I'm a Staff Cloud Security Engineer at GitLab, owning efforts related to securing GitLab's SaaS infrastructure, alongside cloud and container technologies.
At the same time, I curate CloudSecList, a newsletter that highlights security-related news focused on the cloud native landscape, and CloudSecDocs, a website collecting technical notes/how-tos/cheatsheets related to cloud-native technologies. I'm also a member of CNCF sig-security, part of the committee tasked with creating the Certified Kubernetes Security Specialist (CKS) Certification, and maintainer of Cartography (from Lyft), a Python tool that consolidates infrastructure assets and the relationships between them in a graph view powered by a Neo4j database.
Previously, I was the Lead Cloud Security Engineer at Thought Machine, working on the architecture and implementation of best-in-class protective and detective security controls for Thought Machine's Vault: a complete retail banking platform, built from the ground up as a cloud-native, service-provider-agnostic, container-based solution. In particular, in this position, I focused on the security of the cloud environments, as well as of the Kubernetes clusters, hosting their core banking platform.
Before that, I was a Senior Security Engineer at Mastercard, responsible for building and leading its Offensive Security Program, while managing a geographically distributed and agile team performing penetration testing and red teaming engagements to evaluate the security of Mastercard's networks. In addition, I was responsible for providing security consultancy around the migration of the company to cloud native technologies, by ensuring the security and robustness of the new architecture, and the integration of containerization technologies (i.e., Docker and Kubernetes) within the main CI/CD pipeline.
Before Mastercard I was a Security Consultant at MWR Infosecurity (now F-Secure Consulting), working extensively on security assurance projects (with a specialisation in mobile applications), and looking after research for MWR's UK mobile practice. While at MWR, I was heavily involved in research surrounding mobile security: I created Needle (the iOS Security Testing Framework) and the "Offensive iOS Exploitation" training, which I delivered at international security conferences.
I hold a Master's Degree in Engineering of Computing Systems from the Politecnico di Milano University, and international certifications such as CISSP, CCSP, CNCF CKS, AWS CSA, GCP Associate Cloud Engineer, Microsoft Certified Azure Fundamentals, HashiCorp Infrastructure Automation & Security Automation Certifications (Terraform & Vault), and OSCP.
I have published and presented at several security conferences including KubeCon, Black Hat, AppSec, DEEPSEC, BSides, ACSAC, CCS, and NATO's CYCON.
Currently Working On
Please refer to the "Projects & Publications" page for a short list of what I'm currently working on in my spare time.