Mainstream media has been reporting that Singapore Airlines KrisFlyer members' personal details have been disclosed, not through a hack, but through a software bug. One member had reported on Facebook that she had been able to see another member's details when she logged in, implying that a very specific scenario needed to occur.
While hacks are more prevalent these days, the crux is that software bugs are equally problematic, Synopsys notes, as they can create vulnerabilities with similar outcomes. Like hacks, bugs can expose companies to data loss, privacy lapses, and even hacks.
Nabil Hannan, Managing Principal of Software Integrity Group, Synopsys, said: "This is a very common bug, specially in applications where the authentication and authorisation schemes are not designed well. In particular, when building the application, it is most likely that there were some basic flaws in the design of how authentication is performed to determine who can access what data. As a result, some simple changes made in the application could have resulted in some type of race conditions (i.e. undesirable conditions) and horizontal privilege escalation type of situation showing one customer a different customer's private/sensitive information."
Hannan said such bugs can be avoided with various security-related checkpoints throughout the software development life cycle (SDLC). "Typical quality assurance (QA) testing just isn't enough to catch these types of issues since we know that most QA testers usually test the 'happy path' and in some cases at their discretion perform edge/boundary test cases," she said.
According to Hannan, security touchpoints that could have helped include:
- Proper security requirements on how to protect data and perform authentication,
- Protecting against misuse and abuse cases around how attackers may try to extract sensitive information from the application,
- Performing security assessments like secure code review or penetration tests on a regular cadence to look for similar vulnerabilities.
Shift left is a concept where software should be tested earlier in the development cycle so that it works better and is more secure from the start. Synopsys' touchpoints are all expressions of the shift left concept.
At the time of writing Singapore Airlines had not announced anything on its website - either the advisory section, or through press releases - or on its Facebook page.
Explore:
Read the 2019 security predictions from Synopsys and Sophos in TechTrade Asia that touch on why knowing how to secure applications will be important this year
No comments:
Post a Comment