In an era of accelerating digital transformation, cybersecurity concerns are shifting to the beginning of the development cycle. For large companies, it’s no longer just about reacting to vulnerabilities but anticipating and fixing them even before an application goes into production.
The pressure on IT teams is intensifying: software deliveries are becoming more frequent, cloud-native architectures are expanding the attack surface, and regulatory requirements (GDPR, DORA, NIS2, CRA, etc.) are increasing the need to document every action. Security can no longer be a final checkpoint: it is becoming a driver of agility, compliance, and competitiveness.
This is also the direction the market is heading:
- By 2026, 40% of companies will have integrated automated security tests directly into their CI/CD pipelines. This trend reflects a shift from one-time cybersecurity to continuous cybersecurity, integrated from the development stage.
- 70% of security managers are turning to collaborative security models like bug bounty or crowdsourced pentesting. This approach involves using a specialized platform to mobilize a global community of security researchers to perform penetration tests and test their systems, especially against AI-related threats.
Glossary
Bug Bounty: A collaborative security program where security researchers are invited to identify vulnerabilities in a system. Researchers are paid based on the vulnerabilities they find. This method offers diverse skills and continuous testing.
Crowdsourced Pentest: A penetration test conducted via a specialized platform that mobilizes a global community of pentesters on demand. More flexible than a classic audit, it allows for a quick start and access to a variety of skills depending on the scope of the test.
How can a critical platform be effectively secured without slowing down time-to-market or adding cumbersome processes?
This was the challenge Sopra Steria and its former subsidiary SBS faced in 2019 when developing a new banking solution. To address it, the group gradually integrated offensive security practices from Yogosha – first through Bug Bounty, then on-demand pentests – before generalizing this model across several entities.
This collaboration has yielded several key benefits, now shared by the various user entities:
- Strong agility, allowing a pentest to be launched in just a few days, without administrative heavy lifting.
- Direct collaboration with researchers, which involves technical teams and promotes a culture of offensive security.
- A high level of expertise, with clear, contextualized deliverables and the ability to quickly retest after a fix.
- A simple and suitable purchasing process, which is essential in a group with siloed structures and distributed budgets.
A Partnership Built on Agility, Expertise, and a Desire to Industrialize Cybersecurity
Securing a Platform Before Its Deployment: The SBS Case Study (formerly Sopra Banking Software)
In 2019, SBS (formerly Sopra Banking Software) – then a subsidiary of the Sopra Steria group specializing in banking software solutions – was preparing to deploy its SBP Digital Core platform. Developed from scratch and cloud-native, this solution was intended for use by large financial institutions. One of the key requirements for a project of this scale was to conduct in-depth security testing of the platform before it went into production.
The company already had a solid security foundation, with pentests performed internally or through other partners. At this stage of the project, the teams decided to go a step further and adopt a next-gen approach. They called on Yogosha to launch a Bug Bounty campaign on a witness environment – a secure copy of a production environment used for testing with fake or anonymized data. The goal was to test complex attack scenarios.
“Testing a banking platform directly in production is truly very complicated. In a highly regulated sector, where you can neither simulate clients nor manipulate fake data, the pre-production environment becomes the only possible way to conduct serious testing.”
Frédéric PRON, former CISO at SBS
Why Turn to Bug Bounty?
An Approach That Is More Open and Realistic Than a Scoped Pentest
Although SBS already had a solid pentest system in place, the project team quickly saw Bug Bounty as a different, more open, and adaptive approach.
Unlike a pentest, where tests are guided by a well-defined strategy, Bug Bounty involves opening the application to a community of independent researchers, each with their own specialties, tools, and methodologies. This diversity is the added value of the model.
“With Bug Bounty, ethical hackers have carte blanche to test the application. This allows us to identify potential new vulnerabilities thanks to the diversity of their experiences and specializations, in terms of tests, environments, methods…”
Frédéric PRON, former CISO at SBS
The approach is not limited to a single perspective. Several ethical hackers can work on the same scope, with completely different attack angles.
But that’s not all. The Bug Bounty model is based on performance: researchers are paid only when they discover and report a valid vulnerability. Rewards vary based on the criticality of the vulnerability, which encourages in-depth research and the reporting of exploitable findings, while also ensuring a better return on investment for the company.
This helps overcome the limitations of a single test, often restricted by the initial scope, and uncover unexpected vulnerabilities, sometimes related to real-world usage context.
From Audit to Collaboration: Engaging Technical Teams
Beyond vulnerability detection, Bug Bounty introduced a deeper change at Sopra Steria: security ownership by the product teams.
In many large corporations, security is still seen as an external control, or even as a barrier to delivery. Here, Bug Bounty reversed that dynamic. Developers communicate directly with researchers, can ask questions, re-qualify findings, and request retesting. Security becomes a dialogue, not a punishment.
“It’s much more motivating for the technical teams. They’re no longer just undergoing an audit; they’re participating in real-time product improvement.”
Loïc LE METAYER, Information Security Officer at SBS
This collaborative approach also leads to lasting skill development. Internal teams better understand attack logic and what makes a flaw critical, and they adopt Security by design practices – the practice of integrating protective measures and security controls from the application’s conception, rather than adding them later. This is a key point for CISOs: Bug Bounty becomes as much a tool for acculturation as a testing tool.
Industrializing Pentests Without Rigidity
Given the quality of the interactions with researchers and the relevance of the findings, the relationship strengthened. The Sopra Steria teams decided to also rely on Yogosha for their pentests. As a complement to Bug Bounty programs, penetration tests conducted through the platform offer significant time savings compared to traditional methods. Yogosha makes it possible to launch a pentest in just a few days, independently. The teams appreciate this responsiveness, combined with a high level of expertise and immediately usable deliverables.
“With Yogosha, we can launch a pentest in just a few days. The setup is so fast that, often, we’re the ones who have to keep up. This is unlike traditional providers, where you have to follow a procedure that can feel cumbersome (quote, validation, scoping meeting…). Here, we get started right away.”
Loïc LE METAYER, Information Security Officer at SBS
The pentest and bug bounty duo then naturally integrated into the software development processes. Now, every major release is tested within a rigorous yet flexible framework, as part of a continuous testing approach. This approach aligns with Sopra Steria’s DevSecOps practices, which involve integrating security from the first stages of the development cycle, by closely combining it with traditional DevOps practices.
“We have very competent cyber teams, but they are often mobilized for our clients. Being able to quickly activate a test via Yogosha, without waiting for staffing cycles, is a real operational freedom.”
Frédéric PRON, former CISO at SBS
This “as a service” approach is also a way to break down silos. Each entity remains autonomous in its security management while relying on a shared infrastructure. The model thus makes it possible to standardize quality, accelerate coverage, and reduce dependence on internal teams, in a context where specialized cybersecurity profiles are rare and highly sought after.
Generalization Across the Group
In April 2024, the initiative took on another dimension: other Sopra Steria group entities – Real Estate, Financing Software, HR, etc. – showed interest. What was once an isolated use case became a joint project, managed at the group level. The objective is clear: pool resources, accelerate test cycles, and industrialize offensive security.
A subscription to the Yogosha platform is open to all subsidiaries, with direct integration into CI/CD pipelines. Developers can thus launch tests themselves—bug bounty or pentests—independently, according to the needs of their roadmap.
“By partnering with Yogosha, we are moving from a statement of principle to a measurable action in service of demanding European cybersecurity. Their approach – continuous testing, private bug bounty programs, responsible disclosure – is changing practices and raising our standards. Concretely, for our clients: better-monitored attack surfaces, targeted campaigns, and shortened remediation times, with transparent reporting. Betting on Yogosha also means supporting European talents and standards that sustainably raise the level of security. This alliance is finally part of our risk management strategy – proactive detection, better control and responsiveness to the detection of vulnerabilities in our products, and strengthened compliance across the entire chain. As a leading group, we prioritize partnerships that produce tangible results and strengthen the resilience of the entire ecosystem.”
Thierry LORHO, CISO at Sopra Real Estate Software
Today, even more entities are in the process of onboarding. The collaboration is expanding.
“By supporting Yogosha, we affirm our commitment to an ambitious and innovative European cybersecurity. Yogosha embodies a new generation of players capable of shaking up traditional approaches and imposing more demanding standards. As a leading group, we are keen to promote this type of strategic partnership, which strengthens our collective resilience and contributes to the influence of technological excellence.”
Socheat CHHAY, Managing Director at Sopra Steria Ventures
Since 2019:
- 30 testing campaigns conducted (combining Bug Bounty and pentests)
- 3 entities active on the platform
- 216 findings reported
- 6 days on average to start a test
While offensive security has historically been a difficult practice to advance in large organizations, Sopra Steria has found a fluid way to industrialize it here, without overloading existing processes.
A Partner Aligned With Sovereignty Requirements
Beyond the technical and operational criteria, the collaboration with Yogosha is also part of a logic of trust and control over sensitive environments. The choice of a French, independent player rooted in the European ecosystem meets the growing expectations for digital sovereignty and regulatory compliance.
The Researcher Community as a Lever for Performance
One of the differentiating elements of the partnership between Sopra Steria and Yogosha lies in the quality and diversity of the security profiles mobilized. Whether for Bug Bounty or Pentest-as-a-Service, the same community logic is at work.
Unlike a firm that assigns a single team, Yogosha relies on an international community of specialized researchers, who can be activated based on the project context: critical APIs, legacy systems, cloud environments, authentication, etc. Each test thus benefits from a variety of perspectives, with profiles tailored to the scope.
“We’ve seen researchers capable of automating their tests with scripts specific to our platform. Conversely, some tests that were too generic provided little value. This diversity is what makes the difference.”
Frédéric PRON, former CISO at SBS
The platform also helps structure this diversity: controlled access, clearly defined scopes, tracking of exchanges, technical triage, and retesting. For the CISO, this ensures they can leverage targeted expertise without losing operational control.
This model also helps avoid redundancy from one pentest to another: by changing profiles, you also change perspectives. This is an ideal way to avoid the gradual “blindness” associated with repeated audits by the same consultants.
And Tomorrow? Automation and Scalability
The adoption of Yogosha was not conceived as a one-time project but as a strategic building block in the group’s security architecture. The objective is clear: to integrate offensive tests into a smooth, repeatable model that is compatible with the cadence of modern delivery.
Today, Sopra entities can already:
- integrate testing campaigns into their CI/CD pipeline,
- track vulnerabilities in the form of correlated tickets,
- remove duplicates, archive findings, and document exchanges.
But the ambition goes further. In the coming months, the group wants to deepen work on security performance indicators, consolidated reporting, and resource rationalization. In short: to make Bug Bounty and pentesting an integral part of security governance, just like monitoring tools or compliance frameworks.
“We don’t just want to do testing. We want to be able to industrialize, compare, correlate. And most of all, automate as much as possible to focus on what really matters.”
Frédéric PRON, former CISO at SBS
“If we have to time ourselves with a stopwatch to see how long it takes to run a hundred meters to know our speed, it can’t work well because it’s too tedious. That’s why we need more automation, first in operations, then at the reporting level.”
Loïc LE METAYER, Information Security Officer at SBS
In a context where regulatory requirements are intensifying and AI is disrupting practices, organizations that have not made this shift will lag behind competitors.
The train has left the station. And in cybersecurity, it waits for no one.
Offensive Security Put to the Test in the Field
The partnership between Yogosha and the Sopra teams is part of a pragmatic approach: integrating new offensive security practices into already well-established processes. The goal was not to reinvent what already existed but to enrich the group’s security posture with more agile, flexible, and collaborative solutions.
“With Sopra Steria, which was already very advanced in integrating security into its development processes, we co-created a service offering perfectly adapted to software publishers. It allows for a smooth and continuous integration of security tests, without slowing down delivery cycles.”
Christophe MARNAT, SVP Sales Europe & Africa at Yogosha
In an environment where development speed, regulatory pressure, and resource scarcity are intensifying, Sopra Steria demonstrates that it is possible to integrate Offensive Security into its workflows without making its processes more complex. A clear, industrializable approach aligned with the new standards of DevSecOps.
If you too would like to industrialize Offensive Security without rigidifying your processes, contact us.