Software bug in authentication server behind SingPass, CorpPass service disruptions

0
4234

The Government will work on improving the system’s early detection and warning capabilities, as well as beef up all-round resiliency, says Senior Minister of State for Communications and Information Janil Puthucheary.

singpass down

Screengrab from the SingPass website, as of Thursday afternoon (Feb 8) at 3.45pm. 

SINGAPORE: The recent disruptions to the SingPass and CorpPass system were caused by a software bug in the authentication server provided by a commercial vendor, said Senior Minister of State for Communications and Information Janil Puthucheary on Monday (Mar 19). 

Previously undetected, the software bug only manifested after a system enhancement carried out in January. 

While the enhancement complied with all technical specifications and was properly tested, the interaction between it and the software bug “caused some records to persist in the system, instead of being automatically removed 30 days after they expired”, Dr Puthucheary explained.

This was the “root cause of the slowdown” in SingPass and CorpPass services last month, he added.

The commercial vendor Gemalto, a Netherlands-based company providing digital security services, has acknowledged the software bug in their product, said Dr Puthucheary in Parliament.

Access to national authentication systems SingPass and CorpPass first experienced a six-hour outage on Feb 8 before seeing another bout of disruption for about five hours the following day.

In response to a parliamentary question from Member of Parliament (MP) Tan Wu Meng about the investigation outcomes and lessons learned, Dr Puthucheary said improvements will be made to the system’s early detection and warning capabilities. 

“While the bug itself was elusive, the slowdown in system performance could have been detected earlier. Our early detection and warning capabilities can be improved and will be improved. 

“We intend to do so by enhancing the software checks and diagnostics so that in such cases, the engineers can act before the system condition worsens to a state that would affect users,” he said. 

Meanwhile, there will be a review of the system design to “improve all-round resiliency beyond just hardware resiliency”. 

The recent service outages also underscored the need to “work more closely” with commercial providers that are supplying products for critical Government systems, added Dr Puthucheary 

“The Government is reviewing the contracts with its commercial providers, both with respect to the incident as well as what we’ll be engaging moving forward,” he said. 

“We will take these lessons and apply them to the development and maintenance of other Government systems.”

Source link