Experts: Padu should have been thoroughly tested

By TEH ATHIRA YUSOF

PETALING JAYA: The Central Database Hub (Padu) should have undergone stress testing or security testing before its launch, given that it stores public data, say cybersecurity experts. The system has caught some flak including from a former deputy minister, who even suggested that it should be suspended to resolve the glitches that arose right after it was rolled out.

While the government has taken swift action to address the technical flaws, Fong Choong Fook, founder and CEO of the cybersecurity firm LGMS Bhd, expressed concerns on whether the system had been sufficiently assessed and checked prior to its launch on Tuesday.

“In debating the issue of whether to suspend or shut down the system, the concern now is whether the government has conducted extensive stress and security testing on the system.

ALSO READ : Malaysians still trying to figure out Padu

“If it had then it wouldn’t have exhibited so many vulnerabilities, as discovered by users who exposed them online,” he said when contacted for his comment on the matter yesterday.

Owing to that, he said the government must be transparent about the cybersecurity measures taken to protect the data in the system.

As such, Fong suggested that the government issue a white paper encompassing the security actions and approaches to address issues involving Padu including user registration.

“The vulnerabilities have been rectified, as announced by the government, but these are just preliminary findings.

“When it comes to cybersecurity, we, as practitioners, are looking for something more transparent, for example, what measures the government has put in place to protect the database,” he said.

The head of Universiti Kebangsaan Malaysia’s Cyber Protection and Governance Lab Prof Dr Zarina Shukur said Padu needs to follow the software development process according to its discipline.

“Since Padu was announced with great fanfare by the government, the application of robust testing from all aspects, including functionalities and non-functionalities such as security testing, stress testing, load testing and others, must be implemented.

“It is also hoped that the development of Padu covers the Secure Software Development Life Cycle, and the minister was informed of the results of such tests,” she said.

Prof Zarina said having a third party consisting of cybersecurity specialists to provide expert opinions during the testing of the system before Padu was launched could have provided better insights into how it would operate.

The launch of Padu, she added, should have been done on a smaller scale through government agencies.

“For example, it could have been done involving government employees according to agencies first before involving all Malaysians.

“From a content point of view, it is stated that the data is combined with other agencies. However, it appears that the data is almost ‘empty’ without content.”

Having said that, Prof Zarina commended the government’s efforts in developing Padu.

“Like any other applications, it always goes through the ‘upgrading’ process,” she said.

However, she feels that Padu should be suspended until thorough testing by several parties.

Meanwhile, Fong also raised concerns about how the government is planning to consolidate and protect the database using Padu because “using a centralised database to store data from various sources is kind of old-fashioned”.

“The modern way of accessing data from different data points is using an API gateway, like what is being done by the Singapore government,” he said, adding that an API gateway allows the government to access various agencies and get data in real time.

Fong added that if Padu is dependent on a single repository (database), then it’s concerning that one single data storage carries all sensitive personal information.

“To be fair, the government has yet to publish anything in-depth about the current infrastructure, so we have no idea whether the government has built up a centralised database that receives data from different agencies, or it could be a hybrid database plus API gateway,” he said.

×

Related stories:

‘Security barriers in place’

Fahmi: It’s running smoothly now, no need to suspend system

Malaysians still trying to figure out Padu

The ‘other Padu’ for Johor biz

Data is king, so make sure it’s protected

Padu a good start towards focused subsidies

Follow us on our official WhatsApp channel for breaking news alerts and key updates!

padu , cybersecurity experts , testing

   

Report it to us.

Next In Nation
Two Filipinos among three individuals arrested by Kudat MMEA for transporting livestock without a permit
Heavy rain in Penang causes flash floods in parts of Air Itam
Housemen to be placed at district hospitals facing doctor shortage, says Dr Dzulkefly
Chinese minister Liu Jianchao meets with PKR senior officials led by Nurul Izzah
Non-functional wells: Four suspects in Kota Baru remanded three days by MACC
Malaysian youths shine in Forbes 30 Under 30 Asia list
JB senior citizen dies in freak accident after car reverses into her
Former assistant bowling coach jailed for sexual assault of teen boy
Johor MMEA gets a boost with return of vessel after refit, repowered engines
Fahmi hopes Meta's incident of removing news of PM with Hamas leader will not be repeated

Trending in News

Others Also Read

Load more

Copyright © 1995- Star Media Group Berhad [197101000523 (10894-D)]

Best viewed on Chrome browsers.