January 28 is Data Privacy Day. It is a great opportunity to remind ourselves to cover our cybersecurity blindspots and also highlight the importance of secure coding practices when it comes to protecting personal information.
In the digital age, data is like gold. It has tremendous value, and just like gold, it needs to be mined, transported and stored securely. In the same way that a bank vault keeps gold secure, secure coding practices help keep our data safe.
However, unlike gold, data can be easy to replicate and distribute, making it even more important to ensure that we protect it properly. As developers, it’s our responsibility to make sure that we’re not inadvertently putting people’s personal information at risk.
One of the key things to keep in mind when it comes to protecting privacy in secure coding is the principle of least privilege. This means that we should only give our code access to data and system resources that it needs to do its job, and no more. This helps to limit the damage that can be done if a hacker manages to exploit a vulnerability in our code. In the context of privacy, this also includes the principle of data minimization: only collecting information that is directly relevant and necessary to accomplish a specified purpose. Consider the infamous case of the popular Strava fitness tracker in 2018 where overly broad data collection capabilities used in the generation of their global fitness heatmap revealed high-resolution maps of secret military bases.
Another important aspect of privacy is the principle of making a system secure by default – which includes privacy by default. End-users may not be fully aware of the data being collected and used by an application and may not update their privacy settings to protect it appropriately. It is critical to protect user data as much as possible with just the default settings. In the aforementioned Strava incident, lax security settings in the leaderboard functionality made it possible to identify and ‘de-anonymize’ individual soldiers at military bases by uploading fake routes claiming to run the same routes as the targets. And despite Strava adding in privacy features to mitigate this problem, the same attack happened again on a smaller scale in June 2022! Note that we are not just picking on Strava here – privacy by default is a problem in general when it comes to any kind of tracking software.
And of course, vulnerabilities in the code related to input validation, authentication and authorization can all lead to privacy issues. As a recent example, broken authorization in Twitter’s Android client, reported in January 2022, could reveal the phone number and email addresses of its users – even for people who have hidden these fields via privacy settings. This vulnerability had devastating consequences: in July 2022, criminals went on to sell the personal details of 5.4 million Twitter users they obtained by exploiting the vulnerability back in 2021.
In addition to protecting personal information and adhering to laws and regulations, privacy compliance also involves ensuring secure coding practices are in place. Organizations should develop and implement secure coding standards and guidelines, and regularly train developers on best practices. They should also conduct regular code reviews and testing to identify and address vulnerabilities in the software however, we maximize the impact when we prioritize people over tools.
The ultimate measure of privacy compliance that business leaders should ensure is building a resilient application from data to code, and continuously assessing and improving their data privacy practices, including secure coding practices, to protect personal information and build trust with customers and stakeholders.
Overall, secure coding is an essential part of protecting personal information and should be at the forefront of every developer’s mind. By keeping the concepts of least privilege, data minimization, and secure by default in mind and following best practices with input validation, authentication and authorization, we can go a long way towards keeping our data safe and secure.
Let’s all take this Data Privacy Day as an opportunity to refresh our knowledge and make sure that we’re doing everything we can to protect the personal information that we handle. Let’s celebrate this special day by committing to a more secure digital future through the practice of secure coding.
What steps do you take to prioritize software security in your digital business?