David Cervigni
Verified Expert in Engineering
Web Security Developer
London, United Kingdom
Toptal member since May 14, 2022
David is an IT security consultant with 10+ years of experience in improving application security across the entire software development life cycle (SDLC). He is an expert in training teams on secure coding, including auditing, compliance, testing, code reviews, application security vulnerabilities remediation, threat modeling, maturity programs, DevSecOps, and SDL software development.
Preferred Environment
OWASP, OWASP Top 10, Threat Modeling, Secure Coding, Web Security, Penetration Testing, Vulnerability Management, Vulnerability Assessment, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)
The most amazing...
...project I've worked on was an innovative CPU hardware design, which secured the company products with customized threat modeling techniques.
Work Experience
Software Security Architect
Alfresco (Acquired by Hyland Software)
- Created a vibrant community around best security practices, including design, threat modeling, secure coding, and security testing.
- Defined and assisted with Alfresco's software security program implementation across the SDLC. It was based on the OWASP SAMM framework that provides measurable results using evidence-based practices.
- Led the secure software architecture design and threat modeling, and assisted the teams with vulnerability management escalations.
Threat Modeling Facilitator
Arm
- Acted as a global program SDL advisor and threat modeling facilitator to assist teams in delivering product threat models.
- Contributed to the secure coding and threat modeling activities for OSS projects, using ARM Trusted Firmware.
- Defined SDLC best practices and guidelines across the software development department.
Consultant
IMQ Minded Security
- Implemented the OWASP SAMM framework in the second biggest maritime company.
- Defined and measured security-related activities throughout the organization and evaluated the existing software security practices.
- Built a balanced software security assurance program in well-defined iterations.
- Managed and coordinated a secure-coding training and a defensive security hackathon event.
- Developed a threat modeling automation project and implemented reference architecture diagrams to test the threat modeling automation tool.
AppSec and SecDevOps Consultant
Photobox
- Implemented a security champion program, which increased the end-to-end collaboration between AppSec and development teams, including security design, threat modeling processes, DevSecOps, and automation testing.
- Spearheaded the secure development and coding training. It was designed to maximize the value of workshops and training sessions by being narrowly targeted to the development team's tech stack, processes, and security requirements.
- Assisted teams in reviewing and remediating source code vulnerabilities.
- Contributed to the Open Security Summit execution and outcome management.
- Implemented processes in the SDLC to meet business security goals.
- Headed the secure source code review of the most critical applications.
CISO Advisor
Aviva
- Reviewed systems to make sure they complied with specific enterprise security requirements.
- Evaluated the API gateways, including requirements and vendors' security features for global adoption.
- Assisted teams in achieving internal and external compliance.
DevSecOps Consultant
HSBC
- Defined tools and their adoption across development teams and used DevOps principles to increase the security tools' automation and maturity level.
- Managed adoption of security tools, including HCL AppScan, SecureAssist, and Contrast.
- Promoted security awareness and static code analysis to developer teams globally.
IT Security Consultant
Visa
- Managed application security across Visa Europe digital assets and high-innovation projects, including PCI compliance assessment for application API security and code review for Java, .Net, Angular, and JavaScript.
- Introduced security code training for internal development teams.
- Defined a secure SDLC for all the development and DevOps teams.
- Established secure coding standards that exceed the industry norm by adopting and improving OWASP and CERT coding practices.
- Integrated technical assurance in Agile development and achieved measurable improvements in avoiding or detecting vulnerabilities early, which reduced maintenance costs.
- Led the code review and security technical assurance for the V.me wallet's SDLC and Visa Europe's future of payments initiative.
Senior J2EE Security Developer
Cornèr Bank
- Designed and led the development of a secure two-factor authentication service infrastructure for e-banking websites.
- Maintained the e-banking code, including security code review and remediation using OWASP guidance and static code analysis, and built automation and integration using Hudson and Fortify 360 servers.
- Replaced RSA ClearTrust and separated login from the main Java application to enable SSO and enhance security.
Senior J2EE | Development Lead
SeatPagine Gialle
- Implemented complex business logic for SEAT Pagine Gialle SpA's customer data batch processing, enabling millions of users to access detailed information and sophisticated search tools.
- Managed the architecture definition and design.
- Headed the inception and development of a scalable Java EJB application.
C/C++ Programmer
TeamSystem
- Implemented a Linux distribution for software used by clients and accountants.
- Created and maintained packages for a Linux distribution.
- Developed the remote configuration and maintenance tools for a Linux distribution.
Experience
Open Secure Coding Training Slides
https://drive.google.com/drive/folders/1frn1R2GTmz74DU9GP-RPqCw8yQByY-pE
Education
Master's Degree in Computer Science
University of Camerino - Camerino, Italy
Certifications
AWS Certified Security - Specialty
Amazon Web Services
Skills
Tools
HP Fortify, IBM Security AppScan
Paradigms
Security Software Development, Penetration Testing
Platforms
Linux, Amazon Web Services (AWS)
Languages
Java
Frameworks
Hibernate
Other
OWASP, OWASP Top 10, Threat Modeling, Vulnerability Management, Vulnerability Assessment, Static Application Security Testing (SAST), Programming, Security, Compliance, Secure Coding, Web Security, Dynamic Application Security Testing (DAST), PCI DSS