Have you ever received an email from a company that was clearly meant as an internal test? Chances are you have. And it shows why our #2 recommendation to increase Application Security is to organize basic data protections. If you're doing business in the EU it's not even optional: the GDPR mandates it.
Organize basic data protections
- You need to understand the type and sensitivity of data your app processes.
- You need to implement basic controls to protect important data.
Start with understanding the type and sensitivity of the data your app processes. Where is personally identifiable information processed and stored? Do you process sensitive information such as healthcare or financial data? What happens with backups of the data? Only then can you decide which controls are needed to protect this information.
Take great care to prevent production data from ending up in test or development environments. While testing on production data can often speed up development or help debugging efforts, you should never allow it without proper sanitization. Not only will you end up sending embarrassing test emails to real clients; a developer laptop is also far easier to steal than a cloud server.
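What "proper sanitization" can look like in practice, as an added example that is not part of the original post: a small Python job that applies a per-field classification to a constructed customer export before it is copied to test. Identifying fields get keyed pseudonyms (so joins still work), email addresses are rewritten onto a reserved test domain (so a stray test mailing cannot reach a real client), and anything unclassified is dropped rather than copied. The schema, the policy table and the key are assumptions for illustration.

```python
import hashlib
import hmac

# Field classification for a hypothetical "customers" export (assumed schema).
# The classification drives the control: identifying fields are pseudonymised,
# fields with no value for testing are dropped, everything else is copied as-is.
FIELD_POLICY = {"id": "keep", "plan": "keep", "name": "pseudonym",
                "email": "email", "phone": "drop", "iban": "drop"}

# Assumed: this key exists only in the sanitisation job, never in dev/test,
# so nobody holding the sanitised copy can reverse the pseudonyms.
PSEUDONYM_KEY = b"rotate-me-per-export"

# Reserved test domain (RFC 2606): mail sent here can never reach a real client.
SINK_DOMAIN = "example.invalid"

def pseudonym(value: str, prefix: str) -> str:
    """Keyed, deterministic pseudonym: equal inputs give equal outputs, so joins
    across tables still line up, but the original is not recoverable."""
    mac = hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256)
    return f"{prefix}_{mac.hexdigest()[:12]}"

def sanitize_record(record: dict) -> dict:
    """Apply FIELD_POLICY to one record. Unclassified fields are dropped rather
    than copied, so a column added in production later does not leak by default."""
    out = {}
    for field, value in record.items():
        action = FIELD_POLICY.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action == "pseudonym":
            out[field] = pseudonym(str(value), "user")
        elif action == "email":
            out[field] = pseudonym(str(value), "mail") + "@" + SINK_DOMAIN
    return out

def sanitize_export(records: list) -> list:
    return [sanitize_record(r) for r in records]

# Constructed sample export, not real customer data.
SAMPLE_EXPORT = [
    {"id": 1, "name": "Ada Lovelace", "email": "Ada@Example.com",
     "phone": "+31 6 1234 5678", "plan": "pro", "iban": "NL00TEST0123456789"},
    {"id": 2, "name": "Alan Turing", "email": "alan@example.com",
     "plan": "free", "internal_note": "VIP, do not copy to test"},
]

if __name__ == "__main__":
    print(sanitize_export(SAMPLE_EXPORT))
```

The deny-by-default handling of unknown columns is the part most teams forget: a sanitizer that only lists what to remove silently starts leaking the moment production gains a new field.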
Does your organization have basic data protections? Perform a full OWASP SAMM assessment to find out. We developed a tool that will allow you to do it yourself.

Learn more about our #1 recommendation, best-effort patching.

And be sure to follow our LinkedIn page to learn our newest recommendations to improve Application Security.