Hi all,
I need some opinions on this:
I recently found the following security issues in a website done for a shop
- SQL queries were being displayed to the user at the top of the results page after they used the search function
- There was no sanitization, so you could pass SQL queries to the database at your leisure
I contacted the shop and warned them of the issues, without slating the development company in question. However a representative from the development company happened to be at the shop the day after I sent the email and ... :
1. felt the need to be cocky about it... slagging me off, i.e. that I think I'm such a hacker
2. Downplayed it to the customer saying... it's not a bank so it's not feasible to focus on stuff like that
3. Did not take ownership of the hugely unprofessional workmanship and apologize to the customer
The above 3 points I heard from people that were there at the time.
What does this say about a company that boasts about custom CMS sites and having done sites for the government on their clients page? Actually quite a few of the sites listed on their client page seem to have moved away, or some that are actually with them have quite a few error pages scattered among their respective links that describe the server and PHP versions quite nicely for anyone wanting to exploit it.
My view of this:
(I create systems that handle sensitive and mission-critical data for companies that use web technologies for their frontends)
Validation and Sanitization should be at the core of any web development... I have my own engine that scales to the size and usage of the site, and validates everything, it is also very customizable. It catches everything the client-side validation misses so if a designer is hired to redo the site design and doesn't validate properly... the engine still handles it appropriately. The engine also catches errors and blatant hacking attempts, alerting my admin panel that holds stats on all my deployed sites. Any freelance work I do has this engine for free as I feel security is not a separate issue to development... before I even start a freelance site the security gets put in place and is implemented throughout my code. I monitor security news and test my own sites against exploits even if the client doesn't have an SLA with me. (for the testing I keep local copies and will contact the client if I feel the LIVE site needs testing)
I am VERY OCD with my code, it is my creative outlet and having my sites and code out there feels like I'm letting someone look into my soul... so I am very thorough and stringent with what I produce. Am I too harsh with my view of what a charging, 'Professional' company (whose bread-and-butter is web development) should be supplying to their clients?
Thanks,
Arky
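The two findings in the post (search input spliced straight into the SQL text, and query/error text echoed back on the results page) and their fix, as an added example that is not the poster's code or the shop's site. It uses an in-memory SQLite table with constructed sample products; the function and table names are assumptions.

```python
import logging
import sqlite3

log = logging.getLogger("shop.search")


def make_db() -> sqlite3.Connection:
    """Constructed sample catalogue standing in for the shop's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Blue mug", 4.5), ("O'Brien teapot", 18.0), ("50% cotton shirt", 12.0)],
    )
    return conn


def search_unsafe(conn, term):
    # The pattern the post describes: user input concatenated into the SQL text.
    # A quote in a perfectly legitimate term already breaks the query; the same
    # property is what lets a hostile term rewrite the query.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [r[0] for r in conn.execute(sql)]


def unsafe_breaks_on(conn, term) -> bool:
    """True if the concatenated query fails for this term (e.g. an apostrophe)."""
    try:
        search_unsafe(conn, term)
        return False
    except sqlite3.Error:
        return True


def search_safe(conn, term):
    # Parameterised query: the driver passes `term` as data, never as SQL text.
    # LIKE wildcards inside the term are escaped so "50%" is matched literally
    # instead of acting as a pattern.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'", ("%" + escaped + "%",)
    )
    return [r[0] for r in rows]


def handle_search_request(conn, term):
    # What the results page should return: rows on success, a generic message on
    # failure. The exception and the SQL go to the server log, never to the user.
    try:
        return {"ok": True, "results": search_safe(conn, term)}
    except sqlite3.Error:
        log.exception("search failed for term %r", term)
        return {"ok": False, "error": "Search is temporarily unavailable."}
```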