Putting privacy on the developers' front burner

By Colleen Frye, News Writer
29 Jan 2007 | SearchVB.com


The TJX data breach has demonstrated that information security breaches, particularly those involving the theft of personal information such as Social Security or credit card numbers, are nightmares for businesses and their customers alike. As the spotlight on the security of software applications and Web sites intensifies, developers are being asked to add another item to their checklist: privacy.

While many large corporations have internal guidelines for handling private data, other organizations are still grappling with how to build security- and privacy-conscious practices into their development cycles. To advance the discussion, Microsoft late last year released a set of privacy guidelines for developing software products, Web sites and services.

"A lot of companies understand the importance of privacy but are struggling with how to best help ensure their products and services actually empower customers to control the collection, use and distribution of their personal information," said a Microsoft spokesperson. "Developers can play a central role in addressing this concern, but they also need guidance to implement privacy-conscious development practices."

Diana Kelley, a vice president at Midvale, Utah-based Burton Group, said security and privacy have not been on the minds of developers. "Traditionally developers spend a lot of time focusing on getting code written quickly, and getting it to work effectively," she said.

For example, developers obviously know that credit card information should be protected. But if something goes wrong with a transaction, the failed request may be written to a log file, and that log file, which now includes the credit card number, is itself vulnerable to a breach, said Brian Chess, founder and chief scientist at software security product company Fortify Software Inc., in Palo Alto, Calif. "A developer might not think it all the way through if they're not told to focus on how to keep information private."

Microsoft's Privacy Guidelines for Developing Software Products and Services are based on the privacy practices incorporated in the Microsoft Security Development Lifecycle (SDL) as well as global privacy laws. The privacy guidelines cover topics such as:

  • Definitions of different types of customer data that include personally identifiable information,
  • Guidelines for notifying users that their personal data may be collected, and offering them ways to consent (or not),
  • Guidelines for disclosing to users how their personal information may be used,
  • Reasonable steps to protect personally identifiable information from loss, misuse or unauthorized access,
  • Control mechanisms for users to express their privacy preferences, and
  • Strategies to prevent data leakage by minimizing the amount of personal information that needs to be collected.

Many large organizations already have privacy guidelines that are "much more specific to the business they're in and the regulations they have to deal with," Chess said. "[H]owever, there are a lot of companies making software that are smaller and don't have a privacy department."

Having a baseline set of guidelines is beneficial, Chess said, but individual companies will have to address privacy at a deeper level specific to their own businesses. For example, he said, "before you take private information from a user and put it into the system, you have to ask permission. How does that map into your system? What is private? It will be specific to each system. What does a program that protects privacy look like? This will be a step further of refining."

Kelley said some privacy issues can be addressed as part of the software development lifecycle -- particularly during the requirements phase -- "but that doesn't mean you can solve every problem. The baseline Microsoft has created is not all you'll ever need to think about, and they state clearly that it's a beginning."

In the Microsoft guidelines, Kelley said she liked the discussion of how to expose consent to users and provide notification that private data is being collected, and the reminder to store only what you need. "Getting people to think -- do we need to collect and store this data? -- is critical. How long do you need to store it? In the case of a credit card, it could be just a few seconds."
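The log-file leak Chess describes above and Kelley's point about holding a card number only for the seconds it is needed, as an added example that is not part of the original article or of Microsoft's guidelines. Everything in it is constructed: the charge request, the payment-gateway stand-in, the sample log lines (4111 1111 1111 1111 is a widely published test number, not a real account) and the function names are placeholders. It shows the failure-path logging that writes the whole request, card number included, into the log, beside a version that logs only the last four digits and discards the number as soon as the gateway call returns, and it adds the check a practitioner would want afterwards: a scanner that uses the Luhn checksum to tell card numbers from order IDs and timestamps when hunting for numbers that have already reached a log.

```python
"""Keeping card numbers out of log files: the unsafe pattern beside the
hardened one, plus a scanner for numbers that have already leaked.
Added example; the request, gateway stand-in and log lines are constructed."""
import re
from dataclasses import dataclass

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the most a support log normally needs."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate in free text with its masked form."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


@dataclass
class ChargeRequest:
    order_id: str
    amount_cents: int
    pan: str      # full card number; needed only for the gateway call
    expiry: str


class GatewayError(Exception):
    pass


def gateway_authorize(req: ChargeRequest) -> None:
    """Stand-in for the payment processor (hypothetical); always declines here."""
    raise GatewayError("declined: insufficient funds")


def charge_unsafe(req: ChargeRequest, log: list) -> None:
    """The pattern Chess describes: on failure the whole request is logged."""
    try:
        gateway_authorize(req)
    except GatewayError as e:
        log.append(f"charge failed for {req}: {e}")   # the PAN now lives in the log
        raise


def charge_safe(req: ChargeRequest, log: list) -> None:
    """Log only what support needs; drop the PAN the moment the gateway has it."""
    last4 = req.pan[-4:]
    try:
        gateway_authorize(req)
    except GatewayError as e:
        # Redact the whole line as well: a gateway message might echo the number.
        log.append(redact(f"charge failed order={req.order_id} card=****{last4} "
                          f"amount={req.amount_cents}: {e}"))
        raise
    finally:
        req.pan = None   # nothing downstream (handlers, crash dumps) can see it now


def find_leaked_pans(log_lines) -> list:
    """Scan existing log lines; return (line_no, masked_pan) for each real hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                hits.append((n, mask_pan(digits)))
    return hits


# Constructed log excerpt: line 4 holds a 13-digit session ID that fails Luhn.
LOG_SAMPLE = [
    "2007-01-29 10:02:11 INFO order ORD-88213 created amount=1500",
    "2007-01-29 10:02:12 ERROR charge failed for ChargeRequest(order_id='ORD-88213', "
    "amount_cents=1500, pan='4111111111111111', expiry='12/09'): declined",
    "2007-01-29 10:02:13 INFO retry with card 4111 1111 1111 1111 exp 12/09",
    "2007-01-29 10:02:14 INFO session 1234567890123 timed out",
]

if __name__ == "__main__":
    for name, fn in (("unsafe", charge_unsafe), ("safe", charge_safe)):
        log = []
        try:
            fn(ChargeRequest("ORD-88213", 1500, "4111111111111111", "12/09"), log)
        except GatewayError:
            pass
        print(name, "->", log[0], "| leaked:", find_leaked_pans(log))
    print("sample log hits:", find_leaked_pans(LOG_SAMPLE))
```

The scanner deliberately accepts separators and requires a Luhn-valid checksum, which keeps timestamps, order IDs and the 13-digit session ID in the sample out of the results; run it over real logs only as a detective control, since the fix is to never let the number reach the logging call in the first place.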

Formalizing these types of privacy policies will ultimately be beneficial to everybody, she said.


