As an update to yesterday's post, we've since learned that a map update for the DCA airport was to blame for the American Airlines (AA) iPad outage. AA explains that this was why the whole fleet wasn't experiencing issues, only those who tried to access the DCA map.
I think this is a great case study for some infosec discussion. It isn't immediately something you'd call an infosec problem, but it has lots of potential infosec angles. Yesterday, I talked about pre-deployment security testing, disaster recovery, and MDM as possible infosec angles to look at. Today since we now know the cause of the failure, I'd like to add in pre-deployment code testing or tighter integration between development and production. This tight integration is often reffered to by the buzzword DevOps.
Obviously, AA tested the code before they shipped out any updates. But obviously they didn't catch the case of the update impacting someone who was updating a copy of the DCA map rather than installing one fresh. Whether or not this would have been caught with DevOps, it's a neat fringe case for sand table exercise in your security department. It's new and it brings in some different people you might not have in a more traditional sand table exercise.
Interesting question Jacob. Seems to me having DevOps for Configuration Management and Agile for Continuous Integration would make American Airlines able to handle a fix faster. My long lingering question is what an organization like American uses to test the app? And does that test work in an Agile and DevOps environment? -Frank
ReplyDelete