You may have noticed it: privacy is an issue. Hardly surprising, since there are only 16 days left until the EU General Data Protection Regulation (GDPR) becomes fully enforceable throughout the European Union.
So before the end of May 2018 every organization that processes personal data of people in the EU must comply with the GDPR. Working out how to design and improve your systems to meet the GDPR is not straightforward. But before you consider yourself done, it is advisable to perform a few simple privacy tests, especially on your website(s).
Before others notify you of unwanted privacy issues on your site, you should have a clear view yourself of how your site scores against obvious security and privacy checks. If you are going to test whether your site is compliant with the GDPR and meets basic security requirements (e.g. the OWASP Top 10), use good open source (OSS) tools.
A promising tool is PrivacyScore. PrivacyScore is an automated website scanner that lets you investigate websites for privacy and security issues. You can scan individual websites, or enter a list of related websites to see how they compare against each other. PrivacyScore integrates many existing OSS privacy and security tools and gives very detailed results with a clear explanation of how the score is calculated, including its limitations. One of its nice features is that, besides running it on a single website, you can create a category of sites with a ranking per site, which helps raise awareness among site owners.
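To make concrete what an automated scanner of this kind actually checks, here is a small, self-contained example of three typical checks (missing security response headers, cookie attributes, and third-party resources embedded in the page) with a simple score. This is an added illustration written for this post, not PrivacyScore's own code or scoring model; the HTTP response and HTML it runs on are constructed inline, the hostnames are fictitious, and the "last two DNS labels" rule for deciding what counts as the same site is a deliberate simplification (a real scanner would use the public suffix list).

```python
"""Minimal website privacy/security checks of the kind an automated scanner runs.

Added example for illustration; not PrivacyScore's code. Runs offline on a
constructed sample response (no network access).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTTP response (header list, because Set-Cookie repeats).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "_tracker=xyz; Path=/; Domain=.ads.example.net"),
    ("X-Content-Type-Options", "nosniff"),
]
SAMPLE_HTML = """<html><head>
<script src="https://www.example.org/app.js"></script>
<script src="https://cdn.ads.example.net/pixel.js"></script>
<link rel="stylesheet" href="/style.css">
</head><body><img src="//analytics.example.com/1x1.gif"></body></html>"""
SAMPLE_SITE_HOST = "www.example.org"  # hypothetical scanned host

# Response headers a scanner expects on a site that takes privacy seriously.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "Referrer-Policy",
    "X-Content-Type-Options",
)


class ResourceCollector(HTMLParser):
    """Collects URLs of embedded resources: scripts, images, frames, stylesheets."""
    SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.SRC_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def registrable_domain(hostname):
    """Simplifying assumption: the 'site' is the last two DNS labels (no public suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_hosts(html, site_host):
    """Hosts of embedded resources that belong to a different site than the page."""
    collector = ResourceCollector()
    collector.feed(html)
    site = registrable_domain(site_host)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /style.css
        if host and registrable_domain(host) != site:
            hosts.add(host)
    return sorted(hosts)


def cookie_issues(set_cookie_values):
    """Flags cookies set without the Secure, HttpOnly or SameSite attributes."""
    issues = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                issues.append(f"{name}: missing {flag}")
    return issues


def missing_headers(headers):
    present = {name.lower() for name, _ in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


def scan(headers, html, site_host):
    """Runs all checks and derives an illustrative 0-100 score (weights are arbitrary)."""
    set_cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    report = {
        "missing_headers": missing_headers(headers),
        "cookie_issues": cookie_issues(set_cookies),
        "third_party_hosts": third_party_hosts(html, site_host),
    }
    penalty = (10 * len(report["missing_headers"])
               + 5 * len(report["cookie_issues"])
               + 5 * len(report["third_party_hosts"]))
    report["score"] = max(0, 100 - penalty)
    return report


if __name__ == "__main__":
    for key, value in scan(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_SITE_HOST).items():
        print(f"{key}: {value}")
```

On the constructed sample the scan reports three missing headers, five cookie attribute problems and two third-party hosts. Note what such a result does and does not tell you: the third-party hosts are candidates for trackers that need a legal basis and a mention in your privacy statement, but the tool cannot tell you whether that basis exists, which is exactly why automated checks are only a starting point.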
PrivacyScore and many other tools can only check and report on technical security and privacy measures that can be analyzed automatically. So within your secure software development life cycle (SDLC) processes you should also embed a periodic evaluation of your security and privacy policies, procedures and governance process.
This blog post will be added (after a rewrite) as an extension to the ‘Open Reference Architecture for Security and Privacy’. We are working on a renewed version. Please join us!