Security Research Blog

Micro Focus Contributor

Starting May 25, 2018, the EU General Data Protection Regulation (GDPR) will harmonize data privacy laws across all EU states by providing a framework for organizations to handle the personal data of all EU citizens.  

As organizations rush to deploy encryption technologies to secure data, we at Micro Focus Fortify Software Security Research would like to caution our customers against overlooking the importance of application security to help achieve GDPR compliance.

A crucial clause of the GDPR framework requires businesses to protect their systems and applications from “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data” (GDPR Article 32) by implementing “appropriate technical and organizational measures” (GDPR Article 25). If a comprehensive data security solution is to be achieved, these technical measures must include a formal process of application security and vulnerability assessment.

The presence of software vulnerabilities will undermine any protection mechanisms and processes deployed to ensure data security. Application vulnerabilities such as defects in the implementation of encryption technology, errors in key management, injection vulnerabilities, as well as configuration and maintenance errors in systems and networks that store or process personal data, can all result in the compromise of personal data.

In an effort to help our customers who are working to investigate and comply with the GDPR requirements, we have correlated the Micro Focus Fortify Taxonomy to GDPR compliance as it relates to application security.  The vulnerabilities have been divided into four logical groupings to help identify weaknesses that can impact GDPR compliance.

The four logical groupings are:

Privacy Violation vulnerabilities include errors that result when an application simply fails to encrypt or pseudonymize personal data before transmitting, storing or writing to an external device.

Insufficient Data Protection vulnerabilities are a result of implementation flaws in the use of encryption technology to protect the confidentiality and privacy of personal data. Examples include use of a weak encryption algorithm, errors in configuring encryption parameters, or the use of faulty key management practices. Any of these undermines the benefits of encryption and compromises data security.
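As an added illustration of the first two groupings (not code from the original post or from the Fortify product), the following Python contrasts an export that writes identifying fields unchanged, an unkeyed hash that only looks like pseudonymization, and a keyed HMAC that actually requires a secret to re-identify the record. The sample record, the field names and the key handling are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record; field names are hypothetical.
SAMPLE_RECORD = {"customer_id": "C-1001", "email": "alice@example.com", "plan": "gold"}
IDENTIFYING_FIELDS = ("customer_id", "email")


def export_record_plain(record: dict) -> str:
    """Privacy Violation: personal data is written to the export exactly as stored."""
    return json.dumps(record, sort_keys=True)


def pseudonymize_md5(value: str) -> str:
    """Insufficient Data Protection: an unkeyed hash is not pseudonymization.
    Anyone holding a list of candidate values can recompute it and match rows."""
    return hashlib.md5(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256: re-identification requires the key, which stays with
    the data controller and is never written to the export."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def export_record_pseudonymized(record: dict, key: bytes) -> str:
    """Replace every identifying field with its keyed pseudonym before writing."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = pseudonymize(str(out[field]), key)
    return json.dumps(out, sort_keys=True)


def leaks_personal_data(exported: str, record: dict) -> bool:
    """Pre-release check: does any raw identifying value from the source record
    appear verbatim in the exported text?"""
    return any(str(record[f]) in exported for f in IDENTIFYING_FIELDS if f in record)


if __name__ == "__main__":
    # Assumption: in production the key comes from a secret store, not the code.
    key = secrets.token_bytes(32)
    print(export_record_plain(SAMPLE_RECORD))
    print(export_record_pseudonymized(SAMPLE_RECORD, key))
```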

Access Control vulnerabilities include flaws in the implementation and configuration of authentication, authorization and access policies for an application, which allow unauthorized access to restricted resources and leave personal data vulnerable to misuse.

Indirect Access to Sensitive Data includes a large set of software vulnerabilities that are often overlooked but are critical to maintaining system and data integrity. These vulnerabilities, if successfully exploited, may give the attacker control of system resources and access to sensitive data. For example, injection vulnerabilities may allow attackers to run malicious script on servers, which would expose sensitive system data and resources.

This set also includes software vulnerabilities in external third-party and open source software components that interface with your application. The presence of any vulnerability in these components can compromise your application. It is therefore crucial that vulnerabilities such as an unpatched application server or a web server misconfiguration be addressed with the same urgency as vulnerabilities in your application code.

The above correlation shows that it is imperative for organizations to ensure that all the systems, services and applications that handle sensitive data are themselves secure to achieve GDPR compliance. 

All Micro Focus Fortify customers can access the benefits of this compliance template by downloading the recently announced 2018 R1 release.
