Embedding GDPR in the secure development lifecycle (SDLC)

Did you know that the GDPR and the SDLC reinforce each other, and that the GDPR can serve as the ideal business case for starting with an SDLC? Siebe and I explained how and why during the OWASP AppSec Europe conference in Belfast. Couldn't attend? You can find the presentation in our previous blog, or begin by reading the introduction below.

We all know that in less than a year the GDPR (General Data Protection Regulation) becomes enforceable, unifying privacy legislation across the EU member states (including, at that time, the UK) and improving the protection of personal data and data subject rights. And I don't need to tell you that the secure development lifecycle (SDLC) is the go-to methodology when planning, designing, building, testing and delivering information systems. But if you play it smart, you can improve your SDLC by including GDPR activities, and use SDLC artifacts to demonstrate compliance with the GDPR.

A number of GDPR articles specifically refer to security. Article 25 (data protection by design and by default), Article 32 (security of processing) and Article 35 (data protection impact assessments, DPIAs) all mention the level of security and the assessments that should be considered. The most efficient way to comply with these GDPR security requirements when developing (new) applications is to integrate them into your secure development lifecycle.

You can find more information on the OWASP Software Assurance Maturity Model (SAMM), and how it can be integrated into any existing SDLC, here. For now, it suffices to know that OpenSAMM is structured in three levels.

  • At the highest level it is divided into four business functions, which group the concerns to consider while developing or using software. They align well with a typical organisational structure, and this is how software security typically ties into an organisation.
  • Below that, each business function contains several security practices that should be considered for improving software security.
  • At the lowest level, every security practice consists of a set of activities, ordered in maturity levels, each with its own objective.

The GDPR articles related to security map neatly onto these activities, as the following table of SAMM domains shows:

[Table: SAMM domains mapped to GDPR articles]
So, when you divide, for example, the GDPR requirements on Policy & Compliance into the three SAMM maturity levels, this is the result:


More examples and details can be found in the presentation in our previous blog. Or get in touch!


How compatible is the GDPR with public cloud?

Are the requirements of the GDPR compatible with the use of public cloud? This interesting question is asked not only by our customers, but also by the readers of the ICT magazine Smart Business. I made a thorough analysis, considering not only the rules and regulations but also the feasibility and overhead costs. You can read my conclusions on the Smart Business website, in Dutch.


Presentation “Embedding GDPR in the SDLC” available for download

Last Thursday we delivered our presentation "Embedding GDPR in the SDLC" at the OWASP AppSec Europe conference in Belfast.
The presentation is the outcome of various projects in which we encountered both privacy and application security challenges.
Siebe De Roovere (one of our privacy specialists) and I have worked on integrating GDPR compliance requirements into a secure development life cycle.

SAMM – GDPR mapping

For secure development life cycle projects we use the OWASP Software Assurance Maturity Model (SAMM). This is an excellent maturity model with concrete guidance on application security activities, which you can integrate into your software governance, development, testing and operations. We identified the GDPR requirements and deliverables and mapped them onto the SAMM activities.
This way we both improve software security activities and can demonstrate GDPR compliance with the security deliverables. One example is a documented threat model that includes the outcome of a data protection impact assessment (DPIA).


There was a lot of interest for our session and we had great questions and feedback at the end of our presentation.
The slides of the presentation are available for download here: TOREON_Embedding_GDPR_into_the_SDLC_OWASP_AppSecEU_Sebastien_Siebe_V20170511
We will let you know when the video of the presentation is available.

We decided to donate the SAMM/GDPR mappings to the OWASP SAMM project and will organize a working session during the upcoming OWASP Summit in June to develop this further.

In the meantime, we encourage you to provide feedback and/or input to improve the current mappings!

Kind regards,

Seba & Siebe

7 ways to create trust by implementing the GDPR

The GDPR brings many challenges, but it is also an opportunity to create and leverage customer trust. Studies show that when people trust a brand, they are more likely to recommend it and are even willing to pay more for its products or services. This is especially true in data-driven industries. So when companies whose main competitive advantage is customer data gain a track record of being trustworthy, they will outperform their competitors.

But how can we create trust when it comes to processing personal data? The GDPR requires all seven of the principles below. If handled well, they can also significantly boost customer trust in your business.

  1. Ask for permission, not for forgiveness
    Always have a lawful basis before collecting personal data and, where that basis is consent, ask for it explicitly and explain the purposes of the processing. This also means that covert methods of obtaining personal data (such as tracking cookies) should not be used without first informing your customers and obtaining their approval. Be clear about the data you collect and how it is treated, and stick to your own rules!
  2. Limit yourself
    Do not ask customers for more information than necessary. Requesting unnecessary information is often seen as a red flag. Buying customer data also negatively affects trust and should be avoided.
  3. Deliver value in exchange for personal data
    If you are able to show your users that by sharing their data, their experience improves, they will be willing to provide their information more easily. Make sure this is a fair trade.
  4. Give customers control
    The best way to build trust is to give people direct control over their information. You can achieve this by providing a platform on which your customers can easily access, rectify and delete their personal data and manage their privacy settings. At the very least, provide customer-centric processes that make it easy for customers to exercise their rights.
  5. Adequately protect
    Consumers will never be able to trust you with their data if you cannot show that it is secure. So it is of the utmost importance to implement an information security management system within your organisation. Obtaining a security certification (such as ISO/IEC 27001:2013) is a good way to show that information security best practices are implemented within your organisation.
  6. Be honest
    Your incident response plan should include an incident communication strategy that correctly informs affected people and the data protection authorities. Withholding information or trying to cover up incidents will have long-lasting negative consequences for your company. Handling a breach well and communicating effectively can demonstrate maturity and responsibility, especially if you can show that the breach happened despite strong security measures.
  7. Educate your customers
    Users can't trust you if they don't know what you are doing. To maximise the trust gained from the control measures you have implemented, inform users about your personal data practices through clear, engaging communication. Companies that think it is sufficient to provide disclosures in an end-user licence agreement, or to present the terms and conditions of data use at sign-up, are missing an opportunity. They may be addressing regulatory requirements, but they are doing little, if anything, to educate consumers and build trust.

These seven principles can never be achieved and maintained within an organisation without the implementation of an eighth principle: governance. Governance is the principle that rules the other principles. It can be described as the implementation of a set of rules and control measures through technological solutions, roles, policies and processes. This leads to the establishment of a privacy management system within your organisation, which allows you to monitor and manage the effectiveness of the other implemented principles. If you communicate effectively and in simple terms about your measures, this will convince your customers that you care and that their data is in good hands.

Toreon partners up with Nymity for GDPR compliance

We've signed an agreement with the Canadian firm Nymity Inc., the global privacy research company, which allows us to use their specialised privacy management platform. Consequently, we will be able to support even better the delivery of implementation services to comply with the EU's General Data Protection Regulation (GDPR), which becomes applicable on 25 May 2018.

What is the GDPR?

Of course you know what the GDPR is and you are almost completely compliant, but just in case you don't/aren't: the GDPR replaces the Data Protection Directive 95/46/EC. Its aim is to harmonise data protection law across all EU member states. It gives citizens back control over their personal data, but it is also a much-needed update, as it simplifies data protection routines for businesses operating in the EU.

Many companies have already adopted privacy processes and procedures in line with the Data Protection Directive. However, the GDPR contains a number of new protections for EU data subjects. Moreover, there will be significant fines and penalties for non-compliant data controllers and processors.

The route to compliance

Information security and data protection are indispensable if we are to live and work with trust in our digital society. Companies need to reinforce the mechanisms they have designed to protect personal data in response to the many regulations around the world. From the GDPR compliance perspective, there will be three types of companies: the non-compliant, the compliant, and those that can demonstrate compliance. Ideally, your company becomes type 3.

New privacy service

Since Nymity offers information on regulations all over the world, we are happy that we can share the knowledge of their analysts with our customers. Moreover, we will use the Nymity Attestor™ platform as a dashboard to help us help you become a type 3 company.

Are you ready to show your compliance to GDPR? Or could you use a hand?