Starting May 25, 2018, the EU General Data Protection Regulation (GDPR) will harmonize data privacy law across all EU member states by providing a single framework for how organizations handle the personal data of individuals in the EU.
As organizations rush to deploy encryption technologies to secure data, we at Micro Focus Fortify Software Security Research would like to caution our customers against overlooking the role of application security in achieving GDPR compliance.
A crucial clause of the GDPR requires businesses to protect personal data in their systems and applications against “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data” (GDPR Article 32) by implementing “appropriate technical and organizational measures” (GDPR Article 25). Article 32 also calls for a process for regularly testing, assessing and evaluating the effectiveness of those measures. If data security is to be comprehensive, these technical measures must therefore include a formal process of application security testing and vulnerability assessment.
Software vulnerabilities undermine any protection mechanism or process deployed to ensure data security. Defects in the implementation of encryption, errors in key management, injection vulnerabilities, and configuration and maintenance errors in the systems and networks that store or process personal data can all result in the compromise of that data.
To help customers who are investigating and working toward GDPR compliance, we have mapped the Micro Focus Fortify Taxonomy to the GDPR requirements that bear on application security. The vulnerability categories have been divided into four logical groupings to help identify weaknesses that can affect GDPR compliance.
The four logical groupings are:
Privacy Violation vulnerabilities include errors that result when an application simply fails to encrypt or pseudonymize personal data before transmitting it, storing it, or writing it to an external device or log.
Insufficient Data Protection vulnerabilities result from implementation flaws in the use of encryption to protect the confidentiality and privacy of personal data. Examples include use of a weak encryption algorithm, errors in configuring encryption parameters, and faulty key management practices. Any of these undermines the benefit of encrypting the data in the first place.
Access Control vulnerabilities include flaws in the implementation and configuration of an application’s authentication, authorization and access policies. They allow unauthorized access to restricted resources and leave personal data open to misuse.
Indirect Access to Sensitive Data covers a large set of software vulnerabilities that are often overlooked but are critical to maintaining system and data integrity. If successfully exploited, these vulnerabilities can give an attacker control of system resources and, through them, access to sensitive data. For example, injection vulnerabilities may let an attacker execute attacker-supplied queries, commands or code on the server, exposing data and resources the application itself was never meant to expose.
This grouping also includes vulnerabilities in the third-party and open source components that your application depends on. A vulnerability in any of these components can compromise your application, so issues such as unpatched components and web-server misconfiguration must be addressed with the same urgency as vulnerabilities in your own application code.
The above mapping shows that, to achieve GDPR compliance, organizations must ensure that every system, service and application that handles personal data is itself secure.
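The Privacy Violation and Insufficient Data Protection groupings above are easiest to see side by side. The following is an added example written for this page, not code from the original post or from Fortify: an application writes a login event to an external audit log three ways. The first writes the e-mail address as-is (Privacy Violation); the second “pseudonymizes” it with an unkeyed MD5, which anyone holding the log can reverse by hashing guesses (Insufficient Data Protection: weak algorithm and no key management); the third uses a keyed HMAC-SHA256 whose key never leaves the application, so the token is the pseudonym and the key is the “additional information” that GDPR Article 4(5) requires to be kept separately. The sample event, the guess list and the function names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample event: a login record containing personal data (an
# e-mail address) that the application wants to write to an external audit log.
SAMPLE_EVENT = {"action": "login", "email": "alice@example.com"}

# Constructed attacker guess list, e.g. addresses from a leaked customer list.
# Assumption: the attacker holds the exported log but not the application key.
GUESS_LIST = ["bob@example.com", "alice@example.com", "carol@example.com"]


def log_line_plaintext(event):
    """Privacy Violation: personal data is written unchanged to the sink."""
    return json.dumps(event, sort_keys=True)


def pseudonym_unkeyed(email):
    """Insufficient Data Protection: an unkeyed, unsalted MD5 of a
    low-entropy value. Anyone holding the log can recover the address by
    hashing guesses and comparing."""
    return hashlib.md5(email.encode("utf-8")).hexdigest()


def pseudonym_keyed(email, key):
    """Keyed pseudonym (HMAC-SHA256). Without `key` the token cannot be
    linked back to the address; the key is the 'additional information'
    that must be kept separately from the log."""
    return hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()


def log_line_pseudonymized(event, key):
    """Replace the identifier before the record leaves the application."""
    redacted = dict(event)
    redacted["email"] = pseudonym_keyed(event["email"], key)
    return json.dumps(redacted, sort_keys=True)


def reverse_by_guessing(token, guesses, key=None):
    """Attacker (key=None) or key holder (key given) tries to map a token
    back to an address by recomputing it for each guess."""
    for guess in guesses:
        if key is None:
            candidate = pseudonym_unkeyed(guess)
        else:
            candidate = pseudonym_keyed(guess, key)
        if hmac.compare_digest(candidate, token):
            return guess
    return None


def demo():
    """Run the three variants and report what each one leaks."""
    # Assumption: in production the key comes from a secret store or KMS,
    # is never logged, and is rotated under a key-management policy.
    key = secrets.token_bytes(32)
    plain_line = log_line_plaintext(SAMPLE_EVENT)
    weak_token = pseudonym_unkeyed(SAMPLE_EVENT["email"])
    strong_line = log_line_pseudonymized(SAMPLE_EVENT, key)
    strong_token = json.loads(strong_line)["email"]
    return {
        "plaintext_line_contains_email": SAMPLE_EVENT["email"] in plain_line,
        "strong_line_contains_email": SAMPLE_EVENT["email"] in strong_line,
        "weak_token_recovered_without_key": reverse_by_guessing(weak_token, GUESS_LIST),
        "strong_token_recovered_without_key": reverse_by_guessing(strong_token, GUESS_LIST),
        "strong_token_recovered_with_key": reverse_by_guessing(strong_token, GUESS_LIST, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed pseudonym is deterministic, so records for the same person remain linkable for analytics and incident investigation, while the log alone no longer identifies anyone. Note the trade-off this creates: the key becomes the asset to protect, which is exactly the key-management concern the Insufficient Data Protection grouping describes.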
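For the Indirect Access to Sensitive Data grouping, the injection case is the one practitioners most often meet. The following is an added example written for this page, not code from the original post or from Fortify: a lookup that is supposed to return only the caller’s own customer record, first with the caller’s input concatenated into the SQL text, then with bound parameters. The table, rows, function names and attacker payload are constructed for the example, using the SQLite database bundled with Python so that it runs offline.

```python
import sqlite3

# Constructed sample data: a customer table holding personal data. In a real
# deployment this would be the application's production database.
SEED_ROWS = [
    ("alice@example.com", "alice"),
    ("bob@example.com", "bob"),
]

# Constructed attacker input: closes the string literal and appends a
# condition that is always true.
INJECTION_PAYLOAD = "x' OR '1'='1"


def build_db():
    """In-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_owner) VALUES (?, ?)", SEED_ROWS
    )
    return conn


def lookup_vulnerable(conn, owner, email):
    """Indirect Access to Sensitive Data: the caller's `email` is pasted into
    the SQL text, so the WHERE clause that restricts results to `owner`'s
    own rows can be rewritten by the caller."""
    sql = (
        "SELECT email FROM customers WHERE account_owner = '%s' AND email = '%s'"
        % (owner, email)
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, owner, email):
    """Hardened form: the query text is fixed and values travel as bound
    parameters, so `email` can only ever be compared as data."""
    sql = "SELECT email FROM customers WHERE account_owner = ? AND email = ?"
    return [row[0] for row in conn.execute(sql, (owner, email))]


def demo():
    """Run both lookups with a legitimate value and with the payload."""
    conn = build_db()
    try:
        return {
            "vulnerable_legit": lookup_vulnerable(conn, "alice", "alice@example.com"),
            "vulnerable_injected": lookup_vulnerable(conn, "alice", INJECTION_PAYLOAD),
            "parameterized_legit": lookup_parameterized(conn, "alice", "alice@example.com"),
            "parameterized_injected": lookup_parameterized(conn, "alice", INJECTION_PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the payload, the vulnerable query becomes `... WHERE account_owner = 'alice' AND email = 'x' OR '1'='1'`; because AND binds tighter than OR, the trailing condition makes the whole filter true and every customer’s e-mail is returned to a caller who was only ever authorized to see their own. The parameterized query compares the same payload as a plain string and returns nothing.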
All Micro Focus Fortify customers can access the benefits of this compliance template by downloading the recently announced 2018 R1 release.
The Micro Focus Software Security Research team translates cutting-edge research into security intelligence that powers the Micro Focus Security Products Portfolio.