Remember the Qantas app data breach incident in May 2024? Users suddenly seeing other passengers’ booking details, able to change seats, even cancel flights – a digital nightmare. While Qantas swiftly addressed the issue and assured no critical data was compromised, the incident serves as a potent reminder: even seemingly minor code errors can have far-reaching consequences.
This wasn’t a malicious attack, but rather a “technical issue” – a polite way of saying “someone made a coding mistake.” And this is where the crucial lesson lies: human error is an inherent part of software development. We can’t eliminate it entirely, but we can mitigate its impact.
Why Code Errors are Inevitable
Imagine a skyscraper built with millions of individual bricks. Each brick represents a line of code, meticulously placed to form a functional structure. Now imagine a single brick slightly out of place. It might seem insignificant, but depending on its location, it could weaken the entire structure, potentially leading to a collapse.
Similarly, even a small coding error, like an incorrect variable or a misplaced symbol, can disrupt the intricate flow of an application. The impact can range from minor visual glitches to significant data breaches, depending on where the error occurs within the codebase.
Building a System that Accounts for Human Fallibility
The Qantas app data breach glitch underscores the need for a multi-layered approach to software development, one that acknowledges human error and builds in safeguards to catch those inevitable mistakes.
Here’s how to create a more resilient system:
1. Empower Developers:
- Clear Coding Standards and Examples: Provide developers with well-defined secure coding standards and practical examples. This ensures everyone understands the best practices and writes code with security in mind from the start.
- Ongoing Training: Invest in regular security training to keep developers updated on the latest threats and vulnerabilities. This empowers them to make informed decisions and write more secure code.
2. Implement Safety Nets:
- Secure Middleware: Utilise secure middleware to add an extra layer of protection. This can help mitigate the impact of vulnerabilities that might exist in the application code.
- Rigorous Testing: Implement a comprehensive testing strategy, including unit tests, integration tests, and user acceptance testing. Automated testing can catch a wide range of errors early in the development cycle.
- Code Reviews: Encourage peer code reviews, where developers review each other’s code. A fresh perspective can often identify errors that the original developer might have missed.
- Static Analysis Tools: Employ static analysis tools to automatically scan code for potential vulnerabilities and deviations from coding standards.
3. Double Checks:
- Penetration Testing: Conduct regular penetration testing to simulate real-world attacks and identify vulnerabilities that might have slipped through other safeguards.
- Secure Code Audit: A code audit can focus on code vulnerabilities and key steps on how to secure the code to protect against mistakes and vulnerabilities.
By embracing these strategies, organisations can create a more robust development environment that minimises the risk of human error impacting their users and their business. It’s about accepting the reality of human fallibility and building a system that supports developers in creating secure, reliable, and high-quality software.
Vertex Cyber Security provides products and services including in Penetration Testing, Secure Code Training, Coding Guidelines, Middleware Consultation, Secure Code Audit and Cyber Consultation for creating secure code.
For further reading on the QANTAS app data breach click here.