As new local and international data protection laws come into force, organisations running high-velocity software development practices must tighten up their governance and risk-management policies, or run the risk of facing severe legal penalties.
The European Union’s General Data Protection Regulation (GDPR), which takes effect in May 2018, and South Africa’s incoming Protection of Personal Information Act (PoPI) should heavily influence the way we build new software applications, since those applications must safely house the data that falls under these laws.
Perhaps the area of biggest concern is developers’ use of open source software components. Research by the open source governance company Sonatype (represented locally by 9TH BIT Consulting) indicates that some of the largest development organisations consume around 240,000 open source components across all their applications, and that up to 80 percent of enterprise applications are built on some form of open source code.
With so many open source components being used to create the applications that will eventually keep customer data safe, governance and risk professionals must find ways to ensure that vulnerabilities don’t creep into those applications. Without the right tools, known weaknesses in open source components are notoriously difficult to detect, not least because many arrive indirectly, as transitive dependencies of the components a developer chose deliberately.
The Equifax lesson
Both the GDPR and PoPI aim to regulate the processing of personal information. The two laws are broadly aligned, so a programme built for GDPR compliance goes most of the way towards PoPI compliance, although PoPI retains requirements of its own and compliance with one should not be assumed to guarantee compliance with the other.
The GDPR places responsibility squarely on the shoulders of companies, to process data in a fair and secure manner, to ensure the integrity and accuracy of personal data, and to only retain it for as long as is necessary. Organisations must adopt stringent measures to protect data against unauthorised access or accidental loss.
When we look back over the past few years and note all the major cyber-security attacks, the importance of this new legislation becomes clear. In one of the worst breaches, the theft of around 145 million consumer records from the US credit bureau Equifax, the root cause was a known vulnerability in an open source component: a flaw in the Apache Struts web framework (CVE-2017-5638) for which a fix had been available for months before the attackers got in.
The Equifax incident exposed the risks inherent in using open source without proper governance controls to guide the way that third-party code is incorporated into broader enterprise applications, and without a reliable way to know which vulnerable versions are in production.
The GDPR’s reach extends ‘extra-territorially’: it applies to South African companies that have an establishment in the EU, that offer goods or services to individuals in EU member states, or that monitor the behaviour of individuals there, regardless of where the processing takes place. Penalties for non-compliance are severe (up to four percent of annual global turnover or EUR 20 million, whichever is higher).
Ensuring you stay on the right side of the law
With new legislation striking fear into executives across all industries, the burden falls on the CIO to evolve quickly from a basic DevOps approach to software creation towards a more secure, more controlled approach termed DevSecOps.
DevSecOps embeds governance and security checks into software development from the ground up, flagging and remediating potential vulnerabilities as code is written and built (including, of course, in the open source components it pulls in). It balances the need to develop software at speed with the need for strong, verifiable security controls.
Instead of security being an afterthought, or quickly checked via a basic penetration test once an application is complete, it becomes a philosophy and a set of practices embedded at every stage of the development lifecycle.
A leading tool in this arena is Sonatype’s Nexus Lifecycle, which identifies the open source components in an application and the exact versions in use. Drawing on intelligence that Sonatype’s research team gathers continuously and delivers directly to developers in their IDEs, teams can see which components carry known vulnerabilities, how a risky component finds its way into the application’s broader codebase, and which version to move to in order to remediate the issue.
Organisations harnessing such tools are able to safely fall into line with the requirements of the new legislation, as they detect any flaws long before applications ever reach business users or end-customers.
The cadence of delivery isn’t hampered by the new layers of governance, because automated checks run as new code is developed rather than as a one-off audit at the end. And with accurate audit trails, organisations can prove what steps they took to ensure secure code and, ultimately, safe and compliant applications.
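To make the mechanism concrete, here is an added illustration (not Sonatype’s code, nor code from the original article) of what such an automated dependency gate does when it runs in a build pipeline: it walks the full dependency graph, including transitive components the developer never chose directly, matches each component version against an advisory list, blocks the build when a finding breaches policy, and writes an audit record of the decision. The dependency graph, advisory identifiers (ADV-0001, ADV-0002), component names and policy threshold are all constructed sample data, and versions are assumed to be simple dotted numbers.

```python
"""Minimal software composition analysis (SCA) build gate.

Added illustration only; the graph, advisories and policy below are
constructed sample data, not real components or real vulnerabilities.
"""
import json
from datetime import datetime, timezone

# Constructed sample dependency graph: each component lists what it pulls in.
# "webapp" is the application under build; everything else is third-party.
DEPENDENCY_GRAPH = {
    "webapp": ["acme-web:2.3.5", "acme-json:1.8.0"],
    "acme-web:2.3.5": ["acme-commons:3.1.0", "acme-expr:3.0.19"],
    "acme-json:1.8.0": ["acme-commons:3.1.0"],
    "acme-commons:3.1.0": [],
    "acme-expr:3.0.19": [],
}

# Constructed sample advisories (hypothetical identifiers, not real CVEs).
# "affected_below" means every version strictly lower than it is vulnerable.
ADVISORIES = [
    {"id": "ADV-0001", "component": "acme-web", "affected_below": "2.3.32",
     "severity": 10.0, "fixed_in": "2.3.32"},
    {"id": "ADV-0002", "component": "acme-json", "affected_below": "1.9.1",
     "severity": 5.3, "fixed_in": "1.9.1"},
]

# Policy: block the build on any finding at or above this CVSS-style score;
# lower-severity findings are still reported in the audit trail.
POLICY = {"block_at_or_above": 7.0}


def parse_version(version):
    """Turn '2.3.5' into (2, 3, 5) so comparisons are numeric.

    Assumes plain dotted numeric versions. A naive string comparison would
    wrongly rank '2.3.5' above '2.3.32'.
    """
    return tuple(int(part) for part in version.split("."))


def resolve(graph, root):
    """Return every component reachable from root: direct AND transitive."""
    seen, stack = set(), list(graph[root])
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def find_violations(components, advisories):
    """Match each 'name:version' against the advisory list."""
    hits = []
    for comp in sorted(components):
        name, version = comp.split(":")
        for adv in advisories:
            if adv["component"] == name and \
               parse_version(version) < parse_version(adv["affected_below"]):
                hits.append({"component": comp, "advisory": adv["id"],
                             "severity": adv["severity"],
                             "fixed_in": adv["fixed_in"]})
    return hits


def evaluate(graph, root, advisories, policy):
    """Scan the graph, apply policy and return an audit record."""
    components = resolve(graph, root)
    findings = find_violations(components, advisories)
    blocking = [f for f in findings if f["severity"] >= policy["block_at_or_above"]]
    return {
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "application": root,
        "components_scanned": len(components),
        "findings": findings,
        "blocking_findings": len(blocking),
        "decision": "BLOCK" if blocking else "PASS",
    }


if __name__ == "__main__":
    record = evaluate(DEPENDENCY_GRAPH, "webapp", ADVISORIES, POLICY)
    print(json.dumps(record, indent=2))  # the audit trail entry
    raise SystemExit(1 if record["decision"] == "BLOCK" else 0)
```

Run as a pipeline step, the non-zero exit code is what stops the build; the JSON record is what gets kept as evidence that the check was performed and what it found. Note that the medium-severity finding is recorded but does not block, which is the kind of policy decision an organisation has to make deliberately rather than leave to whoever wrote the scanner.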
Data is certainly the ‘currency of the future’, and so in an era of rampant cybercrime and identity theft, it’s essential to have global and local laws which demand far stronger control over our personal information.
For software developers in particular, complying with new legislation doesn’t need to be a headache: with the right tools, it becomes possible to build applications that incorporate huge amounts of open source yet remain robust and earn strong trust from users.
By Barry de Waal, chief executive of strategy and sales at 9TH BIT Consulting