SoftSeq SoftSeq

British Airways may have jeopardized your payment card data

It’s been highly publicized during the past 2 weeks that British Airways spilled out the payment info on 380,000 customers to hackers, with CVV2 codes, via their web and mobile apps.

As most companies disclosing a breach, they called it a “very sophisticated” hack, and surely not a result of poor software development practices.

Unsurprisingly, the “very sophisticated” hack was Cross Site Scripting (XSS). From a myriad of ways software can be hacked, it’s number 7 out of top 10 most easy and simple to exploit vulnerabilities, even for middle schoolers. Calling this type of attack “very sophisticated” is a gross misrepresentation, and as a general approach causes giggles among cyber-security pros.

Can BA claim moral high ground?

After calling an XSS hack “very sophisticated”?..

Well, if we use LinkedIn to fact check and sift through BA’s work force today, it’ll show around 22,000 employees, of them 200+ having in titles words “software”, “developer”, “application”, and “programmer”.

You would expect BA to also employ software security engineers that work hand in hand with such large software engineering team – to protect your personal and financial data, you know. But you’d be wrong.

As of September 12th, 2018, there are no people with titles “software security engineer” or “application security engineer” on LinkedIn. Which indicates that expert security engineering and testing is not happening in BA’s software development – a huge oversight in post-Equifax world, and 2018 in general.

While on the subject, with 6 billion USD of Equifax’s market capitalization wiped out in the week following data breach announcement in September 2017, Equifax received a wake up call on software security. They had just one appsec engineer before the breach, but they’ve additionally hired 4 more, which is a positive change. Let’s hope they can steer and oversee software security processes, as even great engineers can’t do much good without skilled management.

Is BA totally clueless about cyber-security?

Not totally, but their focus isn’t where it should be. And the same can be claimed about the absolute most of software companies.

BA deploys some fancy security tools – Splunk, BeyondTrust, Checkpoint LEA, Tanium, various DB’s, etc, and external threat intelligence feeds.

This may impress general public, but not experts as none of these tools can properly defend software targeted attacks. No tool can, really, unless you design, engineer, and manually test software’s security during development – and not do penetration tests as an afterthought.

What does BA’s security team do today?

BA employs 20 people with IT and infosec titles, who work on security event monitoring, oversee tools for network and application security scanning, and ensure BAs PCs run anti-virus software.

In addition, 10 people perform compliance duties – as no company wants to be fined, and they surely are compliant with the relevant cyber-security regulations – which did not protect the business against a software security attack.

Is BA’s hack a perfect “case in point” for application security?

BA did compliance, bought expensive security tools, scanned the networks, and even runs a SOC – as most larger companies these days. And all these good practices did not save BA from the PR nightmare and financial hit they’re experiencing as software security got ignored.

Why BA ignored software security?

Compliance requires no advertising, and businesses shell out cash left and right on it. Additionally, many companies sell security tools for network security, SIEM, encryption, identity management, scanning, etc., and they have deep pockets to market and raise awareness about the cyber-security domains that their tools address.

On the other hand, almost no automated tools are of much help to software security – except for ticking a box on a compliance – meaning, fewer marketing funds are spent on promoting awareness about software security.

Which is unfortunate since most interactions with remote computer systems happen via web browsers or mobile applications, whose security falls into “software security” domain – the one most companies try to sweep under the rug.

What should BA have done?

Software security engineering by skilled experts.

This means having security reviews at all stages of development, starting all the way from requirements gathering. Security experts need to look at architecture, code, introduce software security automation processes that really work, and to methodically test all software changes before putting anything into production.

How expensive would it be for BA to protect its customer data?

In SoftSeq, we use this rule of thumb – it takes 1 software security engineer per 20 to 40 programmers – depending on how agile the development process is.

For BA, it’d mean an addition to its 21,836-strong staff of 5 to 10 people – or 0.02% to 0.04% increase – an equivalent of a hundredth of a penny on a dollar.

If you like and agree with the article – please click the share buttons below. Thank you!

Have questions?

We have answers. Write us at security@softseq.com

    Your message has been sent!

    We'll get in touch shortly