Bois-le-Roi, Île-de-France, France
# Principal Application Security Expert

### TotalEnergies Digital Factory · Paris, France

---

I define and drive the application security strategy across a cloud-native software factory of 30+ autonomous product squads, and across TotalEnergies' globally operated cloud platforms (AWS & Azure) covering 130 countries. No day looks the same, which is the only way I'd have it.

---

## What I actually do

**AppSec strategy & architecture**
Own the end-to-end Secure Software Development Lifecycle — from threat modelling at design phase through to post-deployment monitoring. I set the security architecture patterns, reference designs, and guardrails that product squads and cloud platform teams are expected to follow. I make the binding technical calls on application and platform security.

**CI/CD & tooling**
I evaluate, select, and embed security tooling across the pipeline: SAST, DAST, SCA, secret detection, container security, API security. I build the business case, then make sure teams actually use it (the hard part).

**Cloud security (Azure & AWS)**
Own the application security posture across cloud workloads and platform-layer services. This means working with both product squads and the infrastructure teams that operate the platforms — because security embedded in a platform is worth ten security gates bolted on afterwards.

**Risk governance**
Independent expert judgement on cybersecurity risk — risk classification, risk acceptance, derogation instruction.

**Security research**
I research novel vulnerability classes and attack techniques relevant to our stack and threat model. I translate external threat intelligence into concrete security requirements before it becomes someone else's incident report.

**Developer enablement**
Threat modelling workshops, secure code review training, hands-on coaching embedded in squad ways of working. The goal is to make security a shared engineering instinct, not a checklist at the end of the SDLC.

**External & community**
Occasional conference appearances, industry working groups, vendor technical partnerships. I engage with the security community because I find it genuinely interesting — and because it keeps me honest about what I don't know yet.

---

## Stack & stuff

Cloud: Azure · AWS (mostly)
Pipeline: GitHub Actions (hey hey) · SAST/DAST/SCA · Supply chain security (SLSA, SBOM)
AppSec: OWASP · API security · OAuth2/OIDC · Secrets management
Languages I can actually read code in: Python · JavaScript/TypeScript · Java · etc.

*10+ years in application security. Still finding interesting bugs.*