Wednesday, January 09, 2008

Lesson Learnt...

I got a scare at work recently...

I was working on a form that is supposed to jumpstart a service we will be deploying sometime this year. And due to time constraints (exams were fast approaching and my timetable was looking evil) and sheer carelessness on my part, I didn't put in place the necessary security measures and I apparently left the system susceptible...
Then I got a call from my OGA, who said that there had been a security breach; that the database had been compromised... an SQL injection attack, he said.


OUCH!!!

It was then I understood the value and importance of taking adequate security measures. I mean, in like 5 minutes I could have safeguarded the application and prevented this supposed mayhem... right there I added "prevention is better than cure" to my guiding tenets when building applications...

So I got down to work, did some poking around to see the extent of the damage. At the end of the day, it wasn't what my OGA thought...but still, the lesson stuck.

When it comes to securing web applications, Jason Gilmore aptly put it when he said:
"Any Web server can be thought of as a castle under constant attack by a sea of barbarians. And, as the history of both conventional and information warfare shows, often the attackers' victory isn't entirely dependent upon their degree of skill or cunning, but rather on an oversight by the defenders."


You see, the interesting thing is that in most scenarios, the steps needed to safeguard your applications are far from complex. They are tasks so simple that we sometimes forget how important they are.

So the lesson I learned from the scare? 'Never ever move from development to deployment again without first putting in place all the necessary security checks'.

1 comment:

untouched said...

dude, you got that right. where serious web applications are concerned, only the paranoid survive. that - or you're God. never underestimate the importance of practically everything. as they tell us in web development school: mistrust any input. you're better off paranoid than fired. or hacked. or both. and did i mention broke and/or owing?