In this post I will explain the concept of security/privacy by design with regard to software development, the GDPR and the PCI DSS.
Security by design in PCI DSS
In PCI DSS requirement 6.3, one of the sub-requirements states:
Develop internal and external software applications (including web-based administrative access to applications) securely, incorporating information security throughout the software-development life cycle.
Privacy by design in the GDPR
Similarly, the GDPR states in article 25:
“…the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles…”
What do the requirements mean?
What is basically implied here is: think of security first, start developing later. Both the PCI DSS and the GDPR demand that security permeate the entire SDLC, from the elicitation of requirements through to maintenance. Security measures that should be accounted for include, for example, risk analyses, secure coding practices and encryption, applied in order to implement data-protection principles such as confidentiality, integrity and data minimization.
A very common business practice today is to not incorporate security throughout the SDLC. Businesses want their applications to reach the market as fast as possible, before the competition. Making an application secure takes time, so security is added after the product hits the market, through patches or add-ons, as vulnerabilities are discovered. This will no longer be acceptable for organizations wishing to process personal data: security is not an add-on.