Why you need to get your team up to speed on privacy-aware development

Rob Lemos, writer and analyst

With the first fines being imposed under the European Union's General Data Protection Regulation, privacy is set to become much more important and will likely become another requirement for developers.

For a view into the pressure that the European Union's privacy regulation may have on developers, take the case of British Airways. In July, the UK's Information Commissioner's Office (ICO) notified the airline that the government intended to levy a nearly $230 million fine against the carrier under the EU's General Data Protection Regulation (GDPR).

Initially, the ICO investigated what appeared to be a compromise of the company's website by the Magecart group, which injects scripts into the target's e-commerce store to collect customers' financial data. Investigators, however, found that "a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details, as well [as] name and address information," according to a statement from the ICO.

British Airways is not alone. Four other companies, including Google, have been targeted with fines. In total, 60% of the cases have been due to privacy errors that could have been caught by developers. Because GDPR puts companies on the hook for securing the applications that collect customers' information, developers will likely have privacy as part of their responsibilities.

The link between developers and privacy may not be clear now, but two decades ago application security was not on developers' radar either, and they now have responsibility for creating secure code, said Dan Cornell, chief technology officer of Denim Group, an application-security consultancy.

Here's what developers need to know about how the new privacy rules affect their work, and what privacy-aware development looks like.

Fines will rise quickly in developed nations

"The law is clear—when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
—UK Information Commissioner Elizabeth Denham

Not only will breach costs increase over time, but increasing fines will be a much larger portion of future costs. Juniper Research has predicted that breach damages will top $5 trillion a year in 2024, driven primarily by increasing fines for data breaches as regulation tightens.

If costs do skyrocket to this degree, the business side of the company will undoubtedly make privacy-aware programming a requirement for developers, said Adam Hunt, chief technology officer and chief data scientist with security firm RiskIQ.

"This move toward more privacy-aware development is taking shape because, when poorly developed software is the cause of major disaster, companies grind to a halt and demand resources from every department, not to mention the potential financial and reputational catastrophes."
Adam Hunt

Privacy-aware programming is about design

Security groups have talked about shifting security left—toward developers—for many years. Developers should expect that privacy will be added to that directional shift as well. Rather than implementing secure coding patterns, however, privacy-aware programming is more about application design: minimizing data retention, extensively encrypting data, and limiting access to critical systems.

"Think of developing and privacy as a partnership. Developing in a vacuum can be a disaster, but collaborating helps scale in a safe and effective manner," Hunt said. "[Working with security professionals when developing new products] will save time, money, and resources in the long term."
—Adam Hunt

Security matters even more when fines are higher

Code security will remain perhaps the most significant developer role in creating privacy-aware applications. In the 2019 Application Security Risk Report, Micro Focus Software Security Research found that almost every application scanned by the company's Fortify static analysis service had at least one issue of any severity that could open a company to being fined under Europe's GDPR.

More than six in 10 applications had a severe flaw that could have allowed indirect access to sensitive data, 57% had a severe vulnerability resulting in insufficient data protection, and more than half had a severe access violation flaw, according to the same report.

Getting security right should still be developers' first priority, said Luther Martin, distinguished technologist at Micro Focus. A previous consulting job regularly demonstrated to him how difficult security can be.

"The reason people are getting breached is because they are not doing Security 101. We had never, ever had a client where there was not a server, somewhere, that had the username and password as 'company name,' 'company name.'"
—Luther Martin

Privacy policy will become programming

Prepare for privacy policies to reign supreme in programming; they already figure prominently in legislation.

Take right-to-be-forgotten clauses, which are included in both the GDPR and the California Consumer Privacy Act (CCPA). The clauses require companies to quickly identify data on their systems that are covered by the privacy regulations and delete the data after the prescribed period of time has passed.

All data being held by companies—even machine-learning data—may be impacted by the policy, said RiskIQ's Hunt.

Sometimes these records can be spread across databases, data warehouses, backups, and spreadsheets, he said.

"If the user's information was used to train a machine-learning model to serve them ads, that model may or may not need to be retained if a single user requests to be forgotten," Hunt said. "But what if 650,000 users file requests? If they represent a similar demographic, the model would certainly need to be retrained in order to truly 'forget' about those users."

When privacy is no longer an afterthought

Developers will need to work with privacy and security professionals to determine where these requirements should be implemented in the code. Developers may not want to think about privacy, but the realities of current policy will require it of them.

"At the end of the day, I would hate to put that on developers—not in the same way that I would put the responsibility for security on developers," said Denim Group's Cornell.

Yet, he added, the role of developer is changing.

"Over the last 15 years that I've been in the application-security space, we have evolved what it means to be a developer. So it's fair to ask if this is another piece that needs to be included. There is certainly a good argument that it should be."
Dan Cornell
