Background

The European Union General Data Protection Regulation (GDPR)

GDPR is mainly associated with data processing and data collecting.

Nuradha Alwis, Project Manager

The EU’s General Data Protection Regulation (GDPR) was initiated a few years ago and was adopted by the EU Parliament on April 16th, 2016. After the two-year post-adoption grace period, the legislation came into force on 25th May 2018. The main objective of GDPR is to give data subjects full control of their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The legislation applies to all organizations that process or hold EU citizens’ data, regardless of where the organization is located.

Because GDPR is mainly concerned with data collection and data processing, it has a major impact on information technology organizations whose software development involves collecting and processing data.

All software development organizations that work with the personal data of EU citizens must upgrade their existing products to comply with the regulation, and new developments must align with GDPR.

To address this requirement, GDPR defines Article 25, “Data Protection by Design and by Default”.

Article 25 focuses on data protection (privacy) by design and data protection (privacy) by default, two central requirements of GDPR. Data protection legislation contains basic principles for safeguarding the privacy of data subjects. Data protection by design and by default helps ensure that the information systems we use fulfil these data protection principles, and that the systems safeguard the rights of data subjects.

In detail, “data protection by design” means that appropriate organizational and technical measures to ensure personal data security and privacy are embedded into the complete lifecycle of an organization’s products, services, applications, and business and technical procedures. Data protection by default means that:

- Only necessary personal data is collected, stored, or processed

- Personal data is not accessible to an indefinite number of people
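As an added illustration (not code from the original article), the two “by default” rules above can be expressed as a small Python enforcement layer: a purpose-to-field allowlist so only the necessary fields are stored, a keyed pseudonym in place of the raw subject identifier, and default-deny read access so stored data is not open to an indefinite set of roles. The purposes, fields, roles and sample form are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example policy: each processing purpose declares the only
# fields it needs (data minimisation) and the only roles allowed to read them.
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "shipping_address"},
    "newsletter": {"email"},
}
PURPOSE_ROLES = {
    "order_fulfilment": {"warehouse"},
    "newsletter": {"marketing"},
}


@dataclass(frozen=True)
class StoredRecord:
    purpose: str
    subject_ref: str  # keyed pseudonym, never the raw customer identifier
    data: dict


def pseudonymise(subject_id: str, key: bytes) -> str:
    """Derive a stable pseudonym with HMAC-SHA256 so records can be linked and
    erased per subject without keeping the raw identifier in the processing store."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(raw: dict, purpose: str) -> dict:
    """Keep only the fields the declared purpose needs; an unknown purpose is
    rejected rather than silently storing everything."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown processing purpose: {purpose}")
    return {k: v for k, v in raw.items() if k in PURPOSE_FIELDS[purpose]}


def collect(raw: dict, purpose: str, subject_id: str, key: bytes) -> StoredRecord:
    """Collection entry point: minimise first, then pseudonymise the subject key."""
    return StoredRecord(purpose, pseudonymise(subject_id, key), minimise(raw, purpose))


def read(record: StoredRecord, role: str) -> dict:
    """Default deny: a role reads a record only if explicitly allowed for its purpose."""
    if role not in PURPOSE_ROLES.get(record.purpose, set()):
        raise PermissionError(f"role {role!r} may not read {record.purpose!r} data")
    return dict(record.data)


# Constructed sample input: a sign-up form that over-collects.
SAMPLE_FORM = {"name": "A. Subject", "email": "a@example.invalid", "phone": "000",
               "shipping_address": "1 Example St", "dob": "1970-01-01"}
```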

Software development should follow a methodology with a set of key activities to ensure that the final product is sound enough to meet the requirements of Article 25. Some technical literature focuses on security by design as part of developing software. However, there are major points that need to be considered regarding data protection by design and by default as part of developing software.

Secure Software Development Life Cycle (S-SDLC) and Microsoft Security Development Lifecycle (MS-SDLC) are two main frameworks that explore how to incorporate data protection principles, data subject rights and the requirements of GDPR into every step of the process.

Both frameworks focus on adding security-related activities to the SDLC, such as writing security requirements alongside the functional requirements, performing an architecture risk analysis during the design phase, and considering security when planning and building test cases.

Most software development organizations follow MS-SDLC in practical implementation. MS-SDLC has seven main phases, shown below.

[Figure: the seven phases of MS-SDLC]

Each phase aligns software development with security considerations in its own way.

01. Training

The main goal of the training phase is a commitment to understanding security basics and the latest developments in security and privacy, which can greatly help organizations reduce the number and severity of exploitable software vulnerabilities and react appropriately to an ever-changing threat landscape. To meet this goal, there is a set of tools and practices that can be implemented during the phase.

Core security training is one of the main techniques: team members are educated on all the security aspects that need to be considered when building better software, including secure design, threat modeling, secure coding, security testing and best practices surrounding privacy. Continual assessment and improvement of team members’ knowledge through this training is highly important.

02. Requirement gathering and analysis

This is the second stage of MS-SDLC, in which a set of activities must be performed to ensure the security of the product at the end of development. During this phase, teams focus mainly on foundational security and privacy issues and analyze how best to align quality and regulatory requirements with estimated costs and business needs.

The team defines security requirements, creates quality gates, and performs privacy and security risk assessments to ensure that the final product is aligned with GDPR.

This is a one-time activity in an agile-based software development environment.

03. Design

04. Implementation

During the implementation phase, the main focus is on the end-user side: end users can be informed of the decisions on the most secure ways to deploy the final product. Using approved tools, and analyzing all functionalities and APIs of the application together with existing application statistics to reduce potential security bugs, also helps improve the security of the application.

Security aspects are implemented incrementally during every sprint.

05. Verification

This phase involves a comprehensive effort to ensure that the code meets the security and privacy tenets established in the previous phases.

Performing runtime checks of application behavior based on its functionality ensures that there is no memory corruption, user privilege issues or other critical security problems.

Introducing fuzz testing also helps make sure that application behavior meets the security requirements.

Intentionally introducing application failures and generating random data also helps the team test application stability against security threats.

In an agile development environment, verification takes place as a bucket practice.

06. Release

The focus of this phase is readying the project for public release, including planning ways to effectively perform post-release servicing tasks and to address security or privacy vulnerabilities that may occur later.

Performing a final security review, certifying the final product and defining the incident response plan ensures that the product covers all security aspects and is well equipped to face future incidents.

As a post-release activity, archiving all materials is also a crucial task for the technical team. This includes specifications, source code, binaries, private symbols, threat models, documentation, emergency response plans, and license and servicing terms for any third-party software.

07. Response

This post-release phase focuses on the development team being able and available to respond appropriately to any reports of emerging software threats and vulnerabilities. This is the time to activate the incident response and management plan defined in the release phase.

The phases above can be aligned with each traditional software development phase. In agile-based software development, however, some of the phases need to be performed in each sprint separately.

Some are bucket practices (implemented on a regular basis, and can be spread over a few sprints at a time) and are therefore considered one-time practices during the project lifespan.

The full implementation phase, along with threat modelling, the final security review, certified security review and archiving, becomes a best practice for each sprint.

The full verification phase and the definition of quality gates are performed as bucket practices.

Establishing security requirements and design requirements, performing privacy risk assessments and creating an incident management plan are one-time tasks in agile-based development.

Integrating all seven phases with the organization’s software development process and methodology delivers a highly secure product to the end user, in full compliance with Article 25 of GDPR.
