Software Engineer · Application Security & AI Systems

David
Builds & Breaks

Full-Stack Engineer focused on Application Security. Shipping web systems with security as a design input, not an afterthought.

Career

Experience

2026

Materiales La Bodega

Current

Full Stack Engineer

Mar 2026 - Present

Own and scale a production retail platform (~$1.5M COP/day across e-commerce and in-store). Responsible for authentication, session security and role-based access across staff and customer surfaces. Hardened the app layer against OWASP Top 10: parameterized queries, server-side input validation, CSRF on state-changing endpoints, least-privilege DB roles.

Next.js · PostgreSQL · Prisma · Supabase · OWASP · RBAC · CSRF

2025

Tambora

Frontend Developer

Jul 2025 - Sep 2025

Migrated business-critical legacy modules from jQuery to React: 40% bundle-size reduction and shrunk the client-side attack surface by consolidating logic into a modular Atomic Design library. Engineered Azure CI/CD to replace manual SSH deploys, cutting deploy time from 2+ hours to <15 min and enabling automated test gates — foundation for SAST and dependency scanning.

React · Azure · TypeScript · CI/CD · SAST-ready

2024

EliteStack Bootcamp

Full-Stack Development

Jun 2024 - Jul 2024

Hands-on bootcamp: Linux/CLI, TypeScript, Node.js, Docker, REST APIs, WebSockets, Next.js, AWS. Foundation of how modern production systems fit together.

Linux · TypeScript · Docker · AWS

About

Who I am


I'm a Full-Stack Engineer from Pereira, Colombia, focused on Application Security and the reliability of modern web systems. I build end-to-end: React and Next.js on the front; Node, TypeScript and PostgreSQL on the back, with attention to the layer where working code becomes a security risk.

I approach development with a security-first mindset: threat modeling features before they ship, using the OWASP Top 10 as a baseline, and validating systems through offensive testing. I actively train on platforms like TryHackMe and PortSwigger Web Security Academy to understand how real attacks work and how to prevent them.

I'm particularly interested in securing AI-integrated applications as they introduce new attack surfaces beyond traditional web security.

Open to Software Engineer and junior Application Security roles — remote or relocation to Germany or the US. Open to visa sponsorship: Germany / EU Blue Card, US. Spanish native, English C1, German B1.

Location: Pereira, Colombia
Building since: 2024
Focus area: AppSec
Languages: EN C1 / DE B1
Visa: EU / US sponsorship

Expertise

Skills

Application Security

OWASP Top 10 · Threat Modeling (STRIDE) · OAuth 2.0 / OIDC · JWT (EdDSA) · RBAC · Session Hardening · Argon2id · CSRF / XSS / SQLi defenses · Secure Code Review · Secrets Management · Input Validation

Offensive & AppSec Tooling

Burp Suite · OWASP ZAP · nmap · Wireshark · sqlmap · ffuf · Nuclei · Gobuster · Hydra · Hashcat · Metasploit · Nikto · Semgrep · Trivy · Kali Linux · HackTheBox · TryHackMe · PortSwigger Academy

Backend

Node.js · Next.js · Express · REST APIs · WebSockets · Jest · Zod

Frontend

React · Next.js · Astro · TailwindCSS · Framer Motion · Three.js

Databases

PostgreSQL · MySQL · MongoDB · Prisma · Redis

DevOps & Cloud

AWS · Azure · Docker · CI/CD · Digital Ocean · Linux hardening · Vercel

Languages

TypeScript · JavaScript · Python · C · SQL · Bash · HTML/CSS

AI & LLM

Claude API · OpenAI · SSE Streaming · MCP Servers · LLM Integration · Prompt Injection defense · LLM Guardrails · RAG · Prompt Engineering

Tooling

Git · GitHub · Postman · Jira · Swagger · Linux

Work

Projects

PairCode

Secure real-time collaborative workspace

Secure collaborative system with verified identity, hardened authentication, and a purpose-built realtime layer.

  • In-house auth stack: EdDSA JWTs, rotating refresh tokens with reuse detection, Argon2id hashing, CSRF protection.
  • Custom WebSocket server with single-use ticket handshake, per-event authorization, and RBAC enforced server-side.
  • Realtime room layer: presence, typing, shared threaded context, and persistent history that survives reconnects.

Next.js · PostgreSQL · EdDSA · Argon2id · RBAC · WebSockets

Kanby

Kanban app with auth and access control

Collaborative Kanban: boards, lists, drag-and-drop cards, secure session handling and per-board authorization over SSE.

TypeScript · Next.js · PostgreSQL · Prisma · SSE

MacOS Portfolio

Portfolio site as a MacOS app

Interactive portfolio mimicking a real OS experience: macOS-style desktop windows on desktop and iPhone-style full-screen apps on mobile.

TypeScript · React · Zustand · GSAP

Get in touch

Let's build something

Open to Software Engineer and junior AppSec roles — remote, or relocating to Germany or the US. If you're hiring for security-minded developers, let's talk.