerability Assessment, Risk Management, Threat Modeling, Security Testing, Solution Architecture, SecOps, Application Security, AWS DevOps, CI/CD Pipelines, Network Protocols, Networks, Security Analysis, Access Control, AWS Certified Solution Architect, Secure Containers, Containers, Container Orchestration, OWASP, SIEM, SOC 2, Single Sign-on (SSO), GitHub Actions, Asset Management, Endpoint Security, Security Audits, OAuth, Azure Cloud Security, Cloud Infrastructure, Active Directory (AD), OpenID Connect (OIDC), SAML 2.0, Cloud Architecture, Security Management, Security Engineering, IT Governance, Business Continuity, Information Asset Protection, Information Gathering, Hacking, Cloud Computing, Cryptography, Information System Audits, Information Security Management Systems (ISMS), PCI DSS, PCI Compliance, HITRUST Certification, APIs, Online Banking, Core Banking Systems, Know Your Customer (KYC), API Gateways, Host-based Security Systems (HBSS), Data Center Migration, IT Automation, Web Security, System Design, Communication, CISO, Assets, Coding, Ethical Hacking, Information Systems, Acquisitions, Development, Implementation, Operations, IT Management, Web Applications, Wireless Networking, Okta, Security Assessment, Risk, GRC, IDS/IPS, Antivirus Software, Blockchain & Cryptocurrency, Web Application Firewall (WAF), Detection Engineering, Product Security