Compliance Monitoring Issues

Table of Contents

General Information

In the world of website compliance, a lot of differnt compliance violotions can occour. Therefore we decided to make a clear separation of those violations and introduced different violation categories:

  • Regulatory Violations
  • Business Violations

Each category includes different types of violations that will be described in the corresponding section. The main differences are that regulatory violatens based on GDPR context prescribed by law and business violations based on custom rules that can be individually defined to meet each customers individual requiremnts.

Regulatory Violations

This category includes all detected problems that relates to the acutal GDPR context prescribed by law. The following types can be detected by the Nimbusec compliance monitor in the context of regulatory violations:

Generally, the Nimbusec Complaince Scan simulates a standard website user that visits a website, but does not perform any kind of interaction with it (e.g. allowing cookies, ...). For this vioaltion type, we collect all cookie information that was set from the website (before any kind of user interaction). This results in a clear list of cookies that were initially set/provided by the website. In the default configuration, if our simulated website user gets any kind cookies, a 'Cookie Opt-In' violation will be triggerd and shown in the compliance monitor. With other words, cookies have been set without asking for consent in the cookie banner.

In the Nimbusec Compliance Monitor, this violation type can be seen in the compliance view of an asset: Complaince View

By clicking on the "Details" button, all detected cookies can be seen.

Complaince View

If a Cookie Opt-In violation is detected, the following information will be saved.

In more detail, the Nimbusec compliance scan saves the following data:

example data:

Name Domain Secure HttpOnly LifeTime SameSite ThirdParty InServerResponse
cookie_name www.example.com false false -1 N/A true false

column description:

Column Description
Name Name of the detected Cookie
Domain Domain name where the described cookie was found
Secure The Secure flag is an option that can be set by the server when sending a new cookie to the user in an HTTP response. The purpose is to prevent cookies from being observed by unauthorized parties due to sending the cookie in clear text.
HttpOnly The HttpOnly flag is an additional security option for cookies. If this flag is set, the browser does not display the cookie through client-side scripts.
LifeTime This parameter shows the validity of a cookie.
SameSite The SameSite attribute shows if this cookie is restricted to a first-party or same-site context.
ThirdParty This attribute shows if this cookie was distributed from the own web ressource or from an external one. (domain name matching)
InServerResponse If the value of this attribute is true, this cookie was directly send from the server. If this value is false, the cookie was created and distributed via a JavaScript context.

The Nimbusec Compliance Scan checks websites for the presence of a standard cookie banner. For this case, we check for a default set of various cookie banner implementations. If a custom cookie banner is used, the scan configuration has to be adjusted to detect non default cookie banners.

Form: HTTP-Transmit

For this case, our scan checks all availabe input forms that handles sensitive data. If the content of the input form will be send unencrypted (via HTTP), the Nimbusec Compliance Scan throws a Form: HTTP-Transmit violation. Unencrypted data transmission may be intercepted and the data could be seen in plain text.

By clicking on the "Details" button in the compliance view, all detected cookies can be seen. Complaince View

Complaince View

Form: Form-Sensitive

As mentioned above, the Nimbusec Complaince Scan checks all availabe input forms that handles sensitive data. If we detect such forms, a Form-Sensitive event will be triggered. This should help the users to identify those forms and may handle them in a different way.

Complaince View

Form: External-Transmit

This type of violation gets triggerd if form data will be send to an external processor (e.g. to an external company that may performs user analytics tasks)

Complaince View

Imprint Policy:

The presence of an imprint is a mandaroty regulation in GDPR. Our imprint policy checks the presence of an imprint link on the corresponding website. To detect it, we use predefined search patterns and apply them on the websites source code.

By clicking on the "Details" button in the compliance view, all defined polices can be seen. Complaince View

Complaince View

Privacy Policy:

The presence of a privacy statement is a mandaroty regulation in GDPR. Our privacy policy checks the presence of a privacy statement link on the corresponding website. To detect it, we use predefined search patterns and apply them on the websites source code.

Complaince View

Tracker:

From our point of view, a tracker is any kind of software that collects or transmits data to an external ressource. Therefore, our Nimbusec Compliance Scan analyses the whole network traffic that is active during our simulated website user visits the site. From the GDPR point of view, before the user accepts the defined privacy policy, any kind of data collection or data transmission to third party systems is a violation against the given law.

Business Violations

This category represents the adjustable part of the Nimbusec Compliance Monitor. For each issue type a customized ruleset can be defined to identify violations against corporate guidelines. These adjustments (ruleset definition) will be realized by the Nimbusec Serivce Team according to the customers needs.

The following types can be detected by the Nimbusec compliance monitor in the context of business violations:

Cookies:

For this type, a list of allowed cookie names can be defined (Cookie Whitelisting). If a detected cookies matches an entriy of the predefined list, it does not ceate an issue and will be acknowledged automatically.

This setup is very useful to close already known cookies and keep the focus on cookie violations.

Here is an example: Assume three cookies were found

  • CookieA
  • CookieB
  • CookieC

The Cookie Whitelist includes

  • CookieB
  • CookieC
  • CookieD

As a result, Cookie issues for CookieB and CookieC will be acknowledged automatically and only the Cookie issue for CookieA will remain.

In the Nimbusec Compliance Monitor, this violation type can be seen in the compliance view of an asset: Complaince View

By clicking on the "Details" button, all detected cookie information can be seen. Complaince View

The first table (COOKIE OPT-IN VIOLATION) shows all cookies of the domain that were detected during the complaince scan. The second table (COOKIE POLICY VIOLATION) contains all cookies that were not defined in the cookie Whitelist. All those cookies should be checked if they are really needed. If yes, move them behind the cookie banner and define them in the cookie policy. If not, remove them from the web application.

Additionally, we have a default Cookie Whitelist in place for all of our customers. This default list includes common technical neccesary cookie names that do not represent a violation in the GDPR context (not all technical necessary cookie names included).

Forms

TBD

Trackers

TBD

Policies

This type generally handles all content related checks. The customer has the possibility to define company related rules for all/parts of their own requirements.

For example, the management wants to see a specific privacy policy and imprint combination on all of their company websites. Those requirements will be converted in a customized rulset by the Nimbusec Service Team.

More examples:

  • specific privacy policy / imprint link combinations in header and footer of a website
  • specific text in privacy policy / imprint (old board members, specific topics, ...)
  • specific company cookie banner
  • specific imprint text
  • ...

By clicking on the "Details" button in the compliance view, all defined polices can be seen. Complaince View

POLICY CONFIGURATION detail view (example): Complaince View

Still need help? Get in touch!
Last updated on 30th Mar 2021