<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Emma Barfety, Author</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/author/emma-barfety/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/author/emma-barfety/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Fri, 18 Aug 2023 15:55:29 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>Emma Barfety, Author</title>
	<link>https://www.riskinsight-wavestone.com/author/emma-barfety/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>ChatGPT &#038; DevSecOps – What are the new cybersecurity risks introduced by the use of AI by developers? </title>
		<link>https://www.riskinsight-wavestone.com/en/2023/08/chatgpt-devsecops-what-are-the-new-cybersecurity-risks-introduced-by-the-use-of-ai-by-developers/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2023/08/chatgpt-devsecops-what-are-the-new-cybersecurity-risks-introduced-by-the-use-of-ai-by-developers/#respond</comments>
		
		<dc:creator><![CDATA[Emma Barfety]]></dc:creator>
		<pubDate>Tue, 22 Aug 2023 15:00:00 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[chatgpt]]></category>
		<category><![CDATA[DevSecOps]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=21035</guid>

					<description><![CDATA[<p>In November 2022, the conversational agent ChatGPT developed by OpenAI was made accessible to the general public. Since then, it&#8217;s an understatement to say that this new tool has garnered interest. Just two months after its launch, the tool became...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/08/chatgpt-devsecops-what-are-the-new-cybersecurity-risks-introduced-by-the-use-of-ai-by-developers/">ChatGPT &amp; DevSecOps – What are the new cybersecurity risks introduced by the use of AI by developers?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>In November 2022, the conversational agent ChatGPT developed by OpenAI was made accessible to the general public. Since then, it&#8217;s an understatement to say that this new tool has garnered interest. Just two months after its launch, the tool became the fastest-growing application in history, with nearly 100 million active users per month (a record later surpassed by Threads).</p>
<p>As users have adopted this product en masse, it now raises several fundamental cybersecurity questions.</p>
<p>Should companies allow their employees – specifically development teams – to continue using this tool without any restrictions? Should they suspend its usage until security teams address the issue? Or should it be outright banned?</p>
<p>Some companies like J.P. Morgan or Verizon have chosen to prohibit its usage. Apple initially decided to <a href="https://www.businessinsider.com/chatgpt-companies-issued-bans-restrictions-openai-ai-amazon-apple-2023-7">allow the tool for its employees before reversing its decision and prohibiting it</a>. Amazon and Microsoft have simply asked their employees to be cautious about the information shared with OpenAI.</p>
<p>The most restrictive approach of blocking the platform avoids all cybersecurity questions but raises other concerns, including team performance, productivity, and the overall competitiveness of companies in rapidly changing markets.</p>
<p>Today, the question of blocking AI in IT remains relevant. We propose to provide some answers to this question for a <b>population particularly concerned with the issue: development teams.</b></p>
<h2>ChatGPT, Personal Information Collection, and GDPR</h2>
<p>OpenAI&#8217;s product is freely accessible and usable under the condition of creating a user account. It&#8217;s a known trend: if an online tool is free, its source of revenue doesn&#8217;t come from access to the tool. For the specific case of ChatGPT, the information from the history of millions of users helps improve the platform and the quality of the language model. ChatGPT is a preview service: any data entered by the user may be reviewed by a human to improve the services.</p>
<p>Currently, ChatGPT doesn&#8217;t seem compliant with GDPR and data protection laws, but no legal decision has been made. The terms and conditions currently don&#8217;t mention the right to limitation of processing, the right to data portability, or the right to object. The US-based company OpenAI doesn&#8217;t mention GDPR but emphasizes that ChatGPT complies with &#8220;CALIFORNIA PRIVACY RIGHTS.&#8221; However, this regulation only applies to California residents and doesn&#8217;t extend beyond the United States of America. OpenAI also doesn&#8217;t provide a solution for individuals to verify whether the editor stores their personal data or to request its deletion.</p>
<p>When we delve into ChatGPT&#8217;s <a href="https://openai.com/policies/privacy-policy">privacy policy</a>, we can understand that:</p>
<ol>
<li>OpenAI collects user IP addresses, their web browser type, and their data and interactions with the website. For example, this includes the type of content generated with AI, use cases, and functions used.</li>
<li>OpenAI also collects information about users&#8217; browsing activity on the web. It reserves the right to share this personal information with third parties, without specifying which ones.</li>
</ol>
<p>All of this is done with the goal of improving existing services or developing new features.</p>
<p>Turning back to developer populations, today we observe that the majority of code is written collaboratively using Git tools. Thus, it&#8217;s not uncommon for a developer to have to understand a piece of code they didn&#8217;t write themselves. Instead of asking the original author, which can take several minutes (at best), a developer might turn to ChatGPT to get an instant answer. The response might even be more detailed than what the code&#8217;s author could provide.</p>
<table style="width: 100%; border-collapse: collapse; background-color: #b8bab8;">
<tbody>
<tr>
<td style="width: 100%;">
<p><span style="color: #ffffff;">As a result, it&#8217;s more than necessary to anonymize the elements shared with the chatbot. Otherwise, some individuals might gain unauthorized access to confidential data. Thus, if a developer wants to use ChatGPT&#8217;s help to understand the functionalities of a piece of code they&#8217;re not familiar with, they should:</span></p>
<ul style="list-style-type: circle;">
<li><span style="color: #ffffff;">Break down the code to avoid revealing complete functionalities,</span></li>
<li><span style="color: #ffffff;">Remove all secrets and potential passwords present in the code (a good practice to follow even without using ChatGPT),</span></li>
<li><span style="color: #ffffff;">Change the names of variables that are too explicit.</span></li>
</ul>
</td>
</tr>
</tbody>
</table>
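<p>Of the three steps in the box above, removing secrets before any code leaves the workstation is the one that can be automated. The following C program is an added example written for this article, not a tool from the original post or from Wavestone: it is a line filter that looks for assignments whose left-hand side contains a credential-like marker (the marker list and the <code>&lt;REDACTED&gt;</code> placeholder are assumptions of the example) and blanks out the right-hand side, while leaving comparisons such as <code>password == input</code> untouched. Splitting the code into fragments and renaming over-explicit identifiers remain manual steps.</p>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Identifier fragments that usually mark a credential (list assumed by the
 * example; extend it to match the naming conventions of your code base). */
static const char *const SECRET_MARKERS[] = {
    "password", "passwd", "secret", "token", "api_key", "apikey", "private_key"
};
#define REDACTED "<REDACTED>"

/* Case-insensitive strstr: pointer to the first match in hay, or NULL. */
static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t nlen = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < nlen && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == nlen)
            return hay;
    }
    return NULL;
}

/* Given a pointer just past a marker, return a pointer just past the
 * assignment operator ('=', ':' or ':=') that follows it on the same line,
 * or NULL when there is none. Comparisons ('==', '!=', '<=', '>=') do not
 * count, so a password check is not mangled into an assignment. */
static const char *assignment_value(const char *p)
{
    for (; *p != '\0' && *p != '\n'; p++) {
        if (*p == ':')
            return p[1] == '=' ? p + 2 : p + 1;
        if (*p == '=') {
            if (p[1] == '=' || p[-1] == '!' || p[-1] == '<' || p[-1] == '>')
                return NULL;
            return p + 1;
        }
    }
    return NULL;
}

/* Copy one source line into out, replacing the right-hand side of any
 * assignment whose left-hand side contains a secret marker. Returns 1 if the
 * line was redacted, 0 if it was copied unchanged, -1 if out is too small.
 * This is a heuristic for a pre-share review, not a parser: the whole
 * right-hand side, including any trailing ';', is replaced. */
int redact_secret_line(const char *in, char *out, size_t outsz)
{
    const char *value = NULL;
    for (size_t k = 0; k < sizeof SECRET_MARKERS / sizeof SECRET_MARKERS[0]; k++) {
        const char *hit = ci_strstr(in, SECRET_MARKERS[k]);
        if (hit != NULL &&
            (value = assignment_value(hit + strlen(SECRET_MARKERS[k]))) != NULL)
            break;
    }
    if (value == NULL) {                       /* nothing to hide on this line */
        if (strlen(in) + 1 > outsz)
            return -1;
        strcpy(out, in);
        return 0;
    }
    while (*value == ' ' || *value == '\t')    /* keep "name = " as context */
        value++;
    size_t prefix = (size_t)(value - in);
    int has_nl = strchr(value, '\n') != NULL;
    if (prefix + strlen(REDACTED) + (has_nl ? 1 : 0) + 1 > outsz)
        return -1;
    memcpy(out, in, prefix);
    strcpy(out + prefix, REDACTED);
    if (has_nl)
        strcat(out, "\n");
    return 1;
}

/* Filter stdin to stdout, e.g. `./redact < snippet.c > shareable.c`. */
int main(void)
{
    char line[1024], clean[1024 + sizeof REDACTED];
    while (fgets(line, sizeof line, stdin) != NULL) {
        if (redact_secret_line(line, clean, sizeof clean) < 0)
            return 1;
        fputs(clean, stdout);
    }
    return 0;
}
```

<p>Run it over the fragment you intend to paste and read the output before sharing it: a false positive costs one line of context, a miss costs a secret, so the marker list should err on the side of matching too much.</p>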
<h2>Classic Attacks on AI Still Apply</h2>
<p>Today, over half of companies are ready and willing to invest in and equip themselves with tools based on artificial intelligence. Consequently, it will become increasingly attractive for attackers to target this kind of technology, especially since cybersecurity is often overlooked when artificial intelligence is discussed.</p>
<p>OpenAI&#8217;s AI isn&#8217;t immune to <b>poisoning attacks</b>. Even if the AI is trained on a substantial knowledge base, it&#8217;s unlikely that all of that knowledge has undergone manual review. If we return to the topic of <b>code generation, it&#8217;s plausible that, for certain specific inputs, the AI might suggest code containing a backdoor.</b> While this scenario hasn&#8217;t been observed, it&#8217;s not possible to prove that it won&#8217;t occur for a specific user input.</p>
<p>We can also assume that the tool has been trained only on relatively safe web sources. Still, the Large Language Model (LLM) on which ChatGPT is based, GPT-3, could be susceptible to &#8220;self-poisoning.&#8221; As GPT-3 is used by millions of users, it&#8217;s highly likely that text generated by GPT-3 ends up in trusted internet content. The training of GPT-4 could theoretically contain text generated by GPT-3. Thus, the AI might learn from knowledge generated by previous versions of the same LLM. It will be interesting to see how OpenAI addresses the poisoning issue as the model evolves.</p>
<p>Poisoning is one technique for adding backdoors to AI-generated code, but it isn&#8217;t the only attack vector. It&#8217;s also possible that compromising OpenAI&#8217;s systems could allow an attacker to modify ChatGPT&#8217;s configuration so that it suggests code containing backdoors under specific conditions. A malicious attacker might even filter on the identity of the ChatGPT user account (e.g., an account ending with @internationalfirm.com) to decide whether to generate code containing backdoors and other vulnerabilities. Thus, it&#8217;s necessary to remain vigilant about OpenAI&#8217;s security level to prevent a compromise on their side from rebounding onto their customers.</p>
<h2>ChatGPT and Code Generation</h2>
<p>Code generation via ChatGPT is one of the features that can save developers the most time on a daily basis. For instance, a developer could ask it to write a code skeleton for a function and then complete or correct the AI&#8217;s errors as needed. The main risk introduced by this practice is the insertion of malicious code into an application.</p>
<p>However, the risk existed well before ChatGPT. A malicious developer could very well obfuscate their code and deliberately insert a backdoor into an application. The introduction of AI brings a new dimension to the risk, since a well-intentioned user might <b>inadvertently</b> introduce a backdoor. This needs to be considered in the context of the <b>organization&#8217;s maturity regarding its CI/CD pipeline. Conducting SAST and DAST scans and various audits before production helps reduce the risk.</b></p>
<p>We have observed that code generation via ChatGPT does not follow security best practices by default. The tool can generate code using <b>insecure functions like scanf in the C programming language</b>. We provided the following query to the tool: &#8220;Can you write a function in C language that creates a list of integers using user inputs?&#8221; (initially prompted in French).</p>
<p><img fetchpriority="high" decoding="async" class="aligncenter wp-image-21041 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT1.png" alt="Code excerpt - Code generated by ChatGPT following the user input described above" width="732" height="624" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT1.png 732w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT1-224x191.png 224w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT1-46x39.png 46w" sizes="(max-width: 732px) 100vw, 732px" /></p>
<p style="text-align: center;"><i>Code generated by ChatGPT following the described user input</i></p>
<p>Analyzing the code generated by ChatGPT, we notice, among other things, three significant vulnerabilities:</p>
<ol>
<li>To begin, the use of the scanf function lets the user enter input of any length (integer overflow&#8230;). There&#8217;s no validation of the user&#8217;s input, which remains a key vulnerability type highlighted by the OWASP Top 10.</li>
<li>Additionally, the function is vulnerable to buffer overflow: beyond the 100th input, the list &#8220;list&#8221; no longer has space to store additional data, which can either end execution with an error or allow a malicious user to write data to a memory area they are not authorized to access, <b>to take control of program execution.</b></li>
<li>Finally, ChatGPT allocates memory to the list via the malloc function but forgets to free the memory once the list is no longer used, which could lead to <b>memory leaks.</b></li>
</ol>
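<p>The generated code is only shown as an image, so the following C example is an added reconstruction of the pattern the three points above describe, written for this article and not ChatGPT&#8217;s exact output: <code>build_list_unsafe</code> reproduces the unbounded <code>scanf</code> loop, the fixed 100-slot list and the missing <code>free</code>, and <code>read_int_list</code> shows the same feature written defensively, with a hard capacity limit, per-line parsing through <code>strtol</code> with range checking, and the buffer released by the caller. The function names and the 64-character line limit are choices of the example.</p>

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIST_CAPACITY 100   /* the fixed size the article describes */
#define LINE_MAX_LEN 64     /* longest input line accepted per value (example's choice) */

/* Reconstruction of the flawed pattern (not ChatGPT's exact output): an
 * unbounded scanf loop, no validation, a fixed-size list that is never
 * freed. Kept for comparison only; nothing below calls it. */
int *build_list_unsafe(int *count)
{
    int *list = malloc(LIST_CAPACITY * sizeof(int));
    int n = 0;
    /* Nothing stops n from passing LIST_CAPACITY (heap overflow), and
     * scanf("%d") on out-of-range digits is undefined behaviour. */
    while (scanf("%d", &list[n]) == 1)
        n++;
    *count = n;
    return list;            /* the caller is never told to free() it */
}

/* Parse one text line as an int. Rejects empty lines, trailing junk and
 * values that do not fit in an int (strtol reports overflow via ERANGE). */
bool parse_int_line(const char *line, int *value)
{
    char *end;
    errno = 0;
    long v = strtol(line, &end, 10);
    if (end == line)                          /* no digits at all */
        return false;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;                                /* only whitespace may follow */
    if (*end != '\0')
        return false;                         /* e.g. "12abc" */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return false;                         /* would silently wrap in scanf */
    *value = (int)v;
    return true;
}

/* Read at most cap integers, one per line, from in into out. Stops at cap so
 * out can never overflow. Returns the number stored, or -1 on a line that is
 * not a valid int or is longer than LINE_MAX_LEN - 1 characters. */
int read_int_list(FILE *in, int *out, size_t cap)
{
    char line[LINE_MAX_LEN];
    size_t n = 0;
    while (n < cap && fgets(line, sizeof line, in) != NULL) {
        if (strchr(line, '\n') == NULL && !feof(in))
            return -1;                        /* over-long line, not a split read */
        if (!parse_int_line(line, &out[n]))
            return -1;
        n++;
    }
    return (int)n;
}

/* Same rules applied to an in-memory string (for tests and demos):
 * one value per '\n'-terminated line, same capacity and length limits. */
int read_int_list_from_string(const char *text, int *out, size_t cap)
{
    char line[LINE_MAX_LEN];
    size_t n = 0;
    while (n < cap && *text != '\0') {
        const char *nl = strchr(text, '\n');
        size_t len = nl != NULL ? (size_t)(nl - text) + 1 : strlen(text);
        if (len >= sizeof line)
            return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (!parse_int_line(line, &out[n]))
            return -1;
        n++;
        text += len;
    }
    return (int)n;
}

int main(void)
{
    int *list = malloc(LIST_CAPACITY * sizeof *list);
    if (list == NULL)
        return 1;
    int n = read_int_list(stdin, list, LIST_CAPACITY);
    if (n < 0)
        fputs("invalid input: expected one integer per line\n", stderr);
    else
        printf("stored %d integer(s)%s\n", n,
               n == LIST_CAPACITY ? " (list full, further input ignored)" : "");
    free(list);                               /* the leak the article points out */
    return n < 0 ? 1 : 0;
}
```

<p>Fed the same over-long or non-numeric input that corrupts the unsafe version, <code>read_int_list</code> either stops at the 100th value or returns -1, and the caller reports the problem instead of continuing with undefined behaviour. The unsafe variant (unchecked <code>scanf</code> into an indexed buffer, missing <code>free</code>) is the kind of finding a SAST scan in the pipeline the article recommends is meant to catch, but the scan is no substitute for writing the bounds and range checks in the first place.</p>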
<p>So, by default, ChatGPT does not generate code securely, unlike an experienced developer. <b>The tool proposes code containing critical vulnerabilities</b>. If the user is cybersecurity-aware, they can ask ChatGPT to identify vulnerabilities in their own code. ChatGPT is fully capable of detecting some of the vulnerabilities in the code it generated itself.</p>
<p><img decoding="async" class="aligncenter wp-image-21046 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT3.png" alt="" width="815" height="339" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT3.png 815w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT3-437x182.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT3-71x30.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/08/Article-ChatGPT3-768x319.png 768w" sizes="(max-width: 815px) 100vw, 815px" /></p>
<p style="text-align: center;"><em>ChatGPT is able to detect vulnerabilities in code it has generated.</em></p>
<p>To summarize, code generation via ChatGPT doesn&#8217;t introduce new risks but <b>increases the probability of a vulnerability appearing in production</b>. Recommendations can vary based on the organization&#8217;s maturity and confidence in securing code delivered to production. A robust CI/CD pipeline and strong processes with automatic security scans (SAST, DAST, FOSS&#8230;) have a good chance of detecting the most critical vulnerabilities.</p>
<p>ChatGPT isn&#8217;t the only online resource accessible to users that can lead to data exfiltration (Google Drive, WeTransfer&#8230;). The risk of data leakage already looms over any organization that hasn&#8217;t implemented an allow-list on its users&#8217; internet proxy. The differentiating factor in the case of ChatGPT is that the user doesn&#8217;t necessarily realize the public nature of the data posted on the platform. The benefits and time saved by the tool are often too tempting for the user, making them forget best practices. In this sense, ChatGPT doesn&#8217;t introduce new risks but increases the likelihood of data leakage.</p>
<p><b>An organization therefore has two options to prevent data leakage via ChatGPT: (1) train and educate its users and trust them, or (2) block the tool.</b></p>
<p>For developer populations, once again, code generation via ChatGPT doesn&#8217;t introduce new risks but increases the probability of a vulnerability appearing in production. It&#8217;s up to the organization to assess the capabilities of its CI/CD pipeline and production processes to evaluate residual risks, particularly concerning false negatives from integrated security tools (SAST, DAST&#8230;).</p>
<p>To make an informed decision, a <b>risk analysis remains a valuable tool for deciding whether to block access to ChatGPT</b>. The following aspects should be considered: user awareness level, sensitivity of the data handled, internet filtering paradigm, maturity of the CI/CD pipeline&#8230; These analyses should, of course, be balanced against potential productivity gains for teams.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/08/chatgpt-devsecops-what-are-the-new-cybersecurity-risks-introduced-by-the-use-of-ai-by-developers/">ChatGPT &amp; DevSecOps – What are the new cybersecurity risks introduced by the use of AI by developers?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2023/08/chatgpt-devsecops-what-are-the-new-cybersecurity-risks-introduced-by-the-use-of-ai-by-developers/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Security in Agility and DevSecOps: linked fates?</title>
		<link>https://www.riskinsight-wavestone.com/en/2022/09/security-in-agility-and-devsecops-linked-fates/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2022/09/security-in-agility-and-devsecops-linked-fates/#respond</comments>
		
		<dc:creator><![CDATA[Emma Barfety]]></dc:creator>
		<pubDate>Wed, 21 Sep 2022 16:00:00 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[agile]]></category>
		<category><![CDATA[CICD]]></category>
		<category><![CDATA[DevSecOps]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=18781</guid>

					<description><![CDATA[<p>Is it necessary to engage in DevSecOps because projects work in Agile? A few questions need to be asked to get a clearer picture. In previous articles, we talked a lot about how security should be organised to accompany agile...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2022/09/security-in-agility-and-devsecops-linked-fates/">Security in Agility and DevSecOps: linked fates?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;">Is it necessary to engage in DevSecOps because projects work in Agile? A few questions need to be asked to get a clearer picture.</p>
<p style="text-align: justify;">In previous articles, we talked a lot about how security should be organised to accompany agile projects: <a href="https://www.riskinsight-wavestone.com/en/2019/12/cybersecurity-transformation-agile/">the change in the security paradigm to ensure Security by Design</a>, how to organise the ISS teams in the face of these changes, the possible methodologies for continuing to <a href="https://www.riskinsight-wavestone.com/en/2020/06/comment-conduire-un-atelier-cybersecurite-agile/">analyse risks</a> or <a href="https://www.riskinsight-wavestone.com/en/2021/03/security-accreditation-for-agile-projects-how-to-successfully-do-it/">get security approvals</a> (and a general reminder of what <a href="https://www.riskinsight-wavestone.com/en/2021/10/agile-security/">security looks like in agile</a>).</p>
<p style="text-align: justify;">These articles were <strong>mainly about the organisational and methodological paradigm</strong> shifts that ISS teams were undergoing, to be able to best support projects, which deliver code much faster.</p>
<h2 style="text-align: justify;">The links between Agility and DevOps</h2>
<p style="text-align: justify;">By shifting the focus towards the <strong>development teams</strong>, it is now a question of dealing in greater depth with <strong>software solutions and processes enabling security to be integrated directly into the development pipelines</strong> and into the daily lives of developers, where Agile and DevOps methodologies, although they aim to provide the best value to customers, will be expressed differently.</p>
<p style="text-align: justify;">As the DevOps movement was born later than Agile methods, development teams were organised earlier than operations in an iterative and rapid mode for application and service delivery. DevOps principles bridge this gap by <strong>bringing Operations and Development teams closer together</strong>, and by offering solutions to accelerate delivery through the strong automation of the software development lifecycle, via CI/CD pipelines. In the end, the two approaches feed off and complement each other, to deliver faster and with better quality, thanks to the automation of a large number of tasks, thus avoiding human errors.</p>
<h2 style="text-align: justify;">What about security?</h2>
<p style="text-align: justify;">Back to our topic of interest, it is now a question of <strong>automating security as much as possible</strong>. Just like the Agile and DevOps methods, Security in Agile and DevSecOps are also closely related. The idea is to bring security closer and closer to the development teams, but also to make it as fast as possible. A key profile of the security principles in Agile is perfectly suited to DevSecOps: the <strong>Security Champion</strong>. As described in the article &#8220;<a href="https://www.riskinsight-wavestone.com/en/2021/01/how-to-structure-cybersecurity-teams-to-integrate-security-in-agile-at-scale/">How to structure SSI teams to ensure security in Agile at scale</a>&#8221;, this is the security ambassador within the development teams. They are an integral part of the product team and are present in every sprint. Their role is to ensure that security is considered in each sprint in the development of User Stories (by integrating Evil or Security User Stories already written, or by helping to write them). The Security Champion can come from the world of development and become more skilled in security issues, with the help of the Security Guild.</p>
<p style="text-align: justify;">To take it a step further, the Security Champion can also help their team understand automated security solutions, with the help of a specialist from the ISS team, who will help them to develop their skills in <strong>application security</strong>.</p>
<p style="text-align: justify;">Having said that, is it because Agile Security and DevSecOps are linked that one should automatically embark on a transformation programme towards DevSecOps?</p>
<h2 style="text-align: justify;">Some preparatory questions for embarking on DevSecOps</h2>
<p style="text-align: justify;">In line with any major transformation project, it is worth asking why you are doing it, making sure you have a plan and the <strong>right sponsorship</strong>. DevSecOps is no exception to the rule, even if the questions to ask are specific.</p>
<h3 style="text-align: justify;">Defining the scope and objectives</h3>
<p style="text-align: justify;">Firstly, before you start, you need to identify your <strong>motivating factors</strong>. Is it to deliver faster? Better? More securely? Will the problems encountered by the Dev, Sec and Ops teams be resolved by bringing the skills together? This is to prioritise efforts and ensure that the project can be &#8216;sold&#8217; to sponsors. Next, the <strong>scope</strong> must be identified, trying to delimit it between <strong>transitional scope</strong> (short and medium term) and <strong>target scope</strong> (long term). Work can start on an application portfolio, a factory for testing, followed by creation of a roadmap for deploying the model to the full scope.</p>
<p style="text-align: justify;">The <strong>current maturity</strong> of the organisation in terms of tooling and automation in the product development cycle should be assessed. A good knowledge of the tools used in the pipelines is a prerequisite. If there are still too many grey areas, an inventory of existing tools and an <strong>inventory of the practices and processes in place should be put together first.</strong></p>
<h3 style="text-align: justify;">Presence of the essential building blocks of the CI/CD pipeline</h3>
<p style="text-align: justify;">Before security can be integrated into development pipelines in an automated manner, it is first necessary to ensure that we have a good vision of what a state-of-the-art pipeline might look like. It is possible to embark on a DevSecOps programme without operational pipelines already installed but having a clear idea of the target is key. Here are some examples of solutions:</p>
<p style="text-align: justify;"><img decoding="async" class="aligncenter wp-image-18769 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image1.png" alt="" width="929" height="480" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image1.png 929w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image1-370x191.png 370w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image1-71x37.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image1-768x397.png 768w" sizes="(max-width: 929px) 100vw, 929px" /></p>
<p style="text-align: center;"><em>Figure 1 &#8211; the essential building blocks of a DevOps pipeline</em></p>
<p style="text-align: justify;">The company must also be able to quantify how much development is carried out in-house and how much externally, by development agencies. A complete pipeline is most useful for companies developing mainly in-house: it is an indispensable tool for developing quickly, with the right security tools integrated into the pipeline. In the case of external development, the principle is different, and security is less &#8220;easy&#8221; to control: agencies will not necessarily give access to their pipelines or their source code. They may only deliver executables or images, via remote repositories for example. Integrating security is therefore done by more traditional means: via Security Assurance Plans (SAPs) for example, or by contractually obliging agencies to train their developers in application security, via training software solutions (for example CodeWarrior, which awards &#8216;belts&#8217; according to the level of training achieved).</p>
<p style="text-align: justify;">Secondly, one of the most important ideas is that <strong>the pipeline is built in stages</strong>. In line with the &#8220;test and learn&#8221; approach dear to Agile methods, a &#8220;pilot&#8221; version of the pipeline can be deployed for a volunteer product team to test over a few weeks or months. The deployment is then carried out progressively, according to a pre-established roadmap. In most cases, companies first set up a DevOps pipeline with a few code analysis tools (most often quality-oriented), then, once the pipeline is considered functional, the security tools are added.</p>
<p style="text-align: justify;">However, it could be worthwhile to consider security tools as an integral part of the CICD pipeline. They could then be integrated into it progressively, according to a prioritised roadmap, as proposed below.</p>
<p style="text-align: justify;">Here are some examples of tools that make up the security stack:</p>
<p style="text-align: justify;"><img loading="lazy" decoding="async" class="aligncenter wp-image-18771 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image2.png" alt="" width="1225" height="344" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image2.png 1225w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image2-437x123.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image2-71x20.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/09/Image2-768x216.png 768w" sizes="auto, (max-width: 1225px) 100vw, 1225px" /></p>
<p style="text-align: center;"><em>Figure 2 &#8211; Examples of security solutions to be integrated into the CICD pipeline (DevSecOps)</em></p>
<p style="text-align: justify;">According to our feedback from the field, some tools are &#8220;easier&#8221; to implement and are therefore implemented as a priority.</p>
<p style="text-align: justify;"><strong>Static Application Security Testing (SAST) tools</strong></p>
<p style="text-align: justify;">As mentioned earlier, these tools are nearly always already present in the initial pipeline, in their code quality testing form. Here it is a matter of <strong>configuring them to go one step further</strong> and perform static security analysis of the code. This type of tool can be integrated at several points in the pipeline, following a &#8220;<strong>shift-left</strong>&#8221; logic, i.e., integrating security as early as possible in the pipeline. It can be positioned directly in the developers&#8217; IDEs (integrated development environments), to give them &#8220;real-time&#8221; feedback on errors that could introduce vulnerabilities. It can also be run at the time of code compilation.</p>
<p style="text-align: justify;">A disadvantage of this type of tool is the high number of false positives. The configuration can be tuned and improves over time. However, the governance and processes around the tool need to be thought out in advance: a <strong>vulnerability triage</strong> team can be a solution, as well as training security champions to spot false positives, with the help of an application security expert (an Application Security Engineer for example).</p>
<p style="text-align: justify;"><strong>SCA (Software Composition Analysis) tools</strong></p>
<p style="text-align: justify;">These tools should logically be installed as a priority, as developers make great use of <strong>open-source libraries</strong> to develop their products. The SCA tool checks the components of the library, such as licences, dependencies, known vulnerabilities and potential exploits. Many attacks originate from the uncontrolled use of open-source libraries that may contain critical vulnerabilities (such as Log4Shell).</p>
<p style="text-align: justify;">This tool can be used like SAST, on IDEs or before compiling the code.</p>
<p style="text-align: justify;"><strong>DAST tools</strong></p>
<p style="text-align: justify;">DAST tools scan running application builds for security vulnerabilities. They simulate a malicious attacker&#8217;s behaviour through automated pen tests and detect common security vulnerabilities such as the OWASP Top 10. These tools may be less easy to use in authenticated mode (authentication is difficult to automate, so it must be set up manually before running a test). The tests also take longer than a static scan, and dedicated time must be set aside so as not to disrupt the work of developers or production.</p>
<p style="text-align: justify;">They can be used at the time of testing, but also in production.</p>
<p style="text-align: justify;">It is necessary to think very early on about <strong>the governance and processes</strong> to be put in place around these tools, in particular by ensuring that developers cannot ignore detected vulnerabilities (by marking them as &#8220;false positives&#8221;, for example) and by ensuring that vulnerabilities are centralised in a single tool (a vulnerability management tool, for example), for greater efficiency.</p>
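<p style="text-align: justify;">As an added example (not code from the article or from Wavestone), the Python gate below applies the two governance points above in a pipeline step: findings from the SAST, SCA and DAST stages are centralised in one store, deduplicated across stages, and a finding can only be closed as a false positive by a triage or application security role, with every attempt recorded in an audit trail. Role names, rule identifiers and the sample findings are constructed for the example.</p>

```python
"""Added example: a pipeline gate that centralises scanner findings and
enforces a triage rule. Names, roles and sample data are constructed."""
from dataclasses import dataclass
from hashlib import sha256

# Assumption for this example: roles allowed to confirm a false positive.
TRIAGE_ROLES = {"triage", "appsec_engineer"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    tool: str       # scanner family that reported it: "sast", "sca" or "dast"
    rule: str       # scanner rule or advisory identifier
    location: str   # file:line for SAST/SCA, URL path for DAST
    severity: str   # "low", "medium", "high" or "critical"

    def fingerprint(self) -> str:
        """Stable identity of a finding, independent of the pipeline stage that
        produced it, so the same SAST hit seen by the IDE plug-in and by the
        build step is stored once rather than twice."""
        key = f"{self.tool}|{self.rule}|{self.location}"
        return sha256(key.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Dismissal:
    fingerprint: str
    user: str
    role: str
    reason: str


def centralise(reports: list[dict]) -> dict[str, Finding]:
    """Merge raw findings from every stage and tool into one store keyed by
    fingerprint. The "stage" field is deliberately not part of the identity;
    when a finding is reported twice, the higher severity is kept so that a
    downgrade in one stage cannot hide it."""
    store: dict[str, Finding] = {}
    for raw in reports:
        f = Finding(raw["tool"], raw["rule"], raw["location"], raw["severity"])
        fp = f.fingerprint()
        current = store.get(fp)
        if current is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[current.severity]:
            store[fp] = f
    return store


def apply_dismissals(store: dict[str, Finding], dismissals: list[Dismissal]):
    """Remove findings confirmed as false positives by a triage role.
    A dismissal by anyone else, or without a reason, is rejected and logged,
    so the finding stays open and the attempt is visible to governance.
    Returns (open findings, audit trail)."""
    audit: list[str] = []
    remaining = dict(store)
    for d in dismissals:
        if d.fingerprint not in remaining:
            audit.append(f"IGNORED unknown finding {d.fingerprint} ({d.user})")
            continue
        if d.role not in TRIAGE_ROLES:
            audit.append(f"REJECTED dismissal of {d.fingerprint} by {d.user} role={d.role}")
            continue
        if not d.reason.strip():
            audit.append(f"REJECTED dismissal of {d.fingerprint} by {d.user}: no reason given")
            continue
        audit.append(f"ACCEPTED dismissal of {d.fingerprint} by {d.user}: {d.reason}")
        del remaining[d.fingerprint]
    return remaining, audit


def gate(open_findings: dict[str, Finding], fail_at: str = "high") -> bool:
    """Pipeline guardrail: True (pass) only if no open finding is at or
    above the blocking severity."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f.severity] < threshold for f in open_findings.values())


# Constructed sample reports: the same SAST hit seen in the IDE and at build,
# one SCA hit on a dependency, one DAST hit on the running build.
SAMPLE_REPORTS = [
    {"tool": "sast", "stage": "ide", "rule": "sql-injection", "location": "app/db.py:42", "severity": "high"},
    {"tool": "sast", "stage": "build", "rule": "sql-injection", "location": "app/db.py:42", "severity": "high"},
    {"tool": "sca", "stage": "build", "rule": "vulnerable-dependency", "location": "requirements.txt:7", "severity": "critical"},
    {"tool": "dast", "stage": "test", "rule": "missing-security-headers", "location": "/login", "severity": "medium"},
]

# Constructed dismissals: a developer self-dismissing a critical SCA finding
# (must be rejected) and a triage member closing a DAST finding (accepted).
SAMPLE_DISMISSALS = [
    Dismissal(Finding("sca", "vulnerable-dependency", "requirements.txt:7", "critical").fingerprint(),
              "dev1", "developer", "not reachable in our code"),
    Dismissal(Finding("dast", "missing-security-headers", "/login", "medium").fingerprint(),
              "triage1", "triage", "header is added by the reverse proxy in production"),
]


def run_sample():
    """Run the sample end to end; returns (store, open findings, audit, gate passed)."""
    store = centralise(SAMPLE_REPORTS)
    open_findings, audit = apply_dismissals(store, SAMPLE_DISMISSALS)
    return store, open_findings, audit, gate(open_findings)


if __name__ == "__main__":
    store, open_findings, audit, passed = run_sample()
    for line in audit:
        print(line)
    print(f"{len(store)} unique findings, {len(open_findings)} still open, gate passed={passed}")
```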
<h3 style="text-align: justify;">Checking the presence of enabling technical prerequisites</h3>
<p style="text-align: justify;">The benefit of working in DevSecOps may be limited for packaged software applications that cannot be configured or instantiated through code.</p>
<p style="text-align: justify;">On the infrastructure side, Infrastructure as Code (management and provisioning of infrastructure via code rather than manual processes) allows the use of containers or provisioned VMs, which are key to using CICD pipelines more efficiently.</p>
<h3 style="text-align: justify;">Not forgetting the whole governance and change management layer around the project</h3>
<p style="text-align: justify;">Make sure you build, or already have, an operating model that meets your needs (security champions, enabler teams, tooling, processes). Working in &#8220;agile at scale&#8221; mode is not mandatory for the first iterations (depending on the scope chosen).</p>
<p style="text-align: justify;">Using a &#8220;test and learn&#8221; method to <strong>experiment</strong> is a good way to involve the teams very early on, and to get complete and relevant feedback from the field, before starting to deploy at scale. Cybersecurity experiments have been carried out with clients to find out what types of practices or tools to implement.</p>
<p style="text-align: justify;">Some examples:</p>
<ul style="text-align: justify;">
<li><strong>Purple teaming</strong> to allow developers to see the results of another team&#8217;s testing tools and attempt to exploit them (allowing developers to see the reality of an attack and the potential ease of carrying it out),</li>
<li>Implementing solutions such as <strong>Cloudbees</strong>, to automate the CICD pipeline processes,</li>
<li>Training Security Champions to <strong>interpret the results</strong> of security tools.</li>
</ul>
<p style="text-align: justify;">These experiments also act as change management, as most stakeholders can be involved early in the transformation programme.</p>
<h2 style="text-align: justify;">In conclusion</h2>
<p style="text-align: justify;">CICD pipelines are a <strong>real opportunity for security to become automated</strong>. By integrating the right tools into the pipeline, developers are supported in their practice and kept within real security guardrails, which facilitates the development of a secure product.</p>
<p style="text-align: justify;">In addition to securing the products, it is also a question of <strong>securing the pipeline itself</strong>, in the same way as any component with broad access to the information system: it is a question of controlling access to the various tools that make up the pipeline, ensuring that secrets are properly managed, that the underlying servers are hardened, etc.</p>
<p style="text-align: justify;">In a future article, we will detail our views on the pillars of DevSecOps, or how to achieve a sustainable and effective transformation (based on shift-left, guardrails and empowerment of the teams on security!).</p>
<p style="text-align: justify;"><strong>Any comments or corrections? Do not hesitate to contact us!</strong></p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2022/09/security-in-agility-and-devsecops-linked-fates/">Security in Agility and DevSecOps: linked fates?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2022/09/security-in-agility-and-devsecops-linked-fates/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Agile Security, Emma Barféty interview</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/10/agile-security/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2021/10/agile-security/#respond</comments>
		
		<dc:creator><![CDATA[Emma Barfety]]></dc:creator>
		<pubDate>Mon, 11 Oct 2021 10:00:00 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Interview]]></category>
		<category><![CDATA[agile]]></category>
		<category><![CDATA[agility]]></category>
		<category><![CDATA[DevSecOps]]></category>
		<category><![CDATA[scrum]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=17026</guid>

					<description><![CDATA[<p>Emma, could you please introduce the topic? Historically, the Agile approach is a set of practices used for IT development projects. The Manifesto published in 2001 proposes 4 main values to revolutionise the performance of companies: This emphasis on...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2021/10/agile-security/">Agile Security, Emma Barféty interview</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h1 style="text-align: justify;"><strong>Emma, could you please introduce the topic?</strong></h1>
<p style="text-align: justify;"><strong>Historically</strong>, the Agile approach is a set of practices used for <strong>IT development projects</strong>.</p>
<p style="text-align: justify;">The Manifesto published in 2001 proposes 4 main values to revolutionise the performance of companies:</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-17027 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN.png" alt="" width="1512" height="281" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN.png 1512w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN-437x81.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN-71x13.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN-768x143.png 768w" sizes="auto, (max-width: 1512px) 100vw, 1512px" /></p>
<p style="text-align: justify;">This emphasis on human interaction between the development team and business teams aims at reducing the time to market of the products developed, as opposed to projects conducted in V-model which, once delivered, may no longer satisfy changing business requirements.</p>
<p style="text-align: justify;">Today, this practice is applied in <strong>most companies at all levels</strong>. In the latest <a href="https://stateofagile.com/#ufh-i-661275008-15th-state-of-agile-report/7027494"><em>State of Agile Report</em></a>, out of more than 4,000 companies surveyed worldwide, 95% declared that they use agile and 65% of them have been practising it for at least 3 years.  In addition to IT, the methodology is also used in marketing, human resources, sales, and finance departments. 52% of the companies surveyed stated that at least half of their company&#8217;s departments adopt agile processes and therefore the scalability of such practices should not be ignored.</p>
<p style="text-align: justify;">Beyond a project management method, it is a new philosophy with gamified elements. We no longer speak of meetings but of ceremonies, with new roles appearing such as product owner and scrum master. Using this philosophy, the desire is to create an <strong>atmosphere of co-construction and to make maximum use of collective intelligence</strong> to improve the company&#8217;s performance.</p>
<p style="text-align: justify;">Although the concept of security is present in the manifesto, the integration of such measures into product development is not properly addressed. The method by which security is implemented in V-model projects does not apply to the agile philosophy and thus new ways of implementing security should be identified for it.</p>
<h1 style="text-align: justify;"><strong>What are the trends and challenges of this field?</strong></h1>
<p style="text-align: justify;">One of our challenges is to provide our clients with a global view of their problems. Adopting an <strong>agile approach requires a change in all levels</strong> of the business, from security to quality teams, and as such the effect on all levels of the business must be considered.</p>
<p style="text-align: justify;"><strong>In terms of organisation</strong>, the ISS must reposition itself as <strong>a service to the business</strong> and thus shift its image from a ‘policeman’ to a support function. The role of <strong>Security Champion </strong>(a member of the feature team such as a developer) becomes the point of contact for the ISS teams. In doing this a connection can be created with each feature team, thus increasing autonomy over security integration. This is not something that can be achieved overnight; it requires training to highlight cybersecurity issues and share knowledge (particularly the basics of ISS and secure development). In addition to this, a security Guild should be created, bringing together ISS experts, security champions as well as security enthusiasts. This allows members to exchange information on the latest security news and good practices, as well as feedback and lessons learned from the field. This Guild must be set up in such a way as to allow easy communication between members (such as on an internal wiki).</p>
<p style="text-align: justify;">After the security champion receives training from the ISS team, they become the security referent and thus developers can turn to them for questions and advice. Therefore, the role in itself is fairly technical. In adopting an agile approach, the ISS experts will keep their role, but the relationship will change from one of control and audit to one of support and facilitation. Audits can still be carried out (such as penetration tests) at the request of the feature team or on the initiative of the security experts. Methodological tools must also be available to help the Champions in their tasks, and this includes rewriting risks in conversational format. To adapt to the use of User Stories by feature teams, the ISS team could try writing Evil User Stories, which correspond to an action carried out from the point of view of an attacker. For example:</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-17029 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN.png" alt="" width="1793" height="264" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN.png 1793w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN-437x64.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN-71x10.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN-768x113.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN-1536x226.png 1536w" sizes="auto, (max-width: 1793px) 100vw, 1793px" /></p>
<p style="text-align: justify;">Faced with these risks, there are Security User Stories, proposing remediation solutions for EUS, with ready-to-use acceptance criteria. All this can be integrated into a security baseline (also in backlog format, in a product management tool, such as JIRA for example), proposing a <strong>minimum-security base</strong> to be integrated into the products.</p>
<p style="text-align: justify;">In addition to organisational support for the teams, technical support must be provided by optimising the continuous integration and deployment chain (CI/CD) with tools aimed at <strong>automating security as much as possible</strong>, which can be called the <strong>Security Stack</strong> or <strong>Security Pipeline</strong>: code review, vulnerability scans, detection of secrets, security of the Infrastructure as Code, etc. Particular attention must be paid to its own security, so as not to produce the opposite effect&#8230; From a shift-left security perspective, security is integrated into the product by default, right from the start. It therefore adapts its velocity to that of an agile approach and enables a shift from a DevOps logic to that of DevSecOps.</p>
<p style="text-align: justify;">Another role can be created, that of <strong>AppSec Manager</strong>. This is part of the ISS team and is an expert in software security as well as an expert in the security stack. Their role is to help the developers to prioritise and remedy the vulnerabilities reported by the Stack. They work in tandem with the <strong>Risk Manager</strong>/IS expert, who provides them with knowledge of the risks associated with the product, which enables a more detailed analysis of the vulnerabilities to be dealt with as a priority. All this helps to create a culture of security by design.</p>
<h1 style="text-align: justify;"><strong>What do customers expect?</strong></h1>
<p style="text-align: justify;">CISO customers expect to be reassured that security in agile mode will not cause them to &#8220;lose control&#8221; over the proper implementation of security. The model we propose empowers the feature teams, gives them tools, but security retains control by centralising the performance indicators, by having the capacity to carry out random checks/according to predefined criteria, via bug bounty for example or an envelope of pentester days, to be distributed over the various products.</p>
<p style="text-align: justify;">Secondly, as a consultant, I think that clients expect us to share our <strong>convictions and very concrete examples</strong> of what we have been able to achieve for other clients. To meet this demand, Wavestone&#8217;s Cybersecurity and Digital Trust (CDT) practice has created several methodological accelerators based on feedback from the field, ready to be shared and adapted. Being able to carry out the mission in Agile mode was also part of the expectations, favouring <strong>co-construction</strong> rather than providing fixed and almost finalised deliverables from the first draft. In this gamification perspective, which is very important from an agile approach, we offer original co-construction workshops based on collective intelligence, thanks to our <strong>Creadesk</strong> asset, which trains consultants and provides them with tools for remote collective work.</p>
<h1 style="text-align: justify;"><strong>Any final advice for our readers?</strong></h1>
<p style="text-align: justify;">Implementing a true <strong>test &amp; learn </strong>approach is crucial. In order to extract the most benefit from using co-constructing tools, we must regularly test and verify them in the field. While anticipating problems is crucial, significant value can be achieved when we confront the problems as they arise. It allows us to be in direct contact with the business and feature teams, to show them that concrete actions are being implemented. The approach is agile, flexible, and scalable. The accelerators, methodologies and tools proposed evolve during the pilots and become even more relevant for the second wave of pilots, until all the feature teams are integrated.</p>
<p style="text-align: justify;">At the same time, it is important to remember that change management is essential. A real communication plan is needed &#8211; building communities of practice/guilds from the beginning of the pilots and identifying early adopters who will be valuable drivers of change within the teams. Agile has a real and rapid impact in everyday life and at all team levels: implementing this change is essential.</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2021/10/agile-security/">Agile Security, Emma Barféty interview</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2021/10/agile-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Security accreditation for Agile projects: how to successfully do it!</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/03/security-accreditation-for-agile-projects-how-to-successfully-do-it/</link>
		
		<dc:creator><![CDATA[Emma Barfety]]></dc:creator>
		<pubDate>Mon, 22 Mar 2021 09:00:42 +0000</pubDate>
				<category><![CDATA[Cyberrisk Management & Strategy]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[How to]]></category>
		<category><![CDATA[accreditation]]></category>
		<category><![CDATA[agility]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=15390</guid>

					<description><![CDATA[<p>[nota bene: this article has been translated to English for accessibility reasons. It does not address UK or US regulations, but only French ones regarding Security Accreditation (“homologation” in French). It is nonetheless useful for any organization wanting to implement...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2021/03/security-accreditation-for-agile-projects-how-to-successfully-do-it/">Security accreditation for Agile projects: how to successfully do it!</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p style="text-align: justify;"><em>[<strong>nota bene</strong>: this article has been translated to English for accessibility reasons. It does not address UK or US regulations, but only French ones regarding Security Accreditation (“homologation” in French). It is nonetheless useful for any organization wanting to implement security accreditation in Agile projects.]</em></p>
<p style="text-align: justify;">“Security accreditation is a formal act by which the authority responsible for a system commits its responsibility to risk management.” <a href="#_ftn1" name="_ftnref1">[1]</a>. It is of course mandatory in some cases<a href="#_ftn2" name="_ftnref2">[2]</a>, but beyond that, it is also a way of sending a strong message to users and top management: <strong>security is indeed a major topic for the</strong> <strong>organization</strong>. Agile methodology was at first designed for projects, but it can be a real opportunity for security teams to reduce security risks.</p>
<p style="text-align: justify;">This method disrupted the working habits of product teams and ISS teams (Information System Security). The latter have to find a way to go beyond adapting the old accreditation method and propose a new, relevant solution that still complies with the original goal of accreditation: “Find a balance between acceptable risk and security costs, then have it formally accepted by a manager/an authority who has the power to do so<a href="#_ftn3" name="_ftnref3">[3]</a>”.</p>
<h2 style="text-align: justify;">One solution: provisional accreditation and long-term accreditation</h2>
<p style="text-align: justify;">As a famous Agile Security expert from Wavestone once said: “Agile and accreditation, it’s not rocket science”. Without denying the difficulties, explaining it is quite simple. Faced with teams that must deliver faster and provide continuous releases, the risk levels and therefore the security accreditation must be dealt with at the same pace.</p>
<h3>What should the accreditation consider?</h3>
<p style="text-align: justify;">As always, security accreditation is all about giving thorough information on a project’s security risk level to the Accreditation Authority, for them to decide if it is acceptable with regard to the organization’s ISS criteria (e.g. number of EUS still on the backlog, percentage of security baseline rules implemented on a given scope, etc.). They then take responsibility for the possible residual risks.</p>
<p style="text-align: justify;">For example, only a few features are available to a few users at the beginning of a project. This small scope will display a lower level of risk (because of a low level of exposure) despite not being fully secured yet. Provisional accreditation (for a few months for example) may be issued to allow experimentation. It will have to be renewed when renewal criteria (defined in advance) are met.</p>
<figure id="post-15391 media-15391" class="align-none"><img loading="lazy" decoding="async" class="wp-image-15391 size-full aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/03/Schema-agilite-EN.png" alt="" width="1652" height="930" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/03/Schema-agilite-EN.png 1652w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/03/Schema-agilite-EN-339x191.png 339w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/03/Schema-agilite-EN-69x39.png 69w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/03/Schema-agilite-EN-768x432.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/03/Schema-agilite-EN-1536x865.png 1536w" sizes="auto, (max-width: 1652px) 100vw, 1652px" /></figure>
<p style="text-align: center;"><strong><em>Figure 1 </em></strong><em>– Product exposure to residual risk<br />
From the ANSSI&nbsp;guide (in French): Digital Agility and Security, October 2018 (</em><a href="https://www.ssi.gouv.fr/uploads/2018/11/guide-securite-numerique-agile-anssi-pa-v1.pdf"><em>link to the guide</em></a><em>)</em></p>
<p style="text-align: justify;">For a project at cruising speed, accessible to its target audience with all the expected features, a firm accreditation (3 years for example) is pronounced. The criteria for renewal, leading to the issuance of a new accreditation, are also defined in advance.</p>
<h3>When to renew the accreditation?</h3>
<p style="text-align: justify;">The criteria used to know when to renew the accreditation are closely linked to the project, the context, or the scope, but here are <strong>some examples</strong> to build these criteria. The provisional accreditation is valid until:</p>
<ul style="text-align: justify;">
<li>New critical features are added (“critical” depending on the project),</li>
<li>A new threshold for the number of users has been reached (defined in advance, depending on the associated risks),</li>
<li>New personal data must be integrated and processed by the project,</li>
<li>New features related to payments must be implemented,</li>
<li>A new level of transaction volume is reached,</li>
<li>And of course when the accreditation deadline is reached.</li>
</ul>
<p style="text-align: justify;">Long-term accreditation is valid for a longer time because fewer changes are expected at this stage of the project. That being said, the accreditation will have to be renewed regularly (at least every 3 years) to check on security levels, in a spirit of <strong>continuous improvement</strong>.</p>
<h3>What evidence should squads bring?</h3>
<p style="text-align: justify;">Squads/feature teams should be able to bring different types of evidence/proofs (of the security level) to the Accreditation authority/responsible for the accreditation. The Evil User Stories (EUS) serve as what we used to call risks, where prioritization gives information about their criticality (see our <a href="https://www.riskinsight-wavestone.com/en/2020/10/how-to-conduct-an-agile-cyber-security-workshop/">article on how to lead a workshop on risk analysis in Agile</a>). An extract from the backlog can be used as proof that the main EUS have been processed and that <strong>residual EUS</strong> are known (and accepted by the Accreditation Authority).</p>
<p style="text-align: justify;">The <strong>Security Form</strong> (or Passport, detailed in <a href="https://www.riskinsight-wavestone.com/en/2019/12/cybersecurity-transformation-agile/">this article on Agile transformation</a>, <em>in French</em>) is also a relevant way to follow up on the security levels of projects.</p>
<p style="text-align: justify;"><strong>Code review</strong> and <strong>vulnerability scan reports</strong> can also be used (for squads that have integrated DevSecOps and have the appropriate tools).</p>
<p style="text-align: justify;">If the X-team exists (see <a href="https://www.riskinsight-wavestone.com/en/2021/01/how-to-structure-cybersecurity-teams-to-integrate-security-in-agile-at-scale/">our article on the new ISS roles in Agile and the corresponding organization</a>), or if an external audit team was able to perform them, the penetration test reports are also presented.</p>
<p style="text-align: justify;">Any other existing documents can be used to give all necessary information (architecture documents, applicable regulations, etc.).</p>
<p style="text-align: justify;">For provisional accreditation, these documents don’t have to be gathered in a proper “accreditation folder”, which would imply losing time for squads. What is necessary is to ensure they exist and are available to anyone involved in the accreditation process (accreditation authority or their delegate, ISS team, etc.).</p>
<h3>Who are the actors in this process?</h3>
<p style="text-align: justify;">During product development, the <strong>Security Champion</strong> (<a href="https://www.riskinsight-wavestone.com/en/2021/01/how-to-structure-cybersecurity-teams-to-integrate-security-in-agile-at-scale/">see this article for definition</a>) is in charge of organizing the risk analysis workshops (identification of EUS and associated Security Stories). The ISS team is of course involved in the process, bringing their knowledge to the squads during workshops.</p>
<p style="text-align: justify;">The <strong>Product Owner</strong> is responsible for the creation and updates of the necessary documentation. They also make sure the ISS team is informed and asked for help when needed.</p>
<p style="text-align: justify;"><strong>The Accreditation Authority</strong> should be a business manager (e.g. the Business Owner), as usual. They must have the capacity to accept <strong>residual risks</strong> and validate the product security levels. As security should not slow down any Agile process, the signing of a provisional accreditation may be delegated to the Product Owner, <strong>as they represent the Business Owner in the squad</strong>. The temporary accreditation can thus be signed faster if the validity criteria are met. In some cases, where a project would pose a risk to other businesses or systems, a transversal officer/business owner must be found to sign for both businesses or systems. If no one is found, or no compromise is reached, the Chief Information Officer (CIO) will assume responsibility, as it is their role to ensure the operational conditions of the Information System.</p>
<p style="text-align: justify;">In conclusion, security accreditation remains key when it comes to integrating security into projects, in particular within the Agile framework, which changes the product teams’ way of working. The ISS teams must take advantage of this and (re)join these product teams (through the Security Champion and the security training of the product teams), and thus work together towards the incremental reduction of risk.</p>
<p style="text-align: justify;">More articles to come on Agile Security, stay tuned!</p>
<p style="text-align: justify;"><a href="#_ftnref1" name="_ftn1">[1]</a> ANSSI guide (in French): <em>Digital Agility and Security</em>, October 2018 (<a href="https://www.ssi.gouv.fr/uploads/2018/11/guide-securite-numerique-agile-anssi-pa-v1.pdf">link to the guide</a>)</p>
<p style="text-align: justify;"><a href="#_ftnref2" name="_ftn2">[2]</a> (<strong>French regulations only</strong>) For administrations: decree no. 2010-112 of 2 February 2010, setting the terms of the General Security Framework (RGS). For any product handling information classified under National Defence secrecy: Interministerial General Instruction 1300. For operators of vital importance: the cyber section of the LPM (law no. 2013-1168 of 18 December 2013, article 22), which strengthens the security of the critical information systems they operate, carried out as part of an accreditation process.</p>
<p style="text-align: justify;"><a href="#_ftnref3" name="_ftn3">[3]</a> ANSSI&nbsp;guide (in French): <em>The nine steps of the security accreditation</em>, August 2014 (<a href="https://www.ssi.gouv.fr/uploads/2014/06/guide_homologation_de_securite_en_9_etapes.pdf">link to the guide</a>)</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2021/03/security-accreditation-for-agile-projects-how-to-successfully-do-it/">Security accreditation for Agile projects: how to successfully do it!</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How can we structure cybersecurity teams to better integrate security in Agile at scale?</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/01/how-to-structure-cybersecurity-teams-to-integrate-security-in-agile-at-scale/</link>
		
		<dc:creator><![CDATA[Emma Barfety]]></dc:creator>
		<pubDate>Mon, 11 Jan 2021 07:00:01 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[agile]]></category>
		<category><![CDATA[agile project]]></category>
		<category><![CDATA[enabler squad]]></category>
		<category><![CDATA[ISP agile]]></category>
		<category><![CDATA[security baseline]]></category>
		<category><![CDATA[security champion]]></category>
		<category><![CDATA[security guild]]></category>
		<category><![CDATA[x-team]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=14961</guid>

					<description><![CDATA[<p>As discussed in the previous article (in French), ISS teams must adapt their organisation, processes and tools to ensure that security issues are considered on an ongoing basis. Agile methodologies are becoming more common within organisations and security teams must...</p>
]]></description>
										<content:encoded><![CDATA[<p>As discussed in the <a href="https://www.riskinsight-wavestone.com/en/2019/12/cybersecurity-transformation-agile/">previous article</a> (in French), ISS teams must adapt their organisation, processes and tools to ensure that security issues are considered on an ongoing basis.</p>
<p>Agile methodologies are becoming more common within organisations and security teams must <strong>adapt</strong> <strong>to be part of the new operational model</strong>.</p>
<p>However, when security support is scaled up from a few Agile projects to hundreds, the scarcity of security expertise becomes a major obstacle. The consequence? Security teams become overloaded and unable to support all the <em>feature teams</em>. As a result, feature teams end up resolving issues with new functionalities themselves and releasing without a security review.</p>
<p>In order to support this transformation, CISO teams must thoroughly review their operating model to remain relevant and enable an effective security environment. What does this mean? They must review their <strong>organisation</strong>, <strong>processes</strong> and <strong>tools</strong>.</p>
<h2>How can we enable this transition?</h2>
<h3>Define new ISS roles for a transition to a new operating model</h3>
<figure id="post-14962 media-14962" class="align-none"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-14962" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-2.png" alt="" width="1625" height="928" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-2.png 1625w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-2-334x191.png 334w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-2-68x39.png 68w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-2-120x70.png 120w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-2-768x439.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-1-2-1536x877.png 1536w" sizes="auto, (max-width: 1625px) 100vw, 1625px" /></figure>
<p>The first step is to understand the different roles that security must play in the new operating model to support this move to scale:</p>
<ul>
<li><strong>The <em>Security Guild</em></strong>: in order to share knowledge between teams, it is important to build a <strong>community of people</strong> who have an interest in security, and to help them build best practices. This community of <em>Security Champions</em> (described in the following paragraph), together with anyone else interested in security subjects, also has to implement a common framework of references on the methodologies (Security KM, Evil User Stories, Security Baseline, Level 1 control, <a href="https://www.riskinsight-wavestone.com/en/2019/12/cybersecurity-transformation-agile/">described in our previous article, in French</a>).</li>
<li><strong>The <em>Security Champion</em></strong>: this is the security ambassador within the <em>Feature Teams</em>. They are fully part of the team and present at every <em>sprint planning</em>. Their role is to ensure that security is considered at every sprint during the development of <em>User Stories</em>. The <em>Security Champion</em> may come from the development side and build skills on security subjects, with help from the <em>Security Guild</em> and the <em>Enabler Squad</em>.</li>
<li><strong>The <em>Enabler Squad</em></strong>: if we look at Spotify’s model, it is the engine of all Guilds: a group of people from the CISO team who steer the <em>Security Guild</em> while building methods, processes, products, services and standards for development, which help <em>Security Champions</em> gain autonomy. When starting the industrialization of the model, they can play the role of <em>Security Champion</em> themselves, before training the future Champions. They also provide security expertise on the most critical perimeters and support the less mature teams.</li>
<li><strong>The <em>X-Team</em></strong> <em>(“cross team”)</em>: if the Enabler Squad’s role is to assist the <em>Feature Teams</em> in integrating security, the X-Team’s role is to control the security level and guarantee risk coverage. This team performs targeted technical tests (penetration tests, code review, etc.). Obviously, performing a penetration test in every <em>Feature Team</em> and for every sprint is not possible, as it is very time consuming. Therefore, tests can be done by sampling and/or at random (thereby playing the “Chaos Monkey” role in the organisation<a href="#_ftn1" name="_ftnref1">[1]</a>), focusing on the most sensitive and least mature perimeters. As long as enough security KPIs are received from the <em>Feature Teams</em>, the <em>X-Team</em> can perform controls on all teams, especially those whose security maturity is drifting from the targeted level.</li>
<li><strong>CISO</strong>: their role evolves into that of a checkpoint, with the ability to reject a particular change if the appropriate security controls are not in place (e.g. based on the <em>X-Team</em> findings or on a “security score” at application or infrastructure level, assigned by the ISS team). Given that they cannot be present during all Agile discussions, they must rely on the <em>Security Guild</em> to point out where a strategic decision must be taken. However, they could participate in PI planning and other infrequent discussions, to have an overview of all the ongoing projects and decide which ones should be supported more closely. Dedicated committees can also be set up, allowing projects to sign up and have subjects arbitrated, with a call to the CISO if final arbitration is required.</li>
</ul>
<p>As in every change project, the effectiveness of acculturation lies more in practice than in theory. It’s better to start small and initiate a <strong>progressive handling of the new operating model by the ISS team. </strong>It will then be easier to expand the perimeter to the whole company.</p>
<h3>Mobilising security experts to start the transition in 2 or 3 <em>Feature Teams</em></h3>
<p>Integration of security must be carried out continuously. The goal is for <em>Feature Teams</em> to be mature and competent in cybersecurity and to have autonomy regarding risk management. But <strong>in the interim period</strong>, the presence of security experts in a supporting role is crucial to ease the integration of security into projects, while <em>Security Champions</em> are embedded in every <em>Feature Team</em>. These security experts must prioritise projects (e.g. critical projects, <em>Feature Teams</em> facing difficulties…), as they will not have the capacity to support every project.</p>
<p>The objective is to start the transition, using security experts from the ISS team to “do” with the teams, <strong>learn by doing </strong>and use this knowledge to build the first bricks of the security methods required by the Agile team.</p>
<p>It is at that point that the first <strong>useful tools and methodologies </strong>must be built, used and upgraded:</p>
<ul>
<li><strong>The Security Passport:</strong> it must be completed at every step of a project’s life (and beyond). It is filled in at the beginning of the project (at the same time as the PI Planning) to identify the project’s sensitivity, then to set up and monitor the appropriate security measures.</li>
<li><strong>The Security Baseline:</strong> this is a set of basic security rules and standards, translated into “Agile language” (e.g. “as a developer I want to implement security measures to prevent attacks”) for easy integration into the backlogs of the <em>Feature Teams</em> and subsequent implementation during sprints. They are represented as <em>Security Stories</em>:</li>
</ul>
<figure id="post-14964 media-14964" class="align-none"><img loading="lazy" decoding="async" class="size-full wp-image-14964 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-2-2.png" alt="" width="1469" height="196" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-2-2.png 1469w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-2-2-437x58.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-2-2-71x9.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/01/Image-2-2-768x102.png 768w" sizes="auto, (max-width: 1469px) 100vw, 1469px" /></figure>
<p>To reach a minimum level of security, projects (critical or not) must at the very least comply with this Security Baseline.</p>
<ul>
<li><strong>Training for the <em>Security Champion-to-be</em></strong>
<ul>
<li>Presentation of the job description, roles and responsibilities.</li>
<li>Training on Evil User Stories (EUS) and Security Stories, using the gamification often found in Agile. <em>Security Champions</em> can get familiar with the Agile Card Game built by Wavestone (<a href="https://www.riskinsight-wavestone.com/en/2019/12/cybersecurity-transformation-agile/"><em>to learn more, have a look at that article, in French</em></a>).</li>
<li>Learning how to use knowledge management (KM) to share information, keep the community alive and know the key personnel.</li>
</ul>
</li>
<li><strong>Securing team production</strong>
<ul>
<li>Controlling development: training on secure development, securing the CI/CD pipeline, setting up controls over the code, etc.</li>
<li>Defining rules for separation of roles and responsibilities in DevOps: release to production, test authoring, production cutover, etc.</li>
</ul>
</li>
</ul>
<p>A more complete article will be dedicated to this last part.</p>
<h2>What’s next? How do we transform to be able to scale?</h2>
<p>This interim period where ISS experts are working in <em>Feature Teams</em> is key <strong>for building the different roles, tools and processes. </strong></p>
<p>Once the model is well known by the ISS teams, it is time to <strong>deploy this methodology to the entire Agile perimeter.</strong></p>
<h3>Communicate</h3>
<p>Celebrating successes of the first set of <em>Feature Teams </em>involved in the pilots can trigger adoption by the rest of the teams.</p>
<p>Once the first projects have demonstrated the benefit of the approach and the tools and methods have been developed, it will just be a matter of spreading these best practices throughout the company.</p>
<h3>Train</h3>
<p>Security Experts could be used as coaches to spread good practices within <em>Feature Teams, </em>which will be trained progressively.</p>
<p>A good solution is to use half of the security experts to <strong>share tools </strong>and <strong>train the teams. That half is known as the <em>Security Enabler Squad</em>. </strong></p>
<p>The other half is then focused on <strong>risk mitigation</strong> for the critical or less mature areas, supporting them so that their <em>Security Champions</em> reach the same maturity level as those of the other <em>Feature Teams</em>.</p>
<p>Communication and facilitation of the security community must continue throughout the transformation to support the change of scale.</p>
<h3>Control and steer the maturity of the <em>Security Champions</em></h3>
<p>Finally, once <em>Feature Teams</em> are trained to use the security tools and methods, the ISS team, consisting of security experts, can focus its efforts on <strong>controlling important releases</strong> and <strong>steering the Security Guild</strong>. As the Guild is a space for information sharing, it has to be kept up to date, to raise the maturity level of the entire Guild.</p>
<h2>How long does it take to achieve full Agile Security?</h2>
<p>Initial feedback shows a 3-year transition from the beginning of the intermediate state, when the security team works closely with a few <em>Feature Teams</em>, to a completely autonomous team of <em>Security Champions</em>. It may seem long, but the transition to Agile is much more than a simple change of methodology. It is a real paradigm shift that requires significant changes in ways of working and methods to ensure that the change can be sustained in the future.</p>
<p>In the next article, we will answer the following questions:</p>
<ul>
<li>How to ensure security controls in Agile?</li>
<li>Beyond projects support, how should the organisation and major ISS processes evolve to operate in the new Agile operating model of the company?</li>
</ul>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://netflix.github.io/chaosmonkey/">https://netflix.github.io/chaosmonkey/</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to conduct an Agile Cyber Security workshop?</title>
		<link>https://www.riskinsight-wavestone.com/en/2020/10/how-to-conduct-an-agile-cyber-security-workshop/</link>
		
		<dc:creator><![CDATA[Emma Barfety]]></dc:creator>
		<pubDate>Wed, 28 Oct 2020 08:00:19 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[agile project]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[How-to]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Transformation]]></category>
		<category><![CDATA[user stories]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=14373</guid>

					<description><![CDATA[<p>We talked about it in a previous article, the agile digital transformation is on the way and this new model requires a total rethinking of the way security is integrated into projects. In this article, we will discover how to...</p>
]]></description>
<content:encoded><![CDATA[<p>As we discussed in a <a href="https://www.riskinsight-wavestone.com/en/2019/12/cybersecurity-transformation-agile/">previous article</a>, the Agile digital transformation is under way and this new model requires a complete rethinking of the way security is integrated into projects. In this article, we will see how to conduct an Agile cybersecurity workshop that lets you define Evil User Stories (EUS) and Security Stories. Below is a brief reminder of the fundamental notions needed to follow the rest.</p>
<figure id="post-12288 media-12288" class="align-center">
<figure id="post-14430 media-14430" class="align-center"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-14430" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/user-stories.png" alt="" width="962" height="418" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/user-stories.png 962w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/user-stories-437x191.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/user-stories-71x31.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/user-stories-768x334.png 768w" sizes="auto, (max-width: 962px) 100vw, 962px" /></figure>
</figure>
<h2>The EUS &amp; Security Stories workshop: Who, when, where?</h2>
<p>First of all, we can only advise you to involve the usual actors of Agile ceremonies in this workshop:</p>
<ul>
<li><em><strong>The Product Owner</strong></em> (PO) as a representative of business needs</li>
<li><strong><em>The Agile Coach</em></strong>, as guarantor of adherence to the method</li>
<li><strong>The technical referents</strong> of the project (architect, developers, testers&#8230;)</li>
</ul>
<p>To bring a cybersecurity perspective, it is important to count on the presence of the <strong>Security Champion</strong> from the project team. If none is available, a member of the CISO team can replace them and will bring the cybersecurity “mindset” needed to guide you and complete the workshop.</p>
<p>Then, one often wonders when these workshops should be held&#8230; To tell you the truth, there is no rule about this, as it depends on the security requirements of each release! However, our first piece of advice on this subject is to <strong>synchronize their frequency with that of the product backlog review</strong>. All you then need to do is extend the workshops where you work on <em>User Stories</em> by about 50% to devote that time to this security study, with all the right players already present and mobilized.</p>
<p>Finally, where should the workshop be held? Ideally right after your previous workshop, in a room with a board or a projector that lets you share a screen and annotate the diagrams easily (post-its, whiteboard markers&#8230;). However, it is also possible to do it online! At Wavestone, we regularly use solutions such as <a href="https://www.mural.co/">Mural</a> or <a href="https://stormboard.com/">Stormboard</a> for this purpose. Get your hands on a solution like this and see whether it works for you!</p>
<h2>Course of the workshop</h2>
<p>First of all, it is often necessary for the <em>Security Champion</em> to lead the way in the first workshops. But the idea is to coordinate with the Agile Coach and work together so that the technical referents can gradually take charge of the methodology and make it their own.</p>
<p>When we train our clients on the subject, we often take a use case that is fictitious but concrete and realistic! WaveCare is a medical application with many innovative features such as:</p>
<ul>
<li>Consulting the availability of practitioners near you</li>
<li>Real-time transmission of your health data thanks to your connected watch</li>
<li>Remote consultations by video (Skype conference)</li>
<li>Receipt of the prescription after the appointment in digital format</li>
</ul>
<p>For this demonstration, let&#8217;s focus on two components in particular: the descriptive diagram of the <strong>functionality allowing a patient to search for and book a slot</strong> in their doctor&#8217;s calendar, and the general architecture diagram.</p>
<figure id="post-13190 media-13190" class="align-center">
<figure id="post-14432 media-14432" class="align-center"><img loading="lazy" decoding="async" class="aligncenter  wp-image-14432" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-1-5.png" alt="" width="863" height="578" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-1-5.png 728w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-1-5-285x191.png 285w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-1-5-58x39.png 58w" sizes="auto, (max-width: 863px) 100vw, 863px" /></figure>
</figure>
<p style="text-align: center;">&#8211;</p>
<figure id="post-13186 media-13186" class="align-center">
<figure id="post-14434 media-14434" class="align-center"><img loading="lazy" decoding="async" class="aligncenter  wp-image-14434" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-2-2.png" alt="" width="854" height="575" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-2-2.png 711w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-2-2-284x191.png 284w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-2-2-58x39.png 58w" sizes="auto, (max-width: 854px) 100vw, 854px" /></figure>
</figure>
<h3>Step 1: Building risk scenarios</h3>
<p>The first questions to ask yourself are “Where am I vulnerable?” and “How and where can I be attacked?”. The <em>Security Champion</em> and the developers will have to try to answer these questions! Here, a mix of application security and development knowledge will help identify exploitable vulnerabilities. We can already see an interesting aspect of the approach: it works on both the infrastructure and application aspects!</p>
<p>One piece of advice we can already give you: encourage developers to take ownership of the approach and to be proactive; it is an excellent lever for raising security awareness! The security referent’s role should mainly be to moderate the exchange and challenge the developers’ proposals. This position can also help you identify potential <em>Security Champions</em>, so don’t neglect it!</p>
<p>So let&#8217;s apply what we have just said to our example, in the figures below.</p>
<figure id="post-13192 media-13192" class="align-center">
<figure id="post-14436 media-14436" class="align-center"><img loading="lazy" decoding="async" class="aligncenter  wp-image-14436" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-3-1.png" alt="" width="872" height="587" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-3-1.png 895w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-3-1-284x191.png 284w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-3-1-58x39.png 58w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-3-1-768x517.png 768w" sizes="auto, (max-width: 872px) 100vw, 872px" /></figure>
</figure>
<p style="text-align: center;">&#8211;</p>
<figure id="post-13188 media-13188" class="align-center">
<figure id="post-14438 media-14438" class="align-center"><img loading="lazy" decoding="async" class="aligncenter  wp-image-14438" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-4.png" alt="" width="902" height="603" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-4.png 826w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-4-286x191.png 286w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-4-58x39.png 58w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/image-4-768x513.png 768w" sizes="auto, (max-width: 902px) 100vw, 902px" /></figure>
</figure>
<p>And here we are: we can quite quickly identify some points of attention! If we want to detail the “<strong>Code Injection</strong>” scenario of the global architecture diagram, we can for example rephrase it like this: “<strong>As an attacker, I want to inject malicious code into the application’s insecure input fields</strong>”. You see, this wording is very close to that of a classic <em>User Story</em>, but the angle is indeed that of the attacker!</p>
<h3>Step 2: Evaluate the business impacts of the scenarios</h3>
<p>The second phase will be key to ensure that the team’s energy is used in the right place. This is where the <em>Product Owner</em> comes in! Together with the <em>Security Champion</em>, they will lead the debate to qualify the impact that each vulnerability can have.</p>
<p>Why is the PO decisive at this stage? Quite simply because <strong>they are the one who knows best both the business reality of the project and the importance of each feature</strong>. They will need to be guided with questions such as “Is it serious if the data sent by the patient at this point is stolen?”, “How serious is the theft of the user’s account?”, etc.</p>
<p>Next, you will need to give each scenario a score in order to prioritize it. You then have two choices. The first is to use a classic cyber risk view, with a probability level and an impact level. Personally, I recommend you rather use a point system or the Fibonacci sequence, as for a classic User Story: it is frankly simpler and more intuitive!</p>
<h3>Step 3: Define and prioritize Security Stories</h3>
<p>The next step will be to build <em>Security Stories</em> based on each of the scenarios.</p>
<p>Now it’s the turn of the <em>Security Champion</em> and the developers to get back on stage! To continue with the previous example, here is a <em>Security Story</em> we can write: “<strong>As a developer, I want to make sure that code injection attacks are avoided</strong>”. Concretely, it will make us add to the product <em>backlog</em> actions such as escaping special characters, filtering user input or using the HttpOnly attribute to prevent the theft of session cookies.</p>
<p>Obviously, for each of the <em>Security Stories</em>, it may turn out that the security measures to be implemented are already in place. Otherwise, the <em>Security Champion</em> will prioritize the technical security measures, with regard to covering the risks involved, on a company-wide scale and not only on a business level. For security measures that are not purely technical, it is up to the <em>Product Owner</em> to prioritize them, with regard to business risks and the team&#8217;s resources.</p>
<p>And there you have it, you can now start your sprint more serenely!</p>
<h2>And to help you, prepare and adapt the material to your context!</h2>
<p>To make the workshops simpler and more fun, we have designed a generic deck of cards, consisting of cards with two sides each:</p>
<ul>
<li><strong>Front side</strong>: the <em>Evil User Stories</em> describe in a very pedagogical way what can go wrong and through which vulnerabilities (e.g. privilege escalation on a web server, brute force attack, XSS…).</li>
<li><strong>Back side</strong>: the <em>Security Stories</em> describe the security measures to be implemented to ensure that the <em>Evil User Story</em> does not occur (e.g. use of a robust AES 256/512 encryption algorithm…).</li>
</ul>
<p>These cards are really useful to get you started! For best results, you can even choose to <strong>adapt them to your business context</strong>. Use your security policies and integrate your requirements on encryption, password complexity, etc. Depending on the security needs of the project, you can also draw on requirements related to certifications (HDS) or regulations (LPM, NIS).</p>
<p><strong>You can find the card game available for free <a href="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/Security-Agility-Card-game_EN.pdf">here</a></strong> and don&#8217;t hesitate to give us your feedback so that we can continue to improve it!</p>
<p>Also, a workshop that runs smoothly is always more productive! Don&#8217;t forget to <strong>prepare the materials beforehand</strong>: architecture diagrams of the project (data flow and classification), listing and details of the next User Stories to be developed&#8230;</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2020/10/how-to-conduct-an-agile-cyber-security-workshop/">How to conduct an Agile Cyber Security workshop?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to conduct an Agile Cyber Security workshop?</title>
		<link>https://www.riskinsight-wavestone.com/en/2020/06/comment-conduire-un-atelier-cybersecurite-agile/</link>
		
		<dc:creator><![CDATA[Emma Barfety]]></dc:creator>
		<pubDate>Fri, 12 Jun 2020 07:41:33 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[How-to]]></category>
		<category><![CDATA[Agile project]]></category>
		<category><![CDATA[Transformation]]></category>
		<category><![CDATA[user stories]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=13185</guid>

					<description><![CDATA[<p>As we mentioned in a previous article, the agile digital transformation is under way, and this new model requires completely rethinking how security is integrated into projects. In this article we will see how to conduct an...</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2020/06/comment-conduire-un-atelier-cybersecurite-agile/">How to conduct an Agile Cyber Security workshop?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As we mentioned in <a href="https://www.riskinsight-wavestone.com/en/2019/12/cybersecurity-transformation-agile/" target="_blank" rel="noopener noreferrer">a previous article</a>, the agile digital transformation is under way, and this new model requires completely rethinking how security is integrated into projects. In this article we will see how to conduct an Agile Cyber Security workshop, used to define the <em>Evil User Stories (EUS)</em> and <em>Security Stories</em>. Below is a brief reminder of the fundamental concepts needed to understand what follows.</p>
<figure id="post-12288 media-12288" class="align-center"><img loading="lazy" decoding="async" class="aligncenter wp-image-12288 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Diapositive2_rognee.png" alt="Atelier Cybersécurité Agile : les Evil User Stories et les Security User Stories" width="1032" height="502" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Diapositive2_rognee.png 1032w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Diapositive2_rognee-393x191.png 393w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Diapositive2_rognee-768x374.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Diapositive2_rognee-71x35.png 71w" sizes="auto, (max-width: 1032px) 100vw, 1032px" /></figure>
<p>&nbsp;</p>
<h2>The EUS &amp; Security Stories workshop: who, when, where?</h2>
<p>First of all, we can only advise you to involve the usual participants of agile ceremonies in this workshop:</p>
<ul>
<li><strong>The <em>Product Owner</em> (PO)</strong>, as the representative of business needs</li>
<li><strong>The Agile <em>Coach</em></strong>, as the guarantor of adherence to the method</li>
<li><strong>The project&#8217;s technical leads</strong> (architect, developers, testers…)</li>
</ul>
<p>To bring a cybersecurity perspective, it is important to have the project team&#8217;s <strong><em>Security Champion</em></strong> present. If none is available, a member of the CISO&#8217;s team can stand in and will bring the cybersecurity &#171;&nbsp;mindset&nbsp;&#187; needed to guide you and bring the workshop to a successful conclusion.</p>
<p>Next, people often wonder when these workshops should be held… To be honest, there is no rule on the matter, as it depends on the security requirements of each release! However, our first piece of advice is to <strong>synchronize their frequency with that of the product backlog review</strong>. That way, you simply extend the workshops in which you work on <em>User Stories</em> by about 50% to devote that time to this security study, with all the right people already present and engaged.</p>
<p>Finally, where should the workshop take place? Ideally right after your previous workshop, in a room with a whiteboard or a projector for sharing a screen, and a way to annotate diagrams easily (post-its, whiteboard markers…). That said, it is also entirely possible to run it online! At Wavestone, we regularly use solutions such as <a href="https://www.mural.co/"><em>Mural</em></a> or <a href="https://stormboard.com/"><em>Stormboard</em></a> for this purpose. Try your hand at a solution of this kind and you will see whether it works for you!</p>
<p>&nbsp;</p>
<h2>Running the workshop</h2>
<p>First of all, it is often necessary for the <em>Security Champion</em> to steer the ship in the first workshops. But the idea is to coordinate with the Agile Coach and work together so that the technical leads can gradually take over the methodology and make it their own.</p>
<p>When we train our clients on the subject, we often use a use case that is fictional but concrete and realistic! WaveCare is a medical application with many innovative features such as:</p>
<ul>
<li>Checking the availability of practitioners near you</li>
<li>Real-time transmission of your health data via your smartwatch</li>
<li>Remote consultations by video (Skype conference)</li>
<li>Receiving the prescription after the appointment in electronic format</li>
</ul>
<p>For this demonstration, let us focus on two components in particular: the descriptive diagram of <strong>the feature allowing a patient to search for and book a slot</strong> in their doctor&#8217;s calendar, and the overall architecture diagram.</p>
<figure id="post-13190 media-13190" class="align-center"><img loading="lazy" decoding="async" class="aligncenter wp-image-13190 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_1.jpg" alt="Schéma descriptif de la fonctionnalité &quot;Recherche et réservation d'un créneau par un patient&quot;" width="1040" height="720" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_1.jpg 1040w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_1-276x191.jpg 276w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_1-56x39.jpg 56w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_1-768x532.jpg 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_1-245x170.jpg 245w" sizes="auto, (max-width: 1040px) 100vw, 1040px" /></figure>
<p style="text-align: center;">&#8211;</p>
<figure id="post-13186 media-13186" class="align-center"><img loading="lazy" decoding="async" class="aligncenter wp-image-13186 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_1.jpg" alt="Schéma descriptif de l'architecture de la solution" width="1040" height="720" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_1.jpg 1040w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_1-276x191.jpg 276w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_1-56x39.jpg 56w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_1-768x532.jpg 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_1-245x170.jpg 245w" sizes="auto, (max-width: 1040px) 100vw, 1040px" /></figure>
<h3><span style="color: #000000;">Step 1: Build the risk scenarios</span></h3>
<p>The first questions to ask are &#171;&nbsp;Where am I vulnerable?&nbsp;&#187; and &#171;&nbsp;How and through what can I be attacked?&nbsp;&#187;. The security lead (<em>Security Champion</em>) and the developers will have to try to answer these questions! Here it is a mix of application security and development knowledge that makes it possible to identify exploitable vulnerabilities. We can already note an interesting aspect of the approach: it works just as well for the infrastructure side as for the application side!</p>
<p>One piece of advice we can already give you: encourage developers to take ownership of the approach and to put forward ideas, as it is an excellent lever for raising their security awareness! The security lead&#8217;s role should mainly be to moderate the discussion and challenge the developers&#8217; proposals. This stance can also help you identify potential <em>Security Champions</em>, so do not hesitate to keep it up!</p>
<p>So let us apply what we have just said to our example, in the figures below.</p>
<figure id="post-13192 media-13192" class="align-center"><img loading="lazy" decoding="async" class="aligncenter wp-image-13192 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_2.jpg" alt="Schéma descriptif de la fonctionnalité &quot;Recherche et réservation d'un créneau par un patient&quot; avec les scénarios de risque " width="1040" height="720" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_2.jpg 1040w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_2-276x191.jpg 276w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_2-56x39.jpg 56w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_2-768x532.jpg 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_feature_2-245x170.jpg 245w" sizes="auto, (max-width: 1040px) 100vw, 1040px" /></figure>
<p style="text-align: center;">&#8211;</p>
<figure id="post-13188 media-13188" class="align-center"><img loading="lazy" decoding="async" class="aligncenter wp-image-13188 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_2.jpg" alt="Schéma descriptif de l'architecture de la solution avec les scénarios de risque" width="1040" height="720" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_2.jpg 1040w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_2-276x191.jpg 276w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_2-56x39.jpg 56w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_2-768x532.jpg 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/RI_HT_Atelier_ESU_archi_2-245x170.jpg 245w" sizes="auto, (max-width: 1040px) 100vw, 1040px" /></figure>
<p>And there you have it: a few points of attention can be identified fairly quickly! If we want to detail the &#171;&nbsp;<strong>Code injection</strong>&nbsp;&#187; scenario from the overall architecture diagram, we can for example rephrase it as follows: &#171;&nbsp;<strong>As an attacker, I want to inject malicious code into the application&#8217;s unsecured input fields</strong>&nbsp;&#187;. As you can see, this wording is very close to that of a classic <em>User Story</em>, but the angle is clearly the attacker&#8217;s!</p>
<p>&nbsp;</p>
<h3><span style="color: #000000;">Step 2: Assess the business impact of the scenarios</span></h3>
<p>The second phase is key to making sure the team&#8217;s energy is spent in the right place. This is when the <em>Product Owner</em> comes into play! Together with the <em>Security Champion</em>, he will lead the discussion to qualify the impact each vulnerability could have.</p>
<p>Why is the PO decisive at this step? Quite simply because <strong>he is the one who best knows both the business reality of the project and the importance of each feature</strong>. The point is to guide him well, with questions such as &#171;&nbsp;Is it serious if the data the patient sends at this point is stolen?&nbsp;&#187;, &#171;&nbsp;How serious is the theft of the user&#8217;s account?&nbsp;&#187;, etc.</p>
<p>Next, you will need to give a score to prioritize each scenario. You then have two choices. The first is to use a classic cyber risk view, with a level of probability and impact. Personally, I would rather recommend using a point system or the Fibonacci sequence, as for a classic User Story (US); it is frankly simpler and more intuitive!</p>
<p>&nbsp;</p>
<h3><span style="color: #000000;">Step 3: Define and prioritize the Security Stories</span></h3>
<p>The next step is to build <em>Security Stories</em> based on each of the scenarios.</p>
<p>It is the <em>Security Champion</em>&#8217;s and the developers&#8217; turn to get back on stage! To continue with the previous example, here is a <em>Security Story</em> we can write: &#171;&nbsp;<strong>As a developer, I want to make sure that code injection attacks are prevented</strong>&nbsp;&#187;. Concretely, it will lead us to add to the product <em>backlog</em> actions such as escaping special characters, filtering user input or using the HttpOnly attribute to prevent the theft of session cookies.</p>
<p>Obviously, for each of the <em>Security Stories</em>, it may turn out that the security measures to be implemented are already in place. Otherwise, the <em>Security Champion</em> takes charge of prioritizing the technical security measures, with regard to covering the risks involved, at company level and not only at business level. For security measures that are not purely technical, it is up to the <em>Product Owner</em> to prioritize them, with regard to business risks and the team&#8217;s resources.</p>
<p>And there you have it, you can now start your sprint with greater peace of mind!</p>
<p>&nbsp;</p>
<h2>And to help you, prepare and adapt the material to your context!</h2>
<p>To make the workshops simpler and more fun, we have designed a generic deck of cards, each card having two sides:</p>
<ul>
<li><strong>Front: </strong>the <em>Evil User Stories</em>, which describe in a very pedagogical way what can go wrong and through which vulnerabilities (e.g. privilege escalation on a web server, brute-force attack, XSS, …)</li>
<li><strong>Back:</strong> the <em>Security Stories</em>, which describe the security measures to implement to ensure that the <em>Evil User Story</em> does not happen (e.g. use of a robust AES 256/512 encryption algorithm, …).</li>
</ul>
<p>These cards are really useful to get you started! For best results, you can even choose to <strong>adapt them to your company context</strong>. Use your security policies and integrate your requirements on encryption, password complexity, etc. Depending on the project&#8217;s security needs, you can also draw on requirements tied to certifications (HDS) or regulations (LPM, NIS).</p>
<p><strong>Find the card game, available for free, <a href="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/Securite-Agilite-Jeu-de-cartes_VF.pdf" target="_blank" rel="noopener noreferrer">here</a></strong> (and in English <a href="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/06/Security-Agility-Card-game_EN.pdf" target="_blank" rel="noopener noreferrer">here</a>), and do not hesitate to send us your feedback so that we can keep improving it!</p>
<p>Also, a workshop that runs smoothly is always more productive! Do not forget to <strong>prepare the materials beforehand</strong>: the project&#8217;s architecture diagrams (data flows and classification), a list and details of the next <em>User Stories</em> to be developed…</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2020/06/comment-conduire-un-atelier-cybersecurite-agile/">How to conduct an Agile Cyber Security workshop?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
