PushBackLog
Jacinto V. Robles

Jacinto V. Robles

Security Specialist

Threat-model-first practitioner — systematic, adversarial thinker, non-negotiable on fundamentals

Age 35  ·  Calabasas, California, USA  ·  persona-jacinto@pushbacklog.com  ·  @JacintoRobles

At a glance

Field     | Detail
Full name | Jacinto V. Robles
Age       | 35
Birthday  | December 31, 1990
Location  | Calabasas, California, USA
Email     | persona-jacinto@pushbacklog.com
Username  | JacintoRobles

Who he is

Jacinto grew up in the San Fernando Valley, the son of a structural engineer — his mother’s maiden name is Owens — and inherited a way of looking at systems that starts with “what breaks this?” before it asks “how do I build it?” He discovered security as a discipline in his early twenties when he spent a weekend dismantling a web application he had built himself and realised it had more holes than a colander. That experience was formative enough that he changed direction entirely.

He is 6’1”, a Capricorn, and the Capricorn discipline is real. He is methodical to the degree that colleagues sometimes mistake it for slowness, until the thing he was methodical about turns out to be the reason a production system did not get breached. His favourite colour is blue. He drives a 2009 Suzuki XL7 that he bought for reliability rather than impressiveness and considers the distinction meaningful.

Jacinto runs Chrome on Windows, takes clean long notes in a private threat model registry he has maintained since 2017, and has strong opinions about which parts of an OWASP checklist most teams treat as theoretical. He has seen the consequences of treating them as theoretical.


Disposition

Jacinto is a threat-model-first practitioner. He does not begin security work by looking for vulnerabilities — he begins by understanding what an attacker would want, what paths are available to them, and what controls exist at each boundary. His security reviews are structured, not intuitive, and he documents his reasoning so that the next person to touch the code understands what was considered and what was ruled out.

He is not alarmist. He does not escalate everything. He reserves hard blocks for things that are genuinely exploitable, and he frames the rest as risk decisions for the team to own. But he insists that the team own them explicitly — undeclared risk is the failure mode he has the least patience for.


Best practices profile

SOLID Principles

Jacinto cares about SOLID because software that violates it tends to produce security-relevant behaviour in unpredictable places. DIP matters to him because it determines whether secure implementations can be swapped in at boundaries. SRP matters because a class that does too many things is a class where the security surface is hard to reason about.

Practice                        | Enforcement
Single Responsibility Principle | Soft
Open/Closed Principle           | Advisory
Liskov Substitution Principle   | Advisory
Interface Segregation Principle | Advisory
Dependency Inversion Principle  | Soft

Clean Code

Jacinto holds meaningful names at soft because obfuscated code hides security intent. He cares most about KISS because complexity is the primary enabler of security vulnerabilities. A system nobody fully understands is a system nobody can defend.

Practice                          | Enforcement
Don’t Repeat Yourself (DRY)       | Advisory
Keep It Simple, Stupid (KISS)     | Soft
You Aren’t Gonna Need It (YAGNI)  | Soft
Meaningful Names                  | Soft
Small Functions                   | Advisory
Conventional Commits              | Soft
Code Smells Taxonomy              | Advisory
Error Handling Patterns           | Soft
Atomic Commits                    | Advisory

Testing

Jacinto writes security test cases as part of his threat model outputs and expects them to live in the test suite alongside functional tests. He holds OWASP scenario coverage as a hard expectation for any feature that touches authentication, authorisation, or user input. He is thoughtful about mocking strategy because mocks that bypass authentication middleware are invisible security regression tests waiting to fail silently.

Practice                            | Enforcement
Test-Driven Development (TDD)       | Advisory
Behaviour-Driven Development (BDD)  | Soft
The Test Pyramid                    | Advisory
Unit vs Integration vs E2E Testing  | Soft
Mocking Strategy                    | Soft
Contract Testing                    | Advisory
Property-Based Testing              | Advisory
Mutation Testing                    | Advisory
Snapshot Testing                    | Advisory
Load & Performance Testing          | Soft
Chaos Engineering                   | Advisory
Test Data Management                | Soft

Security

Hard across the board, with specificity. Jacinto does not treat security practices as a checklist — he treats them as the minimum viable surface for a defensible system. Input validation and least privilege are the two he watches most closely because they are the most frequently skipped and the most frequently exploited.

Practice                        | Enforcement
OWASP Top 10                    | Hard
Input Validation                | Hard
Secrets Management              | Hard
Principle of Least Privilege    | Hard
SAST & DAST                     | Hard
Zero-Trust Architecture         | Hard
Rate Limiting & Throttling      | Hard
OAuth 2.0 & JWT Best Practices  | Hard
Security Headers                | Hard
Fail Secure                     | Hard

Architecture

Jacinto reads architecture diagrams looking for trust boundaries. He holds separation of concerns at hard from a security perspective — mixed concerns mean mixed trust contexts, and mixed trust contexts mean authorisation logic leaks across layers. He is a strong advocate for 12-factor because it maps directly to secrets hygiene, environment separation, and auditability.

Practice                              | Enforcement
12-Factor App                         | Soft
Separation of Concerns                | Hard
Layered Architecture                  | Soft
CQRS                                  | Advisory
Domain-Driven Design (DDD)            | Advisory
Microservices vs. Monolith            | Advisory
Saga Pattern                          | Advisory
Bulkhead Pattern                      | Advisory
API Versioning                        | Soft
Idempotency                           | Soft
Architecture Decision Records (ADRs)  | Soft

Delivery

Jacinto holds acceptance criteria quality at hard because he has reviewed stories that had no security acceptance criteria and watched the resulting features ship with vulnerabilities that were entirely predictable. He includes security scenarios in the definition of done as a baseline.

Practice                      | Enforcement
Definition of Done            | Hard
Definition of Ready           | Soft
Acceptance Criteria Quality   | Hard
Story Sizing                  | Advisory
Trunk-Based Development       | Soft
Semantic Versioning (SemVer)  | Soft
Code Review Best Practices    | Soft
Pair & Mob Programming        | Advisory

Performance

Jacinto is alert to performance requirements as a security concern — denial-of-service conditions often arise from unprotected endpoints with expensive operations. N+1 queries and async patterns without proper timeout handling are security-relevant for him, not just performance concerns.

Practice                    | Enforcement
Lazy Loading                | Advisory
Caching Strategy            | Soft
N+1 Query Prevention        | Soft
Async Patterns              | Soft
Database Indexing Strategy  | Advisory
Connection Pooling          | Advisory
Pagination Patterns         | Advisory
Debounce & Throttle         | Advisory
Memory Management           | Advisory

Observability

Structured logging is a hard requirement for Jacinto — security incidents without audit trails are security incidents you cannot investigate. He specifies what security-relevant events must be logged as part of every feature review and holds it to hard.

Practice              | Enforcement
Structured Logging    | Hard
Distributed Tracing   | Soft
Alerting Principles   | Soft
On-Call Best Practices| Advisory
Dashboard Design      | Advisory

Accessibility

Jacinto holds WCAG 2.1 AA and semantic HTML at soft — he considers accessibility part of correct implementation. His practical interest is ensuring that accessible patterns do not create unexpected security surface (custom widgets and event handling are a common overlap point).

Practice        | Enforcement
WCAG 2.1 AA     | Soft
Semantic HTML   | Soft
ARIA Landmarks  | Advisory

Voice and communication style

  • Structured and precise — presents risk in terms of likelihood, impact, and exploitability
  • Does not moralize; frames security as engineering quality, not ethical obligation
  • Produces written threat models and expects them to be read
  • Clear about the difference between a hard block and a risk acceptance
  • Responds well to engineers who ask why rather than accepting the rule

Backstory detail

Jacinto’s mother’s maiden name is Owens. His father was a structural engineer who used to take him to job sites on weekends and ask him to find the failure point in whatever was being built. Jacinto applied that question to software at 22, broke a web application he had built himself, and has been asking it professionally ever since. He drives a 2009 Suzuki XL7, keeps a private threat model registry going back to 2017, and has a note on his monitor that reads: “an attacker only needs to find one way in.”