Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
An introduction to AppSec?
Search
Jérémy Courtial
October 23, 2018
Programming
52
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
An introduction to AppSec?
What is Application Security? Why it's important and how it can be implemented in tech teams?
Jérémy Courtial
October 23, 2018
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
30
Secure by design: introduction to threat modeling
mrartichaut
0
58
Taming secrets with Vault
mrartichaut
0
92
Lead Tech: Empowering the team
mrartichaut
0
52
Web Platform Security
mrartichaut
0
54
go doSomeThing()
mrartichaut
0
57
Practical Cryptography : Data Encryption
mrartichaut
0
70
Practical Cryptography : Password Hashing
mrartichaut
1
79
HTTP/2 : One connection to rule them all
mrartichaut
1
67
Other Decks in Programming
See All in Programming
エージェンティックRAGにAWSで入門しよう!
har1101
8
1.4k
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
160
Spring Security 実践 ─ GraphQL APIで実務に役立つ 認証・認可 を学ぶ
wagyu
0
220
Technical Debt: Understanding it Rightly, Engaging it Rightly #LaravelLiveJP
shogogg
0
220
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
snhryt
0
150
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
500
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
handlename
0
780
脅威をエンジニアリングの糧にして――現場編 / Turning Threats into Engineering Fuel — Field Edition
nrslib
0
270
Spec Driven Development | AI Summit Lisbon
danielsogl
PRO
0
180
ローカルLLMでどこまでコードが書けるか -拡張版 / How much code can be written on a local LLM Extended
kishida
8
2.8k
「AIで開発し、AIを届ける」をEvalでつなぐ 〜AIネイティブに始めるプロダクト開発の実践〜 / Connecting "Develop with AI, deliver AI" with Eval
rkaga
4
4.9k
Skillsは効率化、Agentsは"自分の拡張"——Builder時代のエージェント編成(CC Night 2026)
wemra
1
120
Featured
See All Featured
Facilitating Awesome Meetings
lara
57
7k
Side Projects
sachag
455
43k
Applied NLP in the Age of Generative AI
inesmontani
PRO
4
2.3k
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
480
A Soul's Torment
seathinner
6
2.9k
Navigating Team Friction
lara
192
16k
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
minecr
1
280
Kristin Tynski - Automating Marketing Tasks With AI
techseoconnect
PRO
0
270
Paper Plane
katiecoart
PRO
1
51k
Faster Mobile Websites
deanohume
310
31k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
370
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
56k
Transcript
An introduction to AppSec Jérémy Courtial Software Security Architect @JeremyCourtial
AppSec?
Application Secucirty?
It’s not just about firewall
Combination of 3 bugs leading to privilege escalation https://newsroom.fb.com/news/2018/09/security-update/
Unpatched Apache Struts with critical Remote Execution vulnerability. (Plus lake
of defence in depth?)
« Application security encompasses measures taken to improve the security
of an application often by finding, fixing and preventing security vulnerabilities. » Wikipedia
It not just about finding & fixing It’s how applications
are made
Security is not a feature It’s a property like performance
and reliability
Security should be addressed at each step of the development
lifecycle
Design Implementation Vetification Release Security requirements Training Architecture reviews Threat
modelling Documentation Secure coding Code reviews Static analysis Dynamic analysis Pen testing Secure environnement Monitoring Incident Response Requirements & trainings
Requirements & trainings Use HSTS Must be HTTPS-only Have anti-CSRF
mechanism See Spring-Security ? Security checklists
Design Feedbacks-oriented meeting before any major changes enters development. Identifying
subjects that need closer follow-ups. Ensuring best practices. Architecture reviews
Impl. Static analysis Code analysis: Looks for common vulnerabilities pattern
in code. Composition analysis: Looks for vulnerable dependencies.
Impl. Static analysis Code analysis Composition analysis
Verification Dynamic analysis Looks for common vulnerabilities in live applications.
OWASP ZAP
Release Secure environment Up-to-date infrastructure (« patch, patch, patch… »)
Host hardening: system, Docker, k8s, etc. Protected and segmented networks
Who ?
None
Security champions One per team/platform Infuses security in daily activities
Security owner Owns the threat model Leads structural projects Harmonises
practices Leans on champions
Security team Varies skills: - DevSec - Pen testing -
Network & system - Compliance - …
How ?
Don’t be a faceless gate
Support Help Devs to produce more secure apps! Tools, guidance,
feedback, even code!
Partnership Communicate goals, roadmaps, challenges, etc. We all want to
ship ours (secure) products Shared responsibility
Get out of the way: automate, automate! Setup meaningful and
actionable alerts DevOps: ride the wave
Security is impor Last challenge: awareness
openrday.oodrive.fr Come talk about dev, security, etc.
Thank you!
mrartichaut
har1101
blueswen
wagyu
shogogg
snhryt
macha64
handlename
nrslib
danielsogl
kishida
rkaga
wemra
lara
sachag
inesmontani
marktimemedia
seathinner
minecr
techseoconnect
katiecoart
deanohume
akashhashmi
aki_iinuma
