Need a penetration test?
Contact us for a no-obligation conversation about your security needs.
The principles of personal data protection must be built into IT development from the design phase, in order to protect the privacy of the persons whose data you will process. This gives them better control over their data and limits errors, loss, unauthorized changes, and misuse of their data in your applications.
Put privacy protection at the center of your development by applying a Privacy By Design methodology.
If you use agile methods in your development, integrate security at the core of your process. ANSSI has published a guide, “digital security & agility” (available only in French), that describes how to conduct development in an agile context while taking security into account. Use it as a source of inspiration.
For any development aimed at the general public, consider the privacy settings, including the default settings, such as whether user content is visible to others by default.
Conduct a Privacy Impact Assessment (PIA). For certain types of data processing it is mandatory; in other cases it is a good practice that lets you identify and manage the risks before development begins. CNIL has a dedicated section on its website and offers free software for this type of analysis.
Include privacy protection, including data security requirements, from the design phase of the application or service onward. These requirements should influence the choice of architecture (e.g., decentralized vs. centralized) and of functionality (e.g., short-term anonymization, data minimization). The application's default settings must meet minimum security requirements and comply with legislation. For example, the preset password complexity must at least comply with CNIL's recommendation on passwords.
Maintain control of your system. It is important to have control over the system, both to ensure correct operation and to maintain a high level of security. A simple system is easier to understand, and thus easier to identify weaknesses in. If some complexity is necessary, it is recommended to start with a simple, well-developed, and secure system. Complexity can then gradually be increased while new features are secured on an ongoing basis.
Do not rely on a single line of defense. Even if every precaution is taken to design a secure system, components added later may contain vulnerabilities. To minimize the risk to end users, the system should be defended in depth. For example, validation of the data submitted through an online form is part of the outer defense mechanisms; if that line of defense is bypassed, protection of the database queries (for example, parameterized queries that never splice user input into SQL text) takes over.
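The two layers described above, form validation as the outer line and a protected database query as the inner line, as an added example that is not part of the original guide. It uses Python's standard sqlite3 module against a constructed in-memory table; the function names, the username rule and the sample rows are assumptions made for the illustration. The string-concatenation variant is included only to show what the inner layer catches when the outer one is skipped.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the guide).
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]

# Outer line of defense: a plausible username is 3-32 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def validate_username(value):
    """Outer layer: reject anything that does not look like a username."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def find_user_unsafe(conn, username):
    """No inner layer: user input is spliced into the SQL text.
    Shown only to demonstrate the failure mode; never use this pattern."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def find_user_safe(conn, username):
    """Inner layer: a parameterized query, so the input is always treated as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


def lookup(conn, username):
    """Both layers together: validate at the edge, then query with parameters.
    Returns None when the outer layer rejects the input."""
    if not validate_username(username):
        return None
    return find_user_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed injection attempt
    print("outer layer accepts payload:", validate_username(payload))
    print("concatenated query returns:", find_user_unsafe(db, payload))
    print("parameterized query returns:", find_user_safe(db, payload))
    print("both layers:", lookup(db, "alice"), lookup(db, payload))
```

With the injection payload, the concatenated query returns every user in the table, while the parameterized query returns nothing because the payload is compared literally. The point of defense in depth is that the second result holds even if a later change removes or weakens the validation step.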
Use programming standards that take security into account. Lists of standards, best practices, and coding guides that improve the security of your development exist for most languages. In addition, tools can be integrated into your development environment (IDE) to automatically check that your code complies with the applicable standards and security principles. You can easily find lists of best practices for your preferred programming language online, for example for C, C++, or Java. For web applications, specific guides exist, such as those published by OWASP.
Technological choices are crucial. Some parameters to consider:
Set up a secure development environment with version control of the code, following the dedicated section of this guide.