What is GDPR Compliance in Web Application and API Security?
This blog post explains what GDPR compliance involves, the business impacts of the security risks this international standard highlights, and illustrates how Probely can help you detect and mitigate them in your website applications and APIs.
What is GDPR Compliance in Web Application and API Security?
GDPR compliance is required by the General Data Protection Regulation, an EU law that is binding on both EU member states and those countries that trade in the EEA (European Economic Area). The GDPR contains many principles for processing, collecting, accessing, rectifying, erasing, and transferring personal data. But it is its specific regulations on securing and protecting data that concern those responsible for organizational information and data security.
What is GDPR Compliance?
The basis of GDPR compliance are the principles of processing personal data that are contained in Chapter 2 (Articles 5-11). These principles prescribe that all personal data should be processed lawfully, fairly, transparently, purposefully, adequately, accurately, and limitedly. The relevant principle for web app and API security is ‘integrity and confidentiality’ which states personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing” using appropriate technical measures (5.1.f).
These principles are then expressed in the form of various rights that data subjects have over their own personal data, whether it has been collected from them or not. These data rights, as set out in Chapter 3 (Articles 12-23), include:
- Right of access – the right to obtain confirmation that your personal data is process and, if so, why and how (15)
- Right to rectification – the right to have inaccuracy personal data corrected (16)
- Right of erasure – the ‘right to be forgotten’ or have personal data erased on certain conditions (17)
- Right to restriction – the right to obtain restrictions in the way your personal data is processed (18)
- Right of notification – the right to be informed when personal data is changed, erased or restricted (19)
- Right to data portability – the right to receive and transfer personal data from one controller to another (20)
- The right to object – the right to object to having personal data processed, given the situation and compelling legitimate grounds (21)
However, it is in Chapter 4 (Articles 24-43) on ‘Controller and processor’ that GDPR compliance explicitly connects with issues related to web application and API security. Article 25 states that data protection should work “by design and default”. This requires data controllers to implement technical measures that are designed to uphold those data principles and rights mentioned above. They must also integrate necessary safeguards into their processing methods to meet GDPR compliance requirements.
In software engineering, these two terms have different but compatible uses.
- Security by default refers to default software settings configured for maximum security rather than user-friendliness.
- Security by design means that software is designed to be foundationally secure, as security issues are considered at the beginning of the development process and built into every layer. Malicious attacks on software are assumed and vulnerabilities are anticipated by the use of scanning software such as Probely.
Article 32 on ‘Security of processing’ requires both data controllers and processors to “implement appropriate technical” measures so that a level of security that matches the level of risk is achieved. Two relevant ways to achieve this are by “the ability to ensure ongoing” system integrity (1.b), and “a process for regularly testing” or assessing and evaluating the effectiveness of technical “measures for ensuring the security of processing” (1.d).
But ensuring security and providing measures against what?
Among the examples mentioned by GDPR is the risk of unlawful and unauthorized access to personal data, either in transmission or storage (32.2). The intention of such a malicious hacker might be the “destruction, loss, alteration” or disclosure of this data. Security requires that the risk of such a “breach” (Article 33) is assessed, with measures implemented not just at a technical but an organizational level. As Article 33 mentions data breaches rather than software bugs, vulnerability identification and scanning are of paramount importance.
It is the task of the data protection officer or DPO to ensure these measures are implemented in an organization. The DPO’s position must possess the power and independence to perform their job properly (Article 38). Among the tasks of the DPO is monitoring GDPR compliance and other regulations or policies. This not only includes oversight of relevant staff training but also “audits” (Article 39.1.b) and “impact assessments” (39.1.c).
What Business Impacts Does GDPR Compliance Have?
The business impacts of GDPR compliance depend on what you need to do. This in turn depends on such factors as how you currently process data, the nature of your existing security measures, and the service your business provides. Another important factor is whether your company has its own in-house cybersecurity team or is dependent on Development or DevOps to perform security functions for your organization.
For web application and API vendors, GDPR compliance entails two main challenges: coding and testing. The second challenge flows from the first.
Deploying Safer Code
This means that security must be integrated into your development process. The gap between development and security must be narrowed, and security made an intrinsic part of your web app development life-cycle. This means switching from a DevOps focus to DevSecOps, or, as GDPR calls it, secure software “by design”. Security testing for vulnerabilities and weaknesses from the earliest stage of development is vital for this.
Conducting Regular and Frequent Security Tests
Many software vulnerabilities have GDPR implications. For smaller organizations or those without their own security team, this means finding a scanning solution that is easy to use, quick to deploy, maximally automated, provides evidence that detected vulnerabilities are real and supplies extensive instructions on how to fix security flaws. For larger enterprises, this means using a security scanner with specialist functions (e.g. Single-Sign-On or Pause & Resume Scans), a UI that can manage a high volume of targets, and multiple integration options. For all sized organizations, scanning results free from false positives are important for providing evidence of adherence to compliance standards.
How Does Probely Help You with GDPR Compliance in Your Web Applications and APIs?
The GDPR’s Article 32 and its requirement for secure processing is not a theoretical requirement. The GDPR website shares a report about an online platform that was fined €50,000 for leaving its users’ data vulnerable to attackers in breach of this article – one of several hefty financial penalties that have made the headlines. The platform was warned to address its vulnerabilities but failed to do so adequately. Specifically, they failed to:
“Regularly test, assess, and evaluate the effectiveness [of their] technical and organizational security measures — Companies must continuously test their IT security as new and different vulnerabilities emerge.”
Article 32 Requirements
Probely can help you fulfill the requirements of Article 32, and deploy safer, compliant web applications and APIs. Probely enables you to run continuous, automated and security tests at scale on both your rich web apps and your APIs. This includes standalone APIs that are based on either Open API (Swagger) schema files or Postman collections. This means that you will expose vulnerabilities quickly, along with evidence that they are real.
Evidence of Testing and Fixing
Testing is necessary for compliance but not sufficient. You must provide proof of tests and fixes. Probely tests are accompanied by vulnerability scanning reports that provide summaries of findings, an exhaustive test list, and detailed finding descriptions. The Scan Report contains a scan summary that provides an overview of findings, as well as a Technical Summary that summarizes all findings, ordered by severity.
The Detailed Finding Descriptions of the reports presets scan finding in more detail than the summaries. As well as more technical information such as the CVSS score and HTTP method, it also displays crucial information on the evidence for each finding. This is evidence that it is possible to take advantage of a vulnerability.
The Category Descriptions section of the Probely reports contains detailed descriptions of each vulnerability, including its impact, causes, and prevention methods. There is also guidance on how to fix any vulnerabilities based on technologies found in your website applications and APIs.
You can employ these tailored reports for your organization to mitigate vulnerabilities, showcase your security to clients, demonstrate your compliance to auditors, and encourage an ongoing security dialog within your company. While there is not currently a specific Probely report for GDPR compliance (unlike PCI-DSS and OWASP), there are other ways Probely products and reports can significantly aid the work of CISOs and CSOs in their quest for compliance, minimal risk, and maximum security within budgetary restraints.
In the business of security, time is money. Probely products do not require a significant time investment to upskill, use, monitor, or interpret findings. Results are already prioritized and filtered, reducing your product’s time to market. Since Probely encourages you to embed security scanning into your SDLC, there is less reactive vulnerability fixing, leaving security teams more time to participate in the design and development phases.
Examples of What To Do Right Now
How exactly you implement GDPR directives depends largely on your sector and business. Here are some actions you can take immediately to improve your organization’s security posture:
- Conduct an information audit to discover what information you currently process and who has access to it.
- Create a list or record of these processing activities that you can show upon request to clients, regulators, and other relevant parties. (Article 30)
- Where risks are high to other people’s information, carry out a full Data Protection Impact Assessment. (Article 35)
- Build awareness and conduct training for your team members around your internal security policies.
- Know what to do and which authorities to contact in the event of a data breach.
- Ensure that all personal data you hold is secure whenever possible by encryption, pseudonymization, anonymization, or some other method.
- Designate a single person responsible for GDPR compliance and appoint a Data Protection Officer if required. (Articles 38-39)
- Make it easy for customers to exercise their data rights, especially the right to secure data. (Articles 12-23)
- Perform security tests on your web applications and APIs. Reach us for a free trial or to request a demo.
Complete guide to GDPR compliance from Proton AG
See our Compliance page