Tuesday, May 10, 2016

Common Data Security Mistakes in Application Development


Recently, I was performing a routine audit of a client’s SDLC for an application in development, in view of routine compliance audit, and in the process of reviewing test cases, I was shocked to find real PII data in the requirement; I mean the whole enchilada…not just name and address, but date of birth, driver’s license, and even SSN.  Apparently, the client had included a screenshot of an employee’s human resources record as part of the BRD, and sent it by email to an offshore developer team.  Rule #1 in data security: Never use real PII data for development or testing purposes.

I wish I could say that such was an isolated incident, but believe it or not, the practice is common, as clients often provide non scrubbed data and artifacts with real PII data during requirements gathering, and unwitting BAs, business owners, and developers simply distribute the same, seemingly without a care in the world. This shows how unaware most people are when it comes to data and information security; often it is the little things that lead to the big things. Likewise, minor security threats often lead to big ones, as a result of negligence that often stem from ignorance or lack of policy guidelines.  Fact is, majority, over 80%, of the data breach and identity theft that occur are perpetrated by employees who have access to sensitive data, whether intentionally or otherwise. Individuals who do not understand how important it is to protect data, their personally identifiable information (PII) or the PII of others, put the security of their sensitive information and those of others at risk.  We have work to do to educate people on the importance of securing data and how to do so. Developers should never have access to real PII data for development and testing purposes.

No comments:

Post a Comment