The General Data Protection Regulation (GDPR) is just around the corner: it comes into effect on May 25, 2018. If you feel a refresher on this far-reaching privacy law is in order, we’ve got a lot of great content to help you and your organization get ready.
Now, how do most organizations collect personal information from users these days? Web applications, of course! And as we know, GDPR requires that information to be stored securely; furthermore, if your web application does get breached and your users’ information is stolen, there are breach reporting requirements to adhere to (as your lawyer would no doubt tell you—don’t take our word for it!).
Fortunately, there are application testing tools and managed application security services available that will not only help you secure your web applications, but also provide you with invaluable context during an incident response that could make all the difference in knowing how a breach occurred and what data was impacted.
DAST, or Dynamic Application Security Testing, tools methodically crawl and attack your running web applications to identify potential application vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF); all of these are avenues for an attacker to compromise your application and steal information. Having the right tools is only half the equation, though; security and development teams must partner to identify and fix application vulnerabilities together, since the critical risks in apps tend to lie in proprietary code written by internal development teams—and therefore must also be patched by those teams. Rapid7’s InsightAppSec is especially effective at bridging the gap between security and development teams, with flexible scan scheduling, blackout periods, and interactive HTML reports with attack replay specifically designed to give developers the information and tools they need to isolate the security bug and create a fix.
DAST tools aren’t just effective in reducing your applications’ attack surface; they are also an important piece of your incident response toolkit. Web application attacks have been the number one source of breaches, according to the Verizon DBIR (Data Breach Investigations Report) from the past two years. As such, in any IT security incident, checking whether the attacker came in through one of your web apps should be part of your incident response playbook. Root cause analysis is also a vital step of incident management. Using a SIEM like InsightIDR, you can centralize your application’s visitor logs and search them against your InsightAppSec DAST scan results to determine if the attacker leveraged a web app vulnerability to get in.
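The correlation described above, as an added example that is not Rapid7's code and does not use InsightAppSec's or InsightIDR's real export formats: a small Python script that takes a list of DAST findings (hypothetical structure: vulnerability type, path, and parameter) and a handful of constructed combined-format access log lines, flags every request that hit a known-vulnerable endpoint and parameter, and marks which of those carried a value that looks like an injection attempt. The hint patterns are deliberately simple and meant only to prioritise log entries for an analyst to review.

```python
"""
Correlate web-server access logs with DAST findings so an incident
responder can quickly see whether a reported web app vulnerability
was actually hit, and by whom. Example code; formats are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed DAST findings. This is a hypothetical shape, not a real
# InsightAppSec export schema.
DAST_FINDINGS = [
    {"type": "SQL Injection", "path": "/account/orders", "param": "id"},
    {"type": "Cross-Site Scripting", "path": "/search", "param": "q"},
]

# Constructed access log lines in Apache/nginx "combined" format
# (documentation IP ranges, sample timestamps).
ACCESS_LOG = """\
203.0.113.7 - - [20/May/2018:10:01:02 +0000] "GET /account/orders?id=42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2018:10:01:09 +0000] "GET /account/orders?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 50213 "-" "Mozilla/5.0"
198.51.100.4 - - [20/May/2018:10:02:30 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1190 "-" "curl/7.58"
192.0.2.9 - - [20/May/2018:10:03:00 +0000] "GET /about HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
"""

# Parses the fields of a combined-format line that matter for correlation.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Illustrative hints: tokens that rarely appear in legitimate values of the
# affected parameters. Tune these per application; they are not a WAF.
SQLI_HINTS = re.compile(r"('|\bOR\b|\bUNION\b|--|;)", re.IGNORECASE)
XSS_HINTS = re.compile(r"(<script|javascript:|onerror=|onload=)", re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, ts, method, path, params, status, size, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "%27" becomes "'" here.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def payload_suspicious(vuln_type, value):
    """Apply the hint pattern that matches the finding's vulnerability class."""
    if vuln_type == "SQL Injection":
        return bool(SQLI_HINTS.search(value))
    if vuln_type == "Cross-Site Scripting":
        return bool(XSS_HINTS.search(value))
    return False


def correlate(log_text, findings):
    """List every request that touched a finding's path and parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for f in findings:
            if rec["path"] != f["path"] or f["param"] not in rec["params"]:
                continue
            for value in rec["params"][f["param"]]:
                hits.append({
                    "ip": rec["ip"], "ts": rec["ts"], "type": f["type"],
                    "path": f["path"], "param": f["param"], "value": value,
                    "suspicious": payload_suspicious(f["type"], value),
                    "status": rec["status"], "size": rec["size"],
                })
    return hits


def suspicious_sources(hits):
    """Sorted, de-duplicated source IPs that sent a suspicious-looking value."""
    return sorted({h["ip"] for h in hits if h["suspicious"]})


if __name__ == "__main__":
    found = correlate(ACCESS_LOG, DAST_FINDINGS)
    for h in found:
        flag = "SUSPICIOUS" if h["suspicious"] else "benign-looking"
        print(f'{h["ts"]} {h["ip"]} {h["type"]} {h["path"]}?{h["param"]}= '
              f'{h["value"]!r} status={h["status"]} size={h["size"]} [{flag}]')
    print("sources to investigate:", suspicious_sources(found))
```

On the constructed data this reports three requests against scanner-reported endpoints, two of them carrying values that match the hint patterns, and names both source addresses for follow-up. In a real investigation the same join is what you would run in the SIEM: filter centralised access logs to the paths and parameters the DAST report lists, then look at the response sizes and status codes around the flagged requests, since an unusually large response on a SQL injection endpoint is often the first sign of data being pulled out.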
Of course, securing your web applications is just one piece of the GDPR puzzle; Rapid7 is here to help you get prepared across the board:
Looking for more GDPR readiness information? Check out the GDPR toolkit!