Privacy Engineering

Privacy code scanning: How privacy software is catching up with information security

Jake Ottenwaelder
April 9, 2024

The idea of bodily privacy can be referenced in various religious or ancient texts and its basis has not changed with the introduction of technology. The big changes over the past couple of decades come from how much value we are placing on this privacy as we struggle to figure out where technology intersects with humanity. The concepts of privacy and how we are applying privacy have existed for a long time; companies are just now having to figure out how to implement it so they can gain consumer trust.

The trends companies are following to build privacy mirror what has already been accomplished for information security. So instead of trying to “reinvent the wheel,” let's examine the progress made in information security and see how that relates back to advancements in privacy.

Privacy programs are following the same trends as information security

Information security started out as an uphill battle where practitioners were pushing to implement the bare minimum. Little things like requiring passwords on work devices were scrutinized for wasting money. Google spends approximately $3.78 million per year in man hours having people log into their work devices (assuming a $60k average salary per Glassdoor, 182,000 total employees, and 10 seconds to input a password and MFA per workday [250 workdays per year], which equates to $3.78 million). In the privacy world, the bare minimum is developing a privacy policy. In both situations, the organization has not really implemented strong security or privacy practices.

Information security continued to mature and began implementing the Secure Software Development Lifecycle (SecureSDLC), which integrates more security checks and tests into applications. Privacy saw a similar push with the advent of Privacy by Design, as practitioners saw a need to integrate privacy into the design of systems.

Throughout this time, applicable software and tooling for information security and privacy teams have expanded. For information security, static code analysis tools have become staples along with endpoint security, firewall management, device managers, security as code platforms, data loss prevention, and so much more. The industry exploded with different tools that provide niche value to organizations as the risk of security breaches became too large to ignore.

Privacy technology is moving in a similar direction. Starting out, the privacy industry saw the rise of a few large players that entered the market early and began expanding to try and cover every possible need for privacy programs. We’ve seen those leaders start to slow down as they’ve spread themselves thin across a broad feature set and not kept up with advancing technology and research.

Now, new and better privacy vendors are coming into the space that don’t just look from the outside in on your privacy program, but can integrate more closely with your technology stack. Just as information security teams’ tools touch every inch of an organization, we’ve seen privacy technology expand from just a cookie banner into consent solutions that check every data flow throughout an organization for compliance.

Privacy tools are specializing and maturing

At the center of most modern organizations is the codebase that they rely on and their engineers continue to build on. For information security teams, results from code scanning solutions such as Static Application Security Testing (SAST) tools provide invaluable insights on the security risk posture of the code being deployed.

Following this trend for privacy, Privado aims to provide similar functionality for privacy programs. There is only one source of truth in how applications work, the source code. Privado’s privacy code scanning solution uncovers how data flows through applications and highlights privacy dark patterns or risks associated with unsecured personal data.

Additionally, the biggest challenge privacy programs face is not just doing a one-time Privacy Impact Assessment (PIA) of a product, but continuing to monitor that application for changes and auditing/validating that the risks identified in an assessment have been resolved. Privado’s solution allows for continuous monitoring of the codebase and integration into the CI/CD pipeline to alert privacy teams about new risks or existing risks that have not been addressed.
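To make the idea of privacy code scanning concrete, here is an added example that is not Privado’s code and does not reflect its rule set. It is a deliberately small, standard-library-only scanner that walks a Python abstract syntax tree, treats identifiers that look like personal data (the `PII_MARKERS` vocabulary is an assumption) as taint sources, follows simple assignments, clears the taint when a value passes through an assumed sanitizer (`redact`, `mask`, `hash_pii`) or is overwritten, and reports any tainted value that reaches a logging sink. The `ci_exit_code` helper shows how such a result feeds a CI/CD gate as the paragraph above describes. `SAMPLE_SOURCE` is a constructed input written for this example.

```python
"""Toy privacy code scanner: flag personal data flowing into log sinks.

Added illustration only; the marker words, sink list and sanitizer names
below are assumptions, not any vendor's detection rules.
"""
import ast
import re
from dataclasses import dataclass

# Identifier tokens that suggest personal data (assumed vocabulary).
PII_MARKERS = {"email", "ssn", "phone", "dob", "birth", "address"}
# Calls whose arguments end up in logs (assumed sink list).
LOG_SINKS = {"print"} | {
    f"{mod}.{lvl}"
    for mod in ("logging", "logger")
    for lvl in ("debug", "info", "warning", "error")
}
# Functions assumed to strip or hash personal data before it is used.
SANITIZERS = {"redact", "mask", "hash_pii"}


@dataclass
class Finding:
    line: int    # source line of the sink call
    sink: str    # dotted name of the sink that was called
    origin: str  # personal-data identifier the value came from


def _is_pii_name(name):
    """Token match (not substring) so 'remote_addr' is not 'address'."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    return any(tok in PII_MARKERS for tok in tokens)


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _names_in(expr):
    """Every dotted name referenced anywhere inside an expression."""
    return {d for sub in ast.walk(expr) if (d := _dotted(sub))}


class PrivacyScanner(ast.NodeVisitor):
    def __init__(self):
        self.taint = {}      # local variable -> personal-data origin
        self.findings = []

    def _origin_of(self, expr):
        # A value returned by a sanitizer is treated as clean.
        if isinstance(expr, ast.Call) and _dotted(expr.func) in SANITIZERS:
            return None
        for name in sorted(_names_in(expr)):
            if name in self.taint:
                return self.taint[name]
            if _is_pii_name(name):
                return name
        return None

    def visit_Assign(self, node):
        origin = self._origin_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if origin:
                    self.taint[target.id] = origin
                else:
                    self.taint.pop(target.id, None)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = _dotted(node.func)
        if callee in LOG_SINKS:
            for arg in node.args + [kw.value for kw in node.keywords]:
                origin = self._origin_of(arg)
                if origin:
                    self.findings.append(Finding(node.lineno, callee, origin))
        self.generic_visit(node)


def scan_source(code):
    """Return personal-data-to-log findings for one Python source file."""
    scanner = PrivacyScanner()
    scanner.visit(ast.parse(code))
    return scanner.findings


def ci_exit_code(findings):
    """Non-zero when unresolved findings exist, so a pipeline step fails."""
    return 1 if findings else 0


# Constructed sample input for this example.
SAMPLE_SOURCE = '''
import logging
logger = logging.getLogger(__name__)

def handle_login(user, request):
    contact = user.email                              # personal data copied
    logger.info("login attempt for %s", contact)      # finding: email -> log
    masked = redact(user.ssn)
    logger.debug("verifying %s", masked)              # sanitized, no finding
    ip = request.remote_addr
    print(f"request from {ip}, phone={user.phone}")   # finding: phone -> print
    contact = "support@example.com"
    logger.warning("contact %s", contact)             # overwritten, no finding
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line}: {f.origin} reaches {f.sink}()")
    raise SystemExit(ci_exit_code(found))
```

Run as a script it reports two flows (lines 7 and 11 of the sample) and exits with status 1, which is the shape of signal a pipeline gate consumes; the sanitizer and overwrite cases show why a real scanner needs a notion of data being cleaned or discarded rather than a plain keyword search.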

If Privado is the first to operationalize privacy code scanning, what will be the next trend that the privacy industry will develop? Are we going to start seeing the migration from Security Operations Centers (SOCs) to Security and Privacy Operations Centers (SPOCs)? Or will organizations start developing privacy penetration testing? As the industry continues to mature, there will be more markets available for these vendors to further specialize and that is when more technical innovations will happen.

The Author

Jake Ottenwaelder is the Principal Privacy Engineer at Integrative Privacy LLC, a boutique privacy consulting firm that provides bespoke privacy recommendations and implementation services to international organizations. They take a human-centric, holistic approach for not just considering data subjects but also for the employees of an organization to drive better adoption and education. Integrative Privacy is an independent, objective organization and does not receive compensation for public statements.

This is not a paid advertisement; Integrative Privacy LLC did not receive any compensation for this post by Privado.ai.

