Hackers are constantly looking for vulnerabilities in systems in order to mount a devastating attack. Read on to learn how to ensure the continuous security of your application and its compliance with the GDPR, so that your business stays secure.
From this article you will learn:
- which areas of cybersecurity your company should focus on,
- how you can avoid or minimize cybersecurity risks,
- how to ensure the security of your resources and systems,
- what continuous pentesting is and why it can be crucial for you.
Running a business in the 21st century, you become more and more technology aware. If you are in the middle of a digital transformation, either developing a web or mobile application or changing an existing one, you may realize (or not) that the great opportunities high technology brings to your business come with great risks that have to be faced. Cyber attacks and issues related to GDPR compliance can be a huge headache for contemporary digital products, whether they take the form of web or mobile apps, SaaS platforms or IoT devices. And this is no exaggeration: it really is the case.
Security of small, medium and large companies
On average, a hacker attack occurs every 39 seconds. What is more, 43% of cyber attacks target small companies, a fact the cybersecurity company Lemlock confirms. Not only large companies (e.g. Maersk or Renault) but also small ones (e.g. Green Ford Sales, a car dealership in Kansas, or Wright Hotels, a real estate development firm) have become targets of cyber crime. Such attacks are devastating for a company regardless of its size, influence or reputation. It does not even matter whether your business comes from the logistics, finance or e-dating sector: as long as it is related to money, it is related to the benefits a hacker can gain by taking advantage of your vulnerabilities.
Moreover, with the advent of the GDPR, you also face an additional threat related to the proper care of your users' privacy. Google was already forced to pay a €50 million fine for not properly disclosing to users how their data is collected across multiple services. It is a large player on the market, and it would seem able to adequately protect its resources and systems not only against suspicious and criminal actions, but also against irresponsible data management, data breaches and non-compliance with the GDPR. As it turned out, money can't buy happiness (or luck!), and even Google fell victim to sloppy care for the privacy of its users.
Cybersecurity in application development
It is worth asking yourself a very important question here: how can you avoid, or at least minimize, the risk that your system will be hacked? And another one: will you be able to properly take care of your users' privacy? To answer these questions, imagine the following situation: you are going on a long holiday to the warm and sunny Canary Islands, and you don't want anyone to break into your house while you are away. What do you do? The simplest answer is that you go and check whether all the windows (not to mention the door...) are locked.
This is just a metaphor to make you realize that you can do the same thing with your digital products. You can check whether your apps are "locked" properly by performing a security audit (also known as penetration testing, or a pentest) against your system. A pentest is a verification method in which a dedicated cybersecurity firm or specialized agency performs real attacks against your system in order to tell you what its weaknesses are and how to address them. Getting back to our home example, asking a cybersecurity company for support is like sitting in the car just before leaving for your holiday and asking your partner, or whichever household member is just leaving the house, "Could you check whether I closed all the windows?".
Now you know that you can check whether your system is properly locked against cyber attacks, so you are probably wondering whether you can also check that user privacy is handled correctly, right? Yes, you can. Some cybersecurity firms provide a service that checks whether your system architecture, databases, servers, backups, etc. address GDPR requirements such as privacy by design and by default, or user provisions. But what if you are in the middle of the application development process?
How to add new features to the application in a secure way?
That's fine. Going back to our metaphor of the holiday and the home: you have checked that all the doors and windows are locked, and you can leave for your dream holiday. But what if, while you are on holiday, you have hired some workers to renovate your bathroom? Let's say you did this on purpose, to have it done while you are away, because you didn't want to live in a house without a bathroom for several days. Now you may be wondering whether, after the workers finish for the day, they will remember to close all the doors and windows in your home. You're not so sure, so you ask your neighbor to check, every time they leave, that everything is properly closed.
Security audit and GDPR compliance audit
Now let's apply the above case to the situation with your digital product or application. Let's say you want to go live with your app. In order to do that in a secure way, you ask a cybersecurity agency to perform both security and GDPR checks, to avoid unpleasant situations in the future. The agency provides you with reports listing everything you need to do to increase the security of the application, and also recommends repeating the check after 6 or 12 months (depending on the type of your system). You have all the issues from the report fixed, and you are happy because, for a longer period, the cyber protection aspects of your platform will be fully addressed.
Continuous Integration and Continuous Delivery in application development
However, it is quite common during the application development process to have gone public with your app long before it is finally finished, while planning to keep adding new features to the system. This is a common scenario, especially when you follow Continuous Integration, Continuous Delivery and the Scrum approach, where you deliver your product to the market in small iterations instead of creating it all at once. This approach allows you to minimize the risk of failure, to adapt the application better to end users, and to introduce new features more effectively. Those new features, because of the dynamics of their development, are often not taken into account during the application security audit, and thus pose a potential threat.
The importance of Continuous Security in application development
So, what is worth doing when we are constantly extending the application with new functionality? Is it worth performing an application audit every time a new release takes place? That would probably be the best option, but, compared with our vacation example, it is like coming back from your holiday every day to check whether the doors are locked. This would take a lot of time and increase your time to market, not to mention the costs.
Ask your cybersecurity agency whether they can support you in a "continuous way". Here I am thinking of the increasingly popular services of continuous pentesting and continuous GDPR checks. If your agency provides them, they already know your system very well and can focus on the new functionality. Moreover, they have most likely prepared some scripts during the initial security test, so they can also quickly verify whether new functionality affects the security of the existing one (so-called regression testing). In addition, the cybersecurity company can provide the development team with recommendations and instruct them on how to add new functionality to the application with cybersecurity in mind.
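As an added illustration (not code from the original article or from any particular agency), here is the kind of security regression script such a team might leave in your CI pipeline after the initial audit. It evaluates captured HTTP responses against a baseline recorded during the audit (protected paths must reject unauthenticated callers, required security headers, cookie flags), so a new feature shipped without an authentication check shows up as a finding. The paths, headers and captures below are constructed sample data.

```python
import re

# Constructed baseline, standing in for what an initial audit would record: paths
# that must reject unauthenticated callers, headers every response must carry,
# and the minimum acceptable HSTS max-age (180 days).
PROTECTED_PATHS = {"/api/orders", "/api/users/me", "/api/export"}
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=(\d+)"),
    "x-content-type-options": re.compile(r"^nosniff$", re.IGNORECASE),
    "content-security-policy": re.compile(r"default-src"),
}
MIN_HSTS_AGE = 15552000

def check_response(path, status, headers, authenticated=False):
    """Findings for one captured response ([] = pass); 'Set-Cookie' value is a list."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if path in PROTECTED_PATHS and not authenticated and status < 400:
        findings.append(f"unauthenticated request returned {status}")
    for name, pattern in REQUIRED_HEADERS.items():
        m = pattern.search(hdrs.get(name, ""))
        if not m:
            findings.append(f"missing or malformed {name}")
        elif name == "strict-transport-security" and int(m[1]) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_AGE}")
    for cookie in hdrs.get("set-cookie", []):
        # Attributes follow the first ';' (Path=/; Secure; HttpOnly ...)
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            findings.append(f"cookie {cookie.split('=')[0]} lacks Secure/HttpOnly")
    return findings

def run_regression(captures):
    """captures: (path, status, headers, authenticated) tuples -> {path: [findings]}
    for the paths that fail, so an empty dict means no regression was found."""
    report = {}
    for path, status, headers, auth in captures:
        findings = check_response(path, status, headers, auth)
        if findings:
            report[path] = findings
    return report

GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'"}
# Constructed captures from a hypothetical release: the audited endpoints still
# pass, but the newly added /api/export shipped without an authentication check.
SAMPLE_CAPTURES = [
    ("/api/orders", 401, GOOD, False),
    ("/api/users/me", 200, {**GOOD, "Set-Cookie": ["sid=abc; Path=/; Secure; HttpOnly"]}, True),
    ("/api/export", 200, {**GOOD, "Set-Cookie": ["sid=def; Path=/"]}, False),
    ("/login", 200, {"X-Content-Type-Options": "nosniff"}, False),
]
```

In a real pipeline the capture step would make requests against a staging deployment and the job would fail whenever `run_regression` returns a non-empty report.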
Is it worth constantly checking the security of the system?
This helps you address your needs in a lean and quick way and makes your cybersecurity partner an integral part of your team. It also allows you to reduce costs: you don't have to perform a heavy application security audit each time you release a new version, and your partner handles your cybersecurity and GDPR challenges on an ongoing basis.
The issue of continuous security should not be neglected, especially since your application can change as dynamically as the needs of your customers or the market. Hackers act just as dynamically, always looking for new vulnerabilities. That is why it is always worth having continuous cybersecurity support, or a neighbor who will not let thieves break into your home. Then you will be able to rest peacefully on your vacation.