Starting May 25, 2018, the EU General Data Protection Regulation (GDPR) will harmonize data privacy laws across all EU states by providing a framework for organizations to handle the personal data of all EU citizens.
As organizations rush to deploy encryption technologies to secure data, we at Micro Focus Fortify Software Security Research would like to caution our customers against overlooking the importance of application security to help achieve GDPR compliance.
A crucial clause of the GDPR framework requires businesses to protect their systems and applications from “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data” (GDPR Article 32) by taking into consideration, “appropriate technical and organizational measures” (GDPR Article 25). These technical measures must include a formal process of application security and vulnerability assessment, if a comprehensive data security solution is to be achieved.
Presence of software vulnerabilities will undermine any protection mechanisms and processes deployed to ensure data security. Application vulnerabilities such as defects in the implementation of encryption technology, errors in key management, injection vulnerabilities, as well as configuration and maintenance errors in systems and networks that store or process personal data, can all result in the compromise of personal data.
In an effort to help our customers who are working to investigate and comply with the GDPR requirements, we have correlated the Micro Focus Fortify Taxonomy to GDPR compliance as it relates to application security. The vulnerabilities have been divided into four logical groupings to help identify weaknesses that can impact GDPR compliance.
The four logical groupings are:
Privacy Violation vulnerabilities include errors that result when an application simply fails to encrypt or pseudonymize personal data before transmitting, storing or writing to an external device.
Insufficient Data Protection vulnerabilities are a result of implementation flaws in the use of encryption technology to protect the confidentiality and privacy of personal data. Examples include use of a weak encryption algorithm, errors in configuring encryption parameters or the use of faulty key management practices. This will all undermine the benefits of encryption and compromise data security.
Access Control vulnerabilities include flaws in the implementation and configuration of authentication, authorization and access policies for an application, which allows unauthorized access to restricted resources leaving personal data vulnerable to misuse.
Indirect Access to Sensitive Data includes a large set of software vulnerabilities that are often overlooked but are critical in maintaining system and data integrity. These vulnerabilities if successfully exploited may result in giving the attacker control of the system resources and access to sensitive data. For example, injection vulnerabilities may allow attackers to run malicious script on servers, which would result in exposing sensitive system data and resources.
This set also includes software vulnerabilities in external third party and open source software components that interface with your application. Presence of any vulnerabilities in these components can compromise your application. It is therefore crucial that vulnerabilities such as unpatched application and web server misconfiguration be addressed with the same urgency as vulnerabilities in your application code.
The above correlation shows that it is imperative for organizations to ensure that all the systems, services and applications that handle sensitive data are themselves secure to achieve GDPR compliance.
All Micro Focus Fortify customers can access the benefits of this compliance template by downloading the recently announced 2018 R1 release.