At first glance, cybersecurity and agility seem to be at odds: security imposes constraints that can slow the creative and productive momentum of development teams, while agility, valued for accelerating the delivery of quality products, treats the rigor of security as an obstacle to the pace of development and, by extension, to time to market.
This view is widespread in the sector, but the growth of cyber risk and the inadequacy of existing protection measures are forcing the Chief Information Security Officer (CISO) to rethink their strategy. Older security approaches built on the solidity of the infrastructure – a fortress model – are obsolete in the face of modern applications and the diversification of data uses. Security is therefore obliged to join the product design process from its inception, and so to adopt an agile posture itself in order to remain relevant. It remains to be seen whether it can adapt to this requirement…
“Shift Left”: Anticipating security in the development cycle
Traditionally, the development of an IT product goes through four key stages: design, development, testing—including essential security testing—and finally delivery. Historically, security testing has been integrated downstream in the process, often revealing vulnerabilities late, leading to a reassessment of costs and time to market.
The “Shift Left” approach proposes a paradigm shift by integrating security from the earliest stages of the development cycle. This strategy aims to proactively include security analyses and controls within the daily routines of project teams. Security experts collaborate from the design stage to identify potential risks and define appropriate preventive measures, continuing their support throughout the process to ensure the application of security best practices.
In the era of DevSecOps, security testing is automated by integrating dedicated tools into the DevOps toolchain: code analysis (static and dynamic), external dependency management, vulnerability detection, and alerting wired into a SOC (Security Operations Center). That said, adopting these tools does not eliminate the need for manual audits and penetration tests, which remain essential for assessing what automated scanners cannot see: business-logic flaws, authorization mistakes, and chains of individually low-severity weaknesses. In addition, running bug bounty programs is an effective way to keep an application under continuous scrutiny once it is in production.
“Evil User Story”, or the art of predicting the worst in an Agile framework
To align with the agile mindset of development teams, some organizations adopt an innovative approach to security from the very beginning of the project. In a dedicated ritual attended by the project team, the Security Champion, and sometimes a member of the security team (whose presence becomes optional as the team matures), each User Story is examined for potential attack scenarios, and a corresponding Evil User Story is written that describes a malicious use of the feature.
To make them immediately understandable to developers, Evil User Stories follow a clear and direct template: “As a (risk source), I want to (exploit a vulnerability) to (generate a business impact)”. For example: “As an unauthenticated visitor, I want to guess a weak password-reset token in order to take over a customer account.” Once an Evil User Story has been identified, the corresponding security measures are written up and added to the team’s backlog, so that security risks are systematically addressed from the earliest stages of development.
“Security Gates”: Towards infallible security through automation
In the DevOps universe, “quality gates” are a common practice for failing or rejecting a build when anomalies are detected. Originally dedicated to quality, this method is now finding its place in security… By equipping the software factory with static and dynamic code analysis tools such as Checkmarx or Fortify, the security team can precisely define the criteria that decide whether a security check passes or fails. The obvious advantage of this proactive approach is early detection of vulnerabilities. In practice the gate must be tuned: block on confirmed high-severity findings, record accepted risks explicitly rather than silently ignoring them, and treat a noisy gate that teams learn to bypass as a failure of the gate itself.
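The two passages above (automated security testing in the DevSecOps toolchain, and the security gate that turns scanner output into a pass/fail decision) describe a mechanism without showing one. The following is an added example, not code from the original article or from any scanner vendor: a small gate that reads a SARIF 2.1.0 report (the interchange format most SAST tools can emit), fails the build when a finding at or above a severity threshold is present, and lets accepted risks be recorded explicitly instead of disappearing. The sample report and the accepted-risk list are constructed for the example; rule identifiers and file paths are illustrative.

```python
"""Minimal security gate over a SARIF report (added example).

Exit code 1 means the build must be blocked. Findings are compared against a
severity threshold, and an explicit accepted-risk list keeps waived findings
visible in version control instead of hidden in scanner settings.
"""
import json
import sys

# SARIF 2.1.0 result levels, least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def iter_findings(sarif):
    """Yield (rule_id, level, file_uri, start_line) for every result in the log.

    A result may omit "level"; SARIF then takes the rule's default
    configuration, and "warning" if the rule declares none.
    """
    for run in sarif.get("runs", []):
        rule_defaults = {}
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            default_cfg = rule.get("defaultConfiguration", {})
            rule_defaults[rule.get("id")] = default_cfg.get("level", "warning")
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            level = result.get("level") or rule_defaults.get(rule_id, "warning")
            file_uri, start_line = "", 0
            locations = result.get("locations") or []
            if locations:
                phys = locations[0].get("physicalLocation", {})
                file_uri = phys.get("artifactLocation", {}).get("uri", "")
                start_line = phys.get("region", {}).get("startLine", 0)
            yield rule_id, level, file_uri, start_line


def evaluate_gate(sarif, threshold="error", accepted=frozenset()):
    """Return (passed, blocking_findings).

    A finding blocks the build when its level is at or above `threshold`
    and its (rule_id, file_uri) pair is not on the accepted-risk list.
    """
    min_rank = LEVEL_RANK[threshold]
    blocking = []
    for rule_id, level, file_uri, start_line in iter_findings(sarif):
        if LEVEL_RANK.get(level, 0) < min_rank:
            continue
        if (rule_id, file_uri) in accepted:
            continue  # explicitly waived; still present in the report
        blocking.append((rule_id, level, file_uri, start_line))
    return len(blocking) == 0, blocking


# Constructed sample report shaped like SAST output (not real scanner data).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/hardcoded-credentials",
             "defaultConfiguration": {"level": "error"}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/hardcoded-credentials",  # level taken from the rule
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "py/weak-hash", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 19}}}]},
        ],
    }],
}

# Constructed accepted-risk list: a test fixture credential, waived on purpose.
ACCEPTED_RISKS = frozenset({("py/hardcoded-credentials", "tests/fixtures.py")})


def main(argv):
    """Gate a report given on the command line, or the embedded sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_SARIF
    passed, blocking = evaluate_gate(report, "error", ACCEPTED_RISKS)
    for rule_id, level, file_uri, start_line in blocking:
        print(f"BLOCK {level:<7} {rule_id} {file_uri}:{start_line}")
    print("security gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py report.sarif` as the last step of the CI job; on the embedded sample it blocks only the SQL injection finding, because the hard-coded test credential is an explicitly accepted risk and the weak-hash warning sits below the "error" threshold. Lowering the threshold to "warning" makes the weak-hash finding block too, which is the kind of tuning decision the security team owns.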
“Security Champion”, the CISO’s right arm in the democratization of cybersecurity
Given the scale of IT security issues, the CISO’s team is often understaffed and cannot handle every security question or support each project in identifying and mitigating cyber risks. To overcome this limitation and avoid bottlenecks that would hinder innovation and the deployment of solutions, decentralizing security expertise becomes imperative.
With this in mind, OWASP (Open Web Application Security Project) recommends appointing “Security Champions” within development teams. Rather than a security expert, the Security Champion is a developer who stands out for their interest in security and who devotes part of their time to integrating security requirements into the development process. By serving as a bridge between the technical teams and the security unit, a network of Security Champions is a key strategy for extending the culture of cybersecurity to the entire organization.
Please note: for this transformation to take shape, it requires a thorough review of organizational and cultural structures, supported by unwavering commitment from management. Adopting these practices gradually and relying on the figure of the Security Champion is highly recommended to breathe lasting renewal into cybersecurity management.
CISA hit by Ivanti flaws
Ironically, the Cybersecurity and Infrastructure Security Agency (CISA), the guardian of American cybersecurity, found itself compromised through already-known vulnerabilities in products from Ivanti, a vendor whose solutions have been marked by multiple critical flaws.
In February, cyber attackers successfully infiltrated CISA’s systems. The agency quickly confirmed the incident to The Record, revealing malicious activity exploiting weaknesses in the Ivanti software used by the agency. “Only two systems were impacted, which we immediately took offline.