You have probably heard about the celebrities private pictures leak caused by hackers who managed to find iCloud login credentials of several celebrities. They have exposed their private pictures online and created a big scandale. Many articles have been published on the subject, including this complete analysis from Engadget explaining the bug in the ‘Find My iPhone’ service.

icloud-leak-fappening-password-security-ssdlc

What happened?

Exact details of the attack are not clear yet. Apple's ‘Find My iPhone’ in fact, may not be the only vulnerability allowing the hackers to break into others' personal accounts and access confidential data (including pictures and private information).

The attack was extremely simple given the nature of the vulnerability and the very first action a hacker would attempt when trying to break into personal accounts. At the same time, protecting against such category of attacks is simple as well!

At Apple, IT security is seriously considered a key factor. We're quite sure that the issue arose due to the lack of formalism and security within the software development life-cycle (SDLC). Passwords brute-forcing is typically avoided by a combination of strong passwords policies usage and the implementation of strict accounts lockout mechanism. That prohibits eventual attackers to continuously repeat their tests via automated passwords generator, which nowadays are powerful and efficient technologies.

The importance of Secure Software Development Life Cycle (SSDLC)

We'd like to underline the importance of including the above techniques as mandatory security controls, when designing your Secure Software Development Lifecycle Standard. No matter how good you think you are with secure coding. Following strict and secure guidelines and software quality assurance processes, is not just important, it's rather vital for you organisation.

Last but not least, this particular breach could have also been avoided with the execution of the needed runtime security testing (i.e. penetration test) on the 'Find My iPhone' service.

We'd like to underline this as a very important step of your Software Development Lifecycle, which should not be limited to the mere Secure Coding practices.

Make sure you always develop secure software!

We here at Advantio understand that your development team may not have implemented Secure Software Requirements before which is why we offer several different methods for making your software more secure.

We can review your software's code for you, we can evaluate the Software Development Lifecycle to ensure that your team is taking the right steps towards secure software and we can also train your team so that they have a better understanding of Secure SDLC (SSDLC) concepts and practices.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA