Verified Expert in Engineering
Web Security Developer
David is an IT security consultant with 10+ years of experience in improving application security across the entire software development life cycle (SDLC). He is an expert in training teams on secure coding, including auditing, compliance, testing, code reviews, application security vulnerabilities remediation, threat modeling, maturity programs, DevSecOps, and SDL software development.
OWASP, OWASP Top 10, Threat Modeling, Secure Coding, Web Security, Penetration Testing, Vulnerability Management, Vulnerability Assessment, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)
The most amazing project I've worked on was an innovative CPU hardware design, which secured the company products with customized threat modeling techniques.
Software Security Architect
Alfresco (Acquired by Hyland Software)
- Created a vibrant community around best security practices, including design, threat modeling, secure coding, and security testing.
- Defined and assisted with Alfresco's software security program implementation across the SDLC. It was based on the OWASP SAMM framework that provides measurable results using evidence-based practices.
- Led the secure software architecture design and threat modeling, and assisted the teams with vulnerability management escalations.
Threat Modeling Facilitator
- Acted as a global program SDL advisor and threat modeling facilitator to assist teams in delivering product threat models.
- Contributed to the secure coding and threat modeling activities for OSS projects, using ARM Trusted Firmware.
- Defined SDLC best practices and guidelines across the software development department.
IMQ Minded Security
- Implemented the OWASP SAMM framework in the second biggest maritime company.
- Defined and measured security-related activities throughout the organization and evaluated the existing software security practices.
- Built a balanced software security assurance program in well-defined iterations.
- Managed and coordinated a secure-coding training and a defensive security hackathon event.
- Developed a threat modeling automation project and implemented reference architecture diagrams to test the threat modeling automation tool.
AppSec and SecDevOps Consultant
- Implemented a security champion program, which increased the end-to-end collaboration between AppSec and development teams, including security design, threat modeling processes, DevSecOps, and automation testing.
- Spearheaded the secure development and coding training. It was designed to maximize the value of workshops and training sessions by being narrowly targeted to the development team's tech stack, processes, and security requirements.
- Assisted teams in reviewing and remediating source code vulnerabilities.
- Contributed to the Open Security Summit execution and outcome management.
- Implemented processes in the SDLC to meet business security goals.
- Headed the secure source code review of the most critical applications.
- Reviewed systems to make sure they complied with specific enterprise security requirements.
- Evaluated the API gateways, including requirements and vendors' security features for global adoption.
- Assisted teams in achieving internal and external compliance.
- Defined tools and their adoption across development teams and used DevOps principles to increase the security tools' automation and maturity level.
- Managed adoption of security tools, including HCL AppScan, SecureAssist, and Contrast.
- Promoted security awareness and static code analysis to developer teams globally.
IT Security Consultant
- Introduced security code training for internal development teams.
- Defined a secure SDLC for all the development and DevOps teams.
- Established secure coding standards that exceeded the industry norm by adopting and improving OWASP and CERT coding practices.
- Integrated technical assurance in Agile development and achieved measurable improvements in avoiding or detecting vulnerabilities early, which reduced maintenance costs.
- Led the code review and security technical assurance for the V.me wallet's SDLC and Visa Europe's future of payments initiative.
Senior J2EE Security Developer
- Designed and led the development of a secure two-factor authentication service infrastructure for e-banking websites.
- Maintained the e-banking code, including security code review and remediation based on OWASP guidance and static code analysis, and built automation and integration using Hudson and Fortify 360 servers.
- Replaced RSA ClearTrust and separated login from the main Java application to enable SSO and enhance security.
Senior J2EE | Development Lead
- Implemented complex business logic for SEAT Pagine Gialle SpA's customer data batch processing, enabling millions of users to access detailed information and sophisticated search tools.
- Managed the architecture definition and design.
- Headed the inception and development of a scalable Java EJB application.
- Implemented a Linux distribution for software used by clients and accountants.
- Created and maintained packages for a Linux distribution.
- Developed the remote configuration and maintenance tools for a Linux distribution.
Open Secure Coding Training Slides: https://drive.google.com/drive/folders/1frn1R2GTmz74DU9GP-RPqCw8yQByY-pE
Security Software Development, Penetration Testing
Linux, Amazon Web Services (AWS)
OWASP, OWASP Top 10, Threat Modeling, Vulnerability Management, Vulnerability Assessment, Static Application Security Testing (SAST), Programming, Security, Compliance, Secure Coding, Web Security, Dynamic Application Security Testing (DAST), PCI DSS
HP Fortify, IBM Security AppScan
Master's Degree in Computer Science
University of Camerino - Camerino, Italy
AWS Certified Security - Specialty
Amazon Web Services