Logo and page links

Main menu

Software development with Data Protection by Design and by Default


This activity will enable developers to write secure code by implementing the requirements for data protection and security.

It is important that the company choose a secure and common methodology, both for coding and for enabling the developers to detect and remove vulnerabilities from the code. Automated code analysis tools should be introduced, and the company must have established procedures for static code analysis and code review.

The target group for this activity is primarily developers, secondarily data protection officers, security advisors, and testers.

Use approved tools and frameworks

To ensure consistent practice, a list of approved and permitted tools, processes, and frameworks for software development and roll-out must be defined and documented. In addition, it must be clear what the different tools may be used for. This entails describing approved tools and associated security features that can help to automate and enforce security procedures in the coding. The list should also include which supporting components, and third-party components and development tools, are permitted for use during development. Tools and supporting components should be risk-assessed and analysed for vulnerabilities. The list should be agreed upon and approved by the security advisor, and must be updated regularly. It should be a goal to use the latest versions of approved tools to take advantage of the opportunities provided by new security features. For example, the list may include the approved encryption technology and cryptographic key length. The list should be updated regularly with the most recognized and up-to-date algorithms and methods, and what key length is deemed sufficient.

Software today is often composed of several collaborating services. This means that a significantly greater number of programming languages, libraries, and frameworks are used in software development now than in the past. Code, libraries, and infrastructure are often merged into more static containers. This is why it is so important for regular scanning for vulnerabilities to be set up in all parts of the code, both in the underlying libraries and in the container setup. Examples of such tools can be found on GitHub and Docker Security Scanning.

Disable unsafe functions and modules

Many functions, APIs, third-party libraries and modules can be unsafe to use based on current threat levels. An analysis should be performed on all functions, APIs, third-party libraries and modules used during software development. Those that are unsafe should be forbidden, while those that are outdated, or contain known vulnerabilities, should be updated. When a blacklist is available, the code should be checked (including inherited code) to replace blacklisted features with safer alternatives. This can be done using code scanning tools. In addition, the code should be checked to deactivate unnecessary tracking, logging, and collection of personal data. For example, unsafe functions and modules can in some cases be handled by tools such as OWASP Dependency Check.

Static code analysis and code review

Static code analysis and code review should be performed on a regular basis. Static code analysis ensures that guidelines for secure coding are being followed and can be measured to ensure controls are working. You should use automated code analysis and code review tools as much as possible. Additionally, the code should be manually reviewed to ensure that any weaknesses that could lead to improper use or leakage of personal data are caught. For example, it may be difficult to identify patterns because data alone does not necessarily constitute personal data, but connections between different types of data can provide personal information. In order to ensure data protection, it is important to map where in the software personal data is stored. A review of the code should particularly examine where personal data is written. A common weakness is to write personal data in application logs with insufficient security.