Recent breach at Singapore Airlines reveals lack of attention to security in development
Suparna Goswami (gsuparna)
January 15, 2019
The recent exposure of customer data on the Singapore Airlines website, caused by a software bug, is further evidence of the continuing challenge of properly addressing security during the development phase.
Singapore Airlines recently revealed that a software bug resulted in the exposure of data from 285 frequent flyer accounts, including passport numbers as well as travel and flight details.
The software bug emerged after changes were made to the carrier's website on January 4. The bug allowed some frequent flyer members to view information belonging to other members, the company said in a statement.
Singapore Airlines apparently launched its new website without properly completing the full development cycle – a common mistake in companies around the world.
"The airline is practicing a new software development methodology. I guess they updated the system live while development was still going on, and the errors came with it," said Aloysius Cheang, executive vice president, Asia-Pacific, at the Centre for Strategic Cyberspace + Security Science. "The chosen programming framework may have inherent bugs or may have created this problem for various reasons."
Lack of incentives?
There is not enough incentive for companies around the world to follow secure software development practices.
"There are many reasons why software bugs exist, and these range from low standards and simple mistakes to the ethics and morals behind software development," says Steve Marshall, CISO at UK-based Bytes Software Services. "However, in most business organizations there is no reason, either by incentive or by regulation, to develop quality code that is bug-free."
For far too many companies, the pressure to meet deadlines means that proper security measures during software development take a back seat.
"The market demands that software be developed quickly, affordably and feature-rich for the end user," says Marshall. "There are few requirements that the code be secure or resilient. This means that in many cases the business pressure felt by organizations to bring software and features to market before the competition is too great."
Practice security by design
While it is widely accepted that addressing security early in the software development lifecycle is an essential part of any breach prevention strategy, the practice of "security by design," unfortunately, is not yet mainstream.
"We all know we have to create secure code, and we have to think about it critically because attackers don't care about the laws, so they will always have an advantage over defenders," Marshall said. Companies that focus exclusively on short-term profitability will be reluctant to improve software security efforts unless "there is a government-backed incentive or they are required to do so," he says.
Dinesh O. Bareja, COO at Open Security Alliance, tells me, "I interact with a lot of companies who don't want to spend money on things they can later accept and apologize for. ... product on the market because of a small bug."
Marshall argues that governments should create incentives, such as tax breaks, for companies that invest sufficient time and resources in security by design. This must be coupled with tougher penalties for companies that fail to meet software coding standards, he says.