The rush to develop and deploy a life-saving app on an impossible timeline was no excuse for abandoning a security-first workflow.
South Korea’s quarantine app has been found to contain a major security lapse.
The vulnerability, which has since been fixed, could have allowed attackers to access the private details of users, including their names and real-time locations, along with other information about people in quarantine.
A South Korean official addressed the situation by saying that speed in creating and deploying the app to slow the spread of the virus had been paramount, so the team could not afford a time-consuming security review that would have delayed its deployment.
The vulnerability was discovered almost by accident when a security researcher living in Seoul was using the app to monitor his own quarantine period. Noticing that user IDs were not randomly generated, and were therefore guessable, he went on to find that the encryption key was embedded in the app itself, so anyone who extracted it could decrypt whatever user data they could reach.
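To make the two findings concrete, the following is an added example written for this page (it is not code from the app, from Winitech, or from the researcher). It mirrors the pattern described above: a client that ships one key in every install and assigns guessable IDs, beside a hardened version with unguessable IDs and a per-user key that never sits in the app binary. The cipher is an HMAC-SHA256 counter-mode keystream standing in for whatever the real app used, which the article does not name; the key value, the record contents and all function names are invented for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    This is a stand-in for the app's real cipher (not named in the article);
    the point of the example is key handling and ID generation, not the cipher.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream += block
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


# ---------- Weak design: the two findings from the article ----------

# Hypothetical value. The real problem is not the bytes but that the same key
# ships inside every copy of the app, so anyone with the binary has it.
EMBEDDED_KEY = b"hypothetical-key-shipped-in-app!"


def weak_enrol(store: dict, record: bytes) -> str:
    """Register a user with a sequential (guessable) ID and the shared key."""
    user_id = str(len(store) + 1)
    store[user_id] = encrypt(EMBEDDED_KEY, record)
    return user_id


def weak_attack(store: dict, max_id: int) -> dict:
    """Attacker who pulled EMBEDDED_KEY out of the app walks the ID space."""
    leaked = {}
    for n in range(1, max_id + 1):
        blob = store.get(str(n))
        if blob is not None:
            leaked[str(n)] = decrypt(EMBEDDED_KEY, blob)
    return leaked


# ---------- Hardened design ----------

def strong_enrol(store: dict, record: bytes) -> tuple:
    """Unguessable 128-bit ID, and a key generated per user at enrolment.

    The key is returned to the enrolling device only (in practice over TLS and
    kept in the platform keystore); it is never compiled into the app.
    """
    user_id = secrets.token_urlsafe(16)
    user_key = secrets.token_bytes(32)
    store[user_id] = encrypt(user_key, record)
    return user_id, user_key


def strong_attack(store: dict, guesses: int) -> dict:
    """Same attacker holding only the app binary: no key and no ID pattern.

    Returns any stored IDs hit by random guessing (expected: none), and even a
    hit would yield ciphertext the attacker cannot decrypt.
    """
    found = {}
    for _ in range(guesses):
        guess = secrets.token_urlsafe(16)
        if guess in store:
            found[guess] = store[guess]
    return found


if __name__ == "__main__":
    # Constructed sample records, not data from the real app.
    weak_store = {}
    for i in range(1, 4):
        weak_enrol(weak_store, b"user %d: name, home address, live GPS" % i)
    print("weak design, attacker recovers:", weak_attack(weak_store, 10))

    strong_store = {}
    uid, ukey = strong_enrol(strong_store, b"user: name, home address, live GPS")
    print("hardened design, attacker recovers:", strong_attack(strong_store, 10_000))
```

With the key extractable from the app and IDs assigned in a guessable order, the attacker simply counts from 1 upward and decrypts every record on the way; with 128-bit random IDs and a key that is generated per user and never embedded in the binary, the same attacker recovers nothing. On a real device the per-user key belongs in the platform keystore (hardware-backed where available), which is the practical counterpart of "never ship the key in the app".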
The app’s developer, Winitech, has admitted the oversight and said in hindsight that the government’s onerous feature requests, such as adding more surveillance features, slowed the team’s work on finding and fixing bugs.
What should have prevented this
According to Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Centre: “When designing any new application, time to market needn’t take priority over security. When collecting data, the data requested should serve a specific requirement within the app. In other words, data should never be collected in anticipation of any other use. Since the data is being collected, it’s going to need to be processed and potentially stored.”
With a new app, Mackey said, the decisions surrounding the processing and storage will need to be made, which means that key questions surrounding the secure processing and storage of the data have yet to be answered. “Answering these questions at the design or initial implementation phase is the least-costly time to apply security practices. Not only are the implementation options effectively a blank sheet, but since development hasn’t started, there is no reworking an implementation to address a defect or weakness.”
In effect, going slightly slower at this phase can result in a quicker time to market as the development teams will not need to reimplement poor designs, patch applications, or re-secure retained data.
“Such a process also allows for automated security tooling to be deployed during development to catch any deviations from security targets while not impacting development velocity,” Mackey concluded.