From this (my highlighting), I guess that very few airport and airline applications have any form of threat modelling carried out during their development…:
[…] Why are airlines and airports so unprepared?
Over the last 20 years an awful lot of attention – and quite rightly – has been paid to physical security, and ensuring that we have the tech in place to prevent a physical attack. Now, we need to ensure that we’re giving due attention and focus to preventing cybersecurity attacks. The Department of Transport has a five-year plan and a cybersecurity strategy which talks about all the measures that need to be in place.
The government along with the regulatory bodies – in the UK, CAA and in the US, FAA – are taking the responsibility seriously. But I think we also need to ensure that across the board, not just for the physical security but in software, we’re getting systems up to scratch. In our State of Software Security Report, [we found that] in the aviation industry, unfortunately, most software applications failed common security standards.
There is a security standard called the open web application security project and it provides a checklist of vulnerabilities – the security bugs we really don’t want to see in your software application. Only one in four applications that were tested against the standard passed the first inspection. The majority of those applications failed. Whether they’re on the ground or in flight, it’s crucial that we do a better job of ensuring that the systems which people rely on are safe and secure and the attackers don’t have any bail to breach.