How do you build a secure by design company?

Why do we put our money in the bank rather than under our mattress? Because we trust financial institutions, and our savings are safer with them than in some random place at home. Of course, we're a long way from the days when you had to deposit your coins - or gold bars, for the lucky ones - at the bank counter. With the digitization of industry, trust has extended to the digital world.

This relationship of trust is central to all financial services players, especially fintechs. It is the basis on which individuals agree to share their banking and personal data. What do we expect in return? Products and services with the highest levels of security, to prevent any hold-up of this data.

At Algoan, we strive to be state-of-the-art in this field. From day one, we've been developing a secure by design approach. What are the implications? How do we develop our products accordingly? We spoke to Fabrice Ongenae, our CTO, to explain the technical choices that guarantee the security of our products.

Security and compliance: the challenges for Algoan

What are the security and compliance challenges facing Algoan? To deliver our products, we need our customers - and, by extension, our customers' customers - to share their banking and personal data with us.

"Banking data is highly sensitive. A security breach can have a major impact on users' lives. They place their trust in us, and it's up to us to honor it with high standards, delivering the most secure products possible." - Fabrice Ongenae, CTO, Algoan

As for personal data, you'll surely have in mind the many scandals linked to security flaws involving it (Facebook - Cambridge Analytica, to name but one example). We therefore have a major stake in securing this data, and in collecting and using it compliantly. This means knowing how to store it, in what form, for how long, etc. The General Data Protection Regulation (GDPR) has provided a legal framework on this subject since 2018. At Algoan, we had already adopted a conservative approach: use and store only the data needed to build our products, no more.

The protection of this data is the basis of the relationship of trust that binds us to our customers. The major banks we work with have very high standards - and rightly so.

"We're a young company operating in a sensitive market. We have no right to make mistakes when it comes to the security of transmitted data: if we knew of a major flaw, we wouldn't get a second chance. As the company becomes more visible, so do the threats. We need to maintain and push our level of requirements constantly to guard against them. In concrete terms, this means making technical choices that place security at the heart of everything we do."

Secure by design: Algoan's approach to security

Spearheading security issues is an integral part of Algoan's DNA - the advantage of having two co-founding engineers, probably! All our technical choices are based on the DevSecOps approach, which includes Shift Left. Let's explain them quickly:

  • DevSecOps: perhaps you've heard of DevOps. This approach unifies software development and IT infrastructure administration. Why? To integrate deployment constraints right from the programming phase, rather than as an afterthought. By extension, DevSecOps brings security closer to programming. Security models are designed at the same time as the features themselves. This makes it possible to identify points requiring vigilance right from the product's inception, and to add security tests at every stage of development.
  • Shift Left: this approach also aims to break down existing silos. Literally "to the left", it allows tests - and in our case, security tests - to be carried out as early as possible in the product development cycle, rather than at the time of production release. The key advantage? Avoiding sending vulnerabilities into production. This is very interesting from a security point of view, but also from an economic one. According to a common adage in the tech community, a bug caused by a security flaw costs 10 to fix at the development stage, 100 at the QA stage and 1,000 once in production.

"At Algoan, we have fully embraced one of the leitmotifs of DevSecOps: expect the best, prepare for the worst. The idea is, right from the creation of products and functionalities, to think about possible flaws and respond to them in anticipation."

To provide proof of our technical efforts, we are applying for certification to certain official labels. In particular, ISO 27001 in early 2022, which will validate our actions and reassure our current and future customers.

Work with recognized experts in their field

"The values of our tech team are: to be state-of-the-art, to be agile and to contribute to the tech community - via open source in particular."

Open source is at the heart of our technical culture at Algoan. Collaborative by nature, we have sought out the expertise of leading organizations. Algoan is still a small company, and collaborating with these market leaders enables us to benefit from their experience and save time in our developments:

  • When we were building our data model, questions arose about storage, form, etc. We called on Digital & Ethics to provide us with best practices.
  • Google Cloud, our hosting provider, has a considerable impact on open source, with various tools like Kubernetes or even TensorFlow for data science. We benefited from direct support from their teams on architecture issues thanks to the Startup Program in 2017 and 2020.
  • We're very open source-oriented, so we also need tools to protect us from potential security flaws. That's why we use Snyk, which automatically detects flaws in open source dependencies before we use them internally. This also meets a compliance objective: ensuring that we don't use dependencies that have a proprietary license.

"Snyk plays a key role in our technical organization. They share the same open source vision as we do. They fit in perfectly with our DevSecOps and Shift Left approaches, to help developers in the design of our products."

Surrounding ourselves with these tools enables us to detect flaws and correct them more quickly than if we remained isolated in our developments. We always keep in mind the logic of "pay it forward", the basis of open source. We in turn contribute to the community, for example by sharing the open source dependencies we've worked on via GitHub. At the same time, we rely on a highly qualified and passionate team.

Building an expert and passionate team

None of our security objectives would be achieved without the team we've managed to assemble. Fabrice is the CTO and responsible for security. Paul, co-founder of Algoan, manages the data compliance aspects. We have a DevOps department that makes sure we ask the right questions, right from the creation of the infrastructure, to ensure there are no loopholes (Shift Left, always). Our other techies are divided into teams, each headed by a Tribe leader and two Lead developers.

At every stage of development, the aim is to add a security aspect: conceptualization natively includes this part. We carry out automatic security tests upstream, and in production we use tools to monitor our infrastructure and make sure there are no intrusions, etc. We also carry out intrusion tests on our own system to identify any possible vulnerabilities, with internal reports. This creates a paper trail, which we can provide to auditors during certification... and which we can pass on to our customers if we detect any vulnerabilities on their premises!

In our team, one recruitment was key: that of Achraf, our DevSecOps and pentester. He holds several certifications and has received multiple awards in pentest competitions.

"Often, the pentester is outsourced or hired at a later stage in the company's development. Hiring Achraf when Algoan was founded was a strategic choice. Having a person dedicated to security issues right from the company's inception brings considerable added value. Whenever decisions are made within the technical team, Achraf brings his expertise to bear to ensure that security is an integral part of them."

Recruiting the team is only the first step in building a strong in-house security culture. Then it has to be nurtured. How do we do this? Every two months or so, Achraf and Fabrice give presentations to the entire production team. They often choose current events and analyze how they could have been anticipated. It's also an opportunity to present new developments in security.

Beyond these sessions, training courses are highly recommended, in particular two MOOCs on OpenClassrooms, on cybersecurity and pentest management.

"We also run Game Days. Think of them as firefighter training: we simulate security breaches that could occur, and the team has to find the solution. This ensures that the team is organized, cohesive and would know how to react in unison in the event of a difficult situation at Algoan."

This collective spirit is already put to good use in normal times: as soon as an incident occurs in production, the alarm bells go off - just like the Andon Cord at Toyota. Everyone stops what they're doing and gets organized to identify the problem and solve it as quickly as possible.

For a company like Algoan, securing our customers' data and guarding against external threats is of central importance. We strive to be state-of-the-art in this field, thanks to strategic technical choices, collaboration with leading organizations and a qualified, passionate team. Fabrice and Achraf continue to work on an ever more ambitious roadmap, to pursue the investments initiated on DevSecOps and Shift Left. Even more automation and innovation are on the way, to ensure maximum infallibility.