Application Security , DevSecOps , Governance & Risk Management
Why Software Bugs Are So CommonRecent Breach at Singapore Airlines Reveals Lack of Attention to Security at Development Stage
The recent exposure of customer data on the website of Singapore Airlines as a result of a software bug is further evidence of the persistent challenge of adequately addressing security during the development stage.
See Also: Attack Surface Management: Improve Your Attack Surface Visibility
The airlines recently revealed that a software glitch led to the exposure of data on 285 frequent flier accounts, including passport number as well as travel and flight details.
"There are many reasons that software bugs exist, and these range from poor standards and simple mistakes right through to the ethics and morals behind software development."
The software bug surfaced after changes were made to the carrier's website on Jan. 4. The bug enabled some frequent flyer members to view information belonging to other travelers, the company said in a statement.
Singapore Airlines apparently launched its new website without completing the entire development cycle properly - a common mistake at companies worldwide.
"The airlines is practicing some new software development methodology. I guess it updated the system live while the development is still ongoing, and with it came errors," says Aloysius Cheang, executive vice president for Asia Pacific at the Center for Strategic Cyberspace + Security Science. "The chosen programming framework may have some inherent bugs or may have created this issue due to various reasons."
Lack of Incentives?
Companies worldwide don't have enough incentives to follow secure software development.
"There are many reasons that software bugs exist, and these range from poor standards and simple mistakes right through to the ethics and morals behind software development," Steve Marshall, CISO at U.K.-based Bytes Software Services, tells me. "However, in most commercial organizations there is no reason, either by incentive or by regulation, to develop quality code that does not contain bugs."
For far too many companies, pressure to hit deadlines means taking adequate security steps during software development takes a back seat.
"The market dictates that software is developed quickly, cheaply and is feature rich for the end user," Marshall says. "There is little requirement that the code is secure or that there is any longevity to it. This means that in a lot of instances, the commercial pressure that is felt by organizations to get software and features out to market before the competition is too great."
Practicing Security by Design
Although there's widespread agreement that addressing security early in the software development cycle is an essential component to any breach prevention strategy, practicing "security by design," unfortunately, is not yet common.
"We all know that we should create secure code, and we need to think about this critically as attackers don't care about laws, so they will always have an advantage over defenders," Marshall says. Companies that focus exclusively on short-term profitability will be reluctant to enhance software security efforts unless "there is a government-backed incentive or they are made to do it," he argues.
Dinesh O. Bareja, COO at Open Security Alliance, tells me: "I interact with many companies who do not want to spend money on things they can later accept and issue apology. They would rather keep aside a certain amount for fines than delay they product in the market because of a small bug."
Marshall argues that governments should create incentives, such as tax breaks, for companies that invest adequate time and resources in security by design. This needs to be coupled with stiffer penalties for companies that fail to meet software coding standards, he asserts.
Do you think that approach would work? Share your views in the space below.