// CASE STUDIES
Selected work
Selected case studies from previous organizations and production-style builds.
Each one focuses on the problem, the engineering approach, and the security or
delivery outcome.
CLOUD SECURITY · AZURE · HIPAA
Security Modernization for a Cloud Healthcare Platform
Problem
A cloud-native healthcare platform handling sensitive data needed stronger defense-in-depth, safer ingress, and better operational visibility without slowing delivery.
Approach
- Architected layered network security: Azure Application Gateway with WAF in prevention mode, Azure Firewall, and geo-restrictions to block known-malicious regions.
- Enforced TLS 1.3 end-to-end and centralized secrets in Azure Key Vault, injected at runtime into 27 Azure Container Apps workloads.
- Designed RBAC and managed-identity flows so no microservice held long-lived credentials.
- Stored structured operational data in SQL Server VMs and PHI in Azure Blob Storage with encryption at rest and audit logging.
- Configured secure ingress over isolated custom ports, keeping inter-service channels internal while controlling external exposure.
Outcome
Production platform aligned with HIPAA expectations for PHI handling, with auditable controls at network, identity, and data layers.
Stack
Azure Container Apps
App Gateway + WAF
Azure Firewall
Key Vault
Azure Blob Storage
RBAC
TLS 1.3
SQL Server
DEVSECOPS · CI/CD · IAC
DevSecOps CI/CD and Release Governance
Problem
Engineering teams needed fast, reliable releases without allowing insecure code, vulnerable containers, or uncontrolled production deployments into sensitive environments.
Approach
- Built Azure DevOps pipelines that gate every PR with SonarCloud (SAST), Checkmarx (dependency scanning), and ACR + Microsoft Defender image vulnerability scans.
- Enforced PR/build validation, branch policies, and required reviewers so insecure changes cannot reach main.
- Implemented automated rollbacks plus Logic Apps notifications on failed builds for rapid incident response.
- Provisioned the underlying Azure infrastructure with Terraform for repeatable, reviewable, drift-free deployments.
- Added an event-driven outbox via Azure Service Bus so deployments could decouple cleanly from message processing.
Outcome
Every release went through SAST, SCA, and image vulnerability gates; failed builds rolled back automatically and on-call was alerted in seconds.
Stack
Azure DevOps
Azure Pipelines
Terraform
SonarCloud
Checkmarx
ACR
Microsoft Defender
Logic Apps
Azure Service Bus
AI ENGINEERING · GENAI · PYTHON
AI Engineering and Automation Tooling
Problem
Engineering workflows needed lightweight AI tools for automation, decision support, and secure experimentation with LLM-powered assistants.
Approach
- Built Streamlit apps integrating LLM APIs (ChatGPT-style models) for chatbots and content automation.
- Used systematic prompt engineering with structured outputs (JSON schemas, few-shot exemplars) to make LLM responses reliable enough for downstream automation.
- Productized the apps with secure config handling and clean deployment paths.
- This very portfolio site extends that work: a FastAPI app with Groq-powered DevSecOps tools, local RAG embeddings, a portfolio chatbot, IaC scanning, Kubernetes hardening, pipeline generation, STRIDE threat modeling, and security control gap analysis.
Outcome
Demonstrated how AI can support secure engineering workflows through grounded chat, structured outputs, automation, and DevSecOps-focused review tools.
Stack
Python
Streamlit
FastAPI
LLM APIs
Prompt Engineering
Groq
ChromaDB
RAG