We are entering a new stage of app development. While, until now, requirements for architecture were left to the discretion of companies, developers and their target audiences, recent legal changes in the European Union and the United States have brought a new player to the table: regulations.
Most notably, the EU’s General Data Protection Regulation (GDPR) is a much-needed update to 20-year-old legislation that also enshrines into law groundbreaking new principles that were until recently only the talk of policy circles.
Taking a bold stand for individual privacy, the GDPR limits what data processors and data controllers can do with the information they collect and gives EU data subjects unique rights, such as the ability to revoke consent for data processing or request that their data be erased.
The GDPR places all responsibility for data protection firmly on the shoulders of businesses and holds them accountable in the eyes of the law for any data breaches and leaks that may occur. The fines the regulation imposes for non-compliance are no joke: up to US$24 million or 4 percent of a company’s global annual turnover, whichever is higher.
But there is one stipulation in the GDPR that directly affects developers: Apps from now on should be built with data protection by design. What this essentially means is that, while until now the decision concerning the level of security of an app or service was left in the hands of the company or the development team building it, under the GDPR, it will be mandatory for security features protecting data to be included into the design, from the first stages of the development process.
In truth, when it comes to applications, security has always taken a back seat to features more likely to boost a product’s user-friendliness and saleability, such as attractive UIs, enhanced tools, unique features, etc. It was – and still is — considered more important for a product to be appealing rather than secure.
In its 2017 Application Security Statistics Report, WhiteHat Security reported that almost half of all applications are vulnerable on every single day of the year. From the 13 industries it looked at, the report found that approximately 60 percent of applications in the Utilities, Education, Accommodations, Retail, and Manufacturing sectors are always vulnerable.
With most applications requesting access to personal information and requiring in-app payments, it’s no surprise the GDPR has decided to dedicate an entire article to adding new data protection standards to the development process.
The challenges to boosting app security
According to WhiteHat Security’s report, most organizations are unable to resolve the vulnerabilities found in their applications. This means that it’s not so much a matter of choice that they decide to forego security features, but that their development teams lack the necessary skills to add them to their applications. Security is, after all, a niche unto itself. Specialized personnel are needed to accurately apply security guidelines and compliance profiles.
Companies are thus faced with two choices: to hire security engineers or to train their own developers and familiarize them with best security practices. Both options imply high costs and neither ensures success. On the one hand, security engineers are few and far between and there’s no guarantee a company will easily find and hire one, let alone a team. On the other hand, although developers may be taught the finer points of secure app development, the chances are high that they will only be able to create basic or subpar security features in the applications they build.
There is also the issue of maintenance. Security is never a one-off affair. It’s not enough for security to be added in the development phase. Protection profiles have to be constantly updated to the latest requirements and new features have to be added as new threats, attacks and vulnerabilities are discovered. This means a lot of extra work for developers.
So how can companies efficiently build their applications to include data protection by design while keeping costs down? A third option, provided by technology, has begun emerging in recent years: cybersecurity APIs.
Rise of the data loss prevention APIs
Given the mounting pressure to secure applications and prevent data leaks and theft, it is no wonder that cybersecurity APIs have started being developed — with giants like Google and Amazon leading the way.
After first adding DLP features to Gmail in 2015 and then extending them to the entire G Suite, Google launched its Cloud Data Loss Prevention (DLP) API in fall 2017, with the aim of helping organizations protect and regulate sensitive data. Aimed at developers, it can be integrated with external data sources and used to scan large datasets in Google Cloud Storage, Datastore, and BigQuery.
Amazon took things further by adding Macie to its offering, a DLP service for AWS S3 that uses machine learning and natural language processing (NLP) to identify, classify, monitor and protect sensitive information. Built using the AI-based algorithms developed by startup Harvest.ai, which Amazon acquired last year, Amazon Macie acts as an alerting engine, but that, integrated with other Amazon services, can automatically respond to incidents and apply remediation actions.
At the same time, veterans of the information security sector have extended their product lines to include APIs with a strong focus on DLP and compliance policies. Aiming to broaden DLP APIs’ capabilities, products such as sensitivity.io and CloudLock offer more diverse implementation methods, moving beyond cloud storage, towards local native SDKs and Security as a Service. They also provide integration options for everything from apps to popular infrastructures, clouds and services.
DLP APIs eliminate both the need for companies to invest in additional staff or training as well as the man-hours needed to maintain applications’ security features. Cybersecurity APIs can ensure compliance with regulations such as GDPR, GLBA, HIPAA and the like, while constantly adding new features and policies depending on how the regulations themselves are updated or changed.
Towards data protection by default
Security is now a mandatory aspect of app development for anyone falling under the incidence of the GDPR. Companies will have to be able to prove that data protection features were added to their applications during development for any new product built after the regulation comes into force on May 25. This can be done through the guidance of security engineers or through the use of cybersecurity APIs that both hold the necessary expertise to correctly enact these policies at app level.
Nor should companies that need not worry about the EU’s new regulation ignore security. Any popular app, especially one whose vulnerabilities can be easily exploited, is one eager cybercriminal away from being compromised and the company behind it can lose all credibility and a significant number of users overnight.
In the age of endless exploits, data trafficking and websites dedicated to leaks, data protection’s place will no longer be only on company networks and computers, but at the very heart of all applications and services.