Launching Privado Open Source for Privacy Compliance
Privado is a free, open-source, one-stop solution for automating compliance with privacy laws and standards such as GDPR, HIPAA, SOC, and ISO, and for managing privacy and data security threats in code.
Who should read this post?
If you are an engineer who has:
- Filled in Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA) sent by Privacy and Data Protection teams
- Reviewed your app's code manually for privacy threats
- Analyzed code for data flows to third parties
- Identified and fixed sensitive data going to logs
- Integrated GDPR, HIPAA, SOC, and ISO controls into your app's code
- Managed your organization's data security and compliance initiatives
- Investigated security tools that could be repurposed for data security and privacy
- Put Privacy by Design into practice
this post is for YOU!
How does static code analysis help ensure Data Security and Privacy?
Developers build applications by writing thousands of lines of code. Code dictates how a customer's data gets collected, sanitized, encrypted, logged, stored in databases, and shared with third parties, and the variables in that code determine how data is carried from the user to the database.
Like veins that supply blood to various parts of your body, your code repositories process and distribute data to different internal and external business applications.
Data is the blood of your organization, and code repositories are its veins.
To answer what data the code is processing and what happens to that data, an engineer must scan and map these veins. Engineers rely on their memory or review the code manually to do this, and despite their best efforts, it is laborious and prone to human error.
What if, instead of relying on memory or manually checking the code, the engineer could ask contextual questions like:
Now imagine a tool that allows you to ask these questions across thousands of repositories at scale.
We now have access to a tool that finds sensitive data, maps it, and shows you where in your code it flows, all without executing any code. Identifying and fixing the issues early in the software development life cycle is the key to solving the Privacy and Data Security nightmare.
The following use cases can be solved with such a technology:
- Identify and remove data leaks
- Improve data storage security by identifying and fixing insecure practices
- Find and fix unaccounted-for third-party sharing of data
- Generate and maintain Data map and Article-30 Reports
- Automate the generation of data-flow diagrams
- Establish and enforce Data Protection and Governance policies
- Incorporate GDPR, CCPA, SOC, ISO, HIPAA, and PCI controls
- Implement Privacy by Design
This is 100% real. This is why we have built Privado.
Privado scans the code and provides answers to thousands of pre-defined contextual questions related to the sensitive data.
Our platform empowers developers to secure data and implement compliance controls without slowing the delivery of business value. Its simplicity and predictability eliminate the friction between stakeholders such as Security, Legal, Privacy, Data Governance, and Development teams.
Scan a code repository
Understanding output JSON
Privado creates /.privado/privado.json inside the repository folder.
The JSON contains the following sections:
It is an array of PII data elements detected in the code. It lets you know what PII data is being touched in your code repository.
This array contains all the instances where data elements are processed.
This is an array of dataflows. The dataflow represents how the PII data is sent to sinks. For Compliance and Data Security, sinks are classified as Leakage, Storage, Third Party, or Internal APIs. Dataflows are important to understand your risk vector and enforce your legal commitments.
- When PII data is stored in logs, there is a risk that it will be exposed to unauthorised individuals. A security engineer will either mask or remove the PII data when it's logged.
- Tokenize and encrypt sensitive data like credit cards if they are being stored.
It is an array of collections. In code, a collection is a point where data is accepted from outside.
Example: in Spring-based REST APIs, it would be a method marked with the @PostMapping or @PutMapping annotation. You can use this to check whether the data collection was done with consent.
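To make the collection point, dataflow, and sink concepts above concrete, here is an added illustrative example (not Privado's own code or output): a Spring REST controller whose @PostMapping accepts PII, logs it raw (the Leakage sink a scan would flag), and then shows the masked and tokenized forms a security engineer would substitute. The class, field and helper names are invented, and the tokenize() helper stands in for a real tokenization service.

```java
// Assumes Spring Boot (Java 17+) and SLF4J on the classpath; all names are illustrative.
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SignupController {
    private static final Logger log = LoggerFactory.getLogger(SignupController.class);

    // Request payload: these fields are the PII "sources" a scanner would detect.
    public record SignupRequest(String email, String phone, String creditCard) {}

    // Collection point: data enters the application here via @PostMapping.
    @PostMapping("/signup")
    public String signup(@RequestBody SignupRequest req) {
        // Leakage sink: raw PII flows into log files. This is the dataflow a scan reports.
        log.info("New signup: email={} phone={}", req.email(), req.phone());

        // Mitigated form: mask before logging so the log sink carries no usable PII.
        log.info("New signup: email={} phone={}", maskEmail(req.email()), maskTail(req.phone(), 2));

        // Storage sink: a card number is tokenized, never stored raw.
        String token = tokenize(req.creditCard());
        return "stored token " + token;
    }

    // Keep the first character of the local part and the domain: "a***@example.com".
    static String maskEmail(String email) {
        if (email == null) return "***";
        int at = email.indexOf('@');
        if (at <= 0) return "***";
        return email.charAt(0) + "***" + email.substring(at);
    }

    // Reveal only the last `keep` characters: "*******12".
    static String maskTail(String value, int keep) {
        if (value == null || value.length() <= keep) return "***";
        return "*".repeat(value.length() - keep) + value.substring(value.length() - keep);
    }

    // Placeholder (assumption): a real tokenization service would issue the token and
    // hold the PAN-to-token mapping in a vault; the token itself must not derive from the PAN.
    static String tokenize(String pan) {
        return "tok_" + UUID.randomUUID();
    }
}
```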
There are two types of issues.
Privado aggregates privacy and data threat definitions from multiple sources such as OWASP, NIST, MITRE. Developers must fix these vulnerabilities in order to protect customer data and privacy.
Example: sensitive data going to log files, or user-input text boxes that are not masked for sensitive fields.
You can define policies related to compliance or data protection. There could be a policy to restrict the use of certain sensitive data to specific applications or not to share the data with third parties such as Google Analytics.
Visualizing the results
For visualizing results, Privado provides a rich dashboard out of the box. Just run Privado and wait for a link to appear; click it to view your results. You can choose whether to use the dashboard by turning result upload on or off.
The Privado CLI can be integrated into your CI/CD pipelines for continuous monitoring.
Java is the first language we support. As part of the Enterprise offering, Privado supports all languages. To open source support for a language, an architecture change is required so that community contributions can be made easily. We are working on open sourcing support for the other languages.
Prashant is the CTO & Founder of Privado