---
title: "Application Security & Compliance - José DA COSTA"
description: "Application security and compliance, in my view, is **designing software that does not leak, does not allow lateral access, and does not break a regulator's expectations**. It covers OWASP Top 10, net"
locale: "en"
canonical: "https://portfolio.josedacosta.info/en/skills/application-security-compliance"
source: "https://portfolio.josedacosta.info/en/skills/application-security-compliance.md"
html_source: "https://portfolio.josedacosta.info/en/skills/application-security-compliance"
author: "José DA COSTA"
type: "skill"
slug: "application-security-compliance"
generated_at: "2026-04-26T21:12:47.097Z"
---

# Application Security & Compliance

Icon: 🔐

## My definition

Application security and compliance, in my view, is **designing software that does not leak, does not allow lateral access, and does not break a regulator's expectations**. It covers OWASP Top 10, network security, IT contract law, and GDPR. It is not an add-on plugged in at the end of a project but a discipline you install from the wireframe phase, otherwise security debt becomes existential at the first serious external audit.

### Context

I run this competency on **3 layers** in parallel. **Code**: OWASP Top 10 internalised across 8 portfolio references (PSR, accounting SaaS, Magento, ESB), dependency audits, secret scanning, threat-modelling on every feature touching credentials, payments, or KYC. **System**: network segmentation, role-bounded IAM, credential vault, per-partner isolation through APIM. **Compliance**: GDPR, direct contractual negotiation (DPA, SCCs, SLA, reversibility) which I run without relying on external counsel for routine deals. The network baseline was laid by the **BTS Computer Science** and has been maintained through 11 years of production.

### Relevance

In 2026, the European regulatory landscape is forcing a maturity jump: the **French NIS2 transposition** is in its final adoption phase (law expected mid-2026, **15,000 entities** in scope, regular audits starting Q4 2026), with a **24-hour incident reporting** window strictly enforced. Details on [the European Commission official tracker](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive-france). In parallel, the **AI Act** is reaching full applicability, and the **2026-2027 French e-invoicing mandate** adds a layer of fiscal compliance for accounting SaaS. The CSSLP/CISSP-ready CTO has become a top-priority hire in regulated industries (health, finance, institutional real estate).

## My evidence

### Securing the PSR platform end-to-end

**Context:** The Pichet **PSR platform** was a **public-facing API receiving leads from partners** across a dozen external real-estate portals - every lead carried personal data (name, email, phone, real-estate intent) governed by **GDPR**, and every mishandled credential potentially opened a path to lead diversion to a competitor. Protection could not be an add-on, it had to live in the initial design.

**Action:** I enforced **per-partner credential isolation through Microsoft APIM** (unique API keys per portal, scope-bounded permissions, **systematic rotation** through the APIM lifecycle). For GDPR flows: **HTTPS-only**, **no intermediate persistent storage** of leads (the commercial CRM remains the only source of truth), gateway-level validation on payload format and size, immediate rejection of malformed requests. I ran a **formal 2023 security audit** that resulted in hardened access controls and updated firewall rules. In parallel, I tooled **role-based isolation** on internal credentials so each operator only saw the partners they owned.

**Result:** **2023 audit cleared** without major non-conformity, **partner trust maintained** for 3 years, and **zero security incident** across the operation - which made it possible to gradually expand the partner perimeter without going through another internal evangelisation phase.

**Value added:** That project locked in a **security review as a recurring cycle** rather than a one-shot event. Today on every ACCENSEO engagement touching regulated data, I replay the same pattern: threat-model from the wireframe phase, role-based isolation in the design, external audit at least yearly. That is what makes it possible to defend SLA contracts in front of a critical customer without justifying everything wave after wave.

### Designing the accounting SaaS security around regulated data

**Context:** The ACCENSEO accounting SaaS handles the most sensitive data: **Open Banking PSD2 banking data** (3 providers wired in parallel), **customer KYC**, **accounting entries** subject to audit, **2026-2027 e-invoicing** regulated by the French DGFiP. Before writing any feature, I ran a **competitor security audit**: it surfaced critical flaws at established players (**IDOR** allowing one to read another customer's data, **KYC flaws** on identity verification). I could not reproduce those mistakes.

**Action:** I built security **before the application code**. **IDOR + KYC threat model** laid down on every feature touching customer data, **6-role access control** (Admin, Collaborator, Consultant, Accountant, Accounting, Banking) wired through **Better Auth** with full **MFA** (email, TOTP, SMS) and dedicated accounting login tokens. On regulated flows, I plugged the **EDI Teledec** (DGFiP-licensed partner) for VAT / IS / CFE / DAS2 / PAS submissions, and integrated **Open Banking PSD2** across 3 providers (GoCardless/Nordigen, Bridge, Qonto) with strict consent tracking. For e-invoicing, I built the **DGFiP v3.1 pipeline** as early as 2025, ahead of the 2026-2027 mandate. Every security decision was documented in **versioned ADRs** to survive future team growth.

**Result:** **Compliance baseline reached ahead of the 2026-2027 regulatory deadline**, **rollout-ready** without an emergency security rewrite, and the platform commercialisable to French accountants and SMBs without depending on an external audit at every cycle.

**Value added:** On this project I understood that **well-executed regulatory compliance becomes a product moat**: competitors carrying IDOR or KYC flaws cannot attack my segment without rewriting entire sections. That is exactly the posture I want to push on the next CTO scale-up role in regulated industries - **turn regulation into an entry barrier** rather than into a chain.
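The IDOR flaw surfaced by the competitor audit (a record fetched by its id alone, so any authenticated user can read another customer's data) and the role-bounded access described in the Action paragraph above are easiest to see side by side. The block below is an added example written for this page, not the ACCENSEO platform's code and not Better Auth's API; the six role names come from the page, while the firm/tenant model, the role-to-permission table and the sample entries are constructed assumptions.

```typescript
// Added example, not the ACCENSEO platform's code: the IDOR shape next to a
// lookup scoped by the caller's firm and role. The role names are the ones
// listed on the page; everything else here is constructed for illustration.

type Role = "Admin" | "Collaborator" | "Consultant" | "Accountant" | "Accounting" | "Banking";

interface Session { userId: string; firmId: string; role: Role }
interface AccountingEntry { id: string; firmId: string; label: string; amount: number }

// Constructed store: two firms (tenants), each with its own entries.
const ENTRIES: readonly AccountingEntry[] = [
  { id: "ent-1", firmId: "firm-a", label: "Office rent", amount: 1200 },
  { id: "ent-2", firmId: "firm-b", label: "Payroll", amount: 8400 },
];

// Assumed permission table: which roles may read accounting entries at all.
const CAN_READ_ENTRIES: ReadonlySet<Role> = new Set<Role>(["Admin", "Accountant", "Accounting", "Consultant"]);

// The IDOR shape: the id from the request is the only thing that selects the
// row, so a logged-in user of firm-a who supplies "ent-2" reads firm-b's data.
export function getEntryInsecure(id: string): AccountingEntry | undefined {
  return ENTRIES.find((e) => e.id === id);
}

// Hardened shape: the tenant is part of the query itself (not a check bolted on
// after the fetch) and the role gate runs first. "Forbidden" and "not found"
// both yield null, so the response does not reveal whether an id exists in
// another firm.
export function getEntry(session: Session, id: string): AccountingEntry | null {
  if (!CAN_READ_ENTRIES.has(session.role)) return null;
  const entry = ENTRIES.find((e) => e.id === id && e.firmId === session.firmId);
  return entry ?? null;
}

// Denied reads are worth recording: a burst of them from one user is the
// detection signal for id enumeration. Constructed in-memory sink; a real
// service would ship these events to its log pipeline.
export const deniedReads: { userId: string; firmId: string; id: string }[] = [];

export function getEntryAudited(session: Session, id: string): AccountingEntry | null {
  const entry = getEntry(session, id);
  if (entry === null) deniedReads.push({ userId: session.userId, firmId: session.firmId, id });
  return entry;
}
```

Putting the tenant predicate inside the query is what makes the protection survive refactoring: a later endpoint that reuses `getEntry` cannot forget the ownership check, whereas a check written after a bare `find` by id is one copy-paste away from being dropped.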

### Holding the PCI / OWASP line on Magento Enterprise

**Context:** On the Fleurance Nature refit in 2017, **Magento Enterprise Edition 1.10** carried the company's PCI-DSS responsibility for online payment across **3 storefronts**, **4 customer groups**, **12 pricing matrices**. With **60 custom modules** and **1,040 modified PHP files**, the risk of introducing a security regression at every release was permanent - and any card data leak would have cost the group its PCI compliance.

**Action:** I enforced strict **PCI-aware patterns** on every custom module: **no card data storage** on the Magento side (full delegation to a certified payment gateway), systematic use of **Observer / Strategy** patterns to never touch the Magento core - which prevents the unintended introduction of a capture point - and a **complete security regression suite** before every release. On the **OWASP Top 10** side, I framed XSS prevention on UGC contributions, multi-store session isolation, and strict input validation across every custom form.

**Result:** **Zero production security incident** during the migration and across the 5 years of operation that followed, **PCI compliance** preserved throughout the process, and the **Varnish cache** stayed operational without introducing any authentication bypass.

**Value added:** On this project, I locked in **security as a daily review** rather than a yearly audit. That reflex is what lets me today negotiate **IT contractual clauses** (DPA, SCCs, SLA, reversibility) directly at ACCENSEO without going through external counsel on routine deals - because I know what I am signing.

## My self-critique

### Mastery level

Level **Senior** on application OWASP and IT contract law (read and negotiate), **Confirmed** on network security and GDPR. OWASP Top 10 internalised across 8 portfolio references, network baseline laid by the BTS Computer Science and maintained by 11 years of production. As CTO at ACCENSEO and Celiane, I personally negotiate IT contractual clauses (DPA, SCCs, SLA, reversibility) without external counsel on routine deals. What still needs strengthening: **formal threat modelling** (STRIDE) and preparation for highly regulated industries like health or critical finance.

### Importance in my profile

Hygiene baseline for any CTO and explicit differentiator on regulated industries. It is what lets me secure a product platform without depending on an external consultant and defend contractual clauses sales-side without legal escalation. For the regulated accounting SaaS (e-invoicing 2026-2027) and the broker SaaS (DSP2, KYC), it is the condition for market entry.

### Advice (for myself and others)

### My golden rules

*Treat security as a continuous deliverable, not an event.* Two rules: refresh the OWASP Top 10 every year on the active stacks, run an external audit at least once a year. And threat-model every feature touching credentials, payment, or KYC **from the wireframe phase** - not later. Document security choices in ADRs so they survive turnover.

## My evolution in this skill

### Role in my professional project

Application security and compliance are **what makes my CTO decisions acceptable board-side, legal-side and customer-side**. In the 24-month plan, they let me attack a regulated market (health, finance, institutional real estate) without externalized legal overhead and pass an ISO / SOC2 light audit without massive rewrite. Without them, the role is restricted to non-regulated sectors and loses half the French addressable market.

### Mid-term target level

The observable goal is to **pass an external audit** (ISO 27001 light, SOC2 type 1, or tier-2 pentest) without major non-conformity and to **defend the security strategy in front of an audit committee in 60 minutes**. Senior maintained by default, opening toward Expert if the target industry justifies it (health, critical finance).

### Current training

Annual systematic review of the **OWASP Top 10** applied to ACCENSEO stacks, continuous monitoring of [ANSSI bulletins](https://www.cert.ssi.gouv.fr/) and [Cloudflare Radar](https://radar.cloudflare.com/), threat modeling applied to recent accounting SaaS features. Master in Software Engineering in progress.

### Future training

**CSSLP** (Certified Secure Software Lifecycle Professional) or **CISSP** certification targeted 2027 depending on the target CTO role maturity. Practical advanced threat-modeling training (STRIDE / LINDDUN) planned 2026.

## Progression across journey

This skill was developed across 9 different journey items.

- **1999** - [CTO · Founder · technical director](https://portfolio.josedacosta.info/en/journey/celiane-founder.md) (entrepreneurship) - Confidence: 1/5
- **2001** - [BTS IG (IT Management)](https://portfolio.josedacosta.info/en/journey/bts-computer-science.md) (education) - Confidence: 1/5
- **2008** - [Junior Software Engineer · PHP Joomla Webmaster Developer](https://portfolio.josedacosta.info/en/journey/ministere-sante-webmaster.md) (experience) - Confidence: 2/5
- **2009** - [Software Engineer · PHP Zend Framework Developer](https://portfolio.josedacosta.info/en/journey/european-sourcing-engineer.md) (experience) - Confidence: 4/5
- **2013** - [Senior Software Engineer · Lead PHP Symfony Developer](https://portfolio.josedacosta.info/en/journey/medialeads-senior-engineer.md) (experience) - Confidence: 3/5
- **2017** - [Senior Software Engineer · Lead PHP Magento Developer](https://portfolio.josedacosta.info/en/journey/smile-senior-engineer.md) (experience) - Confidence: 3/5
- **2019** - [Engineering Manager · Project Manager / Product Owner · Technical Lead](https://portfolio.josedacosta.info/en/journey/pichet-group.md) (experience) - Confidence: 4/5
- **2019** - [Technical Lead · Flows and Products: content and enterprise integration](https://portfolio.josedacosta.info/en/journey/pichet-technical-lead.md) (experience) - Confidence: 3/5
- **2023** - [Master Expert in Software Engineering](https://portfolio.josedacosta.info/en/journey/master-software-engineering.md) (education) - Confidence: 4/5

## Related achievements

- [Intelligent Accounting SaaS Platform](https://portfolio.josedacosta.info/en/achievements/plateforme-comptabilite-saas.md) - Competitor security audit (IDOR, KYC) feeding the platform's secure-by-design conception
- [Partner Lead Reception API Platform (alias PSR)](https://portfolio.josedacosta.info/en/achievements/plateforme-api-reception-leads-partenaires.md) - APIM credential isolation, GDPR compliance and 2023 security audit

Interactive version with navigation: https://portfolio.josedacosta.info/en/skills/application-security-compliance
