About Me

I'm Yafes, an Application Security Engineer based in the San Francisco Bay Area.

I've spent 15+ years helping organizations build security into their software—from architecting enterprise security programs to diving deep into code reviews and penetration testing. My career has taken me from building Turkey's first internet portal in the early 2000s to leading application security for global SaaS platforms.

What Drives Me

I've always been drawn to understanding how things work at their core. When I was in high school, I wrote a file manager in Pascal that mimicked Norton Commander, complete with TSR (Terminate and Stay Resident) programs using timer and keyboard interrupts. That curiosity—wanting to know what happens beneath the surface—never left me.

Today, that same mindset shapes how I approach security: I don't just scan for vulnerabilities, I dig into the architecture, the code, the assumptions that developers make. Good security comes from understanding systems deeply, not from running tools and generating reports.

I'm also sharpening my offensive security skills through bug bounty programs. The attacker's perspective directly informs defensive architecture—you build better defenses when you understand how systems actually get compromised.

My Approach

I believe security should enable development, not block it. Throughout my career, I've focused on building developer-first security solutions—automated scanning in CI/CD pipelines, self-service security testing, and training programs that turn engineers into security advocates.

I'm particularly focused on the intersection of application security and privacy. Security protects systems; privacy protects people. Building applications that do both well—data minimization, consent management, privacy-preserving logging—is where I'm investing my learning.

At my core, I'm still a builder. I write code in Go, Python, JavaScript, Swift, and Kotlin. I design systems and databases—some with 60+ schemas and complex relationships. I run my own infrastructure—including a self-hosted Gitea instance for all my source code—because I enjoy understanding every layer of the stack. When I left my last role, I didn't just study for certifications—I built a full-stack application from scratch using modern technologies and zero-trust architecture principles.

Background

My journey started as a programmer. I built enterprise systems for hospitals and companies using Visual FoxPro, Delphi, and Oracle—designing complete database architectures from scratch. Then I moved into system administration at Ada-NET, the largest ISP in Ankara (Turkey's capital), where I managed email, proxy, web servers, and dial-up infrastructure. I helped build Mynet, Turkey's first internet portal, then joined Turkcell—the country's largest mobile operator—where I grew from system administrator to security architect over 16 years.

At Turkcell, I led security for Turkey's first 3G network deployment, managed vulnerability programs across 40,000 servers, and built application security practices for hundreds of developers. I also directed the company's first PCI DSS certification and designed security infrastructure serving tens of millions of mobile customers.

I brought that experience to SugarCRM, where I rebuilt their application security program, reduced critical vulnerability remediation time by over 90%, and implemented AI-assisted security tooling for their engineering organization.

Currently

I'm building StokumNET—the name comes from Turkish: "Stokum" means "my stock" or "my inventory," and "Net" means "clear" or "exact." Together: My inventory is exact. It's a multi-tenant inventory management platform, and building it has been an exercise in practicing what I preach about secure development.

This blog, y.mo.la, is where I document what I'm learning and share knowledge with the security community. The "Y" stands for Yafes, and mo.la is a platform I'm building for the future—including "sec.mo.la"/"security.mo.la", which will eventually serve as a hub for security news, vulnerabilities, and best practices.

Current Interests

Beyond application security, I'm exploring systems-level security: Linux kernel internals, SELinux, and Yocto for embedded systems. I'm also diving into network traffic analysis—I have some project ideas brewing in that space.

These aren't just academic interests. Understanding security at the kernel and network level changes how you think about application defense.

Beyond Work

I'm a chess player—not the kind who memorizes openings, but someone who enjoys working through complex positions. I won chess championships in high school and university, and later won a CTF competition during SANS training. That problem-solving mindset translates directly to security work, where the interesting challenges rarely have textbook solutions.

I also played table tennis competitively for over a decade as an amateur, finishing 7th in a tournament in Istanbul with professional table tennis players—with a bit of luck on my side. 😄

I spent over a decade as a volunteer instructor, teaching Linux, Application Security, Mobile Device Security, and Penetration Testing at Turkcell Akademi, universities and conferences. I've been using Linux since 1997, starting with Slackware, and I still enjoy compiling from source when the situation calls for it.

I also have a soft spot for data recovery and digital forensics—there's something satisfying about bringing order to chaos and recovering what seemed lost.

Let's Connect

I'm based in Los Gatos, California. I'm currently exploring opportunities in Application Security, Privacy Engineering, and Security Architecture.

LinkedIn: linkedin.com/in/yafes