Tags: case study, new customer, Hacken service, security analysis, essential knowledge, cybersecurity

March 14. AirAsia, Asia’s largest low-cost carrier by passengers, has partnered with the Estonian cybersecurity consultancy Hacken to complement its security strategy and ensure the best user experience for its passengers.



Under the agreement, Hacken will perform an advanced secure code review of AirAsia applications to support the company’s PCI DSS compliance requirements. The review will cover the AirAsia Centralized Engine, the Android and iOS mobile applications, and a new payment system, with the goal of checking the consistency and security of legacy code as well as the implementation of secure software development best practices.

Airlines are frequent targets of data theft and breaches, with passport data, credit card numbers and other sensitive information having been stolen by malicious hackers in past incidents.

Cybersecurity in the airline industry:

The survey behind these figures finds that 89% of airline chief information officers are planning a major cybersecurity programme in the next three years, up from 71% in 2017. For airports the figure is higher, with 95% planning initiatives between now and 2021. Investment in cybersecurity is also increasing and totalled $3.9 billion in 2018. The research reveals that airlines will spend an average of 9% of their overall IT budget on cybersecurity in 2018, up from 7% the year before. The 2018 Air Transport Cybersecurity Insights study also looks at spending priorities, with employee awareness and training coming top at 76%, followed by regulatory compliance at 73% and identity and access management at 63%. The research also shows that more than 50% of the industry does not capture cybersecurity in its global risk register, although many plan to include it by 2021.

What is quality code?

There is no precise definition of the term. As a rule, a specialist’s understanding of what quality source code looks like is built on years of experience. Some programmers adhere to the principle of KISS (Keep It Simple, Stupid). In part this is fair, since it reflects the main rule of good code: simplicity and clarity. However, simplicity is often confused with oversimplification, so in a professional environment the quality of source code is judged by several further properties:

readability. The code is not overloaded with complex constructs, so it is easy to understand even without additional documentation or comments;

maintainability. It is easy to make changes to well-thought-out code: change the configuration or even the platform;

extensibility. New functionality can be added without the risk of breaking the existing logic, and if problems do appear they can be fixed quickly;

transferability. Good code can be handed over to other developers for support or refinement, and they will have no difficulty reading it;

test coverage. The higher the percentage of code covered by tests, the more likely unnecessary bugs are avoided in the future.

To make code easier to understand in a professional environment, each programming language has its own code style, a standard for formatting. It dictates the rules: where to put spaces or brackets, how to break lines, how to name variables. These nuances may seem unimportant, but following them greatly helps anyone who sees the code for the first time.

Not every programmer can write really good code. This is especially hard for those who are only just gaining experience, but even competent developers make mistakes from time to time. Therefore, teams that create high-quality software regularly inspect their code.

How to improve the quality of the code?

One of the most popular, and at the same time fairly simple to implement, techniques is called code review. Its essence is that changes made by a programmer reach the main code repository, and the release version of the software, only after the rest of the team has checked them.

This process consists of several steps:

First, the developer adds new functionality to the code and notifies the other participants that the update needs to be checked.

At the second stage, team members, the reviewers, read the code and leave comments. Some companies that practise code review focus only on finding bugs, but to really improve code quality reviewers should also point out architectural flaws, improper use of tools, and poor style: code that is hard to understand or easy to misread.

Work on the remarks follows. If the author disagrees with a comment, he may reject it, but to do so he must provide convincing arguments in defence of his position. If there are none, he makes the necessary corrections.

Then the cycle repeats from the beginning, systematically, every time a new batch of changes is made to the code.
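As an added, constructed illustration of what one pass through this cycle produces on a payment-related change (example code, not code from AirAsia, Hacken or the original article): the function as the developer submitted it, the findings a reviewer would leave on it, and the revised function after the remarks were accepted. The schema, order data and card numbers are made up, and the two findings, a query built by string interpolation and a full card number written to the application log, are the kind of defect a secure code review for PCI DSS is meant to catch.

```python
"""Constructed code-review example: submitted change, reviewer findings, revised change.

Hypothetical schema and data; nothing here is taken from a real system.
"""
import logging
import sqlite3

log = logging.getLogger("payments")


def make_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT, pnr TEXT, pan TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [
            ("A1", "QX7K2P", "4111111111111111", 12900),
            ("B2", "M3ZT9L", "5555555555554444", 4500),
        ],
    )
    return conn


# --- Stage 1: the change as submitted ---------------------------------------
def find_order_submitted(conn: sqlite3.Connection, order_id: str) -> list:
    """Look up an order by id; returns (id, pnr, pan) rows.

    Reviewer finding 1 (bug): order_id is interpolated into the SQL text, so a
    crafted id such as  ' OR '1'='1  changes the query instead of being data.
    Reviewer finding 2 (improper use of tools): the full card number is written
    to the application log, which PCI DSS does not permit.
    """
    rows = conn.execute(
        f"SELECT id, pnr, pan FROM orders WHERE id = '{order_id}'"
    ).fetchall()
    for row in rows:
        log.info("order %s card %s", row[0], row[2])
    return rows


# --- Stage 3: the change after the remarks were accepted --------------------
def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits, the PCI DSS display limit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:  # not a plausible card number; never echo it back
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_order_reviewed(conn: sqlite3.Connection, order_id: str) -> list:
    """Same lookup, with both findings fixed.

    The driver receives order_id as a bound parameter, so quotes in it cannot
    alter the statement, and only a masked card number leaves the function or
    reaches the log.
    """
    rows = conn.execute(
        "SELECT id, pnr, pan FROM orders WHERE id = ?", (order_id,)
    ).fetchall()
    masked = [(row[0], row[1], mask_pan(row[2])) for row in rows]
    for row in masked:
        log.info("order %s card %s", row[0], row[2])
    return masked


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed injection attempt used as an order id
    print("submitted:", find_order_submitted(db, payload))  # every order leaks
    print("reviewed: ", find_order_reviewed(db, payload))   # nothing matches
    print("reviewed: ", find_order_reviewed(db, "A1"))
```

Running the block shows the difference a reviewer's two remarks make: with the submitted version the injection payload returns every order in the table with full card numbers, while the reviewed version returns nothing for the payload and only a masked number for a legitimate id.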

Advantages of code review:

Code review helps to find some mistakes at an early stage and to get rid of incomprehensible and confusing solutions. Not one person but the whole team works on the code, so a fresh perspective often appears.

A programmer who knows in advance that colleagues will check his work tends to write more carefully and in a more organised way. The output is code that several people understand, which puts it much closer to quality code.

When several specialists know the code well, it becomes easy to hand work over between participants. If the need arises, any member of the team can quickly get into the work and do it well.

Code review also reduces the risk described by the so-called bus factor: the number of team members who would have to be hit by a bus before all knowledge of the project is lost. For example, if four people work on a project and two of them leave for some reason, the remaining two can still finish the work, but if three leave, the last participant cannot manage alone.

All in all, code review:

Increases clarity, because the author is forced to bring the code into a form that the reviewers can understand.

Creates a common vocabulary for communication at the code level.

Acts as a catalyst for shared code design agreements, i.e. conventions that emerge from practice, directly from the code, rather than being imposed from a document.

Reduces the number of vulnerabilities in the code.

Synchronises the team’s mental models.

Improves the quality of the software product.

“Every company that deals with sensitive data should ensure its privacy and secure storage management. Hacken is honored to cooperate with such an esteemed and guest-obsessed airline as AirAsia. Hacken will utilize the best practices of SDLC to provide AirAsia with the highest quality of application secure code review.” — Dmytro Budorin, CEO, Hacken

About AirAsia

AirAsia, the world’s leading low-cost carrier, serves an extensive network of over 200 destinations across the Asia Pacific. Since starting operations in 2001, AirAsia has carried more than 500 million guests and grown its fleet from just two aircraft to over 200. The airline is proud to be a truly ASEAN (Association of Southeast Asian Nations) airline with established operations based in Malaysia, Indonesia, Thailand, and the Philippines as well as India and Japan, serving a network stretching across Asia, Australia, the Middle East, and the US. AirAsia has been named the World’s Best Low-Cost Airline at the annual Skytrax World Airline Awards 10 times in a row from 2009 to 2018. AirAsia was also awarded World’s Leading Low-Cost Airline for the sixth consecutive year at the 2018 World Travel Awards, where it also won the World’s Leading Low-Cost Airline Cabin Crew award for a second straight year.

Follow AirAsia on Facebook (AirAsia), Twitter (@AirAsia), Instagram (@airasia), YouTube (AirAsia), Weibo (@亚航之家) and WeChat (亚洲航空).



About Hacken

Hacken is a global cybersecurity consultancy firm. It provides a wide range of cybersecurity services such as security assessment, deep-dive penetration testing, bug bounty as a service, and secure code review.