dc.contributor.author | Lehtola, Tino | |
dc.date.accessioned | 2022-12-23T22:02:15Z | |
dc.date.available | 2022-12-23T22:02:15Z | |
dc.date.issued | 2022-12-19 | |
dc.identifier.uri | https://www.utupub.fi/handle/10024/173897 | |
dc.description.abstract | In recent years, web applications have become increasingly complex as they are required to have more features than ever before. The need for more features comes from both the service providers and the end-users, since competition on the Software as a Service (SaaS) market can be fierce. The ever-growing complexity and feature richness of web applications have in turn also increased their attack surface, predisposing them to new threats and vulnerabilities. The evolving web applications have also developed new methods of gathering personal data from their users. User information privacy has become a hot topic of discussion in the past decade, which has led to privacy legislation being enacted in different regions of the world. In 2019, the European Parliament enacted Directive (EU) 2019/1937 into European law, which is also known as the Whistleblower Directive. The Directive's goal is to establish rules and procedures to protect individuals who report information they have acquired in a work-related context on breaches of EU law in key policy areas. The Directive requires qualifying organizations and municipalities to set up reporting channels that whistleblowers can use to anonymously report these breaches.
The commissioner of this thesis, BeanBakers Ltd, has developed a web application called Vihjaa that is meant to be used by organizations and municipalities as an internal reporting channel that complies with the requirements set for the application by the Directive. The main objectives of this thesis were to identify the requirements set for Vihjaa by EU law and then to conduct security, privacy, and legislation adherence assessments on Vihjaa to gain a deeper understanding of its current status. Furthermore, the procedures and methodology used during the assessments can be used as a framework for future works that assess the state of other web applications. Our assessment found that Vihjaa's state of security, privacy, and legislation adherence is mostly in good standing, but multiple issues were identified that should be addressed. Most of the identified issues were of low severity, for instance, a lacking privacy policy document, a missing incident response plan, and outdated dependencies. In this thesis, we present the developed framework that can be used to assess web applications of this nature, the results of our assessments, and a ranking of data items collected by a web application based on how critical they are for the process of identifying a specific user. | |
dc.format.extent | 166 | |
dc.language.iso | eng | |
dc.rights | fi=Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.|en=This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.| | |
dc.subject | Whistleblower Directive, GDPR, web application security, user privacy, legislation adherence, web application vulnerabilities, privacy concerns | |
dc.title | Security, privacy, and legislation adherence assessment of a whistleblowing web application | |
dc.type.ontasot | fi=Diplomityö|en=Master's thesis| | |
dc.rights.accessrights | avoin | |
dc.identifier.urn | URN:NBN:fi-fe2022122373560 | |
dc.contributor.faculty | fi=Teknillinen tiedekunta|en=Faculty of Technology| | |
dc.contributor.studysubject | fi=Tietotekniikka|en=Information and Communication Technology| | |
dc.contributor.department | fi=Tietotekniikan laitos|en=Department of Computing| | |