{"id":13185,"date":"2020-06-12T08:41:33","date_gmt":"2020-06-12T07:41:33","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=13185"},"modified":"2021-07-12T09:54:34","modified_gmt":"2021-07-12T08:54:34","slug":"comment-conduire-un-atelier-cybersecurite-agile","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/","title":{"rendered":"How to run an agile Cybersecurity workshop?"},"content":{"rendered":"<p>As we discussed in <a href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2019\/12\/cybersecurity-transformation-agile\/\" target=\"_blank\" rel=\"noopener noreferrer\">a previous article<\/a>, the agile digital transformation is under way, and this new model requires a complete rethink of how security is integrated into projects. In this article we will see how to run an agile Cybersecurity workshop, which is used to define <em>Evil User Stories (EUS)<\/em> and <em>Security Stories<\/em>. 
Below is a brief reminder of the fundamental notions needed to follow the rest.<\/p>\n<figure id=\"post-12288 media-12288\" class=\"align-center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12288 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee.png\" alt=\"Agile Cybersecurity workshop: Evil User Stories and Security User Stories\" width=\"1032\" height=\"502\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee.png 1032w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee-393x191.png 393w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee-768x374.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2019\/12\/Diapositive2_rognee-71x35.png 71w\" sizes=\"auto, (max-width: 1032px) 100vw, 1032px\" \/><\/figure>\n<h2>The EUS &amp; Security Stories workshop: who, when, where?<\/h2>\n<p>First of all, we can only advise you to involve the usual participants of agile ceremonies in this workshop:<\/p>\n<ul>\n<li><strong>The <em>Product Owner<\/em> (PO)<\/strong>, as the representative of business needs<\/li>\n<li><strong>The Agile <em>Coach<\/em><\/strong>, as the guarantor that the method is followed<\/li>\n<li><strong>The project's technical leads<\/strong> (architect, developers, testers\u2026)<\/li>\n<\/ul>\n<p>To bring a cybersecurity perspective, it is important to have the project team's <strong><em>Security Champion<\/em><\/strong> present. 
If none is available, a member of the CISO's team can stand in and will bring the Cybersecurity \u201cmindset\u201d needed to guide you and see the workshop through.<\/p>\n<p>Next, a frequent question is when these workshops should be held\u2026 To be honest, there is no rule on this, because it depends on the security requirements of each release! Our first piece of advice, however, is to <strong>synchronise their frequency with that of the product backlog review<\/strong>. That way, you only need to extend the workshops where you work on <em>User Stories<\/em> by around 50% to devote that time to this security study, with all the right people already present and engaged.<\/p>\n<p>Finally, where should the workshop take place? Ideally straight after your previous workshop, in a room with a whiteboard or a projector for sharing a screen, and where diagrams can be annotated easily (post-its, whiteboard markers\u2026). That said, running it online is entirely feasible too! At Wavestone we regularly use tools such as <a href=\"https:\/\/www.mural.co\/\"><em>Mural<\/em><\/a> or <a href=\"https:\/\/stormboard.com\/\"><em>Stormboard<\/em><\/a> for this purpose. Try your hand at a tool of this kind and you will see whether it works for you!<\/p>\n<h2>Running the workshop<\/h2>\n<p>First of all, the <em>Security Champion<\/em> often needs to steer the first few workshops. 
But the idea is to coordinate with the Agile Coach and work together so that the technical leads can gradually take over the methodology and make it their own.<\/p>\n<p>When we train our clients on this topic, we often use a use case that is fictional but concrete and realistic! WaveCare is a medical application with many innovative features, such as:<\/p>\n<ul>\n<li>Looking up the availability of practitioners near you<\/li>\n<li>Real-time transmission of your health data from your smartwatch<\/li>\n<li>Remote consultations by video (Skype call)<\/li>\n<li>Receiving your prescription in electronic form after the appointment<\/li>\n<\/ul>\n<p>For this demonstration, let us focus on two components in particular: the descriptive diagram of <strong>the feature that lets a patient search for and book a slot<\/strong> in their doctor's calendar, and the overall architecture diagram.<\/p>\n<figure id=\"post-13190 media-13190\" class=\"align-center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-13190 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_1.jpg\" alt=\"Descriptive diagram of the feature &quot;Search and booking of a slot by a patient&quot;\" width=\"1040\" height=\"720\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_1.jpg 1040w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_1-276x191.jpg 276w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_1-56x39.jpg 56w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_1-768x532.jpg 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_1-245x170.jpg 245w\" sizes=\"auto, (max-width: 1040px) 100vw, 1040px\" \/><\/figure>\n<figure id=\"post-13186 media-13186\" class=\"align-center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-13186 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_1.jpg\" alt=\"Descriptive diagram of the solution architecture\" width=\"1040\" height=\"720\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_1.jpg 1040w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_1-276x191.jpg 276w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_1-56x39.jpg 56w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_1-768x532.jpg 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_1-245x170.jpg 245w\" sizes=\"auto, (max-width: 1040px) 100vw, 1040px\" \/><\/figure>\n<h3><span style=\"color: #000000;\">Step 1: Build the risk scenarios<\/span><\/h3>\n<p>The first questions to ask are \u201cWhere am I vulnerable?\u201d and \u201cHow and through what can I be attacked?\u201d. The security lead (<em>Security Champion<\/em>) and the developers will have to try to answer these questions! 
Here, it is thus a blend of application security and development knowledge that makes it possible to identify exploitable vulnerabilities. We can already note an interesting aspect of the approach: it works just as well for infrastructure as for the application layer!<\/p>\n<p>One piece of advice we can give you right away: encourage the developers to take ownership of the approach and to put forward proposals; it is an excellent lever for raising their security awareness! The security lead's role should mainly be to moderate the discussion and challenge the developers' proposals. This stance can also help you spot potential <em>Security Champions<\/em>, so do not hesitate to keep it up!<\/p>\n<p>Let us now apply what we have just said to our example, in the figures below.<\/p>\n<figure id=\"post-13192 media-13192\" class=\"align-center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-13192 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_2.jpg\" alt=\"Descriptive diagram of the feature &quot;Search and booking of a slot by a patient&quot; with the risk scenarios\" width=\"1040\" height=\"720\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_2.jpg 1040w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_2-276x191.jpg 276w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_2-56x39.jpg 56w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_2-768x532.jpg 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_feature_2-245x170.jpg 245w\" sizes=\"auto, (max-width: 1040px) 100vw, 1040px\" \/><\/figure>\n<figure id=\"post-13188 media-13188\" class=\"align-center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-13188 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_2.jpg\" alt=\"Descriptive diagram of the solution architecture with the risk scenarios\" width=\"1040\" height=\"720\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_2.jpg 1040w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_2-276x191.jpg 276w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_2-56x39.jpg 56w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_2-768x532.jpg 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/RI_HT_Atelier_ESU_archi_2-245x170.jpg 245w\" sizes=\"auto, (max-width: 1040px) 100vw, 1040px\" \/><\/figure>\n<p>And there you go: a few points of attention can be identified fairly quickly! If we want to detail the \u201c<strong>Code injection<\/strong>\u201d scenario from the overall architecture diagram, we can for instance rephrase it as follows: \u201c<strong>As an attacker, I want to inject malicious code into the application's unsecured input fields<\/strong>\u201d. 
As you can see, this wording is very close to that of a classic <em>User Story<\/em>, but the angle is clearly the attacker's!<\/p>\n<h3><span style=\"color: #000000;\">Step 2: Assess the business impact of the scenarios<\/span><\/h3>\n<p>The second phase is key to making sure the team's energy is spent in the right place. This is when the <em>Product Owner<\/em> comes into play! Together with the <em>Security Champion<\/em>, they lead the discussion to qualify the impact each vulnerability could have.<\/p>\n<p>Why is the PO decisive in this step? Quite simply because <strong>they are the one who best knows both the business reality of the project and the importance of each feature<\/strong>. The point is to steer them well, with questions such as \u201cIs it serious if the data the patient sends at this point is stolen?\u201d, \u201cHow serious is the theft of the user's account?\u201d, and so on.<\/p>\n<p>Next, you will need to give each scenario a score in order to prioritise it. Two options are available here. The first is to use a classic cyber-risk view, with a likelihood level and an impact level. 
Personally, I would rather recommend a points system or the Fibonacci sequence, as for a classic US: it is frankly simpler and more intuitive!<\/p>\n<h3><span style=\"color: #000000;\">Step 3: Define and prioritise the Security Stories<\/span><\/h3>\n<p>The next step is to build <em>Security Stories<\/em> based on each of the scenarios.<\/p>\n<p>Time for the <em>Security Champion<\/em> and the developers to take the stage again! Continuing with the previous example, here is a <em>Security Story<\/em> we can write: \u201c<strong>As a developer, I want to make sure that code injection attacks are prevented<\/strong>\u201d. In practice, it will lead us to add actions to the product <em>backlog<\/em> such as escaping special characters, filtering user input, or using the HttpOnly attribute to prevent session cookie theft.<\/p>\n<p>Of course, for each of the <em>Security Stories<\/em>, it may turn out that the security measures to be implemented already are. Otherwise, the <em>Security Champion<\/em> takes charge of prioritising the technical security measures, according to the coverage of the risks they address, at the scale of the company and not only of the business line. 
For security measures that are not purely technical, it is up to the <em>Product Owner<\/em> to prioritise them, according to the business risks and the team's resources.<\/p>\n<p>And there you go, you can now start your sprint with greater peace of mind!<\/p>\n<h2>And to help you, prepare and adapt the material to your context!<\/h2>\n<p>To make the workshops simpler and more engaging, we have designed a generic deck of cards, each card having two sides:<\/p>\n<ul>\n<li><strong>Front: <\/strong>the <em>Evil User Stories<\/em>, which describe in a very instructive way what can go wrong and which vulnerabilities are used (e.g. privilege escalation on a web server, brute-force attack, XSS, \u2026)<\/li>\n<li><strong>Back:<\/strong> the <em>Security Stories<\/em> describe the security measures to implement to make sure the <em>Evil User Story<\/em> does not happen (e.g. use of a robust encryption algorithm such as AES 256\/512, \u2026).<\/li>\n<\/ul>\n<p>These cards are really useful to get you started! For better results, you can even choose to <strong>adapt them to your company's context<\/strong>. Use your security policies and incorporate your requirements on encryption, password complexity, and so on. 
Depending on the project's security needs, you can also map requirements tied to certifications (HDS) or directives (LPM, NIS).<\/p>\n<p><strong>Find the card deck available free of charge <a href=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/Securite-Agilite-Jeu-de-cartes_VF.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a><\/strong> (and in English <a href=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/Security-Agility-Card-game_EN.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>) and do not hesitate to send us your feedback so that we can keep improving it!<\/p>\n<p>Also, a workshop that runs smoothly is always more productive! Remember to <strong>prepare the materials beforehand<\/strong>: the project's architecture diagrams (data flows and classification), a list and details of the next <em>User Stories<\/em> to be developed\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we discussed in a previous article, the agile digital transformation is under way, and this new model requires a complete rethink of how security is integrated into projects. 
In this article we will see how to run an&#8230;<\/p>\n","protected":false},"author":1357,"featured_media":13210,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3223,36],"tags":[70,3499,3525,142,3281],"coauthors":[3212,3524,3485],"class_list":["post-13185","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-next-gen-it-security","category-cybersecurity-digital-trust","tag-gestion-des-risques","tag-how-to","tag-projet-agile","tag-transformation","tag-user-stories"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Comment conduire un atelier Cybers\u00e9curit\u00e9 agile ? - RiskInsight<\/title>\n<meta name=\"description\" content=\"Comment faire du security by design dans un projet agile ? Nos retours d&#039;exp\u00e9rience pour bien conduire un atelier Cybers\u00e9curit\u00e9 agile !\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Comment conduire un atelier Cybers\u00e9curit\u00e9 agile ? - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"Comment faire du security by design dans un projet agile ? 
Nos retours d&#039;exp\u00e9rience pour bien conduire un atelier Cybers\u00e9curit\u00e9 agile !\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2020-06-12T07:41:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-12T08:54:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/Fotolia_73142653_Subscription_Monthly_XXL-Vector-illustration-concept-for-new-business-project-startup.\u00a9-oberonsk-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"2560\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Vincent Nguyen, Emma Barfety, Cl\u00e9ment JOLLIET\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Vincent Nguyen, Emma Barfety, Cl\u00e9ment JOLLIET\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/\"},\"author\":{\"name\":\"Vincent Nguyen\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/836af2ef2be74699a7090c74f4465aa7\"},\"headline\":\"Comment conduire un atelier Cybers\u00e9curit\u00e9 agile ?\",\"datePublished\":\"2020-06-12T07:41:33+00:00\",\"dateModified\":\"2021-07-12T08:54:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/\"},\"wordCount\":1530,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/Fotolia_73142653_Subscription_Monthly_XXL-Vector-illustration-concept-for-new-business-project-startup.\u00a9-oberonsk-scaled.jpg\",\"keywords\":[\"Gestion des risques\",\"How-to\",\"Projet Agile\",\"Transformation\",\"user stories\"],\"articleSection\":[\"Cloud &amp; Next-Gen IT Security\",\"Cybersecurity &amp; Digital Trust\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/\",\"name\":\"Comment conduire un atelier Cybers\u00e9curit\u00e9 agile ? 
- RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/Fotolia_73142653_Subscription_Monthly_XXL-Vector-illustration-concept-for-new-business-project-startup.\u00a9-oberonsk-scaled.jpg\",\"datePublished\":\"2020-06-12T07:41:33+00:00\",\"dateModified\":\"2021-07-12T08:54:34+00:00\",\"description\":\"Comment faire du security by design dans un projet agile ? Nos retours d'exp\u00e9rience pour bien conduire un atelier Cybers\u00e9curit\u00e9 agile !\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/Fotolia_73142653_Subscription_Monthly_XXL-Vector-illustration-concept-for-new-business-project-startup.\u00a9-oberonsk-scaled.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2020\/06\/Fotolia_73142653_Subscription_Monthly_XXL-Vector-illustration-concept-for-new-business-project-startup.\u00a9-oberonsk-scaled.jpg\",\"width\":2560,\"height\":2560},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/2020\/06\/comment-conduire-un-atelier-cybersecurite-agile\/#bread
crumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Comment conduire un atelier Cybers\u00e9curit\u00e9 agile ?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/836af2ef2be74699a7090c74f4465aa7\",\"name\":\"Vincent Nguyen\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/vincent-nguyen\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/13185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1357"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=13185"}],"version-history":[{"count":14,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/13185\/revisions"}],"predecessor-version":[{"id":13238,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/13185\/revisions\/13238"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/13210"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=13185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=13185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=13185"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=13185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}