I'm shocked. Shocked, I tells ya.
Shocked that anybody still uses Adobe anything, that is.
Patient: "Doctor, it hurts when I do this!"
Doctor: "Well, then don't do that!"
It has been revealed that Adobe's Experience Platform mobile SDKs, used to create apps that interact with the company's cloud services, until recently contained sample configuration files that created insecure default settings. Developers creating apps that utilize those files as templates or examples could find that their …
In an email to The Register, a spokesperson for Nightwatch said, "[Developers] are supposed to replace the config file with one downloaded from the developer portal... but they often don't."
Isn't this how development is done these days? Copy & Paste/Link files from other locations and/or ask on Stack Overflow, stir with a big spoon and hope it works?
Dear Lord I hate Adobe.
We have to use their Acrobat products, every install is agonisingly painful when you have to fight through various versions of it demanding individual Adobe cloud accounts (not suitable for corporate). I think in the end I had to install our team's copies under a single license key because the others wouldn't work or were impossible to install. So we have to have a dodgy install despite paying those horrific prices for licenses.
The problem isn't that Adobe shipped sample configuration files for use with their SDK, but that developers blindly copy and paste code into production without even a cursory glance at said code.
Even if Adobe and other tutorials direct you to 'just copy that file into your root directory', any developer worth his salt should still peruse said configuration files before releasing their product.
Why can't it be both?
I'm not one to give engineers a pass on this sort of thing; indeed, I consider making a serious attempt to understand something completely before using it to build products to be one of those modest professional nuances that distinguishes engineers from devs (and goldfish). At the same time, Adobe failed to demonstrate another modest professional nuance first by creating a template or demo that does not reflect best practices, then by shipping it without noticing the problems, and finally by recommending that a configuration template from a demo be used by customers instead of creating their own from scratch after reading the (hopefully) complete documentation, providing a tool to create one that will be correct by default, or any other safe approach.
That there are undoubtedly thousands of customers who are going to copy-pasta out of demos or stackexchange regardless does not excuse any of Adobe's errors. This is a classic example of multiple things going wrong to cause an eventual production failure. Correcting any one of them would have prevented the ultimate failure. The author of a piece of software puts his or her name or brand on it and assumes responsibility for its content regardless of who else made various components. When they did so, both Adobe and its customers failed in their duty to their respective customers. But engineering is passé; everyone wants devs now because copy-pasta gets you to market faster. Deploy to production from your desktop, move fast, break shit, disrupt. Devops! Agile! We don't have time to understand what we're doing or why. And you can see that mentality at work on all sides in this case. No reason to choose just one! If you really don't like it, stop giving these people money.