The Intersection of DevSecOps and GDPR.
Data security has been in the news of late, for all the wrong reasons. With huge amounts of personal data floating around within organizations, the chances of use and misuse are huge. It’s no wonder that the European Union has passed the “General Data Protection Regulation”, or GDPR, to be effective from 25th May 2018. Since businesses worldwide need and use the personal data of their customers, businesses are affected wherever they might be, because of the EU’s huge contribution to global business and because of the extra-territorial nature of the regulation. While many industries will be deeply impacted by GDPR, the focus in this note will be on one aspect related to software development.
So how does GDPR affect the Software Development Community?
Software development has evolved as a profession from the early 1960s. Software development practices have had multiple attributes, related to stability, speed of development, cost, security and usability, amongst others. From the Waterfall methodology, the linear approach to software development, the world has moved on to the Agile methodology, which emphasizes the rapid delivery of applications in complete functional components.
Further still, from the Agile methodology the world has moved on to the DevOps landscape, which encompasses a seamless approach that takes an application from the development stage through deployment to operationalizing the software and continuous operations. One can say that DevOps is a culture and practice that aims at uniting software development (Dev) with its deployment and software operation (Ops). As with any technical progress, inherent conflicts in approach emerge in time. One such conflict witnessed in DevOps delivery methods is the conflict between the need for speedy delivery and the need for security. In a recent Gartner whitepaper, some of the key challenges listed were:
- DevOps compliance is a top concern of IT leaders, but information security is seen as an inhibitor to DevOps agility.
- Security infrastructure has lagged in its ability to become "software defined" and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way.
- Modern applications are largely "assembled," not developed, and developers often download and use known vulnerable open-source components and frameworks.
The resulting need to ensure security while retaining agility has seen the adoption of practices such as DevSecOps. The aim of DevSecOps is to introduce security early in the application development lifecycle. As stated at devsecops.org: “The goal of DevSecOps is to bring individuals of all abilities to a high level of proficiency in security in a short period of time. Security is everyone's responsibility.”
So part of the solution is to “Train all developers on the basics of secure coding, but don’t expect them to become security experts.” Essentially, a security mindset needs to be brought in. This has echoes of the “Privacy by Design” concept emphasized as part of GDPR.
The concept behind Privacy by Design is quite old. In one paper on this concept, Ann Cavoukian, Ph.D., wrote that privacy “cannot be assured solely by compliance with regulatory frameworks; rather, assurance must ideally become an organization’s default mode of operation.”
Essentially, DevSecOps and GDPR are now talking about the same thing: the need to inculcate a culture of security across the whole organization, not just in a few pockets.