Comments by: Ian Hall, Head of Client Services, APAC, at Synopsys Software Integrity Group
Thanks to the COVID-19 pandemic, governments across the world have rushed to develop apps – for track-and-trace, vaccine passports, tracking users in quarantine and more. However, with the rush, security is oftentimes not at the forefront of developers’ minds, and this leads to insecure practices. Security is an aspect that should be thought of right from the design phase through to post-go-live monitoring. In this case, it appears that a database with an array of data, including Personally Identifiable Information (PII), was left exposed. The good news is that it was identified by an ethical hacker and reported to the developer. At this time, we don’t know if a malicious attacker had identified the database as well and accessed the data.
In modern software development, being able to develop and deploy quickly is one of the key goals of the DevSecOps movement. However, with this, it is important to also have the necessary monitoring in place to detect security issues and then triage, fix, test and re-deploy. From the description that vpnmentor provided, it appears that this area could have been improved. Further improvements could also have been made in the turnaround time for taking the database offline, since the initial disclosure was made to the developer about a month ago.
I do hope that a complete review of the incident is conducted and full disclosure made to the public about the issue. This will help to give confidence to users of Indonesia’s COVID-19 apps that the apps remain secure and they should continue to use them to bring the pandemic under control.