Last week I posted about the faulty jail software that let thousands of inmates out of prison early.
While I recognize it is the holiday season and staffing might be light, I expected that we'd hear some news in the week that followed.
Robert Terrance was released early. While he was out early, he drove under the influence and crashed his car, killing his girlfriend. His real release date should have been in December, but he was released in November due to the faulty software. I fully expect the victim's family to sue the state in this case. The blood is on the hands of those whose inaction delayed the fix.
Not all software is as important as prison software. But many of our companies write and deploy software for seriously impactful domains like ICS and healthcare, areas where bugs (whether or not they are security related) can have serious consequences for public safety. This is truly a place where we should ask ourselves "what's the absolute worst that can happen if my software doesn't function to specification?" It's hard to imagine a more critical "worst case" than loss of life.
Once you define worst-case scenarios, it becomes easier to plan for disaster recovery. Your organization can't mitigate risks it hasn't yet recognized. Once those risks are identified, adequate test plans that cover both security and functionality must be created. Often, when Rendition Infosec is auditing for security bugs, we discover application logic flaws that in many cases have serious impacts on the availability and confidentiality of data. In the case of WA DOC, a logic flaw failed to maintain the integrity of the data. While integrity flaws are arguably the hardest to identify, once identified, threats to any leg of the CIA triad should be resolved swiftly.
There's little news from the Washington State Department of Corrections (WA DOC) on when the fix will be implemented. According to this article, a fix is expected "early next month." And of course there will be an independent investigation, though it remains to be seen precisely how independent the investigators will be.
In the meantime, at least two offenders committed new crimes during the time when they should have been incarcerated. The contractor responsible for the buggy software has not been identified yet by the WA DOC.