Hacker News

corroclaro, today at 11:04 AM (3 replies)

This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".

Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.

Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.


Replies

bengale, today at 11:10 AM

The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.

vladms, today at 11:26 AM

> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity

So what do you think the solution would be? From what I see (public tender or not), I would claim that "any large IT project/company will suffer from security issues", so I'm not sure what the added value is in singling out a process (the tender) or a region (Europe) if there is no obvious alternative.

ExoticPearTree, today at 2:13 PM

The problem here is that what tends to happen is that the security requirements are relatively vague, and once the customer has signed the acceptance, good luck.

And signing up with a big company is a good way to cover your behind, because "if they, with all their people and knowledge, could not do it...". Basically the mantra of "Nobody was ever fired for buying Cisco".