Secure By Design: Preparing for GDPR Should Begin With Software

May 10, 2018 By Brian Fox

4 minute read time

Software is no longer written from scratch -- it’s assembled.

In fact, 80-90% of a modern application is built using open source software components. These free, packaged bits of reusable code are downloaded each year by the hundreds of billions. Every development team uses them to accelerate production and deliver new innovations. Every software application you use, at work or at home, is made up of them.

In today’s application economy, innovation is king, speed is critical and open source is center stage. While organizations are delivering software innovations at a quicker pace, one aspect of delivery is being gravely overlooked: security. Our research estimates that 1 in 18 open source components downloaded last year had a known security vulnerability. The security defects in these components are being assembled into finished goods in medical, defense, entertainment, financial services and every other industry, which leaves applications and their data, our privacy -- and potentially our health -- at risk.

When the innovation race is being run without proper oversight, getting to the finish line safely will require greater (and faster) care. That’s set to be a major challenge for organizations developing software under the forthcoming EU General Data Protection Regulation (GDPR). 

Article 32 of the GDPR states that organizations must “implement appropriate technical and organizational measures” to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” When combined with Article 25, which mandates that data protection measures be implemented “by design and by default”, it’s clear that privacy and security must become ingrained in every element of IT infrastructure.

If you fail to follow these rules and known software vulnerabilities end up inadvertently helping hackers steal sensitive consumer data, you could be on the hook for seriously big fines: up to €20 million, or 4% of global annual turnover -- the greater of the two. 

A Cautionary Tale

In today’s economy, data is the new oil. It’s no wonder that applications are the top attack vector for hackers -- data lives within applications. With attacks on the rise, businesses can no longer afford to ignore their poor software hygiene practices.

In 2017, it took attackers only three days from the public disclosure of a vulnerability in the Apache Struts 2 open source framework to find their way into Equifax, in what would become the most notorious data heist of the year. Data on over 145 million American and British consumers was pilfered because a known, already-patched security vulnerability in that component had not been remediated. Had GDPR been in force, the company's predicament would have been even worse. Under Article 33, a company must notify its supervisory authority within 72 hours of becoming aware of a breach, and under Article 34 it must inform the affected individuals without undue delay; failing to do so carries a penalty of up to €10 million ($12 million) or 2% of the prior year's global turnover, whichever is higher. Equifax's decision to wait 40 days before notifying the public could have exposed it to a fine of up to roughly $60 million on top of the reputational damage it incurred.

Hardwiring Security From The Beginning

To ensure GDPR compliance, appropriate safeguards must be put in place across the entire software lifecycle. Just as development practices have accelerated, so have the safeguards. Where tollgate-style compliance reviews at the end of a release were once the norm, automation is now being used to apply high-speed guardrails within everyday development practice, keeping innovation moving at the right pace without waiting for a manual gate.

The Value Of Embedded Intelligence

How can developers stay GDPR compliant and continue to deliver competitive innovations in a secure manner? In short, by embracing DevSecOps principles aimed at building in quality. In DevSecOps practices, governance and compliance guardrails are embedded early and throughout the software development lifecycle. Once manual reviews of component governance have been automated, developers will have transparent access to digital guardrails integrated with their own native tools — an approach that ensures security is being built in without slowing developers down.

The digital guardrails exposed to developers surface component intelligence instantly, telling them which components are clean and which ones carry known security defects. When a defect is flagged, developers are guided through remediation with automated intelligence that identifies safer versions or alternative components to use. These instant feedback loops on good and bad components have been shown to increase developer productivity by as much as 48%.
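The guardrail described above, as an added example that is not part of the original article and not Sonatype's own tooling: a minimal dependency policy gate in Python that checks a build's resolved components against an advisory feed, flags affected versions, recommends the lowest version that clears every advisory for that component, and blocks the build when any finding is at or above a severity threshold. The component coordinates, advisory identifiers, version ranges and severities are all constructed for the illustration; they are not real components or real advisories, and `ADV-0001` and friends are hypothetical identifiers rather than CVEs.

```python
"""Minimal component-governance guardrail (illustrative, constructed data).

Scans a resolved dependency list against an advisory feed, reports affected
components with a safe upgrade target, and applies a severity-based policy gate.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '2.3.32' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real CVE
    component: str     # "group:artifact" in Maven coordinates
    introduced: str    # first affected version (inclusive)
    fixed: str         # first version no longer affected (exclusive upper bound)
    severity: str


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory_id: str
    severity: str
    upgrade_to: Optional[str]


# Constructed advisory feed for hypothetical components; not real advisories.
ADVISORIES = [
    Advisory("ADV-0001", "com.example:widget-lib", "2.3.5", "2.3.32", "critical"),
    Advisory("ADV-0002", "com.example:widget-lib", "2.3.32", "2.3.34", "medium"),
    Advisory("ADV-0003", "com.example:json-parse", "1.0.0", "1.4.2", "high"),
]

# Constructed dependency list, as a build tool would resolve it for one module.
DEPENDENCIES = [
    ("com.example:widget-lib", "2.3.8"),
    ("com.example:json-parse", "1.2.0"),
    ("com.example:logging", "3.0.1"),
]


def is_affected(version: str, advisory: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def recommend_upgrade(component: str, version: str,
                      advisories: List[Advisory]) -> Optional[str]:
    """Smallest 'fixed' version of this component, at or above the current one,
    that no advisory in the feed still covers. None if no candidate qualifies."""
    relevant = [a for a in advisories if a.component == component]
    candidates = sorted({a.fixed for a in relevant}, key=parse_version)
    for candidate in candidates:
        if parse_version(candidate) < parse_version(version):
            continue
        if not any(is_affected(candidate, a) for a in relevant):
            return candidate
    return None


def scan(dependencies: List[Tuple[str, str]],
         advisories: List[Advisory]) -> List[Finding]:
    """One Finding per (dependency, advisory) pair whose version is affected."""
    findings = []
    for component, version in dependencies:
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                findings.append(Finding(component, version, adv.advisory_id,
                                        adv.severity,
                                        recommend_upgrade(component, version,
                                                          advisories)))
    return findings


def build_allowed(findings: List[Finding], block_at: str = "high") -> bool:
    """Policy gate: block the build if any finding is at or above the threshold."""
    threshold = SEVERITY_RANK[block_at]
    return not any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


if __name__ == "__main__":
    results = scan(DEPENDENCIES, ADVISORIES)
    for f in results:
        print(f"{f.component}@{f.version}: {f.advisory_id} ({f.severity}) "
              f"-> upgrade to {f.upgrade_to}")
    print("build allowed" if build_allowed(results) else "build BLOCKED by policy")
```

The recommendation step is the part worth copying: advisories arrive as version ranges, and jumping to the first fix for one advisory can land inside the range of another (here, `widget-lib` 2.3.32 closes ADV-0001 but is covered by ADV-0002, so the gate recommends 2.3.34). The `fixed` bound is exclusive, so a dependency already on the fix version is reported clean. In a real pipeline the same functions would run in the build tool or CI job with the project's actual lockfile and a maintained advisory feed, and the `build_allowed` threshold would be the organization's policy rather than a default.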

Today’s DevSecOps solutions deliver embedded analysis and intelligence across the entire software supply chain. Over time, this approach ensures developers procure the best open source components from the best suppliers, while continuously tracking components across the entire lifecycle.

The application economy can grow and prosper in regulated environments if it's managed properly. Organizations that embrace DevSecOps practices across their software supply chains will not only accelerate innovations but will also stay secure, compliant and competitive.

A version of this article originally appeared in Forbes

Tags: data protection, GDPR, open source governance, secure by design

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.