Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
An introduction to AppSec?
Search
Jérémy Courtial
October 23, 2018
Programming
0
47
An introduction to AppSec?
What is Application Security? Why it's important and how it can be implemented in tech teams?
Jérémy Courtial
October 23, 2018
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
27
Secure by design: introduction to threat modeling
mrartichaut
0
53
Taming secrets with Vault
mrartichaut
0
87
Lead Tech: Empowering the team
mrartichaut
0
48
Web Platform Security
mrartichaut
0
48
go doSomeThing()
mrartichaut
0
53
Practical Cryptography : Data Encryption
mrartichaut
0
62
Practical Cryptography : Password Hashing
mrartichaut
1
74
HTTP/2 : One connection to rule them all
mrartichaut
1
62
Other Decks in Programming
See All in Programming
AIフル活用時代だからこそ学んでおきたい働き方の心得
shinoyu
0
140
AI Schema Enrichment for your Oracle AI Database
thatjeffsmith
0
310
組織で育むオブザーバビリティ
ryota_hnk
0
180
CSC307 Lecture 05
javiergs
PRO
0
500
16年目のピクシブ百科事典を支える最新の技術基盤 / The Modern Tech Stack Powering Pixiv Encyclopedia in its 16th Year
ahuglajbclajep
5
1k
dchart: charts from deck markup
ajstarks
3
990
Apache Iceberg V3 and migration to V3
tomtanaka
0
160
そのAIレビュー、レビューしてますか? / Are you reviewing those AI reviews?
rkaga
6
4.6k
FOSDEM 2026: STUNMESH-go: Building P2P WireGuard Mesh Without Self-Hosted Infrastructure
tjjh89017
0
170
なぜSQLはAIぽく見えるのか/why does SQL look AI like
florets1
0
470
AIによる高速開発をどう制御するか? ガードレール設置で開発速度と品質を両立させたチームの事例
tonkotsuboy_com
7
2.4k
AIエージェントのキホンから学ぶ「エージェンティックコーディング」実践入門
masahiro_nishimi
5
470
Featured
See All Featured
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
94
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
0
370
ラッコキーワード サービス紹介資料
rakko
1
2.3M
Become a Pro
speakerdeck
PRO
31
5.8k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
350
Evolving SEO for Evolving Search Engines
ryanjones
0
130
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
akademiya2063
PRO
1
54
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
What does AI have to do with Human Rights?
axbom
PRO
0
2k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
0
3.4k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
2.1k
My Coaching Mixtape
mlcsv
0
48
Transcript
An introduction to AppSec Jérémy Courtial Software Security Architect @JeremyCourtial
AppSec?
Application Secucirty?
It’s not just about firewall
Combination of 3 bugs leading to privilege escalation https://newsroom.fb.com/news/2018/09/security-update/
Unpatched Apache Struts with critical Remote Execution vulnerability. (Plus lake
of defence in depth?)
« Application security encompasses measures taken to improve the security
of an application often by finding, fixing and preventing security vulnerabilities. » Wikipedia
It not just about finding & fixing It’s how applications
are made
Security is not a feature It’s a property like performance
and reliability
Security should be addressed at each step of the development
lifecycle
Design Implementation Vetification Release Security requirements Training Architecture reviews Threat
modelling Documentation Secure coding Code reviews Static analysis Dynamic analysis Pen testing Secure environnement Monitoring Incident Response Requirements & trainings
Requirements & trainings Use HSTS Must be HTTPS-only Have anti-CSRF
mechanism See Spring-Security ? Security checklists
Design Feedbacks-oriented meeting before any major changes enters development. Identifying
subjects that need closer follow-ups. Ensuring best practices. Architecture reviews
Impl. Static analysis Code analysis: Looks for common vulnerabilities pattern
in code. Composition analysis: Looks for vulnerable dependencies.
Impl. Static analysis Code analysis Composition analysis
Verification Dynamic analysis Looks for common vulnerabilities in live applications.
OWASP ZAP
Release Secure environment Up-to-date infrastructure (« patch, patch, patch… »)
Host hardening: system, Docker, k8s, etc. Protected and segmented networks
Who ?
None
Security champions One per team/platform Infuses security in daily activities
Security owner Owns the threat model Leads structural projects Harmonises
practices Leans on champions
Security team Varies skills: - DevSec - Pen testing -
Network & system - Compliance - …
How ?
Don’t be a faceless gate
Support Help Devs to produce more secure apps! Tools, guidance,
feedback, even code!
Partnership Communicate goals, roadmaps, challenges, etc. We all want to
ship ours (secure) products Shared responsibility
Get out of the way: automate, automate! Setup meaningful and
actionable alerts DevOps: ride the wave
Security is impor Last challenge: awareness
openrday.oodrive.fr Come talk about dev, security, etc.
Thank you!
mrartichaut
shinoyu
thatjeffsmith
ryota_hnk
javiergs
ahuglajbclajep
ajstarks
tomtanaka
rkaga
tjjh89017
florets1
tonkotsuboy_com
masahiro_nishimi
codingconduct
uxyall
rakko
speakerdeck
konakalab
ryanjones
akademiya2063
chriscoyier
axbom
katarinadahlin
garrettdimon
mlcsv
