The Government did a dramatic u-turn on its NHS contact tracing app yesterday – throwing in the towel on developing its own and switching to the more privacy focused Apple-Google model.
We’ve seen this coming for weeks and it’s a move the security community has urged since the beginning. Looking at GitHub, there were some fundamental – and serious – failings in security and privacy that doomed this project from the start.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Open source is undoubtedly a good thing in the pursuit of enhanced development and in surfacing security issues more quickly; however, open GitHub repos shouldn’t be used to design and architect an application that can reveal people’s medical information, even if anonymised. When you consider the paramount importance of this platform as part of the NHSx project, in meeting both personal data regulations and in gaining the trust of our nation, the failure to adhere to industry best practices in terms of comprehensive security controls is, quite simply, indefensible.
What we have here is a classic disconnect between the developer and security worlds. The combination of these two groups – DevSecOps – ensures data privacy and security are part of the design. It’s not perfect, but it provides the overlay that gets security built in early – something that is quite clearly missing in this instance. What is more worrying is this wasn’t a hidden issue – data privacy has been the main topic of conversation around the contact tracing app from the start; but, despite access to some of the best security practitioners in the world, the need to plough ahead has somehow overridden best practice.
If we can take something positive from this, it’s that we’re moving to a decentralised model that will provide stronger levels of privacy and security – one the professional security community has encouraged throughout. But this also serves as an important lesson for all organisations – early security intervention is vital and educating developers to consider security and access controls as part of the software development life cycle (SDLC) is critical.