Watch out for insecure website developers!!!

We are just in the process of ‘tidying up’ a right pig’s ear of a website that one of our clients has asked to be folded into their main website. The website to be folded in was based on PHP and ran on a LAMP stack, so it should have been a simple undertaking.

Well, once we got our hands on the code of the website in question it became apparent very quickly indeed that whoever had done the development on the site had very little true professional development background and pretty much zero online security awareness, let alone ability. There are some people in the world who should not develop anything online, and this was a case in point.

Basically the problems we found were:

  • An SQL injection vector literally every time an SQL statement was used – a complete blanket failure is normally a hard thing to achieve, but no prisoners were taken in being insecure – it had to be 100%!
  • No input sanity checking. Want an email address to be a bit of HTML? No problem. Want passwords to be blank? No problem.
  • No sign-in checking on AJAX calls – basically, if you knew the entry points you could do anything you wanted!
  • No usage of unique indexes on usernames; they did a simple ‘if it doesn’t exist’ check instead. No wonder we found several duplicate records that had to be cleaned up before we tightened the nuts down on the schema.
  • etc, etc
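
The four findings above, handled the way they should have been, as an added example (not code from the site in question). The function names, the schema and the sample inputs are hypothetical, and an in-memory SQLite database stands in for the site's MySQL database so the script runs on its own:

```php
<?php
declare(strict_types=1);

// Constructed schema; in-memory SQLite stands in for the site's MySQL database.
// The UNIQUE constraint makes the database reject duplicate usernames itself.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email TEXT NOT NULL,
    password_hash TEXT NOT NULL)');

// Hypothetical helper: validate every field, then insert with bound parameters
// so user input is never concatenated into the SQL text.
function register_user(PDO $db, string $username, string $email, string $password): string
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) { return 'invalid username'; }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { return 'invalid email'; }
    if (strlen($password) < 8) { return 'password too short'; }
    try {
        $stmt = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)');
        $stmt->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 is an integrity constraint violation, here the UNIQUE index.
        if ((string) $e->getCode() === '23000') { return 'username taken'; }
        throw $e;
    }
    return 'ok';
}

// Hypothetical guard to call at the top of every AJAX entry point:
// without a signed-in session the request is refused before any work is done.
function require_login(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Constructed inputs, including the kinds of values the old code accepted.
$cases = [
    ['alice',  'alice@example.com',   'correct horse battery'],
    ['alice',  'other@example.com',   'another long password'], // duplicate username
    ['bob',    '<b>not an email</b>', 'another long password'], // HTML as an email address
    ['carol',  'carol@example.com',   ''],                      // blank password
    ['obrien', "o'brien@example.com", 'another long password'], // quote is stored as plain data
];
foreach ($cases as [$u, $e, $p]) {
    echo $u, ': ', register_user($db, $u, $e, $p), "\n";
}
echo 'ajax without session: ', require_login([]) ? 'allowed' : 'refused', "\n";
```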

In essence, the website code as it stood put at risk:

  • The privacy and correctness of the data held in the database;
  • The website itself, as it was possible (using some SQL fu and silly script calling) to manipulate the code of the site itself. Basically drop in a command and control script and you could get the web site to become a slave very easily.
  • The hosting itself and other websites on it – essentially the website was hosted in such an insecure way that all the sites on the hosting would be at risk…

The takeaway

Please, please, please only employ people to develop online services for you if:

  • They actually have a direct qualification in software development from a known university. Qualifications to do with ‘online media’ etc do NOT teach security and online best practices – these are the guys you engage to make your website look good, they are not trained to implement. Bit like hiring a hairdresser to make a shampoo, they may come up with something that looks like shampoo but 24 hours later all your hair falls out!
  • They have an existing client list and/or direct experience in the online business doing commercial online development. If they haven’t done proper commercial work – stay well away!

In Conclusion

It may save you a bit of money in the short term to hire an ‘all smoke’ online developer – but you will end up paying 100x later on in lost brand value (when the website gets hacked), or 10x as much to someone like us to fix it before you lose brand value. Whereas if you had engaged us directly to begin with, it might have only cost as little as 5x.

It’s really a question of whether your business brand is worth the investment to have something developed that is secure and stable, or whether to ‘risk it all’ in a way that could take down your whole business reputation.