The following post is a contribution by Brian Dean of SecureState, a global management consulting firm focused on information security. At SecureState, Brian is a Manager of Audit & Compliance; he works within SecureState’s Audit & Compliance Team as Practice Manager, ensuring value and accuracy.

Developing Applications in an Over-Regulated World

Interpreting development specs is challenging enough, but writing code without analyzing the regulatory business ramifications rarely ends well. Typically the process assumes that your business leaders and partners understand the regulatory environment and its impact on application functionality, and that they can successfully articulate the requirements to the development team. Often, though, the message is muddled because that understanding is missing. So put on your red cape (blue tights optional) and read on for some compliance strategies to take your career to the next level.

[WEBINAR] PCI, HIPAA, GLBA and an Acronym Soup of Regulations…Can’t we just develop anymore?

Start with a new paradigm: development teams offering secure coding options, privacy requirements, and sufficient detail to obtain executive buy-in. In recent years, we have seen development work outsourced. Now more than ever, adding value beyond sitting behind your keyboard churning out lines of code can provide you with upward mobility and, more importantly, job security. Outsourced developers often lack the business acumen and understanding of the organization’s core business model to provide this insight. Investing a little time to determine which laws and regulations apply, along with industry best practices and consumer expectations, differentiates your skill set in an increasingly commoditized industry. To jump-start this process, continue reading for a pragmatic approach to building privacy and security methodologies into your code development process and application build, differentiating yourself, and doing the right thing for consumers who trust you with their sensitive data.

#1 Know the Rules

Complying with numerous federal laws, international and domestic, plus state law, industry standards, and contractual obligations can be difficult. Unlike the European Union and other jurisdictions with robust privacy laws, the U.S. lacks a single regulatory framework for securing consumer data. Filling the void, albeit insufficiently, is a patchwork of industry-specific regulatory requirements, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) standard, Sarbanes-Oxley (SOX), etc. Adapting development practices to adhere to even a single framework is often challenging for developers, who typically do not have, nor want, a legal or compliance background. Using a generic framework such as the Generally Accepted Privacy Principles (GAPP) will position your code well for compliance with numerous regulations, but a more focused regulatory approach may be needed based on risk.

#2 Get Executive Buy-In

Recall the old project management 101 three-legged stool: scope, resources, and schedule? If you add scope (e.g., secure coding requirements), it will consume more resources and/or take more time to code and test. You need to show how this improves risk posture and customer experience, reduces cost of ownership, and/or better positions you for regulatory compliance. Articulating this message will ideally result in buy-in and career advancement. Developers who can think beyond just writing code move beyond the commoditized developers. Add value and increase your value!

#3 Don’t Boil the Ocean

Crafting “guiding principles” from the applicable laws, or generically from GAPP, can begin the process. Small wins will reinforce the return on investment (ROI) and compliance posture argument discussed under executive buy-in. For example, question why an application accesses an entire table instead of just the needed records, and better yet only the required fields within those specific records. Introducing these concepts during a maintenance release gets the project management team and business owner thinking, and steers the discussion toward industry-relevant privacy concerns.

#4 Know Where the Data Lives and Breathes

Network diagrams are a great start for documenting data flows and where data is stored, but they need to include business logic as well: who has access to the data, whether that access is role based, and whether the data can be downloaded, printed, etc. A brief whiteboard session can identify and uncover downstream data stores with weak or missing controls. The development team can then make risk-based decisions to include additional controls for these data stores.
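To make the field-level question in #3 (why read the whole table?) and the role-based access question in #4 concrete, here is an added example that is not from the original post: a data-minimizing record accessor over an in-memory SQLite table with constructed sample rows. The roles, their field allowlists, and the access log are assumptions for illustration, not requirements taken from any specific regulation.

```python
import sqlite3

# Need-to-know field allowlist per role (assumed roles and fields, for
# illustration; derive the real lists from your guiding principles).
ROLE_FIELDS = {
    "support": ("customer_id", "name", "email"),
    "billing": ("customer_id", "name", "card_last4"),
    "analytics": ("customer_id", "state"),
}
ACCESS_LOG = []  # (role, customer_id, fields) per read, for auditing


def make_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (customer_id INTEGER PRIMARY KEY,"
                 " name TEXT, email TEXT, ssn TEXT, card_last4 TEXT, state TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Ann Example", "ann@example.com", "000-00-0001", "4242", "OH"),
        (2, "Bob Example", "bob@example.com", "000-00-0002", "1881", "MA"),
    ])
    return conn


def denied_fields(role, fields):
    """Requested fields the role may not read (unknown role: all of them)."""
    return [f for f in fields if f not in ROLE_FIELDS.get(role, ())]


def fetch_record(conn, role, customer_id, fields):
    """Read one record, returning only the fields the role needs.

    Column names come from the allowlist, never from the caller, so the SQL
    is built from known identifiers; the record id is a bound parameter.
    Returns None if the record does not exist.
    """
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    denied = denied_fields(role, fields)
    if denied:
        raise PermissionError(f"role {role!r} may not read {denied}")
    wanted = [f for f in ROLE_FIELDS[role] if f in fields]  # allowlist order
    if not wanted:
        raise ValueError("no fields requested")
    sql = f"SELECT {', '.join(wanted)} FROM customer WHERE customer_id = ?"
    row = conn.execute(sql, (customer_id,)).fetchone()
    ACCESS_LOG.append((role, customer_id, tuple(wanted)))  # audit trail
    return None if row is None else dict(zip(wanted, row))
```

The same pattern generalizes to any data store: the allowlist, not the caller, decides which columns ever leave the table, and every read leaves a record for auditing.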

Privacy by design and security by design have in the past been considered niceties, but given the number of breaches each year reported in mainstream and social media, the cost of those breaches, and the regulatory scrutiny, they are now becoming development requirements. A data breach can result in penalties, public castigation, and even legal action (e.g., when you are contractually required to protect data that is nonetheless breached). If the business owners are not driving this change, the development team can and should be the voice of reason. So if your application creates, accesses, processes, or transmits sensitive consumer information, consider privacy by design. It is good for business, a good career move, and more importantly good for the consumer – we are all consumers.


Sample List of Regulations/Industry Best Practice Frameworks

EU Directive
  • Requirement: Adopt 7 principles for data emanating from the 27 EU countries: notice, purpose, consent, security, disclosure, access, and accountability.
  • Applies to: The 27 EU countries and partially Switzerland; only required for receiving countries not meeting adequacy requirements.

GAPP
  • Requirement: Adopt 10 trust principles for personally identifiable information (PII): management, notice, choice, collection, use, access, disclosure, security, quality, and enforcement.
  • Applies to: Businesses that wish to demonstrate good citizenship regarding consumer data; not a regulatory requirement.

GLBA
  • Requirement: Confidentiality and integrity of personal financial information stored by financial institutions.
  • Applies to: Financial institutions, as broadly defined by the regulation.

HIPAA
  • Requirement: Confidentiality, integrity, and availability of health care information.
  • Applies to: Healthcare providers, health insurers, healthcare clearinghouses, and any service provider receiving PHI.

PCI
  • Requirement: Protecting cardholder data (CHD).
  • Applies to: Merchants and service providers who store, process, or transmit CHD.

Sarbanes-Oxley
  • Requirement: Adopt guiding principles for certain systems: confidentiality, integrity, availability, access controls, auditing and logging, and change management.
  • Applies to: Financial data for material business systems of publicly traded corporations.

PCI, HIPAA, GLBA and an Acronym Soup of Regulations…Can’t we just develop anymore?

Join SecureState’s Brian Dean, CIPP, QSA and Privacy Officer, as he discusses how developers can effectively manage applicable regulations throughout the development process.

During this webinar Brian will discuss:

  • The prominent domestic frameworks developers must adhere to and the international implications.
  • Strategies for data discovery, its implications, techniques for compliance, and methods for seeking management support.
  • How this holistic approach can best position your SDLC, should an EU-like regulation become law, and more importantly introduce sound development processes that better protect customer data.

About Neil DuPaul

Neil manages the blog pipeline at Veracode, often by fending off eager contributors with a stick. He manages much of the Veracode web presence while also motivating the more introspective Veracoders to be social. Lover of sports and outdoors, and a SERP enthusiast, hit him up on Twitter here.

Comments (1)

Sabbas | July 17, 2013 2:45 pm

Great info, Neil. In forums I've been in, people say application security testing is not necessary because developers should make their applications secure in the first place. WRONG! As you mentioned, developers often lack the training required to create adequate configurations, resulting in reduced effectiveness or much worse. It's extremely important to consider security during the entire software product development and deployment life cycle. Black Diamond Solutions is currently offering a complimentary application security scan for those looking to identify vulnerabilities and secure their applications, without having to give up source code or intellectual property. We, at Black Diamond Solutions, are also a partner of Veracode.

get free application security scan
