Saturday, January 2, 2016

Inaction on faulty jail software kills at least one

Last week I posted about the faulty jail software that let thousands of inmates out of prison early.

While I recognize it is the holiday season and staffing might be light, I expected that we'd hear some news in the week that followed.

The most egregious example in the faulty software was Robert Terrance, who was released early. While he was out early, he drove under the influence and crashed his car, killing his girlfriend. His real release date should have been in December, but he was released in November due to the faulty software. I fully expect the victim's family to sue the state in this case. The blood is on the hands of those who led to the inaction on the fix.

Not all software is as important as prison software. But many of our companies code and implement software for seriously impactful domains like ICS and healthcare, areas where bugs (whether or not they are security related) can have serious impacts on public safety. This is truly a place where we should ask ourselves "what's the absolute worst that can happen if my software doesn't function to specification?" It's hard to imagine a more critical "worst case" than loss of life.

Once you define worst case scenarios, it becomes easier to plan for disaster recovery. Your organization can't mitigate risks it hasn't yet recognized. Once those risks are identified, adequate test plans that account for both security and functionality must be created. Often, when Rendition Infosec is auditing for security bugs, application logic flaws are discovered that in many cases have serious impacts on the availability and confidentiality of data. In the case of WA DOC, a logic flaw failed to maintain the integrity of the data. While integrity is arguably the hardest case to identify, once identified, threats to any portion of the CIA triad should be resolved swiftly.
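To make the "test plan that covers functionality as well as security" point concrete, here is an added example (not code from the original post, and not WA DOC's or any vendor's system). It models a hypothetical release-date calculator with constructed sentence figures, states the integrity invariant a tester would write down first (earned credits can only shorten the reducible part of a sentence, so the computed release date must always fall between the mandatory minimum and the full term), and checks that invariant across a range of inputs rather than a single happy-path case. All function names and sentence values are assumptions for illustration.

```python
from datetime import date, timedelta
from itertools import product

# Hypothetical sentence model (constructed for this example; not the WA DOC data model).
# start              - first day of custody
# sentence_days      - full term in days
# earned_credit_days - credit the inmate has earned toward early release
# non_reducible_days - portion of the term that credits may never shorten


def compute_release_date(start: date, sentence_days: int, earned_credit_days: int,
                         non_reducible_days: int = 0) -> date:
    """Return the release date after applying earned credits.

    Integrity invariant: credits may only reduce the reducible portion of the
    sentence, so the result can never fall before start + non_reducible_days.
    The min() below enforces that explicitly instead of trusting the caller.
    """
    if sentence_days < 0 or earned_credit_days < 0 or non_reducible_days < 0:
        raise ValueError("negative durations are not allowed")
    if non_reducible_days > sentence_days:
        raise ValueError("non-reducible portion exceeds the sentence")
    reducible = sentence_days - non_reducible_days
    credit = min(earned_credit_days, reducible)
    return start + timedelta(days=sentence_days - credit)


def release_within_bounds(start: date, sentence_days: int, earned_credit_days: int,
                          non_reducible_days: int = 0) -> bool:
    """The functional-integrity check a test plan should state up front:
    earliest lawful date <= computed release <= full-term date."""
    release = compute_release_date(start, sentence_days, earned_credit_days,
                                   non_reducible_days)
    earliest = start + timedelta(days=non_reducible_days)
    latest = start + timedelta(days=sentence_days)
    return earliest <= release <= latest


def exhaustive_invariant_check(max_days: int = 40) -> bool:
    """Sweep every small combination of term, credit and minimum. A single
    failing tuple here is exactly the kind of logic flaw a happy-path test
    would miss. Returns True only if the invariant holds for all inputs."""
    start = date(2015, 1, 1)  # constructed date
    for term, credit, minimum in product(range(max_days), range(max_days), range(max_days)):
        if minimum > term:
            continue  # invalid input, rejected separately by the ValueError path
        if not release_within_bounds(start, term, credit, minimum):
            return False
    return True


if __name__ == "__main__":
    # Constructed case: credits exceed the reducible portion, so the release
    # date must be pinned to the mandatory minimum rather than moved earlier.
    print(compute_release_date(date(2015, 1, 1), 365, 400, 300))  # 2015-10-28
    print(exhaustive_invariant_check())  # True
```

The design point is that the invariant is written as its own function and then swept across inputs, so a future change to the credit rules is caught by the test rather than by an early release.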

There's little news from the Washington State Department of Corrections (WA DOC) on when the fix will be implemented. According to this article, a fix is expected "early next month." And of course there will be an independent investigation, though it remains to be seen precisely how independent the investigators will be.

In the meantime, at least two offenders committed new crimes during the time when they should have been incarcerated.  The contractor responsible for the buggy software has not been identified yet by the WA DOC.
