hel-isa/README.md

Hi, I'm Heloisa 👋

Application Security Engineer · DevSecOps · Cloud Security

I build and scale security programs that developers actually adopt — turning vulnerability management, SAST/SCA/DAST, and cloud posture into repeatable systems, and increasingly augmenting them with LLMs. 15+ years in software, the last 5 focused on AppSec and DevSecOps across government, finance, and insurance.

📍 Ottawa, Canada · 🇺🇸 Open to U.S. relocation · 🌐 EN / FR / PT


What I work on

  • Application Security — Secure SDLC, secure code review, OWASP Top 10, SAST / SCA / DAST tuning and triage
  • DevSecOps — CI/CD security controls, GitHub Actions, GitHub Advanced Security, pipeline integration
  • Cloud Security — Azure & AWS posture, CSPM, container/Kubernetes security
  • AI for Security — LLM-assisted vulnerability triage, code-review augmentation, security tooling

A few things I've shipped at work: replaced Nexpose with Qualys VMDR and grew asset coverage ~3,000 → 20,000+; migrated SAST from Veracode to Coverity/Polaris, cutting standard scan time from 4 hours to 20 minutes; built an internal ASPM platform and an executive Power BI security dashboard; and introduced LLM-assisted triage into the security program.


Featured projects

appsec-lens-aws — AppSec intelligence platform

Aggregates findings from CNAPP, GHAS, Polaris, and Sonatype IQ into a normalized model you can query, with summaries grounded in real records (no autonomous actions). The ASPM pattern, built for AWS. Python · FastAPI · PostgreSQL · MongoDB · AWS (ECS/RDS)

appsec-contextual-triage — Privacy-first AppSec triage (PoC)

Two-phase CI/CD triage gate: a deterministic check decides whether a flagged vulnerable sink is actually used, then a local LLM (Ollama) adds an explainable audit note — failing closed if the model is unavailable, so the AI never becomes the security control. Built for regulated environments where source code must stay local. Python · Ollama / local LLM · GitHub Actions · fail-secure design
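The two-phase, fail-closed gate described above, sketched as an added Python example (not the project's own code). The Finding/Verdict types, the regex-based sink check and the ModelUnavailable exception are assumptions standing in for the real deterministic check and the Ollama client, and all inputs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable

@dataclass
class Finding:
    rule_id: str
    sink: str   # callable flagged by SAST, e.g. "cursor.execute" (constructed)
    file: str

@dataclass
class Verdict:
    decision: str  # "PASS" or "BLOCK"
    reason: str
    note: str      # advisory audit note; empty when the model was unreachable

class ModelUnavailable(Exception):
    """Raised by the annotator when the local model cannot be reached (assumed)."""

def sink_is_used(finding: Finding, source: str) -> bool:
    """Phase 1, deterministic: is the flagged sink actually called in the source?"""
    pattern = rf"(?<![\w.]){re.escape(finding.sink)}\s*\("
    return re.search(pattern, source) is not None

def gate(finding: Finding, source: str, annotate: Callable[[Finding], str]) -> Verdict:
    """Phase 2 runs only after the decision is fixed: the model annotates, never overrides."""
    used = sink_is_used(finding, source)
    decision = "BLOCK" if used else "PASS"
    reason = f"{finding.rule_id}: {finding.sink} {'is' if used else 'is not'} called in {finding.file}"
    try:
        note = annotate(finding)
    except ModelUnavailable:
        # Fail closed: a missing audit note means the change was not fully reviewed.
        return Verdict("BLOCK", reason + "; audit note unavailable, failing closed", "")
    return Verdict(decision, reason, note)

# Constructed sample inputs (not taken from the project).
FINDING = Finding("py/sql-injection", "cursor.execute", "app/db.py")
SOURCE_WITH_CALL = "def lookup(u):\n    cursor.execute('SELECT * FROM t WHERE u=' + u)\n"
SOURCE_WITHOUT_CALL = "def lookup(u):\n    return run_prepared(u)  # cursor.execute removed\n"

def demo() -> list[str]:
    """Three runs: sink used, sink unused, and model down with the sink unused."""
    def model_down(_: Finding) -> str:
        raise ModelUnavailable()
    return [
        gate(FINDING, SOURCE_WITH_CALL, lambda f: "advisory note").decision,
        gate(FINDING, SOURCE_WITHOUT_CALL, lambda f: "advisory note").decision,
        gate(FINDING, SOURCE_WITHOUT_CALL, model_down).decision,
    ]
```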

security-gate — Reusable DevSecOps security gate

Drop-in GitHub Actions workflows for SAST, SCA, SBOM, and secret scanning, with a results dashboard and multi-team rollout docs. Security teams actually adopt it. GitHub Actions · SAST / SCA / SBOM · CI/CD · JavaScript dashboard

Tooling

Python · Azure · AWS · GitHub Actions · Qualys VMDR · Coverity / Black Duck · Docker · Kubernetes · Power BI

Certifications

SC-900 (Microsoft Security, Compliance & Identity) · AWS Certified Cloud Practitioner · Generative AI Certificate — in progress (uOttawa)


📫 LinkedIn

Pinned repositories

  1. appsec-contextual-triage
     Privacy-first AppSec triage PoC: deterministic CI/CD gate + local-LLM (Ollama) audit layer, fail-secure by design. (Python)

  2. appsec-metrics-sast
     Turns SAST output (SARIF from CodeQL/Semgrep) into normalized AppSec metrics — by severity, rule, file, and tool. Hexagonal architecture, AWS Lambda + S3. (Python)

  3. vuln-dashboard
     Git-friendly Power BI executive AppSec dashboard: tracks open risk, SLA compliance, MTTR, and overdue findings using PBIP/TMDL so report logic and the semantic model are reviewable as code.

  4. appsec-lens-aws
     AppSec intelligence platform: aggregates CNAPP, GHAS, Polaris & Sonatype IQ findings into one normalized model you can query. FastAPI · AWS. (Python)

  5. secure-devsecops-ci-cd-pipeline
     End-to-end secure CI/CD pipeline: threat model, gitleaks, SBOM generation, Kubernetes network policies, Terraform. (Python)

  6. security-gate
     Reusable GitHub Actions security gate (SAST/SCA/SBOM/secrets) with a results dashboard and multi-team rollout docs. (Python)