
04/16/08 12:47 PM

Little Bobby Tables

Posted by Walt Turnes

Seriously, folks. This is just unacceptable.

The amount of effort put into securing an application needs to be proportional to the importance and sensitivity of the data. A SQL injection vulnerability that allows addition of records to the sex and violent offender registry? Are you kidding me? This wasn’t a “bad credit” kind of security hole; this was a “completely ruin somebody’s life” kind of security hole…and the steps required to exploit it aren’t exactly rocket science.

Given the description of how much effort it took to get the hole patched, it doesn’t sound like these developers should have ever been let within 10 feet of a computer, let alone a Department of Corrections application. How does this happen? How can security be such a non-issue to people responsible for dealing with information like this? And how can any developer, security industry or otherwise, NOT know about SQL injection?
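To make the fix concrete, here is an added example (my own code, not from the post or the application it describes) contrasting the string-concatenation pattern that produces this class of hole with the parameterized statement that closes it, using a constructed in-memory SQLite table as a stand-in for a registry. The table and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a registry table; schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def add_record_unsafe(conn, name):
    """Vulnerable pattern: the untrusted value is pasted into the SQL text,
    so a quote in the input changes the statement instead of being data."""
    conn.execute(f"INSERT INTO offenders (name) VALUES ('{name}')")
    conn.commit()


def add_record_safe(conn, name):
    """Fixed pattern: the value travels separately from the SQL text, so the
    driver stores it verbatim no matter what characters it contains."""
    conn.execute("INSERT INTO offenders (name) VALUES (?)", (name,))
    conn.commit()


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM offenders ORDER BY id")]


def demo():
    """Returns (unsafe_error, safe_names). The unsafe version breaks on the
    first ordinary apostrophe in a real name, which is the same mechanism an
    attacker relies on; the safe version stores any input, including the
    XKCD 'Bobby Tables' string, as plain text."""
    bobby = "Robert'); DROP TABLE offenders;--"  # kept purely as data here
    conn = make_db()
    try:
        add_record_unsafe(conn, "O'Hara")
        unsafe_error = None
    except sqlite3.OperationalError as e:
        unsafe_error = str(e)  # near "Hara": syntax error
    conn = make_db()
    add_record_safe(conn, "O'Hara")
    add_record_safe(conn, bobby)
    return unsafe_error, stored_names(conn)


if __name__ == "__main__":
    print(demo())
```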

Now, an explanation of the title: XKCD rules