Ensures information security and compliance with French security standards
Installation
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Daily collection and analysis of event logs and alarms
Regular security audits and penetration testing
Immediate incident detection and response
Continuous threat and vulnerability monitoring
Personnel security awareness and training
Maintenance of continuity and recovery plans
✅ RGS Implementation Phases (Click to Jump)
Agent Workflow: Identify your project type from quick start above → Select applicable phases → Work through checklists → Reference detailed annex files
Phase Navigation Index
Phase
Focus Area
Applicable To
Key Deliverable
Phase 1
Risk Management
All projects
Risk assessment report
Phase 2
Authentication & Authorization
All user-facing systems
Auth architecture
Phase 3
Encryption & Cryptography
All projects handling data
Crypto/TLS configuration
Phase 4
Input Validation & Attack Prevention
Web apps, APIs
Validation rules
Phase 5
Audit Logging & Monitoring
All production systems
Log strategy
Phase 6
Vulnerability Management & Patch
All projects
Patch policy
Phase 7
Third-Party Risk Management
Projects with integrations
Vendor assessment
Phase 8
Incident Response & Continuity
All production systems
IR procedure
Phase 1: Risk Management
Focus Area: Foundational - Required for ALL projects Why This Matters: Without risk analysis, you don't know what you're protecting or why Quick Assessment: Do you have a documented risk register? Have threats been identified?
Risk Analysis Complete: Documented threats, impacts, and mitigation strategy
ISO/IEC 27005: Risk management methodology defined and documented
EBIOS 2010: Security objectives clearly expressed using EBIOS framework
Residual Risks: Accepted by authorized decision-maker
Focus Area: Critical for Web Apps, APIs, Microservices (⭐⭐⭐) Why This Matters: This is where users prove they are who they claim to be. Failures here = all other protections useless Quick Assessment: Can an unauthenticated user access any protected resource? Are passwords stored in plain text?
Focus: Verify entity identity and control access per RGS security levels
No downgrade: Always use strongest available mechanism
Hijacking mitigation: Token rotation, session binding, re-authentication on sensitive ops
Trusted Infrastructure (If using third-party auth):
Document trust chains explicitly
Validate third-party security qualifications (ISO 27001, SOC 2)
Ensure authentication level maintained through delegation
Audit third-party authentication logs
📌 Reference Documentation: See RGS-ANNEX-B3-DETAILED.md for authentication models, machine-to-machine protocols, person unlock mechanisms, session lifecycle, third-party trust, and comprehensive audit requirements.
### Phase 3: Encryption & Cryptography (RGS Chapter 3)
**Focus Area**: Critical for ALL projects (⭐⭐⭐)
**Why This Matters**: Encryption is the only thing that stops attackers from reading your data even if they breach you
**Quick Assessment**: Is all traffic using TLS 1.3? Are database passwords encrypted at rest? **See [RGS-ANNEX-B2-DETAILED.md](./RGS-ANNEX-B2-DETAILED.md)**
**Focus**: Protect data in transit and at rest per RGS Annex B2 requirements
#### Actionable Requirements
- [ ] **TLS 1.3+** for all communications (TLS 1.2 minimum with strong ciphers)
- Perfect Forward Secrecy (PFS) via ECDHE
- HSTS header: `max-age=31536000; includeSubDomains`
- [ ] **Approved Algorithms** (RGS Annex B2):
- Symmetric: **AES-256** (preferred), AES-192, AES-128
- Asymmetric: **RSA-2048+** or **ECDSA (P-256/384/521)**
- Hashing: **SHA-256+** (never MD5, SHA-1)
- Key derivation: **PBKDF2** (100k+ iterations), bcrypt, Argon2
- [ ] **Key Management Lifecycle**:
- Generate: Cryptographically secure RNG only
- Store: Level * = encrypted software; Level ** = hardware token; Level *** = HSM
- Rotate: Annual minimum (monthly for critical systems)
- Destroy: Secure deletion per NIST 800-88
- [ ] **Data Protection**:
- Database: Encrypt sensitive fields (PII, credentials) with AES-256-GCM
- Full-disk encryption where applicable
- Backups encrypted with separate keys
- Keys never in code, logs, or config files
- [ ] **Certificates** (if implementing signature/authentication):
- X.509 v3 from qualified PSCE (Prestataire de Services de Certification Électronique)
- Proper revocation checking (OCSP/CRL)
- Certificate chain validation to trusted root (IGC/A for French admin systems)
📌 **Reference Documentation**: See [RGS-ANNEX-B2-DETAILED.md](./RGS-ANNEX-B2-DETAILED.md) for comprehensive implementation guide covering algorithms, certificate types, timestamping, key management phases, and security level mappings.
---
```typescript
// ✅ AES-256-GCM encryption (RGS-compliant) — Framework-agnostic pseudocode
// Implementation varies by language (Node.js, Python, Java, Go, etc.)
const encryptData = (plaintext: string, key: Buffer): string => {
// 1. Generate random IV (initialization vector) 16 bytes
const iv = generateRandomBytes(16)
// 2. Create AES-256-GCM cipher with key
const cipher = createCipheriv('aes-256-gcm', key, iv)
// 3. Encrypt data
const encrypted = cipher.update(plaintext, 'utf-8', 'hex') + cipher.final('hex')
// 4. Get authentication tag (ensures integrity)
const authTag = cipher.getAuthTag()
// 5. Return IV:AuthTag:Ciphertext (needed for decryption)
return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`
}
const decryptData = (ciphertext: string, key: Buffer): string => {
const [ivHex, tagHex, encrypted] = ciphertext.split(':')
const iv = Buffer.from(ivHex, 'hex')
const authTag = Buffer.from(tagHex, 'hex')
// 1. Create AES-256-GCM decipher
const decipher = createDecipheriv('aes-256-gcm', key, iv)
// 2. Set authentication tag (validates integrity)
decipher.setAuthTag(authTag)
// 3. Decrypt
return decipher.update(encrypted, 'hex', 'utf-8') + decipher.final('utf-8')
}
// ✅ PBKDF2 for password hashing (RGS-compliant)
// Pseudocode - use standard library or library like bcrypt
const hashPassword = (password: string): string => {
const salt = generateRandomBytes(32)
// PBKDF2 with SHA-256, 100,000+ iterations
const hash = pbkdf2(password, salt, 100000, 64, 'sha256')
return `${salt.toString('hex')}:${hash.toString('hex')}`
}
// ✅ TLS 1.3 configuration (framework-agnostic)
// Example: ExpressJS, NestJS, FastAPI, Spring, etc.
const serverConfig = {
keyFile: '/etc/ssl/private/server.key', // Private key
certFile: '/etc/ssl/certs/server.crt', // Certificate
minVersion: 'TLSv1.3', // Minimum TLS 1.3
ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256', // Strong ciphers
enableHSTS: true, // HTTP Strict Transport Security
}
Phase 4: Input Validation & Attack Prevention
Phase 4: Input Validation & Attack Prevention
Focus Area: Critical for Web Apps & APIs (⭐⭐⭐) Why This Matters: Most attacks enter through input (SQL injection, XSS, CSRF). Validation stops them at the door Quick Assessment: Are all user inputs validated against a whitelist? Is CSRF token check implemented?
SQL Injection Prevention:
Always use parameterized queries (prepared statements)
ORM with proper query builders (TypeORM, Sequelize, Prisma)
Input validation against expected schema
Principle: Never concatenate user input into SQL
XSS (Cross-Site Scripting) Prevention:
Output encoding for HTML, JavaScript, CSS contexts
Content Security Policy (CSP) header enforced
Template frameworks with auto-escaping
Input validation: reject scripts in user input
CSRF (Cross-Site Request Forgery) Protection:
Unique CSRF tokens on all state-changing operations (POST, PUT, DELETE)
Tokens validated on server before processing
SameSite cookie attribute: Strict or Lax
Double-submit cookie pattern (secure alternative)
Input Validation (RGS recommendation):
Validate all inputs against strict whitelist schema
Length limits, format validation, type checking
Reject unexpected parameters
Logging of validation failures
File Upload Security:
Validate file type (magic bytes, not just extension)
Size limits enforced
Scan for malware (if applicable)
Store outside web root
Disable script execution in upload directory
Rate Limiting & DoS Prevention:
API rate limits (e.g., 100 requests/minute)
Login rate limiting (5 attempts/15 min)
DDoS protection at perimeter (CDN, WAF)
// ✅ Input validation (RGS-compliant) — Framework-agnostic example// Following principle: validate ALL inputs against strict whitelist schemaclassUserInput {
// Schema validation examples:email: string// Must be valid email formatusername: string// 3-50 chars, alphanumeric + underscore onlyage: number// 18-120country: string// Max 2 chars, uppercase onlyvalidate(): ValidationErrors {
const errors = []
// ✅ Format validationif (!isValidEmailFormat(this.email)) {
errors.push('Invalid email format')
}
// ✅ Length validationif (this.username.length < 3 || this.username.length > 50) {
errors.push('Username must be 3-50 characters')
}
// ✅ Pattern validation (whitelist allowed chars)if (!/^[a-zA-Z0-9_]+$/.test(this.username)) {
errors.push('Username can only contain letters, numbers, underscore')
}
// ✅ Range validationif (this.age < 18 || this.age > 120) {
errors.push('Age must be 18-120')
}
return errors
}
}
// ✅ CSRF token validation (framework-agnostic)// On every state-changing request (POST, PUT, DELETE):const validateCSRFToken = (requestToken: string, sessionToken: string): boolean => {
// Token must match - prevents cross-site attacksreturn requestToken === sessionToken && requestToken !== null
}
// ✅ XSS prevention - output encoding (framework-agnostic)// Encode output based on context:const encodeHTML = (text: string): string => {
// Replace special chars: < > & " 'return text
.replace(/&/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''')
}
const encodeJavaScript = (text: string): string => {
// Escape for JavaScript stringsreturnJSON.stringify(text)
}
// ✅ File upload validation (framework-agnostic)const validateFileUpload = (file: UploadedFile): ValidationErrors => {
const errors = []
// Check file type (magic bytes, not just extension)const expectedMagic = { jpg: 'FFD8FF', png: '89504E47' }
if (!hasMagicBytes(file.data, expectedMagic[file.type])) {
errors.push('Invalid file type')
}
// Check file sizeconst maxSize = 5 * 1024 * 1024// 5 MBif (file.size > maxSize) {
errors.push('File too large')
}
// Check allowed extensions (whitelist)const allowedExt = ['jpg', 'jpeg', 'png', 'gif']
if (!allowedExt.includes(file.extension)) {
errors.push('File type not allowed')
}
return errors
}
Focus Area: Critical for ALL production systems (⭐⭐⭐) Why This Matters: You cannot detect or investigate attacks without logs. Logs are your evidence Quick Assessment: Are all login attempts logged? Can logs be tampered with? Are they retained 1+ year?
Audit Log Creation:
Event log for all critical actions: login, data modification, admin access, config changes
Log includes: timestamp, user ID, action, resource, outcome (success/failure), IP address
Format: Structured (JSON) for easy parsing
Log level: INFO for normal, ERROR for failures, WARN for suspicious activities
Focus Area: Important for ALL projects (⭐⭐⭐) Why This Matters: Known vulnerabilities are exploited within days. Patches prevent this Quick Assessment: When was the last dependency scan? Do you have a patch policy? How long until critical patches are applied?
Dynamic Testing: DAST tools and penetration testing
Responsible Disclosure: Security vulnerability reporting process
Phase 7: Third-Party Risk Management
Focus Area: Important for projects with integrations (⭐⭐⭐) Why This Matters: Your security is only as strong as your weakest vendor. A vendor breach can compromise you Quick Assessment: Do you have vendor security requirements? Are third-party services audited?
Vendor Assessment: Verify third-parties are secure
Data Processing Agreements: All vendors have DPA signed
Focus Area: Critical for production systems (⭐⭐⭐) Why This Matters: Attacks will happen. Well-prepared teams recover faster and suffer less damage Quick Assessment: Do you have an incident response plan? Who calls the response? How do you resume operations?