40
hjk101
7y

TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!

As I mentioned before, my company used plaintext passwords in a legacy app (I was not allowed to fix it) and we finally moved away from it. A big win! However, not the end of our issues.

Those idiots still use hardcoded passwords in code, a practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG Repo-Cleaner.

I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default JSON file that is always ignored by git. Although this helped a lot, they still remain idiots.
The first project in another language and boom, hardcoded password. The dev said "I'll just remove it before going live." First of all, I don't believe him. Second of all, I asked: from the history? "No, a commit will be good enough..."

Last week we had to fix a leak of copyrighted content.
How did this happen, you ask? Well, the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long as the URL to the file is not published. Besides, now we can also use it to upload files that need to be published here."
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT; it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while, but I remain sceptical. I hope a few devRanters do!
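The two points the rant makes about code, that secrets have to be injected from outside the repository and that "I'll remove it before go-live" is not a control, as an added example in Python. This is not hjk101's config library or the company's code; the required key names, the APP_ environment prefix, the config.local.json file name and the credential regex are assumptions made for this example.

```python
"""Added example (not the library from the post): keep secrets out of source.

Two pieces:
  1. load_config(): secrets come from the environment or from a local JSON
     file that .gitignore lists; a missing required key raises instead of
     falling back to a value in code, so there is nothing to leak when the
     repository is published.
  2. find_hardcoded_secrets() / check_staged(): a pre-commit style scan over
     the text about to be committed, so removal before go-live is enforced
     by tooling rather than by memory.
Key names, env prefix, file name and regex are assumptions for the example.
"""
import json
import os
import re
from pathlib import Path
from typing import Dict, List, Mapping, Tuple

REQUIRED_KEYS = ("DB_HOST", "DB_USER", "DB_PASSWORD")  # assumed for the example
ENV_PREFIX = "APP_"                                  # assumed: APP_DB_PASSWORD etc.
LOCAL_FILE = Path("config.local.json")               # assumed; must be in .gitignore


class MissingSecret(RuntimeError):
    """Raised when a required config key has no value from env or local file."""


def missing_keys(cfg: Mapping[str, str], required=REQUIRED_KEYS) -> List[str]:
    """Required keys that are absent or empty (an empty secret is as bad as none)."""
    return [k for k in required if not cfg.get(k)]


def load_config(environ: Mapping[str, str] = os.environ,
                local_file=LOCAL_FILE, required=REQUIRED_KEYS) -> Dict[str, str]:
    """Environment overrides the git-ignored local file; nothing in code."""
    local_file = Path(local_file)
    cfg: Dict[str, str] = {}
    if local_file.exists():
        cfg.update(json.loads(local_file.read_text()))
    for key in required:
        env_val = environ.get(ENV_PREFIX + key)
        if env_val is not None:
            cfg[key] = env_val
    missing = missing_keys(cfg, required)
    if missing:
        raise MissingSecret("missing config keys: " + ", ".join(missing))
    return cfg


# A string literal assigned to a credential-looking name, in code or JSON:
#   db_password = "hunter2"     "api_key": "AKIA..."     token='abcd1234'
# Deliberately loose: a scanner that misses is worse than one that asks a
# developer to add a placeholder.
_SECRET_ASSIGN = re.compile(
    r"""(?i)(pass(word|wd)?|pwd|secret|api[_-]?key|token)\b[^=:\n]*[=:]\s*['"]([^'"]{4,})['"]"""
)
_PLACEHOLDERS = {"changeme", "xxxxxxxx", "your_password_here", "<password>"}


def find_hardcoded_secrets(text: str) -> List[Tuple[int, str]]:
    """(line_no, line) for lines that look like hardcoded credentials.
    Obvious placeholders are skipped so a committed example config passes."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _SECRET_ASSIGN.search(line)
        if m and m.group(3).strip().lower() not in _PLACEHOLDERS:
            hits.append((no, line.strip()))
    return hits


def check_staged(files: Mapping[str, str]) -> List[Tuple[str, int, str]]:
    """Pre-commit check over {path: contents}; returns all findings.
    A real hook feeds this the staged files and exits non-zero on any finding."""
    findings = []
    for path, contents in files.items():
        if Path(path).name == LOCAL_FILE.name:
            findings.append((path, 0, "local secrets file must not be committed"))
        for no, line in find_hardcoded_secrets(contents):
            findings.append((path, no, line))
    return findings
```

The scanner only checks what is about to be committed; a password that is already in the history, as in the repo from the post, still needs a history rewrite (BFG Repo-Cleaner or git filter-repo) and, more importantly, rotation of the credential, because a rewrite does not un-leak anything already pulled.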
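For the leak behind a "hidden" URL, the check a practitioner would want is one the server performs at download time rather than hoping the URL stays unshared. Below is an added example, not the secure upload field or any code from the post, of one common way to do that: a short-lived download link bound to a user and signed with a key only the server holds, so a copied link is useless to anyone else and stops working on its own. The signing key, the /protected/ path layout and the five-minute lifetime are assumptions for this example.

```python
"""Added example (not the system from the post): a download link that is
not a secret to be hidden but a short-lived, user-bound capability that
the server verifies on every request.

A stable "unpublished" URL is a permanent credential that anyone who has
seen it can re-share. Here the server signs (file_id, user, expiry); the
link works for that user until expiry and cannot be forged or extended.
Key, path layout and TTL are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = secrets.token_bytes(32)  # assumed: loaded from config in practice
DEFAULT_TTL = 300                      # seconds a link stays valid
PREFIX = "/protected/"                 # assumed route for authorized downloads


def _mac(file_id: str, user: str, expires: int, key: bytes) -> str:
    """HMAC over every field the link carries, newline-separated so the
    fields cannot be shuffled into each other."""
    msg = f"{file_id}\n{user}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_download(file_id: str, user: str, now: Optional[int] = None,
                  ttl: int = DEFAULT_TTL, key: bytes = SIGNING_KEY) -> str:
    """Issue a link for `user`. Call this only after the application has
    checked that `user` may read `file_id`; the link carries that decision."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"u": user, "e": expires, "s": _mac(file_id, user, expires, key)})
    return f"{PREFIX}{file_id}?{query}"


def verify_download(url: str, now: Optional[int] = None,
                    key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Return (ok, user) on success or (False, reason) on failure.
    Checks the signature in constant time, then the expiry; the file_id
    taken from the path is part of the signed data, so swapping it fails."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    if not parts.path.startswith(PREFIX):
        return False, "not a protected path"
    file_id = parts.path[len(PREFIX):]
    q = parse_qs(parts.query)
    try:
        user, expires, sig = q["u"][0], int(q["e"][0]), q["s"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _mac(file_id, user, expires, key)):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, user
```

The signature does not replace the access decision; it transports it. The application still decides who may read which file before it hands out a link, and a file that must never be public simply never gets one. Files meant to be published go through the public path, which is exactly the separation the rant asks for.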

Comments
  • 13
    Someone who's really into security as well here!

    That kinda shit (what those guys pulled) makes me want to eradicate their fucking bloodline!
  • 4
    In my experience (and I work in the security business) security is always a burden for most people. They don't see the benefit of doing it the 'complicated' way when it works another, easier way. And yes, developers are not excluded from such thoughts. So I hope that such incidents can reshape our thinking to what it should be and shall be.
  • 2
    @linuxxx Their entire bloodline? Even that is a step up from https://devrant.io/rants/882284/... Thorough, though.

    Unfortunately one bad apple can undo it all so I get your sentiment
  • 2
    And another thing: for crying out loud have some type-checking of arguments, and some authentication/authorisation, on your backend API calls...
  • 0
    @2erXre5 Devs are definitely not excluded. I used to be a sysadmin (still do DevOps). As a sysadmin you are constantly confronted with security updates etc. I think that helps put things in perspective. Also you are taught about the prevent subsystem and what it entails (like bankruptcy if you fail at it hard enough).

    I hate that your industry resorts to scare tactics, but as it resides on the cost side of the business I get that it is the only way to get the point across (just like my bankruptcy thing). I try to explain that it saves time and money and is interesting, not a burden.

    Cleanup is, though. Had to re-upload years of files and substitute the links to them. Yuck.
  • 0
    @d4ng3r0u5 Yep, those are the basics, and that is where it already starts to go wrong.

    Input validation is done properly here, but they always try to cut corners on authentication.

    Basic auth sucks as it requires credentials saved somewhere, yet that is their choice every time...
  • 0
    That reminds me of stuff like this

    <!-- <?=php_code_doing_shit(blah) -->