This May, a new sheriff overseeing data privacy in the European Union began its watch, and its name is GDPR (General Data Protection Regulation).
“Sheriff GDPR” has sworn to uphold the privacy rights of citizens who provide their personal and financial information to companies in the European Union by limiting what those collecting data can do with it. It also gives individuals the right to rescind permission for their data to be used. They can even request that companies erase their personal data and not keep it on file.
While these regulations, which were originally adopted by the EU last year, currently only pertain to Europe, Varonis CEO and Forbes Technology Council member Yaki Faitelson pointed out in a December article that GDPR’s reach will most assuredly extend to U.S. businesses. He noted, “Any U.S. company that has a Web presence (and who doesn’t?) and markets their products over the Web will have some homework to do.”
Any doubts about Faitelson’s prediction that the General Data Protection Regulation simply strengthens the “long arm of the law” were answered the day it became a law, as reported by IDG Connect:
“The very same day GDPR came into force, Facebook, Google, Apple, Amazon and LinkedIn were all targeted with multi-billion dollar lawsuits by privacy activists and consumer rights groups for not complying with their reading of consent under the new regulations. Twitter, meanwhile, is blocking any user it thinks was under 13 years old when they signed up to the service (no matter what age they are now) in an effort to be compliant.”
One big point driven home by the lawsuits against these organizations is that it doesn’t take a breach for a company to be in violation of data privacy rules. Under GDPR, it’s no longer good enough for companies to install security software that alerts them after a breach takes place.
It’s now up to companies to proactively prevent data breaches from happening, or else face staggering fines.
But with attackers constantly finding new vulnerabilities in complex business software, how are companies supposed to secure their data? As discussed at a recent CAST user group in Italy, this privacy-sensitive environment calls for organizations to address software risk and application security at the software design stage, rather than after deployment.
This represents a major shift in attitudes about enterprise software development. The industry has moved towards DevOps for IT modernization, which prioritizes speed and agility over software quality and application security. Pushing new features to market faster is more likely to have a positive impact on the ease of use and saleability of end-user applications, but it comes at a cost.
Flagging that cost, Computer Weekly reports that application security is more important than ever:
“Many application vulnerabilities are caused by architectural design flaws. As automation and smart software become an increasingly large part of IT systems across several industries, the way these machines are programmed needs to be carefully analyzed. Security is an essential requirement for any type of digital business. In a sense, it’s a hygiene factor. It must be present, although it seldom contributes directly to the primary business functionality of the system. However, poorly-chosen application security approaches can certainly impede usability and efficiency.”
The blasé attitude toward security across industries is a bit frightening, especially when you consider the ubiquity of application security vulnerabilities. A 2017 survey conducted by WhiteHat Security “found that approximately 60 percent of applications in the Utilities, Education, Accommodations, Retail, and Manufacturing sectors are always vulnerable.” The report also says most companies cannot even find the vulnerabilities, and as the great Muhammad Ali used to say, “You can’t hit what you can’t see.”
Obviously, if companies are going to be held responsible for fixing the vulnerabilities in their software to comply with GDPR, they need to start by finding out where those vulnerabilities exist. With the average application consisting of more than a million lines of code, this cannot be done manually. It requires automated application analysis to scan the code and locate the flaws.
In part 2 of this series, I’ll discuss how automated application assessment makes GDPR compliance more feasible, without disrupting current software development processes.