The Precautionary Tale of CrowdStrike: Why QA matters in Cybersecurity

On July 18th, CrowdStrike pushed an update to its customers that caused Microsoft Windows users to experience a myriad of technical difficulties. Machines displayed the blue screen of death. Flights came to a halt, hospitals had major issues, and even 911 call centers were brought down. A company whose main goal was to prevent cybersecurity attacks pushed an update that is on track to be one of the most disruptive IT events in history. A company considered best of breed for a long time negated the goodwill it had built up over the years. Some people argued that everyone makes mistakes, but often these mistakes stem from the same problem: poor QA. For a cybersecurity company, these mistakes are not acceptable.

Testing software is a vital part of the software lifecycle, especially in environments running automatic updates or in a CI/CD environment. Many times, companies erode best practices around testing to save money, time, or both. However, in the long term, it never saves money. Eliminating QA is a lot like playing at a casino; the longer you play, the more likely you are to lose.

Why would CrowdStrike possibly lower its QA standards? Time. One of CrowdStrike’s major claims to fame is preventing zero-day exploits. When new software comes out, CrowdStrike uses machine learning to identify exploits that hackers have found and creates a defense around the new malware from similar attacks before the actual issue is addressed. This means the software needs to be updated … a lot. CrowdStrike could push out updates as often as once a day. This rush to cover new exploits quite possibly led to a lapse in best practices and may have caused the cybersecurity threat within CrowdStrike. Just because an attack was not meant to be malicious does not mean it is not a cybersecurity threat.

Fault goes beyond CrowdStrike’s QA practices and extends to the functionality of the product itself. To achieve this lightning-fast delivery, CrowdStrike Falcon sold the concept of Frictionless Zero Trust, which is anything but zero trust (zero trust probably needs to be retired as a marketing catch-all in cybersecurity). CrowdStrike required users to put their complete faith in it and allow a third-party vendor to push updates directly to machines with packages that could affect the very OS kernel of the machines. That is a statement that would make any cybersecurity professional cringe. I understand the allure of real-time protection. However, by accepting an update onto critical machines without testing it, you have brought cyber risk onto your organization. Again, just because an attack was not meant to be malicious does not mean it is not a cybersecurity threat.

What can we learn from this? Do not skimp on QA. It is a losing proposition that will eventually cost you. CrowdStrike is going to be hurt considerably by this mistake, as it rightfully should be as a cybersecurity company. Any software development (or platform development) should have a robust QA team testing it. Also, you should never blindly trust a third party with kernel-level access to your machines, especially if they are marketing that as a Zero-Trust exercise. You should be able to run any patch or update in a test environment before you push to the rest of your machines. If you are looking for additional help or guidance with your QA efforts, cybersecurity posture, or other pieces of your technology stack, please feel free to contact us at Oxford Global Resources.

Tony Mao

Entrepreneur

3 months

True! Tom, careful testing and best practices, particularly in security and quality, are incredibly important to avoiding incidents like these.

Harris Nussbaum

Delivering Clarity From Chaos on the Cyber Battlefield

4 months

There is zero way this was not a hack.
