Expert On Gov U-turn On Insecure Contact Tracing App

Open source is undoubtedly a good thing in the pursuit of enhanced development and in surfacing security issues more quickly; however, open GitHub repos shouldn’t be used to design and architect an application that can reveal people’s medical information, even if anonymised. When you consider the paramount importance of this platform as part of the NHSx project, in meeting both personal data regulations and in gaining the trust of our nation, the failure to adhere to industry best practices in terms of comprehensive security controls is, quite simply, indefensible.

What we have here is a classic disconnect between the developer and security worlds. The combination of these two groups – DevSecOps – ensures data privacy and security are part of the design. It’s not perfect, but it provides the overlay that gets security built in early – something that is quite clearly missing in this instance. What is more worrying is this wasn’t a hidden issue – data privacy has been the main topic of conversation around the contact tracing app from the start; but, despite access to some of the best security practitioners in the world, the need to plough ahead has somehow overridden best practice.

If we can take something positive from this, it’s that we’re moving to a decentralised model that will provide stronger levels of privacy and security – one the professional security community has encouraged throughout. But this also serves as an important lesson for all organisations – early security intervention is vital and educating developers to consider security and access controls as part of the software development life cycle (SDLC) is critical.