Other activities on Application Security topics.

Book

• Technical editor for the book Alice and Bob Learn Application Security.

Vulnerability study

• Analysis of the Log4Shell vulnerability.

Technical blog post

⚠️ A migration operation of the Excellium Services website to the Thales website is pending. Therefore, all blog posts hosted on the Excellium Services website are temporary unavailable.

• Discovery of Kubernetes Native applications from an application security perspective.
• Identify, in a continuous way, your web attack surface exposed on the Internet, using Open-Source Software.
• What is the purpose of the Common Vulnerabilities and Exposures (CVE) systems from a security perspective?.
• Discovery of Cloud Native applications from an application security perspective.
• Agile threat modeling and the “the devil is in the details” idiom.
• Discovery of Self Sovereign Identity (SSI) from a security perspective.
• Continuous deployment: applying security for web application development.
• Risks linked to external dependencies.
• What is Web Cryptography API?.
• How to evaluate an OAuth/OpenID Connect system from a security point of view?.
• How to automatically validate the configuration of your API Gateway.
• How to report a security issue in a standardized manner with Security.txt.
• Password hashing: Be careful about what you hash!.
• Android mobile application cloning.

Technical post on Social Network

• Tips about the FastHTML web framework.
• Tips about Content-Security-policy.
• Tips about the SchemaFactory behavior in java regarding the exposure to XXE related attacks.
• Tips about the XMLInputFactory behavior in java regarding the exposure to XEE related attacks.
• Tips about the FEATURE_SECURE_PROCESSING option in java regarding the exposure to XEE related attacks.
• Tips regarding the polyfill JS library related supply chain attacks.
• Tips regarding the Content-Security-Policy restriction bypass.
• Tips regarding the XPS file format.
• Tips regarding the bypass of the mime type detection by the Apache Tika java library.
• Tips regarding the assessment of a web API based on SpringBoot.
• Tips regarding the assessment of a SPA via the map files.
• Hijack the HTTP/FTP call flow in a .NET app via its configuration file.
• Tips regarding the assessment of a Java app via the JDK tools.
• Tips regarding the validation of the signature of a binary file in .NET.

Continuous training

Library

• Different books I have read and enjoyed.

Profile on online training platforms

• PentesterLab (actively used).
• PortSwigger Web Security Academy (actively used).
• AppSecEngineer (used to delve deeper into specific topics).
• Root-Me (not used anymore).