Am I the only one ...
... seeing a serious lack of network security knowledge being displayed in New Zealand?
A New Zealand auction website has shut after just a day, thanks to IT professionals who noticed extraordinarily relaxed security operations. The site in question is Wheedle.co.nz, which currently says "unforeseen technical problems" have "postponed further activity on the website." Postp0wned may be a more accurate term, as …
No, just the usual web start-up approach to life, i.e. "Let's get the product launched quickly and cheaply, build a user base and worry about boring stuff like security later." To be fair, if you dig back not so many years you'll find plenty of (now) household names that were regularly exposed for schoolboy security errors for exactly the same reason.
Unfortunately (for this lot), it's harder to get away with it for very long these days, especially if your hubris has the potential to end up costing punters actual cash money as this case appears to demonstrate.
Programmers need to start with security and work backwards - too many start with the code and then try to make it secure.
Learned this the hard way through a "professional" UK programmer who created a pile of insecure shit for me two years back with all sorts of holes like no checking of data before entering it into a database, URL manipulation, admin functions accessible by anyone if they knew the URL - pain...
I don't agree - a programmer needs to understand security and the risks in what he does otherwise how can he ever write good code?
As my application has developed and moved forward I have used other programmers and there are many who are very knowledgeable about security and performance and scalability and other considerations beyond the technicality of writing code and that's what separates the shit from the good.
Not smart to say the least. If your coder doesn't have a clue about security, he's not a coder, just a liability.
Not sure about your corner of the world, but where I'm at, it usually starts with user input not even being sanitized/validated, never mind exotic exploits...
A WAF does have its merits, but if the whole web app was built from the ground up on idiotic assumptions and dimwit designs, it's about as good as steel plating your front door while leaving the windows wide open.
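The two failure modes that keep coming up in this thread (data going into the database unchecked, and admin functions whose only protection is that the URL is not advertised) are the kind a WAF cannot reliably paper over, because the fix has to be in the application's own handling of each request. The following is an added Python example written for this discussion; it is not code from the thread or from the site being discussed, and the in-memory user table, the dict-shaped requests and the server-side session layout are constructed assumptions for illustration. Each "before" function shows the pattern being complained about next to its hardened form.

```python
import re
import sqlite3

# Constructed sample data for the example; not any real site's data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

# ---- 1. "No checking of data before entering it into a database" ----

def lookup_user_unsafe(conn, name):
    """'Before' pattern: the value is pasted into the SQL text, so any quote
    or operator in the input changes the query's structure."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def unsafe_lookup_breaks(conn, name):
    """True when the string-built query fails on this input, i.e. the input
    was interpreted as SQL rather than as data."""
    try:
        lookup_user_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

# Allow-list for the shape of a username (assumed policy for this example).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def lookup_user_safe(conn, name):
    """Hardened: validate the shape against an allow-list, then bind the value
    as a parameter so the driver always treats it as data."""
    if not USERNAME_RE.fullmatch(name):
        return []  # reject rather than try to 'clean' the value
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()

# ---- 2. "Admin functions accessible by anyone if they knew the URL" ----
# A request is a plain dict: {"path": ..., "params": {...}, "session": {...}}.
# "session" stands in for server-side state set at login (hypothetical).

def delete_user_unsafe(conn, request):
    """'Before' pattern: the handler assumes only admins know the path,
    so it never checks who is asking."""
    conn.execute("DELETE FROM users WHERE id = ?", (request["params"]["id"],))
    conn.commit()
    return {"status": 200}

def delete_user_safe(conn, request):
    """Hardened: authorisation is checked on every request from server-side
    session state, and the id is validated before it reaches the database."""
    session = request.get("session") or {}
    if session.get("role") != "admin":
        return {"status": 403}  # knowing the URL is not a credential
    raw_id = request["params"].get("id", "")
    if not raw_id.isdigit():
        return {"status": 400}
    conn.execute("DELETE FROM users WHERE id = ?", (int(raw_id),))
    conn.commit()
    return {"status": 200}

def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    # An ordinary surname with an apostrophe is enough to break the unsafe query.
    print("unsafe lookup broke on o'brien:", unsafe_lookup_breaks(conn, "o'brien"))
    print("safe lookup of o'brien:", lookup_user_safe(conn, "o'brien"))
    anon = {"path": "/admin/delete", "params": {"id": "2"}, "session": None}
    print("anonymous delete, hardened handler:", delete_user_safe(conn, anon)["status"])
    print("users left:", count_users(conn))
    print("anonymous delete, 'before' handler:", delete_user_unsafe(conn, anon)["status"])
    print("users left:", count_users(conn))
```

The point of the pairing is that neither fix is exotic: parameter binding plus an allow-list check covers the first complaint, and an explicit per-request authorisation check from server-side session state covers the second. A WAF in front of the "before" versions would have to guess at both, whereas the hardened handlers make the decision where the information actually is.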
Yeah, because it is the general impression of Indian programmers in NZ. NZ is dominated by cost in these types of enterprises. You get what you pay for everywhere. The mistake people make is saying Country A has good programmers and Country B has bad programmers. I've worked with some successful and some appalling teams from India. The difference was always how much communication took place every minute or hour. Those teams which rotated members into the on-shore team to slowly build up a team culture were the ones I loved working with.