How to build a secure by design company?
Why do people put their money in the bank rather than under their mattress? Because we trust the financial institutions, and our savings are safer with them than in some random place back home. Of course, we are a long way from the days when you had to deposit your coins—or gold bars if you were lucky—at the bank counter. With the digitisation of business, trust has spread to the computerised world.
Trust is paramount for all financial services players, including fintech companies. Because they trust us, individuals agree to share their banking and personal data. What do they expect in return? They expect products and services that carry the highest level of security in order to prevent data theft.
At Algoan, we strive to be state of the art in this area. We have been developing a secure by design approach from day one. What are the implications? How do we develop our products accordingly? We spoke with Fabrice Ongenae, our CTO, to explain the technical choices that guarantee the security of our products.
Security and compliance: the challenges for Algoan
What are the security and compliance issues facing Algoan? To deliver our products, we need our customers—and, by extension, our customers’ customers—to share their banking and personal data with us.
‘Banking data are very sensitive. A security breach can have a significant impact on users’ lives. They trust us, and it is up to us to honour that trust by setting high standards and delivering the most secure products possible’. – Fabrice Ongenae, CTO, Algoan
As for personal data, you are probably aware of the numerous scandals linked to security breaches concerning such data (Facebook – Cambridge Analytica is but one example). Therefore, the stakes are high for securing this data, as well for ensuring compliance in the collection and use of the data. This means one must know how to store it, in what form, for how long, etc. The General Data Protection Regulation (GDPR) has provided a legal framework on this matter since 2018. At Algoan, we had already adopted a conservative approach: to use and retain only the data necessary to build our products, and no more.
Protecting the customer’s data brings us closer to the customer; trust is the essence of the relationship. The large banks we work with have very high standards—and rightly so.
‘We are a young company, operating in a delicate market. There is no room for error in terms of securing the data transmitted. If we were to experience a major breach, we would not get a second chance. As the business becomes more visible, the threats also change. We must continually maintain and increase standards to guard against this. In concrete terms, this means we must make technical choices that place security at the forefront of everything we do.’
Secure by design: our approach to security at Algoan
Spearheading security issues is an integral part of Algoan’s DNA—likely the advantage of having two engineers as co-founders! All our technical choices rely on the DevSecOps approach, which includes Shift Left. Let’s explain them quickly.
- DevSecOps: perhaps you have heard of DevOps. This approach combines software development and IT operations. For what purpose? To integrate deployment constraints at the programming stage, rather than after the fact. By extension, DevSecOps brings security closer to programming. The security schemes are created simultaneously with the features. This allows us to identify the red flags right from the beginning of product development and add security tests at all stages of development.
- Shift Left: this concept is designed to liberate you from the current silo approach. Literally ‘to the left’, it allows testing—and in our case, security testing—to be done earlier in the product development cycle, rather than at the time of release. The key advantage? We avoid sending flaws into production. This is very attractive from a security perspective, but it’s also attractive from a financial perspective. According to a common adage in the tech community, bug X that originates from a security flaw costs 10 at the development stage, 100 at the QA stage and 1,000 once in production.
‘At Algoan, we have fully embraced one of the central themes of DevSecOps: expect the best, prepare for the worst. The idea is to think about possible flaws right from the beginning when creating products and features, and respond to them in advance’.
In order to prove our high technical standards, we apply for certification from certain recognised organisations. In particular, the ISO 27001 standard we will obtain at the beginning of 2022 confirms our accomplishments and reassures our current and future customers.
Working with recognised experts in their field
‘Our tech team’s values are: being state of the art, being agile, and contributing to the tech community, especially via open-source.’
Open source is at the heart of Algoan’s technical culture. Collaborative by nature, we seek the expertise of niche organisations. Algoan is still a small company, and working with these market leaders allows us to benefit from their experience and save development time:
- When we built our data model, questions arose about storage, form, etc. We called on the firm, Digital & Ethics to leverage their best practices.
- Google Cloud, our hosting provider, has a considerable impact on open source, with different tools such as Kubernetes or Tensorflow. We received direct support from their teams on architecture issues through the Startup Program in 2017 and 2020.
We are very open-source oriented, so we need tools to protect ourselves from potential security flaws. That’s why we use Snyk, which automatically detects security flaws in open source dependencies before we use them internally. Snyk also serves a compliance purpose, to ensure that we are not using a dependency with a proprietary license.
‘Snyk plays a key role in our technical organisation. They share the same vision of open source as we do. They fit perfectly with our DevSecOps and Shift Left approaches to helping developers build our products.’
Surrounding ourselves with these tools allows us to detect flaws and correct them more quickly than if we remained isolated while developing. We always keep in mind the logic of pay it forward, the basis of open source. In turn, we contribute to the community: For example, on Github, we share open source dependencies on which we have worked. At the same time, we rely on a highly qualified and passionate team.
Building an expert and passionate team
We wouldn’t achieve any of our security goals without the team we have managed to assemble. Fabrice is the CTO and is responsible for security. Paul, a co-founder of Algoan, manages data compliance aspects. We have a DevOps department that makes sure to ask the right questions from the beginning stages of infrastructure creation in order to ensure there are no flaws (Shift Left, always). Our other techs are divided into teams, with a tribe leader and two lead developers.
At each stage of development, the objective is to add a security aspect: this part is included natively, as we conceptualise. We conduct automatic security tests upstream. During production, tools monitor our infrastructure and ensure that there are no breaches, etc. We also conduct penetration tests on our own system to identify possible flaws and produce internal reports. This creates a paper trail, which we can provide to the auditors during certification, and which we can pass on to our customers if we detect any flaws in theirs!
‘Often, the pentester is outsourced or hired at a more advanced stage of a company’s development. Hiring Achraf at the inception of Algoan was a strategic choice. Having a person dedicated to security issues right from the very beginning of the company adds tremendous value. Whenever the technical team takes decisions, Achraf brings his expertise to bear to ensure that security is an integral part of those decisions.’
Recruiting the team is only the first step in building a robust internal security culture. Then it needs to be maintained. How? Every two months or so, Achraf and Fabrice give presentations to the whole team involved in production. Often, they choose current events and analyse how they could have been anticipated. It is also an opportunity to present the latest developments in security.
Beyond these sessions, training is strongly recommended, particularly two MOOCs on OpenClassrooms—one on cybersecurity and the other on conducting pentests.
‘We also run game days. Think of it as fireman training: we simulate security breaches that could occur, and the team has to find the solution. This ensures that the team is organised, cohesive and would know how to work together in the event of a difficult situation at Algoan.’
This concept is being used today: as soon as an incident occurs during production, the alarm bells ring – just like the Andon Cord at Toyota. Everyone stops what they are doing and gets organised in order to identify the problem and solve it as quickly as possible.
Securing the data transmitted by our customers and protecting ourselves from external threats is paramount at a company like Algoan. We strive to be cutting edge on this topic by making strategic technical choices, collaborating with leading organisations, and creating and maintaining a qualified and passionate team. Fabrice and Achraf continue to work on an increasingly ambitious roadmap in order to continue investing in DevSecOps and Shift Left. Even more automation and innovation are to be expected in order to achieve perfection.