While tech giants like Facebook and Google are taking a gamble on how they handle consumer data in Europe, the rest of the world is hustling to become GDPR compliant.
A few weeks ago, I wrote that GDPR places responsibility for data privacy squarely on businesses and that this will have a great impact on how businesses will have to focus on building security into their application from the ground-up in order to comply. Today, I’ll look at best practices for compliance and provide an example of how one platform for automated software analysis addresses GDPR requirements.
Assessing Legacy Applications
Using automated application portfolio analysis is particularly vital for companies running either legacy applications or applications built upon legacy apps. Often, the original application includes code so old that the average IT manager and most CIOs were in grade school when it was written. This means it’s highly unlikely that even the most senior members of the IT department will have had experience with the code used to write the legacy apps.
The problem this unfamiliarity creates goes beyond rewriting old code or untangling the system to migrate data to modern platforms. Equally complex, if not nearly impossible, is figuring out where the old mistakes are: if nobody knows what is right, how would they know what is wrong? This makes fixing old issues problematic at best.
Workarounds, or simply ignoring the issues in the hope that they will not cause trouble later, are the most frequent answers, but sidestepping the problem is no longer an option under GDPR. Ignoring or working around such defects leaves the poor structural quality in place, and that is what leads to future breaches.
An automated assessment platform reviews hundreds of thousands of lines of code more quickly than a manual review, and applies the same rules consistently across the entire code base. By automating static analysis, companies can ferret out offending legacy code and give those responsible for the upgrade a solid structure upon which to build.
Employing the same automated analysis and measurement platform for continual architectural and code component reviews catches new issues as they arise and ensures that what is being built atop the legacy application interacts properly with the existing code.
Automated Application Portfolio Analysis in Practice
One example of how an automated application portfolio analysis platform works to uncover vulnerabilities, and therefore assist in GDPR compliance, is CAST’s Application Intelligence Platform (AIP), which creates a digital image of the internal composition of applications.
Unlike code testing, CAST applies system-level architectural assessments to examine how components interact and how they work across technology layers, data structures and end-to-end transactions, from user entry to data access. The result supports a Data Protection Impact Assessment (DPIA) with a comprehensive view of complex software composition and detailed intelligence about its internal integrity.
The value of using a solution like CAST AIP in developing the DPIA is:
A platform like CAST’s Application Intelligence Platform is also important to maintaining ongoing compliance with GDPR. CAST:
With these investigations and reports in place, CAST AIP provides a solution for a number of the articles in GDPR, including:
GDPR is now the law in Europe, and it or something like it is likely to be adopted in the U.S. The best way to avoid running afoul of that law is to employ an automated application analysis platform like CAST's AIP to locate vulnerabilities and produce the reports your company needs to demonstrate GDPR compliance.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target's systems, provides customized quality metrics, and surfaces the liability implications of open source components, all three of which are critical for M&A due diligence.