In order to understand the data flow & lifecycle of an application, the destinations of data for sharing, storage & leakage have to be identified. This gives companies complete visibility over their data and helps identify privacy & data security issues in their products & applications. Here is a list of the data destinations that Privado supports:
- Sharing:
  - Third-Party Packages & Dependencies
  - JavaScript embedded inside the code
  - API calls to third parties
- Storage:
  - Local databases deployed along with your application, like Postgres or MongoDB
  - Cloud databases offered by IaaS providers like AWS, GCP, Azure
- Internal Sharing:
  - Internal API calls
  - Messaging queues
- Log Leakages:
  - Central logging systems & SIEM tools
  - Application logs like log.error, console.log, etc.
- Processing: any operations other than those listed above are shown under Processing
## Discovering Third Parties
For packages & dependencies, Privado performs a software composition analysis to get a list of all packages & dependencies in your code. These packages are then filtered through Privado's proprietary database to give you a list of third parties with which data sharing could happen. Privado also detects any JavaScript present inside the code.
For API calls, Privado detects all URLs present in your code, including configuration files, and performs a code flow analysis to determine whether those URLs are passed to any API call. Once the URLs that are part of API calls are determined, Privado enriches the details of the third party using the domain of the URL and shows it on the dashboard.
Third parties have the following attributes:
- Name: name of the third party discovered by Privado
- Domain: company domain of the third party
- Hosting Type: details of the hosting, Cloud or On-Premise
- Hosting Location: where the data is hosted by the third party
- Company Location: the location where the company is incorporated
- Recipient Types: as defined under GDPR, values include:
  - Vendor or Processor: third parties that are processing data on your behalf
  - Customer or Controller: used if you are a B2B company and want to list your customers under reports
  - Institutional or Commercial Partners: any third-party partner
  - Affiliates or Group Companies: sister companies or subsidiaries
  - Recipients in third countries or International organizations: as defined under GDPR, for example WHO, Interpol, United Nations
- Transfer Safeguards: as defined under GDPR, values include:
  - Standard Contractual Clauses
  - Binding corporate rules
  - Code of Conduct
  - Certification
  - Contractual clauses authorized by a supervisory authority
  - Derogations
## Discovering Databases
To detect databases, Privado analyzes database packages and looks for uses of database annotations, ORMs and database functions inside the code. With this, Privado can detect local and cloud databases including Postgres, MySQL, MongoDB, S3, BigQuery and Firebase, among others.
## Discovering Internal Sharing
As with third-party APIs, Privado discovers all API URLs that are passed as part of API calls. URLs whose domains are listed as internal domains are shown under the API section of the repository instead of under third parties.
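The URL discovery described in the two sections above (find URL literals, check whether they flow into an API call, then classify the domain as third-party or internal) can be illustrated with a small static analyzer. The following is an added example, not Privado's code: it parses Python source with the standard `ast` module, follows simple name assignments, and only reports URLs that actually reach an outbound HTTP call. The call names treated as HTTP requests, the sample source and the internal-domain list are all constructed for the example.

```python
import ast
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"^https?://\S+$")

# Assumption: requests/httpx-style call names count as outbound API calls.
HTTP_CALLS = {"requests.get", "requests.post", "requests.put", "httpx.get", "httpx.post"}

# Constructed sample application code to analyze (not real code).
SAMPLE_SOURCE = '''
import requests
ANALYTICS = "https://api.analytics-vendor.example/v1/events"
BILLING = "https://billing.internal.example/charge"
DOCS = "https://docs.example.com/help"  # a URL that is never sent anywhere

def send(user):
    requests.post(ANALYTICS, json={"email": user["email"]})
    requests.post(BILLING, json={"user_id": user["id"]})
    requests.get("https://geo.ip-lookup.example/lookup")
'''

# Constructed list of domains the operator considers internal.
INTERNAL_DOMAINS = {"billing.internal.example"}


def _dotted_name(node):
    """Render a call target such as requests.post as 'requests.post'; None if not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_url(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and URL_RE.match(node.value)


def discover_api_urls(source, internal_domains=frozenset()):
    """Return {url: {"domain", "category", "line"}} for URL literals that reach an HTTP call."""
    tree = ast.parse(source)

    # Step 1: URL literals bound to a simple name (a one-step flow analysis).
    url_of_name = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_url(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    url_of_name[target.id] = node.value.value

    # Step 2: HTTP calls whose positional arguments resolve to a known URL.
    reached = {}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _dotted_name(node.func) not in HTTP_CALLS:
            continue
        for arg in node.args:
            url = arg.value if _is_url(arg) else url_of_name.get(getattr(arg, "id", None))
            if not url:
                continue
            domain = urlparse(url).hostname
            category = "internal" if domain in internal_domains else "third_party"
            reached[url] = {"domain": domain, "category": category, "line": node.lineno}
    return reached


if __name__ == "__main__":
    for url, info in discover_api_urls(SAMPLE_SOURCE, INTERNAL_DOMAINS).items():
        print(f'{info["category"]:12} {info["domain"]:32} line {info["line"]}  {url}')
```

The unused `DOCS` URL is deliberately not reported: a URL literal alone is not evidence of sharing, which is why the flow step matters. A real analyzer would also follow URLs through function parameters, string concatenation and configuration files, which this example does not attempt.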
## Log Leakages
Privado also discovers any leakage of personal data to logs. This includes leakage to application logs like log.error, log.info and console.log, as well as to central logging & SIEM tools. Logging personal data raises both privacy & security issues:
- Privacy: logging personal data of users can expose it to people inside the company who are not authorized to see it. Unless needed for security reasons, logging personal data also violates the data minimization principle of GDPR. If you do log personal data, you should have a strict retention schedule. Another privacy problem arises when application logs are centralized into one system, which leads to more data processing & exposure of personal data to more people inside the company.
- Security: leakage of sensitive data to logs (CWE-532) can give external actors access to sensitive data if the server is compromised.
You can use Privado to find & fix log leakages in production and prevent any new leakages from going live.
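To make the CWE-532 pattern concrete, here is an added example (not Privado's code) in Python's standard `logging` module. It shows the leaky form, where a whole user record is interpolated into an error message, beside a hardened form that logs only the identifier an investigator needs and attaches a redaction filter as a safety net for anything that still slips through. The user record, logger names and redaction patterns are constructed for the example; both functions return the rendered log text so the difference can be checked.

```python
import io
import logging
import re

# Constructed sample record; the values are made up.
USER = {"id": 4821, "email": "jane.doe@example.com", "card": "4111111111111111"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b\d{13,16}\b")  # card-number-like digit runs


class RedactPII(logging.Filter):
    """Mask e-mail addresses and card-like numbers in the message before any handler sees it."""

    def filter(self, record):
        msg = record.getMessage()  # apply %-args first, then scrub the final text
        msg = EMAIL_RE.sub("[email redacted]", msg)
        msg = CARD_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], msg)
        record.msg, record.args = msg, ()
        return True


def _capture_logger(name, redact):
    """Build an isolated logger that writes to an in-memory buffer so output can be inspected."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactPII())  # logger-level filter runs before every handler
    return logger, buf


def leaky_log(user):
    """CWE-532: the entire record, e-mail and card number included, lands in the log."""
    logger, buf = _capture_logger("example.leaky", redact=False)
    logger.error("payment failed for user %s", user)
    return buf.getvalue()


def safe_log(user):
    """Log only the identifier needed to investigate; the filter masks anything else."""
    logger, buf = _capture_logger("example.safe", redact=True)
    logger.error("payment failed for user id=%s", user["id"])
    # A mistaken statement that would leak PII: the RedactPII filter rewrites it.
    logger.error("retrying contact for %s card %s", user["email"], user["card"])
    return buf.getvalue()


if __name__ == "__main__":
    print("leaky:\n" + leaky_log(USER))
    print("safe:\n" + safe_log(USER))
```

The filter is a second line of defence, not a substitute for data minimization: regexes will miss PII that does not match a known shape, so the primary fix is to log identifiers rather than records. Attaching the filter at the logger rather than the handler means it also protects any forwarding handler that ships records to a central logging or SIEM system.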