BA systems down globally

Probably thats the bit I dont understand. If the code is injected at the baseline, why couldnt the rogue message be picked up at either the functionality or integration stages? I assume all network activity is logged at those stages.

Not slower than I imagine. The biggest (and most secure system) I worked on took something like 5 years from start of dev to live running. And that was just phase one.

yeah I joined one when it was over 20 years old........................that was 20 years ago - and it's just now being decommissioned.

CSP covers the loading of scripts and also the actions performed by the site - connect-src blocks stuff like XMLHttpRequest, WebSockets etc

ba.com/index.html has header Content-Security-Policy: connect-src: 'self'
That page can load ba.com/hacked-script.js, which is prevented from using XMLHttpRequest.send() to anything except ba.com

If the passwords were affected they'd have to reset them all immediately, and by the looks of the javascript only the form data from the payment page was targeted.

Does anyone else find it strange now little detailed analysis available in the public domain there seems to be of these hacks? How are companies supposed to learn from other's mistakes when the information is so rarely available?

That's a problem though, isn't it? When an airliner crashes there is a forensic level investigation and the results are shared with the industry. Why shouldn't this happen in IT? At the end of the day, it is in everyone's best interests, as not only will BA face financial losses for card compromised, damage to their brand and ultimately fines from regulators.

I'm not even sure it is a financial limitation. Companies seem to be spending fortunes on cyber security teams, which in my opinion is an ineffective way to secure your systems.

Aeroplanes, for all their complexity, are all very similar. If a hinge fails on a door on one 737, then it is likely to fail on all of them. So they crawl all over the wreckage, find what broke, and then make sure everyone fixes it. Similar for the human factors side: an overloaded pilot is the same in any situation, so it is worth finding out why they were overloaded, and then making sure it doesn’t happen again.

IT systems are very different. I’ve been in the business for er, several decades, and I’ve not once seen two implementations that were the same, even when they were using the same underlying software. Even when companies decide to use an external service (one of the premises behind cloud), they will use it in subtly different ways. A “lesson learned” in one place may not be relevant to others. Software suppliers (either closed or open source) do update their code all the time to fix problems - but that may open up new issues in something that someone has built.

Two other points.

The number of companies that you’d expect to be really thorough ... but stick largely untested software into production is eye watering. Generally functional stuff (does it work?) is tested, but no one is really interested in other aspects (does it perform, is it secure) because the skills to do that properly are expensive. It’s also not very interesting for people whose focus is business growth or whatever. They view hard technical stuff as “in the IT domain”, and they’d rather IT spent less money... For the avoidance of doubt, I’m not saying BA do this, I’ve never worked for them, but lots of organisations do.

There’s also no commercial advantage to a company in revealing stuff they’ve found. It’s generally embarasssing, and its cost them a fortune to find it. Why share competitive advantage? The software suppliers will generally be involved, and will fix whatever they can.

Not that different.

BA sought to save money by not doing a code audit until after a breach.

If you've ever worked on any kind of Mil Spec system (as in the £5 per bolt to ensure you know which day the zinc in the anti-corrosion coating was mined on) they will go over every line and only use the lines they require.

It looks like BA built a system on the cheap, rather than writing their own libraries, just took one from another source without auditing the code.

This is why card information should never be stored by merchants. Ultimately we can't trust them to do a proper job.

I read it as a third party library was used to gain access.

Erm you do audit your production code... This is how they found the vulnerability.

If it doesn't make sense to you, that would be your issue.

I've worked with banking, finance and insurance. Nothing goes into production without being checked and triple checked. Any slightly ambiguous sources of code to be used with payment information is discarded. Unless they know exactly what the code does, it's not implemented.

The problem with this approach is it's not cheap. You need talented people who can write their own code rather than copy/pasting from Stack Overflow.