Bearer has been acquired by Cycode, the complete ASPM.

Using Bearer to scan your code for Privacy risks

Did you know that Bearer offers the ability to automatically compile the privacy information Legal teams need from Security and Engineering teams?

This information is required by most privacy regulations and laws, such as the EU's General Data Protection Regulation (GDPR), Singapore's Personal Data Protection Act (PDPA), Canada's Consumer Privacy Protection Act (CPPA), the California Privacy Rights Act (CPRA), Washington's My Health My Data Act (MHMDA), the Virginia Consumer Data Protection Act (CDPA), and the Health Insurance Portability and Accountability Act (HIPAA).

It only takes a few minutes to run on your codebase and automates the information-gathering part of the compliance process. 

What is broken in software privacy compliance?

Getting ready for privacy compliance requirements can take a lot of time and effort for already overworked IT, engineering, and security teams. This is especially true for large organisations, where the job involves finding out what millions of lines of code spread across countless repositories are doing with personal data. It is time-consuming, yet a core requirement set forth by Legal teams. While Legal teams are busy navigating the regulatory landscape to avoid fines like those imposed on Instagram, Meta, Amazon, and British Airways, Engineering teams are the ones tasked with gathering this information.

Engineering and Legal teams must work together to fulfil privacy compliance requirements, and enable privacy-by-design. Often, they don't speak the same language, have the same priorities, or have the same reference point. This can lead to tension between the two teams and a lack of understanding of what is required to meet the company’s obligations.

Most privacy laws share the same basic technical requirements

Privacy laws are diverse, and what you can or cannot do depends on many factors. You can take comfort in the fact that the basic set of requirements in most global laws closely follows that of the GDPR, the European Union's privacy law.

GDPR, CCPA, CPRA, HIPAA, and many other regulations tackling privacy have a basic set of requirements to fulfil:

  • You need to identify the categories of people whose data the codebase handles (e.g., User, Customer, Employee, Staff, Sender, Receiver, Patient, Prospect, Supplier, Student, Alumni, …). In the GDPR, such a person is called the “data subject”. Legal teams must document the grounds on which the company processes personal and sensitive data, and knowing to whom that data relates is essential to that job.
  • You must catalog what Personal Data is stored or processed about each Data Subject (e.g., email, password, birthdate, full name, home address, IP address, …).
  • You need to catalog and take special care of Sensitive Personal Data (the GDPR's “special categories”), as it is particularly harmful if disclosed (e.g., religion, ethnicity, beliefs, health conditions, prescriptions, …).
  • You need to maintain a list of all third-party entities with whom you share data, and catalog what Personal or Sensitive Data each of them receives or can access.
  • You must make reasonable efforts to keep the data safe: neither publicly disclosed nor available to an unauthorised party.

As developers, it's easy to spot the edge cases, headaches, and overall difficulty of these requirements. Security budgets are tight, and stakeholders need Engineering teams to ship new features as quickly as possible, which continuously adds more data handling to the codebase. We understand that compliance information gathering can be tedious for engineering teams, but it is important for protecting users' privacy and meeting legal requirements.

Is there a way to make this process more efficient? Yes, read on to find out how.

Get privacy compliance right by automating the hard parts of it 

We conducted hundreds of interviews with privacy engineers, developers, and security professionals. We know that Engineering teams want to be better at data privacy because they told us so. However, they often get discouraged by the legal jargon and by Legal teams' lack of understanding of software development processes. The manual process of correctly identifying and classifying the kinds of data the codebase processes is draining. It's a never-ending job whose output is outdated and incomplete after just a few pull requests.

Here comes Bearer CLI’s privacy report: Any developer in the team can quickly scan their codebase and get a report that provides them with the basic technical information they need to meet privacy requirements, dramatically reducing the effort required to be compliant.

Example of a Privacy Report we ran on our demo app, Bear Publishing.

Bearer CLI compiles its privacy report using static code analysis to scan the codebase and identify personal and sensitive data, as well as the third-party dependencies that data flows to. It analyses structured files such as SQL schemas, ProtoBuf definitions, and OpenAPI specifications, as well as the application code itself. The Bearer privacy report supports multiple programming languages, including PHP, Java, Ruby, Go, C#, JavaScript, and TypeScript. The scan looks for patterns, keywords, and other signals that indicate the presence of sensitive data or third-party dependencies. Once the scan is complete, Bearer CLI generates a formatted report (available as SARIF, JSON, HTML, and other formats) so your Legal team can use it for their reporting and next steps.

Start automating Privacy Reports now!

To start using Bearer CLI’s Privacy Report on your codebase, you can follow these simple steps:

  1. Visit Bearer/bearer on GitHub, or the official docs, to download the Bearer CLI.
  2. Install the tool by following the instructions provided on the website.
  3. Navigate to the root of your codebase and run the bearer scan command with the --report privacy flag (for example, bearer scan . --report privacy).
  4. Bearer will scan your codebase and generate a report listing the data subjects, the personal and sensitive data types found for each of them, and the third parties that data is shared with, along with what actions need to be taken to address any issues.
  5. Review the report and take the necessary actions to address any privacy issues identified by the scan.
  6. Schedule regular scans, for example in CI on every pull request, so the report stays current as the codebase changes and your Legal team always has up-to-date information.
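Because the report goes stale after a few pull requests, the useful thing to automate is not the scan itself but the comparison: what did this branch add or remove relative to the report Legal last signed off on? The script below is an added example, not code from the Bearer project. It assumes two JSON privacy reports produced with bearer scan . --report privacy --format json --output privacy.json, and the report layout it parses (top-level "subjects" and "third_party" arrays, with the field names subject_name, name, third_party and data_types) is an assumption modelled on that JSON output; check it against a real report before relying on it. The sample reports, the Patient/Sentry scenario, and the list of data types treated as sensitive are constructed for the example.

```python
"""Diff two Bearer CLI privacy reports and gate a pull request on the result.

Added example; this is not code from the Bearer project. The report layout
assumed here (top-level "subjects" and "third_party" arrays, and the field
names subject_name / name / third_party / data_types) is modelled on the JSON
privacy report and should be checked against real output from
    bearer scan . --report privacy --format json --output privacy.json
"""
import json
import sys

# Data types whose appearance in a *new* third-party flow should block the PR
# until Legal has reviewed it. Constructed list for the example; tune it to
# your own data catalogue.
SENSITIVE_DATA_TYPES = {"Health", "Ethnic Origin", "Religious Belief", "Passwords"}

# Constructed sample reports. BASELINE is the report Legal last signed off on;
# CURRENT is a scan of the branch under review, where a developer has added a
# Patient subject and started sending its data to an error tracker.
BASELINE_REPORT = json.dumps({
    "subjects": [
        {"subject_name": "User", "name": "Email Address", "detection_count": 3},
        {"subject_name": "User", "name": "Passwords", "detection_count": 1},
    ],
    "third_party": [
        {"third_party": "Stripe", "subject_name": "User",
         "data_types": ["Email Address"]},
    ],
})

CURRENT_REPORT = json.dumps({
    "subjects": [
        {"subject_name": "User", "name": "Email Address", "detection_count": 4},
        {"subject_name": "User", "name": "Passwords", "detection_count": 1},
        {"subject_name": "Patient", "name": "Health", "detection_count": 2},
    ],
    "third_party": [
        {"third_party": "Stripe", "subject_name": "User",
         "data_types": ["Email Address"]},
        {"third_party": "Sentry", "subject_name": "Patient",
         "data_types": ["Health", "Email Address"]},
    ],
})


def load_report(text: str) -> dict[str, set]:
    """Parse a privacy report into two comparable sets:
    subjects: {(data subject, data type)}
    flows:    {(third party, data subject, data type)}"""
    data = json.loads(text)
    subjects = {(s["subject_name"], s["name"]) for s in data.get("subjects", [])}
    flows = {
        (t["third_party"], t["subject_name"], dt)
        for t in data.get("third_party", [])
        for dt in t.get("data_types", [])
    }
    return {"subjects": subjects, "flows": flows}


def diff_reports(baseline_text: str, current_text: str) -> dict[str, list]:
    """Return what the current scan adds or removes relative to the baseline.
    'blocking' lists new third-party flows that carry a sensitive data type."""
    base, cur = load_report(baseline_text), load_report(current_text)
    new_flows = sorted(cur["flows"] - base["flows"])
    return {
        "new_subjects": sorted(cur["subjects"] - base["subjects"]),
        "removed_subjects": sorted(base["subjects"] - cur["subjects"]),
        "new_flows": new_flows,
        "removed_flows": sorted(base["flows"] - cur["flows"]),
        "blocking": [f for f in new_flows if f[2] in SENSITIVE_DATA_TYPES],
    }


def render_summary(diff: dict[str, list]) -> str:
    """Plain-text summary suitable for a PR comment or a ticket for Legal."""
    lines = []
    for subject, data_type in diff["new_subjects"]:
        lines.append(f"NEW DATA: {data_type} about {subject}")
    for third_party, subject, data_type in diff["new_flows"]:
        tag = "BLOCKING" if (third_party, subject, data_type) in diff["blocking"] else "REVIEW"
        lines.append(f"{tag}: {data_type} about {subject} now shared with {third_party}")
    for third_party, subject, data_type in diff["removed_flows"]:
        lines.append(f"REMOVED: {data_type} about {subject} no longer shared with {third_party}")
    return "\n".join(lines) if lines else "No privacy-relevant changes."


def ci_exit_code(diff: dict[str, list]) -> int:
    """Non-zero only for blocking changes; other new flows are reported, not failed."""
    return 1 if diff["blocking"] else 0


if __name__ == "__main__":
    # Usage: python privacy_diff.py baseline.json current.json
    # With no arguments, runs on the constructed samples above.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = diff_reports(f1.read(), f2.read())
    else:
        result = diff_reports(BASELINE_REPORT, CURRENT_REPORT)
    print(render_summary(result))
    sys.exit(ci_exit_code(result))
```

Run the scan once on the main branch to produce the signed-off baseline, store that file with the repository, and run the scan plus this script on each pull request. The design choice worth keeping is the split between REVIEW and BLOCKING: any new third-party flow is surfaced to Legal, but only a new flow that carries a sensitive data type fails the build, which keeps the gate strict where the disclosure risk is highest without blocking every change that touches an email address.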

You can also refer to the Bearer CLI documentation for more detailed instructions on how to use the tool.

Bearer CLI is designed to be easily integrated into your existing development workflow, but if you want to manage privacy engineering at scale and need tighter integration with enterprise tools like GitHub, GitLab, JIRA, and Slack you can do so through our SaaS product Bearer Cloud.

Schedule a demo now to learn how you can ship trustworthy products by enabling both privacy and security by design in your SDLC with Bearer!
