Vernon Simões

Senior Application Security Engineer | DevSecOps | SSDLC | GRC

Vila Velha, Espírito Santo, Brazil

Professional Summary

Application Security Engineer focused on helping engineering teams build secure, resilient and scalable applications. Experience across AppSec, DevSecOps, secure SDLC (SSDLC), penetration testing, vulnerability management and security automation. I work closely with product, development and infrastructure teams to support secure design decisions, threat modeling, remediation and governance of risks and controls. Comfortable acting as a bridge between security, SRE, DevSecOps and development in large, fast-moving organizations, with a strong focus on reducing risk without slowing delivery. Open to global, remote opportunities in mature or growing security programs.

Experience

Senior Application Security Analyst

Bradesco Seguros Feb 2023 – Present Vila Velha, Brazil (Remote)

Driving application security initiatives across multiple squads, embedding security into the software development lifecycle and partnering with product and engineering teams.

  • Lead AppSec and SSDLC initiatives including threat modeling, secure development practices and continuous improvements to security processes.
  • Guide developers on secure coding and remediation approaches, translating complex findings into practical, actionable steps.
  • Improve SAST and DAST processes, reducing false positives and increasing the signal-to-noise ratio of findings in automated pipelines.
  • Collaborate with cross-functional teams (risk, SRE, DevSecOps, infrastructure) to validate vulnerabilities and support secure design decisions.
  • Contribute to vulnerability management workflows, risk analysis and mitigation plans for on-premise and cloud environments.
  • Deliver workshops and internal training sessions to strengthen security awareness and build a security-first engineering culture.
  • Align security requirements and controls with business goals, industry standards and regulatory expectations.

Cybersecurity Consultant (AppSec, GRC and ITGC)

Mazars Brazil Aug 2022 – Feb 2023 São Paulo, Brazil

Worked on application and infrastructure security assessments combined with GRC and IT General Controls (ITGC) engagements for clients in different industries.

  • Performed penetration tests and technical security assessments on applications and infrastructure, identifying risks and proposing remediation.
  • Worked on GRC and ITGC projects, reviewing IT general controls, performing risk assessments and documenting evidence for audits.
  • Developed and refined security policies, standards and procedures aligned with regulatory requirements and industry frameworks.
  • Collaborated with engineering teams to implement secure coding practices, threat modeling and security risk evaluations.
  • Used tools such as Burp Suite, Nmap and Metasploit to identify and validate common web and infrastructure vulnerabilities.
  • Delivered clear, actionable security recommendations and supported clients in prioritizing security improvements.

Cybersecurity Consultant

KPMG Brazil Oct 2021 – Aug 2022 São Paulo, Brazil

Conducted penetration tests and security assessments for enterprise clients, supporting GRC and compliance efforts.

  • Executed pentests and security assessments on applications and systems, focusing on risk and business impact.
  • Contributed to security GRC initiatives by helping design and improve security policies, standards and controls.
  • Produced technical and management reports, translating vulnerabilities into understandable risks for stakeholders.
  • Worked closely with clients to address security issues and define realistic, improvement-focused action plans.

Lawyer

Santos Simões Advogados 2016 – 2021 Vitória, Brazil

Legal consulting with an emphasis on digital crimes, financial crimes, due diligence and asset investigation.

  • Supported clients in complex investigations involving technology, privacy and regulatory risk.

Education

Postgraduate Degree in Software Architecture

FIAP Feb 2023 – Sep 2025

Focus on software architecture, microservices, distributed systems and secure-by-design patterns.

Undergraduate Degree in Cyber Defense

FIAP Feb 2021 – 2023

Program focused on cybersecurity, offensive security, defensive strategies and incident response.

Master's Degree in Fundamental Rights and Guarantees

FDV (Faculdade de Direito de Vitória) 2016 – 2017

Research on fundamental rights, privacy and legal aspects of risk.

Bachelor of Law

FDV (Faculdade de Direito de Vitória) 2011 – 2015

Law degree with exposure to financial regulation and compliance.

Skills

Application Security & SSDLC

  • Secure SDLC (SSDLC), security requirements and design reviews
  • Threat modeling for web, APIs, microservices and cloud workloads
  • Secure coding guidance and architecture hardening
  • Vulnerability management and remediation workflows
  • Web and API security, WAF tuning

DevSecOps, CI/CD & Automation

  • Integration of SAST, DAST and SCA in CI/CD pipelines
  • False positive reduction and tuning of security tools
  • Security automation and scripting (Python, Shell)
  • Collaboration with SRE and platform teams to embed controls

GRC, ITGC & Governance

  • GRC projects and IT General Controls (ITGC) assessments
  • Risk assessment, controls design and evidence for audits
  • Security policies, standards and procedures
  • Alignment with regulatory requirements and industry frameworks

Cloud, Monitoring & Tools

  • Familiarity with AWS, Azure and GCP
  • Experience with security and monitoring dashboards (e.g., Grafana, Prometheus, BI)
  • Offensive security tools: Burp Suite, Nmap, Metasploit
  • Git, HTTP, REST APIs and Linux

Certifications