Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
An introduction to AppSec?
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Jérémy Courtial
October 23, 2018
Programming
0
47
An introduction to AppSec?
What is Application Security? Why it's important and how it can be implemented in tech teams?
Jérémy Courtial
October 23, 2018
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
27
Secure by design: introduction to threat modeling
mrartichaut
0
53
Taming secrets with Vault
mrartichaut
0
87
Lead Tech: Empowering the team
mrartichaut
0
48
Web Platform Security
mrartichaut
0
48
go doSomeThing()
mrartichaut
0
53
Practical Cryptography : Data Encryption
mrartichaut
0
62
Practical Cryptography : Password Hashing
mrartichaut
1
74
HTTP/2 : One connection to rule them all
mrartichaut
1
62
Other Decks in Programming
See All in Programming
ぼくの開発環境2026
yuzneri
0
240
Best-Practices-for-Cortex-Analyst-and-AI-Agent
ryotaroikeda
1
110
そのAIレビュー、レビューしてますか? / Are you reviewing those AI reviews?
rkaga
6
4.6k
AI時代のキャリアプラン「技術の引力」からの脱出と「問い」へのいざない / tech-gravity
minodriven
21
7.3k
FOSDEM 2026: STUNMESH-go: Building P2P WireGuard Mesh Without Self-Hosted Infrastructure
tjjh89017
0
170
HTTPプロトコル正しく理解していますか? 〜かわいい猫と共に学ぼう。ฅ^•ω•^ฅ ニャ〜
hekuchan
2
690
OSSとなったswift-buildで Xcodeのビルドを差し替えられるため 自分でXcodeを直せる時代になっている ダイアモンド問題編
yimajo
3
620
AWS re:Invent 2025参加 直前 Seattle-Tacoma Airport(SEA)におけるハードウェア紛失インシデントLT
tetutetu214
2
120
今こそ知るべき耐量子計算機暗号(PQC)入門 / PQC: What You Need to Know Now
mackey0225
3
380
なぜSQLはAIぽく見えるのか/why does SQL look AI like
florets1
0
470
要求定義・仕様記述・設計・検証の手引き - 理論から学ぶ明確で統一された成果物定義
orgachem
PRO
1
150
AIによるイベントストーミング図からのコード生成 / AI-powered code generation from Event Storming diagrams
nrslib
2
1.9k
Featured
See All Featured
Discover your Explorer Soul
emna__ayadi
2
1.1k
How to Think Like a Performance Engineer
csswizardry
28
2.4k
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
120
The B2B funnel & how to create a winning content strategy
katarinadahlin
PRO
1
280
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
57
50k
Fireside Chat
paigeccino
41
3.8k
Rails Girls Zürich Keynote
gr2m
96
14k
Unlocking the hidden potential of vector embeddings in international SEO
frankvandijk
0
170
State of Search Keynote: SEO is Dead Long Live SEO
ryanjones
0
120
The Curse of the Amulet
leimatthew05
1
8.7k
Between Models and Reality
mayunak
1
190
Skip the Path - Find Your Career Trail
mkilby
0
57
Transcript
An introduction to AppSec Jérémy Courtial Software Security Architect @JeremyCourtial
AppSec?
Application Secucirty?
It’s not just about firewall
Combination of 3 bugs leading to privilege escalation https://newsroom.fb.com/news/2018/09/security-update/
Unpatched Apache Struts with critical Remote Execution vulnerability. (Plus lake
of defence in depth?)
« Application security encompasses measures taken to improve the security
of an application often by finding, fixing and preventing security vulnerabilities. » Wikipedia
It not just about finding & fixing It’s how applications
are made
Security is not a feature It’s a property like performance
and reliability
Security should be addressed at each step of the development
lifecycle
Design Implementation Vetification Release Security requirements Training Architecture reviews Threat
modelling Documentation Secure coding Code reviews Static analysis Dynamic analysis Pen testing Secure environnement Monitoring Incident Response Requirements & trainings
Requirements & trainings Use HSTS Must be HTTPS-only Have anti-CSRF
mechanism See Spring-Security ? Security checklists
Design Feedbacks-oriented meeting before any major changes enters development. Identifying
subjects that need closer follow-ups. Ensuring best practices. Architecture reviews
Impl. Static analysis Code analysis: Looks for common vulnerabilities pattern
in code. Composition analysis: Looks for vulnerable dependencies.
Impl. Static analysis Code analysis Composition analysis
Verification Dynamic analysis Looks for common vulnerabilities in live applications.
OWASP ZAP
Release Secure environment Up-to-date infrastructure (« patch, patch, patch… »)
Host hardening: system, Docker, k8s, etc. Protected and segmented networks
Who ?
None
Security champions One per team/platform Infuses security in daily activities
Security owner Owns the threat model Leads structural projects Harmonises
practices Leans on champions
Security team Varies skills: - DevSec - Pen testing -
Network & system - Compliance - …
How ?
Don’t be a faceless gate
Support Help Devs to produce more secure apps! Tools, guidance,
feedback, even code!
Partnership Communicate goals, roadmaps, challenges, etc. We all want to
ship ours (secure) products Shared responsibility
Get out of the way: automate, automate! Setup meaningful and
actionable alerts DevOps: ride the wave
Security is impor Last challenge: awareness
openrday.oodrive.fr Come talk about dev, security, etc.
Thank you!
SiteGround - Reliable hosting with speed, security, and support you can count on.
mrartichaut
yuzneri
ryotaroikeda
rkaga
minodriven
tjjh89017
hekuchan
yimajo
tetutetu214
mackey0225
florets1
orgachem
nrslib
emna__ayadi
csswizardry
mkilby
katarinadahlin
madoxten
paigeccino
gr2m
frankvandijk
ryanjones
leimatthew05
mayunak
