Karl is available for hire
Hire KarlKarl Marx Thangappan
Verified Expert in Engineering
Security Architect and Developer
Location
London, United Kingdom
Toptal Member Since
November 4, 2022
Karl is a security architect and cloud engineer with 14+ years of experience in the IT industry. He specializes in product security and compliance, cybersecurity, DevSecOps, auditing, system automation, business continuity, and database management. Karl is also working as a security consultant and blog writer to share knowledge about AWS, Azure, GCP, database, and Oracle Apps DBA.
Information SecurityCloud SecuritySecurityAuthenticationMigrationVulnerability ManagementCloudIdentity & Access Management (IAM)Security ArchitectureDatabasesCybersecurityAmazon Web Services (AWS)DevSecOpsApplication SecurityCloud InfrastructureAccess ControlFuzz Testing (Fuzzing)GRCQualysguardCyberArkSoftware Asset Management (SAM)
Portfolio
Genesys
Information Security, CISSP, Cloud Security, Information Audits, Security, NIST...
Letshego Microfinance Bank
Amazon Web Services (AWS), Authentication, Azure, CISSP, Security...
Nedbank Group
Authentication, Database Security, Core Banking Systems...
Experience
Availability
Full-time
Preferred Environment
ISO 27001, Databases, Cloud Security, Vulnerability Management, CISSP, Information System Audits, Identity & Access Management (IAM), Amazon Web Services (AWS), DevSecOps, Azure, Access Control, Architecture
The most amazing...
...thing I've done is designing, deploying, and reviewing security for a cloud infrastructure solution.
Work Experience
Product Security and Compliance Manager
2021 - 2022
Genesys
- Managed end-to-end product security and compliance, worked in groups to ensure the product was secure across AWS and Azure SaaS offerings, implemented DevSecOps for 70 products, and updated application security policy.
- Used AWS, Azure, GCP, CyberArk, Jira, Aha!, and DevSecOps tools such as Prisma, Black Duck, Checkmarx, and Tenable on CD/CI pipeline for 60+ products to ensure compliance with SOC2, ISO, and PCI DSS.
- Reviewed security of a new product called HLA, AWS and Azure infrastructures, and development and operational stages.
- Collaborated with the engineering and development teams to ensure all the products complied with policy and security standards, including ISO, SOC2, HIPAA, UK Cyber Essentials, PCI, and GDPR.
- Designed and managed a privileged access management (PAM) product using CyberArk.
- Evaluated new security requirements, tools, and products and designed and mapped the PII data flow for each product.
- Designed infrastructure and managed and deployed products in the AWS environment while utilizing VPC, routing, security group, internet gateway, EC2 instance, CloudWatch, CloudTrail, and Security Hub.
- Collaborated with the product manager to ensure all the products were reviewed using threat modeling, pentest, third-party vulnerability, and static and dynamic code analysis.
- Presented a security roadmap each quarter to leadership.
- Published an intranet blog for security standards and best practices and updated the security policy and standards.
Technologies: Information Security, CISSP, Cloud Security, Information Audits, Security, NIST, Azure, Google Cloud Platform (GCP), Software Architecture, Vulnerability Assessment, Risk Management, Threat Modeling, Security Testing, Solution Architecture, PCI DSS, PCI Compliance, Amazon Web Services (AWS), HITRUST Certification, Authentication, Vulnerability Identification, APIs, Cloud, CyberArk, ISO 27001, Cybersecurity, Identity & Access Management (IAM), Security Engineering, Communication, API Gateways, Host-based Security Systems (HBSS), Data Center Migration, IT Systems Architecture, DevSecOps, Migration, Security Architecture, Software Development Lifecycle (SDLC), Middleware, Network Security, SecOps, Application Security, CISO, AWS DevOps, Amazon S3 (AWS S3), CI/CD Pipelines, Penetration Testing, Network Protocols, Networks, Security Analysis, Okta, Access Control, AWS IAM, HIPAA Compliance, Architecture, Splunk, Secure Containers, Containers, Container Orchestration, Kubernetes, Python, Disaster Recovery Plans (DRP), Rapid7, OWASP, .NET, SIEM, SOC 2, Compliance, Monitoring, IDS/IPS, Antivirus Software, Fuzz Testing, Blockchain & Cryptocurrency, Go, Single Sign-on (SSO), Vulnerability Management, Asset Management, Endpoint Security, Security Audits, Azure Key Vault, SharePoint, OAuth, SAML, OpenID, Automation, Azure Cloud Security, Cloud Infrastructure
Technical Consultant
2017 - 2021
Letshego Microfinance Bank
- Managed 11 countries' IT systems, security, and monitoring.
- Implemented PAM CyberArk for all 11 countries with system design and grouping of the admin and onboarding admin accounts.
- Migrated data to the cloud from the datacenter to AWS and Azure.
- Designed and implemented a self-service IAM system with complete workflow integration with the HR system and service desk.
- Implemented automation for batch jobs, automated the KYC verification and deployed end-to-end DR automation.
- Managed around 500+ systems for the application, database, and support system.
- Handled the internal IT audit and review of the external audit finding.
- Deployed the SOC and IDS system for security monitoring on all the systems.
Technologies: Amazon Web Services (AWS), Authentication, Azure, CISSP, Security, Cloud Security, C#.NET, Online Banking, Core Banking Systems, Know Your Customer (KYC), Databases, API Gateways, Oracle, Host-based Security Systems (HBSS), Data Center Migration, IT Audits, IT Systems Architecture, CyberArk, ISO 27001, PostgreSQL, Information Audits, Cybersecurity, Identity & Access Management (IAM), Security Engineering, Communication, Threat Modeling, DevSecOps, Migration, Security Architecture, Software Development Lifecycle (SDLC), Middleware, Network Security, SecOps, Application Security, CISO, AWS DevOps, Amazon S3 (AWS S3), CI/CD Pipelines, Penetration Testing, Network Protocols, Networks, Security Analysis, Access Control, AWS IAM, Architecture, Splunk, Disaster Recovery Plans (DRP), OWASP, .NET, SIEM, SOC 2, Compliance, Monitoring, IDS/IPS, Antivirus Software, Fuzz Testing, Single Sign-on (SSO), Vulnerability Management, Asset Management, Endpoint Security, Windows PowerShell, Security Audits, Azure Key Vault, SharePoint, OAuth, SAML, OpenID, GitHub Actions, Automation, Azure Cloud Security, Azure DevOps, Cloud Infrastructure
Solution Architect
2015 - 2017
Nedbank Group
- Developed the system design for new regions as per compliance requirements.
- Handled the security review of all the deployment and new systems.
- Managed vulnerabilities for core banking systems for the application and back-end database.
- Optimized the reporting system for faster and high reliance.
Technologies: Authentication, Database Security, Core Banking Systems, Disaster Recovery Plans (DRP), IT Automation, Data Centers, IT Audits, Migration, CISSP, Security Architecture, Software Development Lifecycle (SDLC), Middleware, Network Security, SecOps, Application Security, Network Protocols, Networks, Access Control, AWS IAM, Architecture, Splunk, OWASP, SOC 2, Compliance, Monitoring, Antivirus Software, Fuzz Testing, Single Sign-on (SSO), Vulnerability Management, Asset Management, Security Audits, Azure Key Vault, SharePoint, OAuth, SAML, OpenID, Automation, Azure Cloud Security, Azure DevOps, Cloud Infrastructure
Consultant
2012 - 2015
Bancabc
- Worked on data asset security, identifying and maintaining various data sources and ensuring the data classification was aligned with business requirements.
- Handled software development security, designing a system focused on building secure access control and auditing capability that involved integration between the core banking and independent credit verification system.
- Contributed to the security operation, designing, testing, and managing the automation of disaster recovery procedures and integrating with the application and infrastructure within MTD across all five geographies.
- Managed the security posture using the Center for Internet Security (CIS).
- Transformed the system security for identity verification and validation capabilities into government identity systems.
Technologies: Oracle, Core Banking Systems, IT Audits, Web Security, Cloud Security, Information Security, System Design, Database Security, Amazon Web Services (AWS), Migration, CISSP, Security Architecture, Software Development Lifecycle (SDLC), Middleware, Network Security, SecOps, Application Security, AWS DevOps, Amazon S3 (AWS S3), CI/CD Pipelines, Network Protocols, Networks, Access Control, AWS IAM, Architecture, Disaster Recovery Plans (DRP), OWASP, .NET, SIEM, SOC 2, Compliance, Monitoring, Single Sign-on (SSO), Vulnerability Management, Asset Management, Endpoint Security, Windows PowerShell, Security Audits, OAuth, Automation, Azure Cloud Security, Cloud Infrastructure
Experience
Privileged Access Management Product
Privileged access management (PAM) product is used for privileged access management in an enterprise for critical admin users. I designed and managed the development of PAM with a password vault, workflow user management, integration with LDAP, AWS, Azure, network tools, database tools so on for admin users.
Lead DevSecOps Engineer
I spearheaded a transformative project to fortify our development pipeline by integrating advanced security measures, streamlined automation, and enhanced collaboration tools. The project primarily focused on implementing static application security testing (SAST) and dependency check scans using Snyk while seamlessly integrating these processes with Jira for efficient issue tracking and resolution.
The journey began with a comprehensive analysis of our existing infrastructure and development practices. Recognizing the critical importance of security in modern software development, I initiated the adoption of Snyk to conduct SAST and dependency check scans. Leveraging its powerful capabilities, I developed custom scripts to automate the scanning process, ensuring a thorough examination of code for potential vulnerabilities and dependencies.
I also engineered a sophisticated script to parse and categorize scan results, creating separate Jira tickets for different projects and development teams based on severity and status.
I integrated Gitlab, Snyk, and Splunk, a centralized logging and analytics platform.
The journey began with a comprehensive analysis of our existing infrastructure and development practices. Recognizing the critical importance of security in modern software development, I initiated the adoption of Snyk to conduct SAST and dependency check scans. Leveraging its powerful capabilities, I developed custom scripts to automate the scanning process, ensuring a thorough examination of code for potential vulnerabilities and dependencies.
I also engineered a sophisticated script to parse and categorize scan results, creating separate Jira tickets for different projects and development teams based on severity and status.
I integrated Gitlab, Snyk, and Splunk, a centralized logging and analytics platform.
Ops Sec
CONTRIBUTIONS
• Managing operational security (Datadog, GCP security command center, and SonarQube).
• Implementing ISO 27001.
• Handling risk management.
• Contributing to multiple projects for the CI/CD pipeline integration of DevSecOps tools and vulnerability.
• Reviewing the code from SonarQube and performing manual testing from Burp Suite.
• Managing operational security (Datadog, GCP security command center, and SonarQube).
• Implementing ISO 27001.
• Handling risk management.
• Contributing to multiple projects for the CI/CD pipeline integration of DevSecOps tools and vulnerability.
• Reviewing the code from SonarQube and performing manual testing from Burp Suite.
Cloud Security
CONTRIBUTIONS
• Led the creation of policies for microservices, DevSecOps tooling standards, and security incident management.
• Integrated GCP Security Command Center with Jira for unified security incident management.
• Implemented Lacework for enhanced threat detection and compliance monitoring.
• Deployed SonarQube for SAST and container scanning to ensure code quality and vulnerability assessments.
• Managed third-party library scans with Graye to mitigate potential vulnerabilities.
• Implemented WAF technology with Reblaze for web application security.
• Managed log data using DataDog efficiently for enhanced monitoring and incident response.
• Demonstrated expertise in managing GRC and ISO27001 controls to ensure regulatory compliance.
• Led the creation of policies for microservices, DevSecOps tooling standards, and security incident management.
• Integrated GCP Security Command Center with Jira for unified security incident management.
• Implemented Lacework for enhanced threat detection and compliance monitoring.
• Deployed SonarQube for SAST and container scanning to ensure code quality and vulnerability assessments.
• Managed third-party library scans with Graye to mitigate potential vulnerabilities.
• Implemented WAF technology with Reblaze for web application security.
• Managed log data using DataDog efficiently for enhanced monitoring and incident response.
• Demonstrated expertise in managing GRC and ISO27001 controls to ensure regulatory compliance.
DevSecOps
Implemented DevSecOps with the CD/CI Jenkins pipeline. Deployed CheckMarx, Black Duck, OWASP ZAP, Nessus, and PrismaCloud as part of the SAST, DAST, container scan, network scan, and managing the vulnerability part of the BAU. Worked with the development team to ensure critical and high vulnerabilities were fixed.
AWS System Design
Designed the AWS system and services per the existing on-prem requirement and migrated the system to AWS, testing the functionality. Implemented the CIS benchmark stand, enabling the AWS monitoring services, CloudTrial, CloudWatch, Security Hub, and the web application firewall (WAF).
Risk-based Vulnerability Management
CONTRIBUTIONS
• Automating different sources of vulnerability (Qualys, DevSecOps scan, and cloud projects) into the Central repo.
• Mapping with client risk management.
• Prioritizing the vulnerability based on the risk assessment.
• Mapping with company policy violations.
• Mapping with control weakness.
• Automating with the Jira ticket system.
• Assigning to the asset owner and working with different teams to fix the vulnerabilities.
• Automating different sources of vulnerability (Qualys, DevSecOps scan, and cloud projects) into the Central repo.
• Mapping with client risk management.
• Prioritizing the vulnerability based on the risk assessment.
• Mapping with company policy violations.
• Mapping with control weakness.
• Automating with the Jira ticket system.
• Assigning to the asset owner and working with different teams to fix the vulnerabilities.
DevOps Pipeline Setup With GCP and GitHub
CONTRIBUTIONS
GitHub Repository Setup:
• Established a GitHub repository to host the project's source code and configurations.
• Managed access control to the repository, granting developer permissions.
CI/CD Pipeline Development:
• Implemented a robust CI/CD pipeline using GitHub Actions, enabling automatic builds and deployments.
• Configured distinct workflows for development, test, and production environments to ensure code quality and reliability.
GCP Cloud Integration:
• Seamlessly integrated the project with Google Cloud Platform services.
• Utilized GCP Cloud Run for containerized application deployment and scaling.
• Leveraged GCP Cloud Build for automating build processes and resource provisioning.
Workflow Automation:
• Engineered an approval workflow within GitHub to ensure controlled code promotion.
• Designed a system for code reviews and approvals before moving code changes between different environments.
GitHub Repository Setup:
• Established a GitHub repository to host the project's source code and configurations.
• Managed access control to the repository, granting developer permissions.
CI/CD Pipeline Development:
• Implemented a robust CI/CD pipeline using GitHub Actions, enabling automatic builds and deployments.
• Configured distinct workflows for development, test, and production environments to ensure code quality and reliability.
GCP Cloud Integration:
• Seamlessly integrated the project with Google Cloud Platform services.
• Utilized GCP Cloud Run for containerized application deployment and scaling.
• Leveraged GCP Cloud Build for automating build processes and resource provisioning.
Workflow Automation:
• Engineered an approval workflow within GitHub to ensure controlled code promotion.
• Designed a system for code reviews and approvals before moving code changes between different environments.
Certifications
MARCH 2022 - PRESENT
Certified Information System Security Professional (CISSP)
ISC2
NOVEMBER 2020 - PRESENT
Certified Ethical Hacker (CEH)
EC-Council
MAY 2020 - PRESENT
Stanford Advanced Computer Security Program
Stanford University
FEBRUARY 2020 - PRESENT
Certified Information System Auditor (CISA)
ISACA
JANUARY 2020 - PRESENT
AWS Certified Security Specialty
Amazon Web Services
DECEMBER 2019 - PRESENT
Azure Security Engineer Associate
Microsoft
Skills
Paradigms
DevSecOps, Fuzz Testing, Automation, Azure DevOps, Security Software Development, Penetration Testing, HIPAA Compliance, .NET Security Model
Platforms
Amazon Web Services (AWS), Azure, Kubernetes, SharePoint, Google Cloud Platform (GCP), Oracle, QualysGuard, Rapid7
Storage
Databases, PostgreSQL, Amazon S3 (AWS S3), Azure Cloud Services, Database Security, Data Centers
Industry Expertise
Cybersecurity, Network Security
Other
Information Security, Cloud Security, Vulnerability Management, CISSP, Identity & Access Management (IAM), Security, Authentication, Vulnerability Identification, Cloud, IT Security, IT Audits, IT Systems Architecture, Disaster Recovery Plans (DRP), Migration, Security Architecture, Software Development Lifecycle (SDLC), Middleware, Architecture, Compliance, Monitoring, ISO 27001, CyberArk, Information Audits, NIST, Software Architecture, Vulnerability Assessment, Risk Management, Threat Modeling, Security Testing, Solution Architecture, SecOps, Application Security, AWS DevOps, CI/CD Pipelines, Network Protocols, Networks, Security Analysis, Access Control, AWS Certified Solution Architect, Secure Containers, Containers, Container Orchestration, OWASP, SIEM, SOC 2, Single Sign-on (SSO), GitHub Actions, Asset Management, Endpoint Security, Security Audits, OAuth, Azure Cloud Security, Cloud Infrastructure, Security Management, Security Engineering, IT Governance, Business Continuity, Information Asset Protection, Information Gathering, Hacking, Cloud Computing, Cryptography, Information System Audits, Information Security Management Systems (ISMS), PCI DSS, PCI Compliance, HITRUST Certification, APIs, Online Banking, Core Banking Systems, Know Your Customer (KYC), API Gateways, Host-based Security Systems (HBSS), Data Center Migration, IT Automation, Web Security, System Design, Communication, CISO, Assets, Coding, Ethical Hacking, Information Systems, Acquisitions, Development, Implementation, Operations, IT Management, Web Applications, Wireless Networking, Okta, Security Assessment, Risk, GRC, IDS/IPS, Antivirus Software, Blockchain & Cryptocurrency, Web Application Firewall (WAF), Detection Engineering
Languages
Go, SAML, YAML, C#.NET, Python
Libraries/APIs
OpenID
Tools
AWS IAM, Splunk, Azure Key Vault, SonarQube, Jenkins, GitHub
Frameworks
.NET, Windows PowerShell
Collaboration That Works
How to Work with Toptal
Toptal matches you directly with global industry experts from our network in hours—not weeks or months.
1
Share your needs
Discuss your requirements and refine your scope in a call with a Toptal domain expert.
2
Choose your talent
Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.
3
Start your risk-free talent trial
Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.
Top talent is in high demand.
Start hiring