The “General Data Protection Regulation” (GDPR) and the “California Consumer Privacy Act” (CCPA) have been two of the most frequently discussed subjects in the past few years, and one of the hottest areas of discussion is the steps needed to comply and the difficulties they present.
DevSecOps, another trending subject in the past few years, is a best practice that can help you along the way to compliance with GDPR, CCPA, and any future data regulations.
The rise of data privacy and security
Spurred by a seemingly endless string of scandals, breaches, and hacks that happened to companies of all sizes and industries, data privacy and security have become a huge concern to consumers, companies, and governments alike.
And while this may have been overdue, increased consumer awareness and new government regulations have forced businesses to rethink the way they handle data and to give a greater priority to privacy and security.
Data protection regulations
Although it came with ample notice, the landmark GDPR caused a lot of disruption for many companies as they struggled to comply with its terms. Many companies argued that compliance is virtually impossible, and in fact, less than 50% of businesses are compliant with GDPR according to a survey by the International Association of Privacy Professionals. However, it has undoubtedly made companies give greater thought and a higher priority to privacy, with 76% of them taking steps towards compliance according to the same survey.
More importantly, GDPR has opened the way for a stream of similar regulations, like California’s CCPA, being passed or proposed by many states and countries. This has shattered the hope of some companies with no business in the EU that they could maintain business as usual, and has encouraged others to apply their security measures across all their markets rather than restrict them to EU residents.
The term DevSecOps first started to appear in 2015 at around the same time the EU parliament was working on proposing GDPR and has been rising in popularity ever since. It might not have received the same amount of attention, but it has sparked its fair share of discussion among developers and security professionals. Now, DevSecOps is increasingly accepted as a best practice and seeing increased adoption, with Gartner predicting 80% adoption among rapid development teams by 2021.
As a concept, DevSecOps takes DevOps one step further by developing “security as code” and shifting security to the left, involving security teams in all phases from planning to production. It requires security to be viewed as everyone’s responsibility and to be baked into the development process from the beginning rather than limited to a series of lengthy tests at the end. By rethinking security’s traditional role as a gatekeeper that is viewed as a hurdle, it promises enhanced security while maintaining an agile development pace.
The path to compliance and beyond
Adopting DevSecOps doesn’t automatically make you compliant with data protection regulations, but it ticks a lot of the boxes. It promotes a security-aware mindset that can easily adapt to existing and future regulations without sacrificing development speed.
Involving security teams in the early phases of application development gives them a much better understanding of the app and a good opportunity to apply principles like data minimization. Done with the GDPR in mind, this will satisfy “privacy by default and by design”, a major requirement of the regulation.
Another important requirement is implementing “appropriate technical and organizational measures” to ensure the security of customer data. DevSecOps takes care of this by automating security testing and integrating it into the CI/CD pipeline, enforcing strict role-based access controls, and increasing security training and awareness across all teams.
Proactive monitoring and logging are also among the core tenets of the DevSecOps manifesto, enabling early detection of and response to any unauthorized actions. The same logging can also be used to demonstrate compliance with GDPR, another requirement of the regulation, by recording the access to and processing of customer data.
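The three preceding points (data minimization, role-based access control, and logging of access to customer data) fit together naturally in code. The following is an added example written for this post, not code from the original article or from any product it mentions: a small customer record store where each role may read only the fields its stated purpose needs, every attempt is recorded in a hash-chained audit log, and the log records which fields were disclosed to whom rather than the values themselves. The roles, purposes, field lists, and the sample customer record are constructed for illustration.

```python
"""Purpose-limited access to customer records with a tamper-evident audit log.

Added example. The policy table and the customer record below are constructed
for illustration; a real system would load its policy from configuration and
write the log to append-only storage rather than an in-memory list.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json

# Constructed sample customer record; not real data.
CUSTOMERS = {
    "c-1001": {
        "email": "alice@example.com",
        "name": "Alice Example",
        "date_of_birth": "1990-04-12",
        "crash_reports": ["NullPointerException in CheckoutActivity"],
    },
}

# Data-minimization policy (assumed, illustrative): each (role, purpose) pair may
# read only the fields it needs for that purpose. Unlisted pairs get nothing.
ACCESS_POLICY = {
    ("support", "resolve_ticket"): {"email", "crash_reports"},
    ("analyst", "crash_statistics"): {"crash_reports"},
    ("dpo", "subject_access_request"): {"email", "name", "date_of_birth", "crash_reports"},
}


class AccessDenied(Exception):
    """Raised when no policy entry permits the requested (role, purpose)."""


@dataclass
class AuditLog:
    """Append-only log of personal-data access. Each entry carries a SHA-256 over
    its own body plus the previous entry's hash, so editing or deleting an
    earlier entry breaks the chain and is detectable by verify()."""

    entries: list = field(default_factory=list)

    def append(self, **event) -> dict:
        event["ts"] = datetime.now(timezone.utc).isoformat()
        prev_hash = self.entries[-1]["hash"] if self.entries else ""
        body = json.dumps(event, sort_keys=True)
        event["hash"] = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        self.entries.append(event)
        return event

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev_hash = ""
        for entry in self.entries:
            body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
            if hashlib.sha256((prev_hash + body).encode()).hexdigest() != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def read_customer(log: AuditLog, actor: str, role: str, purpose: str, customer_id: str) -> dict:
    """Return only the fields the policy allows for this role and purpose, and
    record every attempt (allowed, denied, or not found) in the audit log.

    The log stores the names of the disclosed fields, never their values, so the
    log itself does not become a second copy of the personal data."""
    allowed = ACCESS_POLICY.get((role, purpose))
    if allowed is None:
        log.append(actor=actor, role=role, purpose=purpose, subject=customer_id, outcome="denied")
        raise AccessDenied(f"{role!r} may not access customer data for {purpose!r}")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        log.append(actor=actor, role=role, purpose=purpose, subject=customer_id, outcome="not_found")
        raise LookupError(customer_id)
    minimized = {k: v for k, v in record.items() if k in allowed}
    log.append(actor=actor, role=role, purpose=purpose, subject=customer_id,
               outcome="allowed", fields=sorted(minimized))
    return minimized


if __name__ == "__main__":
    log = AuditLog()
    print(read_customer(log, "support-42", "support", "resolve_ticket", "c-1001"))
    try:
        read_customer(log, "analyst-7", "analyst", "resolve_ticket", "c-1001")
    except AccessDenied as exc:
        print("denied:", exc)
    print("log intact:", log.verify())
```

Keying the policy on (role, purpose) rather than on role alone is what turns plain RBAC into the purpose limitation GDPR asks for: the same support engineer gets the customer's email when resolving a ticket but nothing when the stated purpose has no policy entry. Denied attempts are logged as deliberately as successful ones, since those are the events an incident responder wants to see first.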
Beyond complying with GDPR, CCPA, and any other data protection regulation, DevSecOps helps you build a better app and deliver it faster. With appropriate security training, making everyone responsible for security and running frequent automated security tests will reduce your vulnerabilities and let you catch more issues sooner. This translates to a great cost-benefit for the company, since the earlier an issue is caught, the easier and cheaper it is to fix.
The days of unrestrained collection, processing, and storage of data are behind us; data protection regulations are here to stay and will only get stricter. However, despite all the difficulties they present, this should be seen as an opportunity to advance and upgrade software development methodologies instead of merely trying to adapt to regulation.