Back in June I wrote some practical guidance on GDPR and application security and made the following comments:
"… as many applications we develop have commonalities, we are able to create architectural risk patterns that can be applied to other applications.
The key to simplification is to break down the application into individual architectural patterns – for example the registration form – and then ask ourselves pertinent questions in relation to GDPR requirements."
Within our IriusRisk Threat Modeling platform we have done the hard work for you. If you indicate that your application will process PII data and this data relates to data subjects within the EU, then GDPR standards and risk patterns will be applied.
IriusRisk does not simply import the entire GDPR Standard and overwhelm security and development teams, but rather applies specific GDPR security requirements relevant to the service you are building.
For example, it’s only useful to import GDPR requirements relating to a user interface if your service includes one. IriusRisk ensures this is the case and only those measures that make sense are recommended.
The auto-generated GDPR requirements can be viewed by security teams and auditors within IriusRisk and can be uploaded to issue-trackers for developers to implement during the build process.
Communication between IriusRisk and issue-trackers is bi-directional allowing security teams and auditors to observe current adherence to – and progress of – GDPR compliance in near real-time. This has the additional benefit of facilitating communication between the relevant stakeholders.
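The workflow described above (break the application into architectural patterns, apply GDPR requirements only when PII for EU data subjects is in scope and only for the patterns the service actually contains, then push the result to an issue tracker and read progress back) can be sketched as a small rule-selection routine. This is an added example, not IriusRisk code: the requirement library, the pattern names, the identifiers such as GDPR-REG-01 and the issue-tracker record shape are all constructed for illustration; only the GDPR article numbers are real.

```python
"""Constructed example: selecting GDPR requirements per architectural pattern."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Requirement:
    ref: str       # constructed identifier, not an IriusRisk id
    pattern: str   # architectural pattern it belongs to; "*" = whole application
    question: str  # the pertinent question to ask while modelling the component
    control: str   # what the development team has to implement


# Constructed requirement library. Article references are the real GDPR
# articles; the pattern mapping and wording are this example's own.
LIBRARY = [
    Requirement("GDPR-ALL-01", "*",
                "Is personal data protected in transit and at rest?",
                "Apply appropriate technical measures (Art. 32)."),
    Requirement("GDPR-ALL-02", "*",
                "Can a data subject's records be erased on request?",
                "Implement the right to erasure (Art. 17)."),
    Requirement("GDPR-REG-01", "registration-form",
                "Does the form collect only the fields strictly needed?",
                "Data minimisation for collected fields (Art. 5(1)(c))."),
    Requirement("GDPR-REG-02", "registration-form",
                "Is consent for optional processing captured explicitly?",
                "Unbundled, affirmative consent capture (Art. 7)."),
    Requirement("GDPR-API-01", "rest-api",
                "Are personal-data responses limited to the authenticated subject?",
                "Per-subject authorisation on endpoints returning PII (Art. 25)."),
    Requirement("GDPR-LOG-01", "logging",
                "Are PII fields redacted or excluded from logs?",
                "Redact PII before writing log records (Art. 5(1)(f))."),
]


@dataclass
class Component:
    name: str
    pattern: str
    handles_pii: bool = False


@dataclass
class Application:
    name: str
    eu_data_subjects: bool
    components: List[Component] = field(default_factory=list)


def in_scope(app: Application) -> bool:
    """GDPR patterns apply only when PII is processed for EU data subjects."""
    return app.eu_data_subjects and any(c.handles_pii for c in app.components)


def applicable_requirements(app: Application) -> List[Requirement]:
    """Whole-application requirements plus those for patterns the app contains."""
    if not in_scope(app):
        return []
    patterns: Set[str] = {c.pattern for c in app.components}
    return [r for r in LIBRARY if r.pattern == "*" or r.pattern in patterns]


def to_tracker_issues(app: Application) -> List[dict]:
    """Shape each requirement as an issue-tracker record (constructed schema)."""
    return [{"key": r.ref, "summary": r.control, "description": r.question,
             "component": r.pattern, "status": "open"}
            for r in applicable_requirements(app)]


def compliance_progress(issues: List[dict]) -> float:
    """Fraction of requirement issues closed, as read back from the tracker."""
    if not issues:
        return 1.0
    return sum(1 for i in issues if i["status"] == "closed") / len(issues)


# Constructed sample applications
SHOP = Application("webshop", True, [
    Component("signup", "registration-form", handles_pii=True),
    Component("orders-api", "rest-api", handles_pii=True),
    Component("app-logs", "logging"),
])
API_ONLY = Application("partner-api", True, [
    Component("export-api", "rest-api", handles_pii=True),
])
INTERNAL_JOB = Application("metrics-job", True, [
    Component("job-logs", "logging"),  # no PII, so GDPR patterns are not applied
])

if __name__ == "__main__":
    for app in (SHOP, API_ONLY, INTERNAL_JOB):
        print(app.name, [r.ref for r in applicable_requirements(app)])
```

The registration-form and logging requirements are never offered to the API-only service, and the metrics job receives nothing because no component handles PII; the tracker records carry the modelling question in the description so the developer sees why the control exists.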
The simplicity of this process is illustrated in the video below: