Days of Auld Lang Syne Best Not Be Forgot

Posted By Jonathan Bloom on December 29, 2011 | Application Failure

Should old acquaintance be forgot, and never brought to mind?
Should old acquaintance be forgot, and days of auld lang syne?

Yes, many of us will find ourselves this weekend sipping champagne and singing the familiar lyrics of this centuries-old tune that has become as synonymous with New Year’s Eve as resolutions and the ball dropping in New York’s Times Square. But in a year when we saw one major outage, malfunction and security breach after another befall organizations that rely upon technology, we should heed a lesson from these verses.

2011: A Tech Odyssey

Easily the best-known tech story of the year came from Sony Corporation, which, in a span of four months, was hit by more than a dozen attacks, most of them claimed by the LulzSec group, and nearly all of them carried out via SQL injection. In all, attackers gained access to more than 100 million customer records. So massive were the breaches that even Sony’s insurer refused to cover the losses stemming from 55 class action lawsuits and a hit to operating profit to the tune of $178 million.

But while Sony suffered the largest security breach, it was not the largest company to own up to problems with its technology. As usual, that spot was reserved for Microsoft.

First came April’s Patch Tuesday, in which Microsoft released a record-tying 17 bulletins patching a record 64 vulnerabilities, 15 more than the previous high-water mark set in October 2010. As significant as the total were the critical bulletins, which included security patches affecting Windows XP, Vista and Windows 7, at least some of them for flaws in the kernel. The second came in November’s Patch Tuesday, in which Microsoft did not ship a patch for the zero-day vulnerability exploited by the Duqu malware, a flaw that allowed attackers to run arbitrary code in kernel mode. Microsoft instead offered a workaround for the issue.

Microsoft and Sony were far from alone this year. Game maker SEGA and security vendor RSA were also among those who were dinged by hack attacks. Meanwhile, software malfunctions, vulnerabilities and product recalls due to software structural issues befell Dropbox, Google and even Apple this year.

Financial Disarray

Financial organizations were hit hard this year. On the morning of February 25, we learned the London Stock Exchange had been forced to halt trading on its main market due to a technical fault in its barely two-week-old MillenniumIT trading system. Despite having been tested prior to implementation, the relatively new system failed for a reason the exchange attributed simply to “algorithms.”

But the LSE was not alone. That same month, Nasdaq OMX Group confirmed that its servers had been breached, with suspicious files found on servers associated with the Web-based collaboration and communications tool that senior executives and board members use to share confidential information. Over the succeeding two weeks, Euronext, Borsa Italiana (bought by the LSE in 2007) and the Australian Stock Exchange all suffered outages due to technical flaws. A few days later, Bank of America joined the exchanges when it suffered a major outage in its ATM network. And lest anyone think lightning does not strike twice, later in the year Bank of America’s website was taken down by a denial-of-service attack.

And the issues did not end there. The financial world had barely caught its breath after the flurry of first-quarter outages when Chase and JP Morgan warned customers of a potential security breach. They were followed shortly thereafter in May by Citigroup, which announced that its North American cards division had fallen victim to hackers who had finagled access to the names and information of more than 200,000 customers.

Man at the Top

Application failures at the government level were perhaps this year’s biggest surprise. The surprise was not that they existed – the U.S. government is known to be one of the biggest targets for hackers worldwide and is targeted even by foreign governments – but how many of them it owned up to.

The most serious among them was a data breach at a Pentagon defense contractor in which 24,000 sensitive files were stolen by a hacker backed by an unidentified foreign power. The attack, which took place in March, was not revealed until July, and even then only in the course of announcing a plan to better prepare the government and the military for cyber terrorism.

This revelation was followed later in the year by a breach at Pacific Northwest National Laboratory, a Department of Energy contractor, over Independence Day weekend, and then by news that a computer virus had infected the Air Force’s new drone systems. And these were just a few of the literally tens of thousands of cyber attacks the government has had to fend off in the past year.

…And the Beat Goes On

I would like to say the list ends there, but airlines, railways, medical device makers and health care institutions also met with application failures that led to malfunctions and outages this year. Heck, researchers even found a software vulnerability that could allow someone to shut off a person’s pacemaker!

The sad part about nearly all, if not all, of these outages, malfunctions and breaches is that their roots lay not with an outside source – the outside source was merely the catalyst for disaster. All of these issues had in common a structural flaw somewhere down in the bowels of the application that had gone undetected.

Perhaps it was legacy code that was once valid but, after multiple generations of changes, is no longer a solid piece of work. Or maybe it was just a badly written piece of code that got passed over because it didn’t break anything in the testing phases.

Whatever the reason this structural quality error happened, it shouldn’t have. Hopefully in 2012, companies will look back on all the problems of 2011 and realize that they need to increase the structural analysis of their application software to ensure they won’t be the next Sony, SEGA, Citigroup, et al.
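The kind of flaw described above, one that passes every functional test and yet opens the door to an outsider, is easy to illustrate with the vector this post names for the Sony breaches: SQL injection. The following is an added example, not code from this post or from any of the systems mentioned; the table schema, sample rows and payloads are constructed for illustration. A customer lookup written with string concatenation and the same lookup written with parameter binding both pass a straightforward functional test, so a test suite alone will never tell them apart. Only a probe with attacker-shaped input, or a structural review of how the query is built, does.

```python
import sqlite3

# Constructed sample data for the example; this is not data from any real system.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]
SAMPLE_CREDENTIALS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "e99a18c428cb38d5f260853678922e03"),
    ("carol", "d8578edf8458ce06fbc5bb76a58c5ca4"),
]

# Two payloads a tester might actually type into the username field.
PAYLOADS = {
    # Tautology: turns WHERE username = '...' into a condition that is always true.
    "tautology": "' OR '1'='1",
    # UNION: appends rows from a table the lookup was never meant to expose.
    # The trailing -- comments out the closing quote the application adds.
    "union": "' UNION SELECT username, password_hash FROM credentials --",
}


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, email TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO credentials VALUES (?, ?)", SAMPLE_CREDENTIALS)
    return conn


def lookup_vulnerable(conn, username):
    """The structural flaw: user input is spliced into the SQL text itself."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: the value travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def functional_test(lookup):
    """The test a release gate would normally run. Both versions pass it."""
    conn = make_db()
    return lookup(conn, "alice") == [("alice", "alice@example.com")]


def injection_probe(lookup, payload_name):
    """Run one attacker-shaped input and report how many rows came back.

    For the vulnerable lookup the tautology returns every customer and the
    UNION returns every credential row; the safe lookup returns nothing,
    because no customer is literally named after the payload string.
    """
    conn = make_db()
    try:
        return len(lookup(conn, PAYLOADS[payload_name]))
    except sqlite3.Error:
        # A syntax error is still a finding, but here we only count leaked rows.
        return 0


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, "functional test passes:", functional_test(fn))
        for payload in PAYLOADS:
            print(f"  {payload:10s} payload leaked {injection_probe(fn, payload)} rows")
```

Running the block shows the point of the post in miniature: both lookups report the functional test as passing, while the tautology payload pulls back all three customers and the UNION payload pulls back all three credential rows from the concatenated version, and neither payload returns a row from the parameterized one. The only difference between the two functions is how the query is built, which is exactly the sort of thing a structural review of the code catches and a black-box functional test does not.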

Should old acquaintance be forgot and never brought to mind? HELL NO!

For as George Santayana put it (in a line often misattributed to Edmund Burke), those who do not learn from history are condemned to repeat it.

Posted by Jonathan Bloom

Jonathan is an experienced writer with over 17 years in the technology industry. Jon has written more than 500 journal and magazine articles and other materials that have been published throughout the U.S. and Canada. He has expertise in a wide-range of subjects within the IT industry including software development, enterprise software, mobile, database, security, BI, SaaS/Cloud, Health Care IT and Sustainable Technology. Jon holds a B.A. in History from Gettysburg College. He enjoys attending sporting events, cooking, studying American history and listening to Bruce Springsteen music.