I’m so frustrated!
From 2014 until 2018 I worked for a small-sized web development agency. Most of the web development was done for a specific PHP-based system.
The security posture of this system could have been described as “poured cheese”. I was terrified by the many aspects of insecurity in this system.
Earlier this year I changed my job. I’m now working for a company that operates in several markets. At that software company, we check software for its overall security before using it.
I have checked 5 software solutions since my job change, plus some in my spare time. There was none that had no security issue! I found ~10 critical security vulnerabilities.
Why the hell is this our reality in today’s modern software development?
You might say: You are using PHP. What did you expect?
PHP is not the problem
You can create secure programs in PHP! I did this on my own several times ;-). In PHP you have more ways to shoot yourself in the foot than in other languages. But this does not mean that PHP has a patent on ‘shooting yourself in the foot’. I found bad vulnerabilities in software that was not written in PHP.
Developers are dumb
The fact is: Developers are dumb! I don’t want to insult anyone, nor do I want to sound overbearing. But the security vulnerabilities I saw leave no other conclusion. Most developers do not have the slightest idea about application security.
Me, too! My knowledge about information technology security is soooo limited. I don’t even know what I don’t know. There are so many ways to penetrate a piece of software that you will never know anything.
But to be honest, there could be much more interest in securing applications than there is right now. Most developers are not aware that their code will decide the security of the whole system. They go to work, program their horrible stuff and go home without ever having to carry the can for the security vulnerabilities they created.
Companies do not fulfill their responsibility
Before working in the security field, I did not know how hard it is to get a financial reward for a security vulnerability you found.
When demanding a reward for your work, you get insulted by the companies. They call you a blackmailer. Those small-minded people do not fulfill their responsibility and call you, the white hat, a blackmailer!
Just do your fu***** job!
Being a black hat would be so fun!
I have thought about becoming a black hat several times. It’s just too easy to penetrate systems and make money by exploiting them. The only thing that prevented me from doing so is my good breeding. It’s just not OK to get rich on the weaknesses of others. But not all people have such a good moral compass.
I will continue my work! I will keep doing my very best to find and prevent security vulnerabilities. Everyone interested in preventing and finding security vulnerabilities in software (especially web applications) should come back to this blog or use my RSS feed. In the next months, I will publish a web application security series here.
What is your experience regarding security topics? Comments appreciated :-)
This rant is not related to Shopware’s security issues. In this case, correlation is not causality! Shopware did a good job regarding the security issues that were found.