In a previous blog post, we discussed how the proliferation of data breaches has caught the attention of regulators, which are increasingly focused on cybersecurity and application security. Case in point: Two recent major regulations – the EU Global Data Protection Regulation (EU GDPR) and NY State Department of Financial Services (NY DFS) Cybersecurity Regulations – are unprecedented in their scope and depth. In my last blog, I examined the trends these two major regulations point to in terms of application security standards. In this post, we consider some best practices organizations should consider adopting in the face of this changing regulatory environment.
In the end, it’s better to have a system in place that eases and streamlines compliance with regulations, rather than trying to address each emerging regulation or request in an ad hoc fashion.
Best-practice organizations create a single, central repository for information about software weaknesses, as well as proposed, accepted and rejected mitigations. This approach both streamlines compliance and maximizes the effectiveness of security assessments by consolidating the results of multiple testing methods (for instance, static analysis, dynamic analysis and manual penetration testing) in one place.
Application security testing, both static and dynamic, is a critical part of cybersecurity regulations. However, recent regulations, including the NY DFS’ and the EU GDPR, are moving away from a focus on security testing only to include secure development practices. This trend points to the growing recognition that effective application security requires assessments throughout the software development lifecycle — from development through to production. It’s also an indication that enterprises should include secure development practices in their application security programs.
Many regulations are recommending training developers in secure coding practices. Consider eLearning for its flexibility and ability to get developers the information they need when they need it, supplemented by instructor-led training for more in-depth learning.
The EU GDPR includes a requirement for “security by design,” which, for application security, incorporates activities like threat modeling, secure design and ensuring that developers are not only coding securely, but also identifying and remediating security-related defects in their code — as they’re writing it. Solutions like Veracode’s Greenlight will help address this requirement.
A key aspect of several recent regulations is the provision that an organization must protect personal data managed both internally and by a contractor or vendor. Consequently, a business must ensure that cryptography used by an application remains intact and is implemented correctly, and it must work towards a program that holds third-party software to the same security standards as internally developed software.
A platform that automates workflows, reduces communication overhead and delivers a secure audit trail for compliance processes is key. This, in turn, necessitates the need for a robust policy management framework to document and communicate a security policy. The ability to integrate with other key systems to share critical information, such as application security scores, listings of all discovered flaws and flaw status information (new, open, fixed or re-opened) also facilitates this process.
New regulations like the EU GDPR and NY DFS cybersecurity regulations include requirements surrounding notification of breaches or breach attempts and the creation of an audit trail. Runtime protection technologies help companies meet mandated standards by providing an automated solution that detects and prevents web-based attacks.
On the NY DFS Cybersecurity Regulations: 5 Things You Should Know About the New NY DFS Cybersecurity Regulations
On how Veracode can help you with regulation compliance: Streamline Compliance With Industry Regulations