Teiss guest blogger Colin Domoney, consultant solution architect at Veracode, considers how information security should be built into apps by design and default.
Many organisations are still finding their feet when it comes to understanding how to ensure compliance with the upcoming European Union's Global Data Protection Regulation (GDPR). However, with fines for non-compliance reaching as high as four per cent of a company’s global turnover, or €20 million, it’s clear that any business that competes globally must begin preparing a framework that delivers the necessary level of compliance now.
To date, data storage and management have dominated a large part of the discussion. However, boosting cybersecurity protections, including application security, will be crucial to ensure future compliance.
One key element of GDPR that requires greater consideration is the requirement to implement 'data protection by design and by default'. This means that data security and privacy must be considered from the outset, data protection safeguards must be built in, and data processing methods must be privacy-centred by default.
Also of interest: Brexit and GDPR
The 'by design' clause requires that security and data protection be front of mind from the start of the development process. Organisations will have to build a 'secure by design' culture in application development, something that many organisations are starting to implement.
This means several things: secure design and threat modelling; training developers on secure coding best practices; ensuring that they are coding securely; and identifying and remediating any security-related defects in their code – preferably, as they are writing it.
That's perhaps the briefest outline of how best to achieve secure application development practices I’ve ever given. I’d thoroughly recommend that anyone involved in application development and/or application development management read up on all the those techniques. That's because GDPR presents a challenge beyond 'doing it right' in terms of secure design of applications. Companies must also be able to prove that the entire application security development process is compliant in and of itself.
Are you application security initiatives compliant?
As well as developing applications more securely, a significant challenge for many organisations post-GDPR will be the ability to prove compliance with the new and more stringent requirements for data protection, some of which affect application security (appsec) practices.
Unfortunately, with less than a year to go until GDPR comes into force, many organisations will struggle to meet GDPR standards for code review and partner verification because they lack the time, budget and staff. It will prove essential to tap into solutions that can address these new requirements. A check-box approach is unlikely to meet the needs of an auditor. Instead teams need to embrace a more strategic, best-practice compliance framework for application security.
Also of interest: Who owns your data?
So, how do you achieve this? Here are four best practice steps to help ensure your appsec initiatives remain compliant.
1. Track code flaws, reviews and compliance through a single platform
Creating one central repository for all information relating to software weaknesses, as well as any proposed, accepted and rejected mitigations, streamlines compliance processes. Organisations can also maximise the effectiveness of security assessments by consolidating the results of different testing methods (i.e. dynamic analysis, static analysis and manual penetration testing) in one place.
2. Achieve continuous compliance monitoring
It's important to recognise that compliance isn't the end goal. Regulations should be part of a greater, holistic security framework that aims to better protect systems and data. Any cybersecurity initiative should prioritise continuous and ongoing compliance. In terms of application security, this can be achieved by:
- Integrating security testing into the software development lifecycle (SDLC)
- Regularly running discovery scans of web applications within an organisation's entire web perimeter, including international domains, temporary marketing sites, and sites obtained through mergers and acquisitions
- Continuously monitoring the production of web applications for vulnerabilities
- Virtually patching web application firewalls using the security intelligence from application assessments
- Auditing and actively defending against actual cybersecurity events that are targeting common vulnerabilities
3. Keep non-public data safe, whether it’s in internal applications or vendor systems
Another key part of GDPR is that an organisation must protect personal data that is managed both internally and by external contractors or vendors. Ensuring that the cryptography used by an application is implemented correctly and remains intact is crucial. So is building a programme that requires third-party software to be held to the same security standards as that developed internally.
4. Automate and audit compliance workflows
Organisations will significantly benefit from deploying a platform that can automate workflows, reduce communication overhead, and deliver a secure audit trail that can be used for compliance processes. However, this then necessitates a robust policy management framework that documents and communicates a security policy. Having a platform that can integrate with other key systems for the sharing of critical information, such as listings of all discovered flaws, application security scores, and flaw status information (i.e. new, open, fixed or re-opened), will further facilitate this process.
As with all aspects of IT, security and data management, GDPR has massive implications for application security. Going beyond just ensuring that security processes are brought up to scratch throughout the SDLC and post-production, these regulations require organisations to think about the potential data management challenges that they face throughout this cycle.
Agile and DevOps adoption is accelerating, with many organisations already looking at their development processes to ensure that security is being integrated in a way that support more secure applications without impacting the delivery deadline. As organisations start building these new processes that will enable them to achieve the coveted accelerated time-to-market of secure applications, it’s crucial that they keep the internal data protection challenges front of mind to ensure that any new processes will remain fit-for-purpose post-May 2018.
Image courtesy of thinkstockphotos.co.uk, copyright m-imagephotography
Colin Domoney is consultant solution architect at Veracode, the end-to-end application security company.
Originally an embedded systems developer working on military grade secure communications systems in South Africa, Colin has over 20 years of development and security expertise in the telecommunications, consumer, medical and financial service industries. His most recent experience has been as the technical expert leading a large scale application security programme in a large multinational investment bank. He was responsible for the deployment and operation of the Veracode service, and leading the remediation programme, and deploying a RASP solution within the organisation.