Saturday, May 22, 2010

Why Security Pros Drink...

A colleague posted this to his Twitter feed today ...and I felt compelled to really read and comment on the whole situation with OpenCart.

One quick note - this is, not -anyway...

Now, I read this post from Ben Maynard's blog (which is a worthy read, by the way, so add it to your RSS readers) - and you should too before you go any deeper into this post ...go ahead, I'll wait ...


OK, so now let's talk about what just happened.  Did you read the comments?  All of them?

Ben not only sent the developer an email explaining what CSRF is, but also sent that same developer links and tried to explain the issue.  This developer clearly "didn't get it".  But ask yourself: is that rare?

Now, I'm going to post the comment that really got me fired up from Daniel Kerr (the dev from OpenCart)... check this out:
Daniel Kerr says:
to be honest. this just shows the type of person he is. he thinks he's found some big hack and when i tell him to stop wasting my time he goes around posting my emails in forums and his blog. ben is a prat.
this sort of problem even today affects big sites like gmail, paypal. you really think everything is down to the person who writes the script? or the web user?

Say what?!  I'd love to grab this Daniel by the shirt-collar and rub this ass-hat's face into the steaming pile of shit he just made for himself.  Are you kidding me?  Someone does your job of finding a security vulnerability in your code (a major one at that), politely tells you about it, and gives you resources to understand it better and you have the stones (or is it just ignorance now?) to call him names on his own blog?

What an asshole.

By the way, Ben went on to write his own patch for OpenCart ...and maintained it some.  But then the developer went to an entirely new level of mental midget ...he apparently broke the patch in the update of the OpenCart code.  *facepalm*

Now ... what have we learned from this experience?  I don't know about you but what I'm learning is that developers just aren't going to get it... today, tomorrow or after we force mandatory "secure coding" education on them.  They just don't get it.  The discipline of software development apparently requires such full attention of your mind that you cannot even squeeze the very thought of writing your code with an ounce of prevention.

...and this, my dear friends, is why we in InfoSec drink...heavily.

So you think if we pooled our pennies we could buy this OpenCart idiot a clue?


Stephan Wehner said...

I think it's just a case of avoiding projects which have such problems -- in this case OpenCart.


Anonymous said...

Nothing we could save would offer a single clue to him. Nothing at all. It is that type of mindset that exposes countless web apps to this day.

Scott said...

Actually this is a perfect example of a developer who is uneducated about security and has casually heard of "web hacks" but doesn't grasp the impact of how they are exploited and what the effect is. In this case, Daniel Kerr thinks that anyone who falls for clicking on that kind of link is a fool and it's beyond his requirements to implement a technical means to stop these kinds of web attacks; a classic case of "developer mentality" vs. "security mentality".

Personally I think that Daniel needs to get pwned with some subtle web hack to grasp the reality of web security.

Patrick said...

Reading through that made my blood boil, but I think there's an important discussion to be had on how we as security folks deal with people who just don't get it.

If we actually want to improve security we have to win these people over, *especially* the most pain in the ass, egregious offenders.

I thought it was worthy of a full post:

Love to hear your thoughts.

Unknown said...

The worst thing is that nonce code (which is the most straightforward fix for this vulnerability) in PHP is very simple and straightforward. Like Scott said, this guy is one of those developers who thinks that because it's a hard vulnerability to exploit, its risk must be low.
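The nonce approach that comment refers to, shown as an added example: this is not OpenCart's code, not Ben's patch, and not from the original post or its comments. The function and field names (csrf_token, csrf_field, csrf_valid, the change_email handlers) are assumptions, and the session is passed in as a plain array instead of $_SESSION so the script runs from the command line.

```php
<?php
// Added example: synchronizer-token CSRF protection for a PHP form handler.
// Not OpenCart code or Ben's patch; names and the session array are assumptions.

declare(strict_types=1);

// Issue one random token per session and reuse it for every form in that session.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

// Hidden field that every state-changing form on the site must include.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Compare the submitted token with the session copy. hash_equals() is a
// constant-time comparison; a missing, non-string or mismatched token fails.
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Unprotected handler: any POST is acted on, so a form on some other site that
// submits to this URL is accepted with the victim's own session cookie.
function change_email_unprotected(array $post, array &$account): bool
{
    $account['email'] = $post['email'];
    return true;
}

// Protected handler: same action, but a request without a valid token is refused.
function change_email_protected(array $session, array $post, array &$account): bool
{
    if (!csrf_valid($session, $post)) {
        return false; // a real app responds 403 here and logs the rejected request
    }
    $account['email'] = $post['email'];
    return true;
}

// Constructed demonstration. A real app keeps the token in $_SESSION and
// renders csrf_field() into its own templates.
$session = [];
$account = ['email' => 'victim@example.com'];
echo csrf_field($session), PHP_EOL;

// A cross-site request cannot include the token, because the other origin
// cannot read the victim's session or page contents.
$crossSite = ['email' => 'changed@example.com'];
var_dump(change_email_unprotected($crossSite, $account));         // accepted: the account is changed
$account = ['email' => 'victim@example.com'];
var_dump(change_email_protected($session, $crossSite, $account)); // refused: no token
var_dump($account['email']);                                      // unchanged

// A request from the site's own form carries the token rendered by csrf_field().
$ownForm = ['email' => 'new@example.com', 'csrf_token' => csrf_token($session)];
var_dump(change_email_protected($session, $ownForm, $account));   // accepted
```

Two things the token alone does not cover: every state-changing action must be a POST (a GET that changes state can be triggered by an image tag, and no hidden field protects it), and the token must be checked on every such handler, not just the ones a reporter happened to test. Regenerating the token on login keeps an attacker from planting a known token before the victim authenticates.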