David Cervigni, Developer in London, United Kingdom

David Cervigni

Verified Expert in Engineering

Web Security Developer

Location
London, United Kingdom
Toptal Member Since
May 14, 2022

David is an IT security consultant with 10+ years of experience in improving application security across the entire software development life cycle (SDLC). He is an expert in training teams on secure coding, including auditing, compliance, testing, code reviews, application security vulnerabilities remediation, threat modeling, maturity programs, DevSecOps, and SDL software development.

Availability

Part-time

Preferred Environment

OWASP, OWASP Top 10, Threat Modeling, Secure Coding, Web Security, Penetration Testing, Vulnerability Management, Vulnerability Assessment, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)

The most amazing...

...project I've worked on was an innovative CPU hardware design, which secured the company products with customized threat modeling techniques.

Work Experience

Software Security Architect

2020 - 2022
Alfresco (Acquired by Hyland Software)
  • Created a vibrant community around best security practices, including design, threat modeling, secure coding, and security testing.
  • Defined and assisted with Alfresco's software security program implementation across the SDLC. It was based on the OWASP SAMM framework that provides measurable results using evidence-based practices.
  • Led the secure software architecture design and threat modeling, and assisted the teams with vulnerability management escalations.
Technologies: OWASP, Threat Modeling, Vulnerability Management, Secure Coding, Penetration Testing, Compliance

Threat Modeling Facilitator

2019 - 2019
Arm
  • Acted as a global program SDL advisor and threat modeling facilitator to assist teams in delivering product threat models.
  • Contributed to the secure coding and threat modeling activities for OSS projects, using ARM Trusted Firmware.
  • Defined SDLC best practices and guidelines across the software development department.
Technologies: Threat Modeling

Consultant

2018 - 2019
IMQ Minded Security
  • Implemented the OWASP SAMM framework in the second biggest maritime company.
  • Defined and measured security-related activities throughout the organization and evaluated the existing software security practices.
  • Built a balanced software security assurance program in well-defined iterations.
  • Managed and coordinated a secure-coding training and a defensive security hackathon event.
  • Developed a threat modeling automation project and implemented reference architecture diagrams to test the threat modeling automation tool.
Technologies: OWASP Top 10, OWASP, Static Application Security Testing (SAST), HP Fortify

AppSec and SecDevOps Consultant

2018 - 2018
Photobox
  • Implemented a security champion program, which increased the end-to-end collaboration between AppSec and development teams, including security design, threat modeling processes, DevSecOps, and automation testing.
  • Spearheaded the secure development and coding training. It was designed to maximize the value of workshops and training sessions by being narrowly targeted to the development team's tech stack, processes, and security requirements.
  • Assisted teams in reviewing and remediating source code vulnerabilities.
  • Contributed to the Open Security Summit execution and outcome management.
  • Implemented processes in the SDLC to meet business security goals.
  • Headed the secure source code review of the most critical applications.
Technologies: Threat Modeling, OWASP, Secure Coding

CISO Advisor

2016 - 2016
Aviva
  • Reviewed systems to make sure they complied with specific enterprise security requirements.
  • Evaluated the API gateways, including requirements and vendors' security features for global adoption.
  • Assisted teams in achieving internal and external compliance.
Technologies: Threat Modeling, PCI DSS

DevSecOps Consultant

2016 - 2016
HSBC
  • Defined tools and their adoption across development teams and used DevOps principles to increase the security tools' automation and maturity level.
  • Managed adoption of security tools, including HCL AppScan, SecureAssist, and Contrast.
  • Promoted security awareness and static code analysis to developer teams globally.
Technologies: IBM Security AppScan

IT Security Consultant

2013 - 2015
Visa
  • Managed application security across Visa Europe digital assets and high-innovation projects, including PCI compliance assessment for application API security and code review for Java, .Net, Angular, and JavaScript.
  • Introduced security code training for internal development teams.
  • Defined a secure SDLC for all the development and DevOps teams.
  • Established secure coding standards that exceed the industry norm by adopting and improving OWASP and CERT coding practices.
  • Integrated technical assurance in Agile development and achieved measurable improvements in avoiding or detecting vulnerabilities early, which reduced maintenance costs.
  • Led the code review and security technical assurance for the V.me wallet's SDLC and Visa Europe's future of payments initiative.
Technologies: OWASP, HP Fortify

Senior J2EE Security Developer

2011 - 2013
Cornèr Bank
  • Designed and led the development of a secure two-factor authentication service infrastructure for e-banking websites.
  • Maintained the e-banking code, including security code review and remediation based on OWASP guidance and static code analysis, and built automation and integration using Hudson and Fortify 360 Server.
  • Replaced RSA ClearTrust and separated login from the main Java application to enable SSO and enhance security.
Technologies: Java

Senior J2EE | Development Lead

2006 - 2006
Seat Pagine Gialle
  • Implemented complex business logic for SEAT Pagine Gialle SpA's customer data batch processing, enabling millions of users to access detailed information and sophisticated search tools.
  • Managed the architecture definition and design.
  • Headed the inception and development of a scalable Java EJB application.
Technologies: Java, Hibernate

C/C++ Programmer

2001 - 2002
TeamSystem
  • Implemented a Linux distribution for software used by clients and accountants.
  • Created and maintained packages for a Linux distribution.
  • Developed the remote configuration and maintenance tools for a Linux distribution.
Technologies: Linux

Open Secure Coding Training Slides

https://drive.google.com/drive/folders/1frn1R2GTmz74DU9GP-RPqCw8yQByY-pE
Created and led the OWASP-based secure coding training as part of the AppSec security articles series. The training is divided into two 6-hour workdays and includes discussions and practical sessions.

Paradigms

Security Software Development, Penetration Testing

Platforms

Linux, Amazon Web Services (AWS)

Other

OWASP, OWASP Top 10, Threat Modeling, Vulnerability Management, Vulnerability Assessment, Static Application Security Testing (SAST), Programming, Security, Compliance, Secure Coding, Web Security, Dynamic Application Security Testing (DAST), PCI DSS

Languages

Java

Tools

HP Fortify, IBM Security AppScan

Frameworks

Hibernate

1999 - 2004

Master's Degree in Computer Science

University of Camerino - Camerino, Italy

December 2018 - Present

AWS Certified Security - Specialty

Amazon Web Services
