David is available for hire
Hire DavidDavid Cervigni
Verified Expert in Engineering
Web Security Developer
Location
London, United Kingdom
Toptal Member Since
May 14, 2022
David is an IT security consultant with 10+ years of experience in improving application security across the entire software development life cycle (SDLC). He is an expert in training teams on secure coding, including auditing, compliance, testing, code reviews, application security vulnerabilities remediation, threat modeling, maturity programs, DevSecOps, and SDL software development.
Portfolio
Alfresco (Acquired by Hyland Software)
OWASP, Threat Modeling, Vulnerability Management, Secure Coding...
Arm
Threat Modeling
IMQ Minded Security
OWASP Top 10, OWASP, Static Application Security Testing (SAST), HP Fortify
Experience
Availability
Part-time
Preferred Environment
OWASP, OWASP Top 10, Threat Modeling, Secure Coding, Web Security, Penetration Testing, Vulnerability Management, Vulnerability Assessment, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)
The most amazing...
...project I've worked on was an innovative CPU hardware design, which secured the company products with customized threat modeling techniques.
Work Experience
Software Security Architect
2020 - 2022
Alfresco (Acquired by Hyland Software)
- Created a vibrant community around best security practices, including design, threat modeling, secure coding, and security testing.
- Defined and assisted with Alfresco's software security program implementation across the SDLC. It was based on the OWASP SAMM framework that provides measurable results using evidence-based practices.
- Led the secure software architecture design and threat modeling, and assisted the teams with vulnerability management escalations.
Technologies: OWASP, Threat Modeling, Vulnerability Management, Secure Coding, Penetration Testing, Compliance
Threat Modeling Facilitator
2019 - 2019
Arm
- Acted as a global program SDL advisor and threat modeling facilitator to assist teams in delivering product threat models.
- Contributed to the secure coding and threat modeling activities for OSS projects, using ARM Trusted Firmware.
- Defined SDLC best practices and guidelines across the software development department.
Technologies: Threat Modeling
Consultant
2018 - 2019
IMQ Minded Security
- Implemented the OWASP SAMM framework in the second biggest maritime company.
- Defined and measured security-related activities throughout the organization and evaluated the existing software security practices.
- Built a balanced software security assurance program in well-defined iterations.
- Managed and coordinated a secure-coding training and a defensive security hackathon event.
- Developed a threat modeling automation project and implemented reference architecture diagrams to test the threat modeling automation tool.
Technologies: OWASP Top 10, OWASP, Static Application Security Testing (SAST), HP Fortify
AppSec and SecDevOps Consultant
2018 - 2018
Photobox
- Implemented a security champion program, which increased the end-to-end collaboration between AppSec and development teams, including security design, threat modeling processes, DevSecOps, and automation testing.
- Spearheaded the secure development and coding training. It was designed to maximize the value of workshops and training sessions by being narrowly targeted to the development team's tech stack, processes, and security requirements.
- Assisted teams in reviewing and remediating source code vulnerabilities.
- Contributed to the Open Security Summit execution and outcome management.
- Implemented processes in the SDLC to meet business security goals.
- Headed the secure source code review of the most critical applications.
Technologies: Threat Modeling, OWASP, Secure Coding
CISO Advisor
2016 - 2016
Aviva
- Reviewed systems to make sure they complied with specific enterprise security requirements.
- Evaluated the API gateways, including requirements and vendors' security features for global adoption.
- Assisted teams in achieving internal and external compliance.
Technologies: Threat Modeling, PCI DSS
DevSecOps Consultant
2016 - 2016
HSBC
- Defined tools and their adoption across development teams and used DevOps principles to increase the security tools' automation and maturity level.
- Managed adoption of security tools, including HCL AppScan, SecureAssist, and Contrast.
- Promoted security awareness and static code analysis to developer teams globally.
Technologies: IBM Security AppScan
IT Security Consultant
2013 - 2015
Visa
- Managed application security across Visa Europe digital assets and high-innovation projects, including PCI compliance assessment for application API security and code review for Java, .Net, Angular, and JavaScript.
- Introduced security code training for internal development teams.
- Defined a secure SDLC for all the development and DevOps teams.
- Established secure coding standards that exceed the industry norm by adopting and improving OWASP and CERT coding practices.
- Integrated technical assurance in Agile development and achieved measurable improvements in avoiding or detecting vulnerabilities early, which reduced maintenance costs.
- Led the code review and security technical assurance for the V.me wallet's SDLC and Visa Europe's future of payments initiative.
Technologies: OWASP, HP Fortify
Senior J2EE Security Developer
2011 - 2013
Cornèr Bank
- Designed and led the development of a secure two-factor authentication service infrastructure for e-banking websites.
- Maintained the e-banking code, including security code review and remediation using OWASP, static code analysis, and built automation and integration using Hudson and Fortify's 360 servers.
- Replaced RSA ClearTrust and separated login from the main Java application to enable SSO and enhance security.
Technologies: Java
Senior J2EE | Development Lead
2006 - 2006
SeatPagine Gialle
- Implemented complex business logic for SEAT Pagine Gialle SpA's customer data batch processing, enabling millions of users to access detailed information and sophisticated search tools.
- Managed the architecture definition and design.
- Headed the inception and development of a scalable Java EJB application.
Technologies: Java, Hibernate
C/C++ Programmer
2001 - 2002
TeamSystem
- Implemented a Linux distribution for software used by clients and accountants.
- Created and maintained packages for a Linux distribution.
- Developed the remote configuration and maintenance tools for a Linux distribution.
Technologies: Linux
Experience
Open Secure Coding Training Slides
https://drive.google.com/drive/folders/1frn1R2GTmz74DU9GP-RPqCw8yQByY-pECreated and led the OWASP-based secure coding training as part of the AppSec security articles series. The training is divided into two 6-hour workdays and includes discussions and practical sessions.
Education
1999 - 2004
Master's Degree in Computer Science
University of Camerino - Camerino, Italy
Certifications
DECEMBER 2018 - PRESENT
AWS Certified Security - Specialty
Amazon Web Services
Skills
Tools
HP Fortify, IBM Security AppScan
Platforms
Linux, Amazon Web Services (AWS)
Paradigms
Security Software Development, Penetration Testing
Languages
Java
Frameworks
Hibernate
Other
OWASP, OWASP Top 10, Threat Modeling, Vulnerability Management, Vulnerability Assessment, Static Application Security Testing (SAST), Programming, Security, Compliance, Secure Coding, Web Security, Dynamic Application Security Testing (DAST), PCI DSS
Collaboration That Works
How to Work with Toptal
Toptal matches you directly with global industry experts from our network in hours—not weeks or months.
1
Share your needs
Discuss your requirements and refine your scope in a call with a Toptal domain expert.
2
Choose your talent
Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.
3
Start your risk-free talent trial
Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.
Top talent is in high demand.
Start hiring