We spoke to Zakaria Rachid, CISO of leboncoin. He told us about the group’s security, his anarchist philosophy of order and his commitment to hackers.
In France, everyone knows about leboncoin. Your parents, your friends, everyone. The site is so deeply rooted in the French web landscape that you’d think it had always been there, like a good friend who’s always there when you need him. A friend so familiar that you’d almost forget that he’s not just yours, but also a friend to over 40% of the French population every month.
According to the Mediametrie NetRatings France barometer, leboncoin attracted nearly 27.5 million unique visitors in May 2023, making it the 9th-most-visited site in France, well ahead of Netflix (19th) and far ahead of Vinted and LinkedIn (32nd and 34th). And the situation is nothing out of the ordinary, since leboncoin has rarely left the Top 10 most-visited sites each month in the past few years.
Now, let’s zoom out a bit. leboncoin isn’t just a website, but also a group that gathers other well-known marketplaces, such as Videdressing, Locasun, Agriaffaires and L’argus. A group belonging to a conglomerate, Adevinta, whose galaxy of brands made it the 10th-most-visited group in France last May, ahead of Webedia and France Télévisions (the French national public television broadcaster).
We’re not telling you all this for the sake of numbers, but to underline the gigantism of leboncoin’s empire. And with an empire come borders to defend. When you welcome more than one in three French citizens every month, you owe them the utmost security.
This is the mission of Zakaria Rachid, CISO at Adevinta France.
Security challenges for leboncoin
There are many cybersecurity challenges for the leboncoin group, but they all revolve around the same objective: the safety of its users. The CISO explains:
“The crown jewels are our users and their data. This is very important at leboncoin — we don’t have customers, we have users of our platforms. Everything is thought out around that.”
As for many e-commerce players, the top priority is to guarantee the availability, confidentiality and integrity of user data. “It’s unthinkable that someone could install a virus through us,” insists Zakaria, before continuing:
“We sacralize our ecosystem, with which we have drawn a square where everything is secure, everything is sacred — and everything outside this square is profane. We encourage our users not to leave this ecosystem, by clicking on an external link for instance, because we want to make them as safe as possible.
“Of course, there are a lot of security issues to consider, such as securing our infrastructure and ensuring a 99% uptime. But all these issues always stem from the main one: user security.”
A cross-functional security team
To ensure the overall security of the company and its users, the CISO can rely on a cross-functional security team built around three pillars:
- Governance, risk, and compliance (GRC).
- Offensive and defensive security, with a cross-functional SOC and OffSec team.
- Application security, with an AppSec team responsible for monitoring the security level of platforms and applications.
The leboncoin group has virtually no compliance obligations, and no authority requires it to undergo any particular security certification. Nonetheless, the CISO sees no reason to skimp on GRC.
“We don’t have any compliance requirements — except for L’argus, where several of our customers are major automotive manufacturers — but we enforce the same stringent standards. We have an in-house framework that follows the NIST, ISO and OWASP Application Security Verification Standard [ASVS]. Using these three standards, we assess our internal rating and the degree of maturity of the applications, the parts of the information system and the company in general. Nobody’s asking us to, but tomorrow we could easily achieve ISO 27001.” — Zakaria Rachid, CISO, leboncoin
Leboncoin applies the same rigor to its partners and service providers, thanks to an efficient third-party cyber risk management policy.
“There are questionnaires for third parties, and we assign them scores to qualify the risk. We ensure the security of third parties at contractual level, but more importantly we follow it up with concrete actions. We ensure the real security of projects and technical implementations, with joint reviews and pentests for example. It’s all well and good to include security in the contract, but you have to make sure that third-party security is operative, and not just theoretical.”
A continuous watch on the attack surface
Next comes the security team, “who do both offensive and defensive tasks,” explains Zakaria. Among other things, they are responsible for monitoring the group’s attack surface.
“The defensive team is organized as an SOC, with a 24/7 rota. They monitor any incident, any security event that happens on our assets, from both inside and outside.
“Regarding the inside, we receive fairly standard alerts on our SOC. It’s none of my business if an employee goes on YouTube or other sites that morality would forbid, as they don’t present a real security risk. But if someone accesses the network from Paris one minute and goes to hacking forums in Russia the next, then I want to know about it! The team is proactive, even going so far as to track down weak signals to make sure that the attacker isn’t there, or that they haven’t been able to get in using this or that technique.”
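The “Paris one minute, hacking forums in Russia the next” alert Zakaria describes is what SOC tooling usually calls an impossible-travel rule. As an added illustration (not code from leboncoin, Adevinta or Yogosha), the Python below runs such a rule over a handful of constructed login events: it sorts each user’s logins by time, computes the great-circle distance between consecutive events and flags any pair that would require travelling faster than an assumed 1,000 km/h. The event format, the speed cutoff and the 50 km “same place” tolerance for GeoIP jitter are assumptions made for this example.

```python
"""Impossible-travel detection over constructed authentication events.

Added example, not leboncoin's or Adevinta's SOC code. The event shape, the
speed threshold and the same-place tolerance below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# A commercial flight cruises at ~900 km/h; anything faster between two logins
# means the same credentials were used from two places (assumed cutoff).
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
# Below this distance the two events are treated as the same place (GeoIP jitter).
SAME_PLACE_KM = 50.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: datetime
    city: str   # human-readable location, only used in the alert text
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one (user, from_city, to_city, km, hours, kmh) tuple per pair of
    consecutive logins by the same user that would need implausible speed."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < SAME_PLACE_KM:
                continue  # same metro area: GeoIP noise, not travel
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two distant places at the same instant: infinite speed, always flagged.
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > max_speed_kmh:
                alerts.append((user, prev.city, cur.city, round(km), round(hours, 2), kmh))
    return alerts


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample log, not real traffic.
SAMPLE_EVENTS = [
    AuthEvent("alice", _t("2023-05-10T09:00:00"), "Paris", 48.8566, 2.3522),
    AuthEvent("alice", _t("2023-05-10T09:01:00"), "Moscow", 55.7558, 37.6173),   # ~2,490 km in 1 min
    AuthEvent("bob", _t("2023-05-10T08:00:00"), "Paris", 48.8566, 2.3522),
    AuthEvent("bob", _t("2023-05-10T08:30:00"), "Versailles", 48.8049, 2.1204),  # ~18 km: same place
    AuthEvent("carol", _t("2023-05-10T07:00:00"), "Paris", 48.8566, 2.3522),
    AuthEvent("carol", _t("2023-05-10T11:00:00"), "Madrid", 40.4168, -3.7038),   # ~1,050 km in 4 h: a flight
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print("ALERT user=%s %s -> %s: %d km in %.2f h (%.0f km/h)" % alert)
```

Running the module prints a single alert, for the Paris-to-Moscow pair; the Paris-to-Madrid pair four hours apart is a plausible flight and stays quiet, and the Paris-to-Versailles pair is treated as the same place. In production the coordinates come from a GeoIP lookup of the source address, and VPN egress points and mobile-carrier NAT are the usual false positives to whitelist before the rule goes on a 24/7 rota.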
The security team therefore keeps a close eye on the group’s information system and platforms, but also on its various brand images, “which are equally important assets,” stresses the CISO.
“We work with companies that monitor the entire web. If an employee accidentally pushes something onto GitHub, Pastebin or a dark web forum, it will create an alert. We have a monitoring system for all our brands, and for their use too. If someone creates a fraudulent site with an address similar to leboncoin.fr, with an extra dash for instance, our defensive teams will detect it and proceed to shut it down.”
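The “leboncoin.fr with an extra dash” case is one of a handful of typosquatting patterns that brand-monitoring feeds look for. As an added example that is not leboncoin’s, Adevinta’s or Yogosha’s code, the Python below generates the one-edit lookalikes of a brand label (hyphenation, omission, transposition, repetition, confusable characters), then classifies a constructed feed of newly observed domains, also catching TLD swaps, combosquats such as “leboncoin-livraison” and any other label within one edit. The brand list, the legitimate TLD, the confusable table and the sample feed are all assumptions made for this illustration; a real deployment would read from a certificate-transparency or zone-file feed and use a public-suffix list to parse registrable domains.

```python
"""Lookalike-domain detection for a protected brand.

Added example, not leboncoin's or Adevinta's monitoring code. Brand list,
legitimate TLDs, confusable table and the sample feed are assumptions.
"""

BRANDS = ("leboncoin",)          # labels to protect (assumed)
LEGIT_TLDS = ("fr",)             # TLDs where the exact label is the brand's own (assumed)

# ASCII look-alike substitutions commonly seen in typosquats (assumed table).
CONFUSABLES = {
    "o": ("0",), "l": ("1", "i"), "i": ("1", "l"),
    "e": ("3",), "a": ("4",), "s": ("5",),
}


def registrable_label(domain: str):
    """Return (label, tld) for a domain, dropping any subdomain prefix.
    Deliberately handles single-label public suffixes only (no PSL dependency)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None
    return parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches single typos the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_variants(brand: str):
    """Yield (variant_label, technique) for every one-edit lookalike of `brand`."""
    seen = set()

    def emit(label, technique):
        if label != brand and label not in seen:
            seen.add(label)
            yield label, technique

    for i in range(1, len(brand)):                 # "le-boncoin": the extra dash
        yield from emit(brand[:i] + "-" + brand[i:], "hyphenation")
    for i in range(len(brand)):                    # "lebocoin"
        yield from emit(brand[:i] + brand[i + 1:], "omission")
    for i in range(len(brand) - 1):                # "lebnocoin"
        yield from emit(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:], "transposition")
    for i, ch in enumerate(brand):                 # "leb0ncoin"
        for sub in CONFUSABLES.get(ch, ()):
            yield from emit(brand[:i] + sub + brand[i + 1:], "homoglyph")
    for i, ch in enumerate(brand):                 # "lebboncoin"
        yield from emit(brand[:i] + ch + brand[i:], "repetition")


def classify(domain: str, brands=BRANDS, legit_tlds=LEGIT_TLDS):
    """Return (brand, technique) when `domain` looks like a brand lookalike,
    or None when it is the brand itself on a legitimate TLD, or unrelated."""
    parsed = registrable_label(domain)
    if parsed is None:
        return None
    label, tld = parsed
    for brand in brands:
        if label == brand:
            # Exact label on the brand's own TLD is legitimate (and so are its
            # subdomains); the same label on another TLD is a TLD swap.
            return None if tld in legit_tlds else (brand, "tld-swap")
        for variant, technique in typosquat_variants(brand):
            if label == variant:
                return brand, technique
        if brand in label:                         # "leboncoin-livraison"
            return brand, "combosquat"
        if levenshtein(label, brand) <= 1:         # any other single typo
            return brand, "edit-distance"
    return None


def scan_feed(domains):
    """Classify a feed of newly observed domains; return (domain, brand, technique) hits."""
    hits = []
    for domain in domains:
        verdict = classify(domain)
        if verdict:
            hits.append((domain, *verdict))
    return hits


# Constructed sample feed, e.g. what a certificate-transparency watcher might deliver.
SAMPLE_FEED = [
    "leboncoin.fr",                 # the real site: must not alert
    "www.leboncoin.fr",             # subdomain of the real site: must not alert
    "le-boncoin.fr",                # the "extra dash" case from the interview
    "leb0ncoin.fr",
    "lebocoin.com",
    "leboncoin-livraison.net",
    "leboncoin.shop",
    "lebonbon.fr",                  # two edits away: not flagged by this rule set
    "example.org",
]

if __name__ == "__main__":
    for hit in scan_feed(SAMPLE_FEED):
        print("LOOKALIKE %-26s brand=%s technique=%s" % hit)
```

The order of checks in classify() matters: the exact label is tested first so that leboncoin.fr and its subdomains never alert, the enumerated variants come next because they carry a precise technique label for the takedown request, and the generic edit-distance rule is the catch-all. Distance 1 is deliberately strict; loosening it to 2 would catch lebonbon.fr but also start flagging unrelated nine-letter words, which is why feeds pair this with registration-date and certificate-issuance signals before anyone files a takedown.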
The third pillar of the group’s security: the AppSec team, for Application Security. Experts who monitor the security level of Adevinta France platforms and applications. “Everything we develop, but also everything we buy, whether it’s a piece of code or a company like eBay a short while ago,” explains Zakaria, before adding:
“We assess, monitor and improve product security all along our development pipeline. We have multiple releases every week, and security is there from start to finish. We really do have end-to-end security — as consultants like to say, but in real life!”
Security as close as possible to production
Given the need for agility, application security cannot be the sole responsibility of the AppSec team. A group this size develops and distributes on a continuous basis, so security must be delivered as close as possible to the production chain.
“leboncoin is an agile company, everything is automated. We integrate security as closely as possible with CI/CD pipelines, to which we add security milestones. Vulcan, for example, which is an internal Adevinta tool for orchestrating all the security scanners, including several open-source solutions that we use a lot. [Editor’s note: here’s the Vulcan GitHub repo for the curious.] Behind it, we’re plugged into Slack, where we receive all the alerts.
“On top of that, there’s also static code analysis, reviews and all the best practices you can imagine.” — Zakaria Rachid, CISO, leboncoin
Automation is welcome, but it shouldn’t be the only safeguard. Always carefully considering security when it comes to the products, Zakaria advocates the empowerment of development teams.
“We have Feature Teams, and these teams have the ‘ownership’ of their features. We’re not in an old-fashioned kind of company, with the bad guys from security showing up to tell them what to do. Teams are responsible for their products, so they’re also responsible for their vulnerabilities.
“When a team finds vulnerabilities, we ask them to prioritize. We don’t just impose things — we discuss, we empower. This sense of responsibility makes Feature Teams more committed to monitoring and correcting vulnerabilities.”
“Security is like anarchy — absolute order”
However, empowering teams doesn’t mean making them bear full responsibility for security. The AppSec team is always closely involved in product security, with a watchful eye on deliveries.
“I’m going to quote a dictator — thank goodness it won’t be made public! — but trust does not exclude control. I have absolute confidence in our teams, but that doesn’t mean we can’t rely on the AppSec team and on Agile best practices.
“For example, at the start of each quarter, we take the time to sit down with the Engineering Managers (EM) and Product Owners (PO) — we call them the POEMs, we have a bit of a Baudelairean vibe at leboncoin… We ask about the features they plan to launch and, depending on the situation, we recommend risk analysis, threat modeling, more advanced pentesting…
“Agility does not mean chaos. Élisée Reclus defined anarchy as the highest expression of order. Well, security is like anarchy: absolute order. Everyone is responsible for the common order. Security isn’t just an authority, it’s also a coordinator and simplifier.”
No wonder, then, that this dedication to order is echoed throughout the whole security journey of the applications produced by leboncoin. As the saying goes: a place for everything and everything in its place.
“Each application goes through a whole security tunnel, and there’s not a single step I’d want to remove. They don’t compete with each other, but complement one another.
“At the very beginning of a feature, the PO does threat modeling — we sketch risk analysis on the walls, they’re all covered with it here! We draw a lot of our inspiration from the Rapid Risk Analysis/Assessment (RRA) approach, created back in the day by friends at Mozilla. We also rely on best practices, namely our in-house Cheat Sheets and those of OWASP.
“Once a feature has been coded, there’s a peer review. Developers review each other’s code, and if necessary correct any vulnerabilities. Then there are code and dependency scans, followed by vulnerability scans after committing. Then comes the pentest stage, carried out by our security teams.
“And when it’s finally time to put it into production, and it’s available on the Internet, we have a sweet Chaos Monkey entering the scene: Yogosha.”
Bug bounty as the last line of defense
True to its tech DNA, leboncoin has been running a bug bounty with Yogosha for several years now. The idea is simple: the hackers of the Yogosha Strike Force (YSF) try to identify vulnerabilities in targeted systems. If they succeed, leboncoin pays them a reward. It’s an approach that would make most risk-averse CISOs wary, but not Zakaria, who has been immersed in hacking for quite some time.
“How did I get into bug bounty? It came to me! I’ve been in security since I was 17, and I still consider myself a hacker. I started out very hands-on and I’ve always known security and hacking as a French community. I saw the emergence of the country’s two major bug bounty platforms, including Yogosha, and I’m very proud that we have that in France. Shame on me, but I’m very chauvinistic!
“I’ve always considered bug bounty to be a relevant practice, and have done so since the start of my career in security, whether as an engineer, auditor or CISO. It always allows you to find things you’d never have thought of, to challenge internal positions and to offer another perspective on security.”
As fervent an advocate of bug bounty as he is, it wasn’t Zakaria who decided to work with Yogosha. When he took up his post in 2021, a program was already in place. But there were a few adjustments to be made…
“There was already a bug bounty in place when I arrived. But the scope was only auth.leboncoin.fr, on Wednesdays after sunset, and only with French researchers from the southwest of the country! I’m exaggerating, of course, but you get the idea…
“The scope was so restricted that it was uninteresting, the origin of the bug hunters was ridiculously narrow, and the conditions and amount of the incentives made bug bounty impossible. We could almost turn it into a conference — ‘How to fail your bug bounty!’”
As you can imagine, if we’re writing these few lines today, it’s because things have changed. The first thing to do was to reassure the teams, especially the OffSec ones who may have seen bug bounty as competition to their work. Zakaria recalls:
“In reality, there was a lack of maturity on the subject. There was a reluctance to change on the part of the OffSec team, who saw it as a duplication of their job. The real challenge was to reassure people, to explain that bug bounty is a continuity of pentesting and not a punishment for these teams. The two exercises are complementary in the search for vulnerabilities. Bug hunters have a very different approach to that of a pentester, which is more methodological.”
Eventually, a few meetings and adjustments later, the program began to deliver the hoped-for results.
“With bug bounty, there’s a maturity effort to be had on the company side. It’s all very simple, but we’ve opened up the perimeter and widened the origin of the researchers, and we’ve started to receive a lot more reports!
“No really critical technical vulnerabilities — our platforms are solid enough that no one will find SQL injections or XSS — but some superb logic loopholes. Researchers have figured out how to bypass business logic, and that’s what we’re interested in. These aren’t vulnerabilities that scanners can spot, or that internal pentesters think to look for. But the bug hunters do.”
“It’s a world away from traditional methodology, and that’s what makes Yogosha researchers so interesting.”
leboncoin’s CISO has no hesitation in vouching for the expertise of the security researchers in the Yogosha Strike Force, a private community whose members are admitted only after a selection trial. “We are pushing code all the time, and there are always people who manage to challenge us with interesting things,” recounts Zakaria, before continuing:
“I have an anecdote to convey the quality of Yogosha’s researchers. We once had a bug hunter with a mechanic brother-in-law who asked him for his business account, registration number, and all the rest in order to write a contextualized vulnerability. He wrote the whole POC [Proof of Concept] like that, to demonstrate a scenario where he managed to do this and that. He even asked our permission beforehand so as not to make any faux pas.
“To be able to do this, you have to know the country-specific inner workings, be interested in it, create an account, do some selling… It’s a world away from traditional methodology, and that’s what makes Yogosha researchers so interesting.
“With this type of report, the hackers not only deliver a vulnerability, they deliver a context. In these cases, we often pay a bonus higher than the vulnerability score. This intellectual work shouldn’t be neglected, it’s invaluable.”
Rewarding the best reports with a bonus is not the only best practice applied by Zakaria. Today, the leboncoin group sets an example in the management of its program, and could easily give a conference on “How to make your bug bounty a success.”
“We try to do a specific communication to bug hunters at least once a quarter, to tell them what we’ve newly put into production at leboncoin. It gives a little boost to the bug bounty and encourages researchers to look at these features in particular.”
The company also leverages its in-house expertise, as the security team is responsible for sorting out the vulnerability reports sent in by hackers. “They know the context of our applications very well, and we need their perspective,” confides the CISO.
“I strongly urge all companies to implement bug bounty.”
This brings us to the paragraph where we should be praising the merits of bug bounty as a security test, and telling you just how valuable it is for organizations. But instead we’ll give the floor to Zakaria, who is truly a seasoned bug bounty ambassador (we offered him a job on our marketing team, but he refused).
“I strongly urge all companies to implement bug bounty, all the more so if there’s any production involved. As soon as there’s a product development lifecycle, there has to be a bug bounty somewhere. And it doesn’t matter what policy and measures are already in place, whether there are in-house scanners and pentesting or not.
“What’s really important is to contextualize the bug bounty and the writing of the program according to the company’s maturity, security objectives and remediation capabilities. Bug bounty can be carried out on an ad hoc or continuous basis — as we do — and in a more or less global manner. Whoever controls the program controls the entire bug bounty and all the resulting detections.”
leboncoin and Live Hacking Events
The group’s dedication to bug bounty extends well beyond the frontiers of the digital world. In March, leboncoin took part in RootedCON in Madrid, a Live Hacking Event during which Adevinta security teams met the bug hunters in the flesh. And this wasn’t the first time the group had attended.
“This was our second RootedCON, and we always enjoy going there. Security is a small world. For example, Adevinta Spain’s security teams include people who used to work for Blueliv [Editor’s note: now Outpost24] or other cutting-edge Spanish tech startups. And it’s the same for us in France, everyone knows everyone else. Plus, I myself have a strong link with the RootedCON organization — I know what they’re capable of, what they can deliver.” — Zakaria Rachid, CISO leboncoin
Live Hacking Events are an opportunity for organizations to test their systems live, in conditions as close to the real thing as possible. For a whole night, the YSF hunters attacked the defenses of leboncoin applications, in the hope of finding a vulnerability and receiving a reward. Meanwhile, Adevinta’s security teams, who traveled from all over the world, were responsible for qualifying the reports.
“There was on-site report qualification, with validation and live payments. The reports were highly relevant. Some bug hunters even found vulnerabilities on ‘invisible’ things, so to speak. The quality was top-notch, as usual!”
If the results were so interesting, it’s also because leboncoin willingly lends itself to the game of Live Hacking.
“The number of detections is out of the ordinary during a Live Hacking, and we encourage hackers as much as possible. We have a fairly mature site and applications, so it’s not easy to find something. So for this type of event we double or even triple the bounties. Researchers are all the more motivated to look for vulnerabilities. It’s more interesting for them and for us.”
In addition to generous rewards, the group maximizes the benefits of the event by allowing researchers to test numerous perimeters. The larger the playground, the greater the chance hackers have of uncovering a vulnerability.
“We offered a fairly broad scope, since it involved all the websites of the leboncoin group. This year we even expanded the scope, adding iPhone and Android mobile applications. In a way, it was a bug bounty program kick-off.
“And to tease things out a bit, it’ll be the same for the next Live Hacking with Yogosha — we’ve planned a specific program launch for the occasion… We’re trying to gamify security, to give bug hunters more room to play.”
Don’t think of Live Hacking Events as formal meetings, with everyone staring at their screens. Beyond security topics, these events help to create bonds between security researchers and internal teams. Zakaria confirms:
“Another reason we take part in these live hacking events is that we’re very close to the hacker community. These events enable us to maintain contact, and even reconnect when necessary. As I’ve already said, there was a time when it was complicated with our pentesters, who didn’t see the added value of bug hunters. But sitting down with them to talk security all night long with Red Bulls and fajitas while listening to Spanish techno, it brings people together!”
And, as in real life, some of the best encounters go further than just one night. “We’ve met three researchers who we plan to invite as VIPs or speakers at our private tech events, so that they can share their vision and experiences!” says Zakaria.
“That’s how you fight the real pirates — by reaching out to the people who know”
It’s important to understand one thing about leboncoin and its CISO. Although the collaboration with Yogosha is going well — and we’re happy about it — it’s primarily ethical hacking in general that they’re advocating. When Zakaria defends bug bounty, it’s not so much Yogosha as the hacker community he’s promoting.
“We’re involved in ‘zero bullshit’ communities. This year we were sponsors of RootedCON, but also of leHACK in France. We defend an approach to security by the people who know how to do it, by the hacking community — in the best sense of the word.
“That’s how you fight the real pirates — by reaching out to those who know and by encouraging the young and the not-so-young. We’ve got to give tech and hacking enthusiasts the chance to do what they love in the most legal way possible.
“For leboncoin, bug bounty goes far beyond the search for vulnerabilities — it’s our commitment to the hacking community. And I know it’s the same for Yogosha. In fact, we have an in-house person who hunts for Hack4Values. [Editor’s note: a charity bug bounty program for nonprofits and NGOs, created by ManoMano, Yogosha and Communication Without Borders.]
“Just as we pay our taxes in France and work with French employees without outsourcing to other countries, we choose to work with a French company and sponsor the French hacking community through these events. Did I ever tell you I was a bit of a chauvinist?”
— Zakaria Rachid, CISO, leboncoin
Looking for more? Meet Zakaria Rachid on Riskintel Média to discuss cybersecurity and digital retail — in French, as you may have guessed.