Illustration of the Application Security & Compliance competency - Jose DA COSTA
Technical skill · Security

Application Security & Compliance

OWASP reflexes since the Zend years, network security from BTS, IT contract law and GDPR awareness from the Master and CTO roles. Read a security-sensitive contract and harden a SaaS shipping financial or personal data.

Personal confidence: Advanced (4/5) on the scale Foundational / Developing / Proficient / Advanced / Expert.
How this competency evolved over time

Each segment is a period (journey or achievement) where the competency was applied. The colour and size of the end dot reflect the level reached during that period.

My definition

Application security and compliance, in my view, is designing software that does not leak, does not allow lateral access, and does not break a regulator's expectations. It covers OWASP Top 10, network security, IT contract law, and GDPR. It is not an add-on plugged in at the end of a project but a discipline you install from the wireframe phase, otherwise security debt becomes existential at the first serious external audit.

I run this competency on 3 layers in parallel. Code: OWASP Top 10 internalised across 8 portfolio references (PSR, accounting SaaS, Magento, ESB), dependency audits, secret scanning, threat-modelling on every feature touching credentials, payments, or KYC. System: network segmentation, role-bounded IAM, credential vault, per-partner isolation through APIM. Compliance: GDPR, direct contractual negotiation (DPA, SCCs, SLA, reversibility) which I run without relying on external counsel for routine deals. Network baseline laid by the BTS Computer Science and maintained by 11 years of production.

In 2026, the European regulatory landscape is forcing a maturity jump: the French NIS2 transposition is in its final adoption phase (law expected mid-2026, 15,000 entities in scope, regular audits starting Q4 2026), with a 24-hour incident reporting window strictly enforced. Details are on the European Commission's official tracker. In parallel, the AI Act is reaching full applicability, and the 2026-2027 French e-invoicing mandate adds a layer of fiscal compliance for accounting SaaS. The CSSLP/CISSP-ready CTO has become a top-priority hire in regulated industries (health, finance, institutional real estate).

My evidence

Achievement

Anecdote 1: Securing the PSR platform end-to-end

The Pichet PSR platform was a public-facing API receiving leads from partners across a dozen external real-estate portals - every lead carried personal data (name, email, phone, real-estate intent) governed by GDPR, and every mishandled credential potentially opened a path to lead diversion to a competitor. Protection could not be an add-on, it had to live in the initial design.

I enforced per-partner credential isolation through Microsoft APIM (unique API keys per portal, scope-bounded permissions, systematic rotation through the APIM lifecycle). For GDPR flows: HTTPS-only, no intermediate persistent storage of leads (the commercial CRM remains the only source of truth), gateway-level validation on payload format and size, immediate rejection of malformed requests. I ran a formal 2023 security audit that resulted in hardened access controls and updated firewall rules. In parallel, I tooled role-based isolation on internal credentials so each operator only saw the partners they owned.

2023 audit cleared without major non-conformity, partner trust maintained for 3 years, and zero security incident across the operation - which made it possible to gradually expand the partner perimeter without going through another internal evangelisation phase.

That project locked in a security review as a recurring cycle rather than a one-shot event. Today on every ACCENSEO engagement touching regulated data, I replay the same pattern: threat-model from the wireframe phase, role-based isolation in the design, external audit at least yearly. That is what makes it possible to defend SLA contracts in front of a critical customer without justifying everything wave after wave.

Achievement

Anecdote 2: Designing the accounting SaaS security around regulated data

The ACCENSEO accounting SaaS handles the most sensitive data: Open Banking PSD2 banking data (3 providers wired in parallel), customer KYC, accounting entries subject to audit, 2026-2027 e-invoicing regulated by the French DGFiP. Before writing any feature, I ran a competitor security audit: it surfaced critical flaws at established players (IDOR allowing one to read another customer's data, KYC flaws on identity verification). I could not reproduce those mistakes.

I built security before the application code. IDOR + KYC threat model laid down on every feature touching customer data, 6-role access control (Admin, Collaborator, Consultant, Accountant, Accounting, Banking) wired through Better Auth with full MFA (email, TOTP, SMS) and dedicated accounting login tokens. On regulated flows, I plugged in the EDI Teledec (DGFiP-licensed partner) for VAT / IS / CFE / DAS2 / PAS submissions, and integrated Open Banking PSD2 across 3 providers (GoCardless/Nordigen, Bridge, Qonto) with strict consent tracking. For e-invoicing, I built the DGFiP v3.1 pipeline as early as 2025, ahead of the 2026-2027 mandate. Every security decision was documented in versioned ADRs to survive future team growth.
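The tenant-scoped lookup pattern that closes the competitor IDOR flaw mentioned above, as an added example and not code from the ACCENSEO platform: the page names the six roles but not their permissions, so the role-to-data mapping and the in-memory records are assumptions constructed for illustration.

```javascript
// Added example, not ACCENSEO code. Role names follow the page; which data
// category each role may read is an assumed mapping for illustration.
const ROLE_SCOPES = {
  Admin:        new Set(["entries", "banking", "kyc"]),
  Collaborator: new Set(["entries"]),
  Consultant:   new Set(["entries"]),
  Accountant:   new Set(["entries", "banking", "kyc"]),
  Accounting:   new Set(["entries"]),
  Banking:      new Set(["banking"]),
};

// Constructed in-memory store: two tenants (customer companies) sharing one id space,
// which is exactly the situation in which an id-only lookup becomes an IDOR.
const RECORDS = [
  { id: 1, tenantId: "t-1", category: "entries", label: "Invoice 2025-001", amount: 1200 },
  { id: 2, tenantId: "t-2", category: "entries", label: "Invoice 2025-017", amount: 830 },
  { id: 3, tenantId: "t-2", category: "banking", label: "Bank line",        amount: -120 },
];

// Vulnerable form: the record is fetched by id alone, so any authenticated
// user can read any tenant's record by guessing a sequential id.
function getRecordVulnerable(session, id) {
  return RECORDS.find((r) => r.id === id) ?? null;
}

// Hardened form: the tenant comes from the authenticated session, never from
// the request, and the session role must be allowed for the record's category.
// "Not found" and "forbidden" both return null so the response does not reveal
// whether the id exists in another tenant.
function getRecordHardened(session, id) {
  const allowed = ROLE_SCOPES[session.role];
  if (!allowed) return null;
  const rec = RECORDS.find((r) => r.id === id && r.tenantId === session.tenantId);
  if (!rec || !allowed.has(rec.category)) return null;
  return rec;
}

// Regression check to keep in the suite: a Collaborator of tenant t-1 asks for
// every known id; returns, per id, whether a record was served.
function idorProbe(lookup) {
  const session = { userId: "u-7", tenantId: "t-1", role: "Collaborator" };
  return [1, 2, 3].map((id) => lookup(session, id) !== null);
}
```

With the vulnerable lookup the probe serves all three records; with the hardened one only the caller's own entry is served.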

Compliance baseline reached ahead of the 2026-2027 regulatory deadline, rollout-ready without an emergency security rewrite, and the platform commercialisable to French accountants and SMBs without depending on an external audit at every cycle.

On this project I understood that well-executed regulatory compliance becomes a product moat: competitors carrying IDOR or KYC flaws cannot attack my segment without rewriting entire sections. That is exactly the posture I want to push on the next CTO scale-up role in regulated industries - turn regulation into an entry barrier rather than into a chain.

Achievement

Anecdote 3: Holding the PCI / OWASP line on Magento Enterprise

On the Fleurance Nature refit in 2017, Magento Enterprise Edition 1.10 carried the company's PCI-DSS responsibility for online payment across 3 storefronts, 4 customer groups, 12 pricing matrices. With 60 custom modules and 1,040 modified PHP files, the risk of introducing a security regression at every release was permanent - and any card data leak would have cost the group its PCI compliance.

I enforced strict PCI-aware patterns on every custom module: no card data storage on the Magento side (full delegation to a certified payment gateway), systematic use of Observer / Strategy patterns to never touch the Magento core - which prevents the unintended introduction of a capture point - and a complete security regression suite before every release. On the OWASP Top 10 side, I framed XSS prevention on UGC contributions, multi-store session isolation, and strict input validation across every custom form.

Zero production security incident during the migration and across the 5 years of operation that followed, PCI compliance preserved throughout the process, and the Varnish cache stayed operational without introducing any authentication bypass.

On this project, I locked in security as a daily review rather than a yearly audit. That reflex is what lets me today negotiate IT contractual clauses (DPA, SCCs, SLA, reversibility) directly at ACCENSEO without going through external counsel on routine deals - because I know what I am signing.

My self-critique

Senior level on application OWASP and IT contract law (read and negotiate), Confirmed level on network security and GDPR. OWASP Top 10 internalised across 8 portfolio references, network baseline laid by the BTS Computer Science and maintained by 11 years of production. As CTO at ACCENSEO and Celiane, I personally negotiate IT contractual clauses (DPA, SCCs, SLA, reversibility) without external counsel on routine deals. What still needs strengthening: formal threat modelling (STRIDE) and preparation for highly regulated industries like health or critical finance.

Hygiene baseline for any CTO and explicit differentiator in regulated industries. It is what lets me secure a product platform without depending on an external consultant and defend contractual clauses sales-side without legal escalation. For the regulated accounting SaaS (e-invoicing 2026-2027) and the broker SaaS (PSD2, KYC), it is the condition for market entry.

First significant use: BTS IG (IT Management). Progression up to Software Engineer · PHP Zend Framework Developer, now at 4/5 (Advanced). The continuity of these contexts signals a robust acquisition, battle-tested by repetition and diversity.

My golden rules

*Treat security as a continuous deliverable, not an event.* Two rules: refresh the OWASP Top 10 every year on the active stacks, run an external audit at least once a year. And threat-model every feature touching credentials, payment, or KYC from the wireframe phase - not later. Document security choices in ADRs so they survive turnover.

My evolution in this skill

Application security and compliance are what makes my CTO decisions acceptable board-side, legal-side and customer-side. In the 24-month plan, they let me attack a regulated market (health, finance, institutional real estate) without externalized legal overhead and pass an ISO / SOC2 light audit without massive rewrite. Without them, the role is restricted to non-regulated sectors and loses half the French addressable market.

The observable goal is to pass an external audit (ISO 27001 light, SOC2 type 1, or tier-2 pentest) without major non-conformity and to defend the security strategy in front of an audit committee in 60 minutes. Senior maintained by default, opening toward Expert if the target industry justifies it (health, critical finance).

Annual systematic review of the OWASP Top 10 applied to ACCENSEO stacks, continuous monitoring of ANSSI bulletins and Cloudflare Radar, threat modelling applied to recent accounting SaaS features. Master in Software Engineering active.

CSSLP (Certified Secure Software Lifecycle Professional) or CISSP certification targeted 2027 depending on the target CTO role maturity. Practical advanced threat-modeling training (STRIDE / LINDDUN) planned 2026.

My quarterly routine

  • weekly intake: Cloudflare Radar, GitHub Security Blog, ANSSI bulletins, Krebs on Security
  • annual reread of *Threat Modeling: Designing for Security* (Adam Shostack), following Tanya Janca's posts
  • every quarter, a dependency audit + secret-scan + ACL review on every ACCENSEO product
