Chanel introduces its developers to DevSecOps

Like all luxury giants, Maison Chanel is carrying out its digital transformation and has internal development teams for its e-commerce sites and applications. A few years ago, the famous brand was concerned about the security of the applications produced by its teams and created the position of application security manager.

Rémi Lavedrine was given responsibility for the security of these in-house applications: “there are a lot of developers within companies whose core business is not software. However, today, when we produce software, we must ensure its security. Even though the developers are doing their best, there are bugs in the code produced, and my role is to make sure that we take care of these vulnerabilities as early as possible.”

Before the appointment of a dedicated manager, application security depended on the goodwill of developers, who were more or less involved in the issue. They did not yet have any tools and had little or no training. Under these conditions it is difficult to assess the cyber debt of the application estate.

In this context, Rémi Lavedrine launched the deployment of the Veracode solution, but above all initiated an AppSec program to instill Secure DevOps concepts in teams and processes: “the further upstream a security problem is caught, the less complicated it is for the developer to solve it and the cheaper it is for the company.”

The manager estimates that there is a ratio of 1 to 30 between the cost of fixing a vulnerability detected in the development phase and one detected in production: “my role is to detect vulnerabilities as early as possible, and this involves tools, processes and people. My role is to organize this whole security strategy and this AppSec program.”

Chanel relied on Devoteam for its DevSecOps program

Chanel called on Devoteam to support it in implementing this approach. Before even embarking on a new process, the IT services company’s team began by auditing how its client’s development teams worked: “we start with a maturity audit, in which we interview members of the different teams in order to see what they have in common and which practices differ from one team to another”, summarizes Laurent Lajugie, Leader of Devoteam’s SecDevOps offer.

This done, he continues, “we identify what works, what does not work, and what initiatives were taken and what results they obtained. We also look at the entire documentation side: everything that is recorded, and what documentation a newcomer to the company receives and what they will be trained on.”

This first phase of analysis made it possible to draw up a short-, medium- and long-term roadmap based on the priorities set by Chanel, and to make the transition to Security by Design as smooth as possible. “It is very important to detect vulnerabilities and to assess where we are in the process, but the final objective remains to reduce the level of risk and the number of vulnerabilities, and to improve the level of maturity and the level of security,” adds Laurent Lajugie.

Critical applications first

The transformation program was launched on a limited scope, the applications deemed the most critical, before scaling up in a second step.

Rémi Lavedrine believes that one must capitalize on the obstacles encountered so that other entities do not run into them as well. What he considers to have been a mistake was setting up a team of cybersecurity experts responsible for helping the development teams: “in reality, this approach does not work, because the development teams have a certain reluctance to onboard security people. They consider that they will stick their noses into their affairs, cry wolf…”

Rémi Lavedrine then changed his approach. The project management and technology specialists still report to the security manager, but are seconded to the development teams: “they are fully part of these teams and follow the team rituals. By being fully part of the teams, they learn how development teams actually work. This is how we realize that certain processes are carried out one way by some and differently by others, and that certain risks are taken because they are poorly understood.” For the manager, the tools and the organization are the means to very significantly reduce the security debt.

“The key is to have people who are committed to security, but who are seconded to the development teams. It’s a game changer in the ability to anticipate security issues.”

Rémi Lavedrine, Head of Application Security, Chanel.

On the tooling side, the deployment of the Veracode solution that had already been initiated was accelerated. For Laurent Lajugie, the most important part of a DevSecOps transformation remains the people: “we train and support people, but beyond traditional training, above all we put ourselves in their place. At first, we take on the role of Security Champion on their behalf, to show them that it is not that complicated and that we are behind them to help. Little by little, they become independent, they acquire the right reflexes, and we can start to withdraw and take care of other teams.”

The expert’s position is to disturb developers’ working habits as little as possible: “if they are used to doing everything from their IDE, we will make sure that they do not have to open Veracode. We are not changing the way they work; we are adapting the processes to their daily routine so that taking charge of security is as easy as possible for them.”

The other key aspect remains the implementation of processes that clearly define who does what in the CI/CD chain with regard to cybersecurity.

Security must be an integral part of quality assurance

For Rémi Lavedrine, application security should not be treated as something separate from software quality, and the security program must be part of quality assurance: “a critical vulnerability is nothing other than a major bug and should be treated the same way. If tomorrow the purchasing funnel no longer works, management will ask for the problem to be dealt with very quickly, and there are processes in place to handle this type of problem very quickly. If we manage to integrate security into that same type of process, a critical vulnerability detected very early on will be corrected easily.”
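One way to make that idea concrete in a CI/CD pipeline, as an added example that is not Chanel’s, Devoteam’s or Veracode’s code: run scanner findings through the same pass/fail gate that unit tests already use, so a critical finding fails the build exactly as a failing test would, while lower severities only fail the build once an agreed fix deadline has passed. The JSON report shape and the per-severity deadlines below are constructed for this example and are not any real tool’s output format or policy.

```python
"""Treat security findings as build-breaking defects, the same way failing tests are.

Added example. The report shape below is constructed for this page and is not the
output format of Veracode or any other scanner: adapt load_findings() to yours.
"""
import json
import sys
from datetime import date, timedelta

# Constructed sample scanner output (assumed generic JSON shape).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "critical", "cwe": "CWE-89",
         "file": "checkout/cart.py", "line": 42, "first_seen": "2024-03-12"},
        {"id": "F-2", "severity": "medium", "cwe": "CWE-79",
         "file": "web/templates.py", "line": 10, "first_seen": "2024-01-15"},
        {"id": "F-3", "severity": "low", "cwe": "CWE-200",
         "file": "api/errors.py", "line": 7, "first_seen": "2024-03-10"},
    ]
})

# Assumed remediation deadlines, in days after a finding is first seen.
# A critical finding gets 0 days: it is a major bug and blocks the pipeline now.
SLA_DAYS = {"critical": 0, "high": 7, "medium": 30, "low": 90}


def load_findings(report_json):
    """Parse the (constructed) report into a list of finding dicts."""
    return json.loads(report_json).get("findings", [])


def deadline(finding):
    """Date by which the finding must be fixed; unknown severities fail closed (0 days)."""
    first_seen = date.fromisoformat(finding["first_seen"])
    days = SLA_DAYS.get(finding.get("severity", "").lower(), 0)
    return first_seen + timedelta(days=days)


def is_blocking(finding, today):
    """A finding blocks the build once its remediation deadline has been reached."""
    return today >= deadline(finding)


def gate(report_json, today=None):
    """Evaluate the report like a test run.

    today: ISO date string (defaults to the real date). Returns
    (passed, blocking_ids, report_lines) so a pipeline can print the
    lines and exit non-zero on failure, just as a test runner would.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    blocking, lines = [], []
    for f in load_findings(report_json):
        status = "FAIL" if is_blocking(f, today_d) else "ok  "
        if status == "FAIL":
            blocking.append(f["id"])
        lines.append(f"{status} {f['id']} {f['severity']:<8} {f['cwe']} "
                     f"{f['file']}:{f['line']} due {deadline(f).isoformat()}")
    return (not blocking, blocking, lines)


if __name__ == "__main__":
    passed, blocking, lines = gate(SAMPLE_REPORT, today="2024-03-12")
    print("\n".join(lines))
    print(f"{len(blocking)} blocking finding(s)")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit makes the security gate indistinguishable from a failed test stage, which is the point of the quote above: the same escalation path that handles a broken purchasing funnel handles the critical finding. The deadline table is where a team encodes its own fix-time policy, and an unrecognised severity deliberately blocks rather than slipping through.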

Another very important point for the manager is to fix vulnerabilities detected in the code quickly. “The longer it takes to detect a vulnerability, the more complex it is to correct, because the developer who wrote the code and who is asked to come back to it three months later will need more time to get reacquainted with it.”

The team is now planning the second phase of the program: spreading DevSecOps to the other development teams and scaling it up to all of them. “Once the teams are onboarded, we only handle 10% of the problems,” indicates Laurent Lajugie. Thus, “we can then rely on them to spread the word and acculturate other teams, or even other entities”.

The idea is that developers are more legitimate than members of the security team when it comes to promoting these best practices to other developers. They can now rely on the guides, training programs, tools and processes that have already been put in place.

Comments collected during the InCyber 2024 Forum.
