An Agile Framework for Building GDPR Privacy and Data Protection Requirements into SDLC

Presented at AppSec USA 2017, Sept. 22, 2017, 3:30 p.m. (45 minutes)

The consequences of not complying with the requirements of the General Data Protection Regulation (GDPR) are immense for all international data processors. The fines and penalties, even for small companies, can be as high as 20 million EUR, and GDPR requires data protection by design and by default. Most IT companies do not have the in-house expertise to identify the features required for full compliance. This work provides a vendor- and technology-agnostic toolkit for building GDPR-compliant software with minimum cost and effort. The toolkit is based on a tag-based approach for identifying required features and tasks. After reviewing various privacy regulations, including GDPR, and coding their content, we arrived at a set of tags that fully capture the principles and notions of privacy requirements relevant to software development, deployment and operation. The tags are organized in 14 classes and include sub-tags and variants. Any list of privacy and security controls can be evaluated against these tags to ascertain whether it adequately enables the desired level of privacy. As a case study, we will develop the first publicly available agile scrum template, using the proposed tagging system, for the development of an IoT system that transmits private information across international borders. The tagging system and the approach can easily be customized for any other agile methodology and framework. The talk will expand on some recent stories and case studies of how missing the tags can create non-compliance and, as a result, huge liability.


Presenters:

  • Mina Miri - Application Security Researcher - Security Compass
    Mina has several years of experience in the IT field and is particularly attuned to the needs of enterprise-level software, which demands dependability and well-developed security characteristics. She has a Master's in IT Security and a Bachelor's degree in engineering in IT Business. In her current position as an application security researcher at Security Compass, she conducts research on secure development techniques in various security and privacy contexts.
  • Farbod H Foomany - Senior Security Researcher (Tech. Lead) - Security Compass
    Farbod H Foomany is a senior application security researcher (technical lead) at Security Compass. He has a Bachelor's degree in electrical engineering (control systems), a Master's degree in artificial intelligence and robotics, and has completed a PhD with main research on the security aspects of using voice-print and other biometrics in criminological and security applications. Farbod is currently involved in projects that aim to investigate and formulate security and privacy requirements of software development in various contexts. Farbod has published and presented his work on signal processing and security in several conferences and journals, such as IEEE conferences and journals, the ISACA Journal, the Crime Science conference, the OWASP AppSec conference, and the IAPP conference.