App dev & the GDPR: three tenets for effective compliance
According to the official EU GDPR website, http://www.eugdpr.org, “The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.”
This may well be true. The GDPR includes unprecedented penalties connected to data breaches, it reaches across international borders, and it targets both data owners and 3rd party service providers that process/manage that data.
While data governance inside IT and DevOps orgs have (justifiably) been the primary focus of GDPR compliance efforts, application development organizations should also recognize that they have been put on notice as well.
If your software might, perhaps even at some point in the future, process EU personal data (whether or not your company is the organization running that software) – you and/or your clients will also likely be subject to GDPR obligations and potential penalties.
If you fall into this very wide net, the following three app dev GDPR tenets probably warrant your immediate consideration:
1. Development organizations can be held accountable for data breaches where attackers capitalized on avoidable software gaps or vulnerabilities.
A personal data breach, as defined by the GDPR, includes data damage, loss, or unauthorized access resulting from application tampering, monitoring, or vulnerability exploit.
The GDPR personal data breach definition includes “the unlawful alteration, loss, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (formatting added here for emphasis).
Many data breaches begin with an application vulnerability exploit (elevation of privileges for example) or application tampering (bypassing identity or other security checks using a debugger in a production setting to manipulate app data or runtime logic for example). In both of these examples, an attacker is able to subvert the controls and restrictions that an application would normally impose.
Recommendation: These risks and their corresponding mitigating controls need to be included in GDPR assessments and, as appropriate, remediation processes. This would apply to both software developed in-house and to supplier risk assessments when software is licensed or used as a service.
2. 100% vulnerability free applications 100% of the time is an unattainable standard.
Exploiting application vulnerabilities to gain unauthorized control over private data is a widely recognized, common attack technique.
In an ideal world, development would release vulnerability-free applications that were also immune to native and managed debugger hacks, profilers and reverse-engineering tools. We do not live in an ideal world.
Secure coding practices informed by subsequent static analysis and security testing are often effective in striving for this ideal, but even in the best case scenarios, can never guarantee a vulnerability-free application. Further, secure coding practices do not address risks stemming directly from unauthorized debugging, tampering, or reverse engineering hacks (since these do not rely upon vulnerability exploits for success).
Recommendation: Controls to prevent vulnerability discovery and exploitation in production settings are necessary compliments to those that minimize the likelihood that vulnerabilities are introduced in the first place.
3. Application hardening is a recognized control to minimize risks stemming from unauthorized use of debuggers to compromise production applications (and, by extension, the data that flows through them).
In June of 2017, 400 development organizations were asked if they had controls in place to mitigate these kinds of production attacks on their applications.
- 51% reported having preventative controls
- 35% reported having detective and defensive controls, and
- 23% reported having reporting controls. *
* It is also worth noting that the percentages across all categories were higher for development organizations serving manufacturing, financial, and healthcare industries. In short, independent of GDPR requirements, these kinds of controls are widely deployed.
Recommendation: Application hardening can play a vital role in an effective GDPR compliance program and should be evaluated for inclusion within existing application and cybersecurity control frameworks. Further, as the survey responses show, application hardening is generally known to be effective against these kinds of risks and, as such, may be considered by regulators and the courts to be "reasonable" precautions that should - by implication - be in place.
PreEmptive Solutions will be publishing risk assessment and project implementation templates to help enterprises and System Integrators evaluate and, when appropriate, implement application hardening GDPR controls.
If you would like to preview these templates to provide feedback (or learn more about our particular application hardening software), please email firstname.lastname@example.org.