PETALING JAYA: The Central Database Hub (Padu) should have undergone stress testing or security testing before its launch, given that it stores public data, say cybersecurity experts. The system has caught some flak including from a former deputy minister, who even suggested that it should be suspended to resolve the glitches that arose right after it was rolled out.
While the government has taken swift action to address the technical flaws, Fong Choong Fook, founder and CEO of the cybersecurity firm LGMS Bhd, expressed concerns on whether the system had been sufficiently assessed and checked prior to its launch on Tuesday.
“In debating the issue of whether to suspend or shut down the system, the concern now is whether the government has conducted extensive stress and security testing on the system.
“If it had, then it wouldn’t have exhibited so many vulnerabilities, as discovered by users who exposed them online,” he said when contacted for his comment on the matter yesterday.
Owing to that, he said the government must be transparent about the cybersecurity measures taken to protect the data in the system.
As such, Fong suggested that the government issue a white paper encompassing the security actions and approaches to address issues involving Padu including user registration.
“The vulnerabilities have been rectified, as announced by the government, but these are just preliminary findings.
“When it comes to cybersecurity, we, as practitioners, are looking for something more transparent, for example, what measures the government has put in place to protect the database,” he said.
The head of Universiti Kebangsaan Malaysia’s Cyber Protection and Governance Lab, Prof Dr Zarina Shukur, said Padu needs to follow the software development process according to its discipline.
“Since Padu was announced with great fanfare by the government, the application of robust testing from all aspects, including functionalities and non-functionalities such as security testing, stress testing, load testing and others, must be implemented.
“It is also hoped that the development of Padu covers the Secure Software Development Life Cycle, and the minister was informed of the results of such tests,” she said.
Prof Zarina said having a third party consisting of cybersecurity specialists to provide expert opinions during the testing of the system before Padu was launched could have provided better insights into how it would operate.
The launch of Padu, she added, should have been done on a smaller scale through government agencies.
“For example, it could have been done involving government employees according to agencies first before involving all Malaysians.
“From a content point of view, it is stated that the data is combined with other agencies. However, it appears that the data is almost ‘empty’ without content.”
Having said that, Prof Zarina commended the government’s efforts in developing Padu.
“Like any other applications, it always goes through the ‘upgrading’ process,” she said.
However, she feels that Padu should be suspended until it has undergone thorough testing by several parties.
Meanwhile, Fong also raised concerns about how the government is planning to consolidate and protect the database using Padu because “using a centralised database to store data from various sources is kind of old-fashioned”.
“The modern way of accessing data from different data points is using an API gateway, like what is being done by the Singapore government,” he said, adding that an API gateway allows the government to access various agencies and get data in real time.
Fong added that if Padu is dependent on a single repository (database), then it’s concerning that one single data storage carries all sensitive personal information.
“To be fair, the government has yet to publish anything in-depth about the current infrastructure, so we have no idea whether the government has built up a centralised database that receives data from different agencies, or it could be a hybrid database plus API gateway,” he said.