Younes Zendour

Hello, I'm Younes.

Application Security & DevSecOps

Software engineer turned security engineer. I know how it's built, so I know how it breaks. I secure CI/CD pipelines, audit code for vulnerabilities, and help dev teams ship secure software without slowing down.
Research-driven.
Open to full-time opportunities in AppSec, DevSecOps & Cybersecurity.

1st Place | ENSET CTF
4th Place | Hack The Box CTF

Interests

application security, arabic, vulnerability research, DevSecOps, secure code review, cloud security, pentesting, martial arts

University of South Brittany

Master's degree: Research Track, Software and Information Sciences

2025 - 2026

ENSIBS: Higher National School of Engineers of Southern Brittany

Engineer's degree, Cybersecurity

2024 - 2026

ENSET Mohammedia

Engineer's degree, Software & Distributed Systems Engineering

2022 - 2026

EST Meknes

DUT, Computer Science / Software Engineering

2020 - 2022

SKILLS

Pentesting & Offensive Security

Burp Suite, Nuclei, Nmap, Metasploit, Ffuf, SQLMap, Wireshark, Hashcat. Platforms: PentesterLab, HackTheBox

Application Security Testing

SAST: Semgrep, SonarQube. DAST: OWASP ZAP. SCA: Trivy, Dependency-Track. Secrets: Gitleaks

Frameworks & Standards

OWASP Top 10, OWASP ASVS, STRIDE, Secure SDLC, OWASP SAMM, MITRE ATT&CK, Threat Modeling

CI/CD & DevSecOps

GitHub Actions, HashiCorp Vault, Cosign/Sigstore, Syft, Grype, SBOM, SLSA

Cloud Security

IAM, GuardDuty, CloudTrail, Prowler, ScoutSuite, Checkov, OPA

Runtime & K8s Security

Falco, Tetragon, Kyverno, kube-bench, NetworkPolicies

CERTIFICATIONS
Practical Malware Analysis & Triage
Kubernetes for Absolute Beginners
HashiCorp Packer
Linux 101

Degrees collected. Now grinding the real ones.

eWPTX
AWS Certified Security - Specialty

PAPERS THAT SHAPED MY THINKING
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
Weichselbaum, Spagnuolo, Lekies, Janc - Google, CCS 2016
94.72% of the CSP policies surveyed are trivially bypassable. One JSONP endpoint on a whitelisted domain and it's over. Whitelists don't survive real-world complexity; a nonce-based policy with 'strict-dynamic' is the only model that holds.
Reflections on Trusting Trust
Ken Thompson - Turing Award Lecture, 1984
A compiler can betray you and erase the evidence. 40 years later, this is still the exact reason we need signed builds, SLSA provenance, and reproducible pipelines.

The Cold War's Impact on the Evolution of Training Theory in Boxing

Nicholas Bourne, Jan Todd, & Terry Todd - 2002

"Rigorous methodology applied to a field that resisted change."