
Hi, I'm Davy.
I'm an application security professional specialising in web application penetration testing, threat modelling, and embedding security across the software development lifecycle. I hold the Certified Information Systems Security Professional (CISSP) and Offensive Security Certified Professional (OSCP) certifications.
I've worked in application security at global enterprises across shipping, healthcare, and financial services, owning security strategy, building tooling pipelines, and chairing Security Champions programmes. I'm currently a Senior Application Security Engineer at Holland & Barrett.
Outside of my day job I run JustAppSec, a resource for developers and security teams to help with threat modelling, security research, and practical training.
Skills & Expertise
Programme Leadership
- AppSec Strategy & Roadmap Ownership
- Security Champions Programmes
- Developer Security Training
- Incident Response
- Executive & Board Reporting
- Client-facing Security Compliance
AI Security
- Generative AI Security Review
- AI-generated Code Auditing
- Prompt Injection Testing
- LLM Safety Guardrails
- AI Knowledge Base Development
- Automated Threat Model Pipelines
Threat Modelling
- Attack Path Mapping
- Trust Boundary Analysis
- Data Flow Diagrams
- STRIDE & MITRE ATT&CK
- Risk Ranking & Contextual CVSS
- Architecture Risk Analysis
Secure SDLC & DevSecOps
- Security Gates in CI/CD Pipelines
- SAST: SonarQube, Semgrep, CodeQL
- SCA: Black Duck, Snyk, OWASP Dep-Check, Dependabot
- Secrets: TruffleHog, GitHub Secret Scanning
- Container: AquaSec, Trivy, Scout Suite
- ASOC & Centralised Vuln Management
Penetration Testing
- Web Application Penetration Testing
- OWASP WSTG & ASVS Methodologies
- Burp Suite Pro & Enterprise (DAST)
- Metasploit, Empire, BloodHound
- Nuclei, ffuf, sqlmap, Amass
- Red & Purple Team Exercises
Cloud & Infrastructure
- AWS Security Architecture
- Azure Security
- Infrastructure as Code Security
- Container Security
- Nessus, Qualys, OpenVAS, Nmap
- IAM & Secrets Management
Experience
Senior Security Engineer - Application Security
Oct 2025 - Present
Supporting Europe's leading health and wellness retailer with in-depth application security expertise, technical testing, and continuous improvement across web, mobile, and e-commerce platforms. Applying AI-assisted tooling and analysis to accelerate vulnerability discovery, triage, and developer guidance - helping engineering teams move faster without compromising on security.
Nov 2022 - Present
Started justappsec.com in 2022 and incorporated JustAppSec Limited in 2025. As director I own the full business - strategy, product, operations, and commercial decisions. I set the direction, manage the P&L, develop the content and tooling, and am accountable for everything the company produces.
Application Security Manager
Mar 2023 - Oct 2025 · 2 yrs 7 mos
Led end-to-end application security for Unily's enterprise SaaS intranet platform, serving global brands including Shell, Johnson & Johnson, McDonald's, Best Buy, and Cardinal Health. Owned the AppSec strategy and vulnerability management programme. Heavily involved in generative AI security, reviewing AI-generated code, establishing safety guardrails, and building AI-powered security knowledge bases for engineering teams.
Senior Security Engineer - Application Security
Mar 2022 - Mar 2023 · 1 yr
Senior engineer in the 'Cyber Security - Secure by Design' team at the world's largest shipping company ($30bn, 100,000 employees, 130 countries). Chaired the Security Champions programme with 150+ members, running workshops, guest speaker events, and gamified security training. Led threat modelling sessions and drove enterprise-wide adoption of SAST, DAST, and SCA tooling in development pipelines.
Application Security Specialist
Atradius Crédito y Caución S.A. de Seguros y Reaseguros (Atradius)
Mar 2020 - Mar 2022 · 2 yrs
Owner of application security across the group, reporting directly to the Head of Security. Atradius provides trade credit insurance on ~$600bn of global trade with 240m+ company credit records. Led the Application Security Enhancements project delivering WAF protection, centralised vulnerability management, and full SAST/DAST/IAST/SCA/Container Security toolchain integration into DevOps pipelines. Owned penetration testing, red-team exercises, and the group's Secure Development Policy.
Business Systems Manager
Oct 2006 - Mar 2020 · 13 yrs 5 mos
EMEA Business Systems and Privacy Manager at Freeman - the global leader in experiential marketing and live events. Architected and implemented multi-subscription AWS infrastructure across EMEA and the US, built Python microservices for enterprise-scale system integrations, and led ERP and financial systems across acquisitions and reorganisations. Served as the company's GDPR/DPA 2018 point of contact, managing data protection impact assessments and privacy compliance across the region.
Certifications
CISSP
Certified Information Systems Security Professional
Globally recognised certification demonstrating expertise in designing, implementing, and managing cybersecurity programmes across 8 security domains.
Jun 2025
OSCP
Offensive Security Certified Professional
Hands-on penetration testing certification requiring real-world exploitation of multiple systems in a timed lab environment. One of the most respected offensive security credentials.
Feb 2019
GDPR Practitioner
EU General Data Protection Regulation Practitioner
Practitioner-level certification demonstrating in-depth understanding of GDPR compliance requirements and data protection by design.
Aug 2017
Hands-on Practice
JustAppSec - Practical Application Security
You can see some examples of my work at justappsec.com, including threat modelling tools, research, and training.