You’re hired to fix a small bug for a security-intensive site. Looking at the code, it’s filled with security holes. What do you do? [closed]

I’ve been hired by someone to do some small work on a site. It’s a site for a large company. It contains very sensitive data, so security is very important. Upon analyzing the code, I’ve noticed it’s filled with security holes – read: lots of PHP files throwing user GET/POST input directly into MySQL requests and system commands.

The problem is, the person who made the site for him is a programmer with family and children who depend on that job. I can’t just say: “your site is a script kiddie amusement park. Let me redo it for you and you’ll be fine.”

What would you do in this situation?

Update:

I followed some good advice here and politely reported to the developer that I’ve found some possible security flaws on the site. I pointed out the line and said there could be a possible vulnerability for SQL injection attacks there, and asked if he knew about it. He replied: “sure, but I think that to exploit it the attacker should have information on the structure of the database; I have to understand better”.

Update 2:

I said that’s not always the case and suggested he follow this Stack Overflow question link in order to deal with it properly: How to prevent SQL injection in PHP? He said he would study it and thanked me for telling him before. I guess my part is done, thanks guys.
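The two patterns the question describes (user input concatenated into a MySQL query, and user input handed to a system command), each shown beside a hardened form. This is an added illustration, not code from the site in question; the table, column and command names are assumptions.

```php
<?php
// Added example: the two patterns described in the question, each in its
// unsafe form and a hardened form. Table/column names are assumptions.

// ---- Pattern 1: user input concatenated into a MySQL query ----
// Unsafe: the value becomes part of the SQL text, so whatever it contains
// is parsed as SQL. No knowledge of the schema is required to change the
// meaning of this query; the parser does that for free.
function findUserUnsafe(PDO $db, string $id): ?array {
    $sql = "SELECT id, name FROM users WHERE id = '" . $id . "'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

// Hardened: a prepared statement sends the query text and the value
// separately, so the driver never parses the value as SQL.
function findUserSafe(PDO $db, string $id): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ---- Pattern 2: user input passed to a system command ----
// Unsafe: the whole string is interpreted by the shell, so any shell
// metacharacters in the value are honoured.
function pingUnsafe(string $host): string {
    return (string) shell_exec("ping -c 1 " . $host);
}

// Hardened: validate against a strict allowlist first, then quote the
// single argument with escapeshellarg() so the shell treats it as data.
function pingSafe(string $host): string {
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host name');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Usage (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
// ]);
// var_dump(findUserSafe($pdo, $_GET['id'] ?? ''));
```

Disabling emulated prepares keeps the separation between query text and parameters on the server side rather than relying on client-side quoting.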

14

First and foremost here, the priority is to close the security holes.

If you’re working directly with the engineer who wrote this, document everything and give it to that engineer.

If not, tell your employer the security issues are bigger than initially thought and that the site needs a lot of work. Ask to work with the main developer who’s on the site, and offer to teach them about PHP security (don’t promise to make the person an expert, but do offer to train them in everything you know) so that person can take it over after you’re done.

Don’t make this a “this guy is bad, fire him” issue. Approach it from the perspective of “Hey, I found some potential bugs that need fixing stat, which seem to be coming from some ignorance/common misconceptions about site security. I’d also like to talk to your development so we can improve your site and hopefully avoid more of these issues in the future.”

4

There’s a difference between ignorance and incompetence. There was a time when you didn’t know what SQL injection was either, and there’s no reason to believe the original programmer isn’t capable of fixing the problems once he is made aware of them.

So tell them. Be specific and objective, and make yourself available to answer questions, provide examples of exploits, and recommendations for fixes. If they still don’t get it after that point, the most you can really do is not put any of your own personal information on the site.

1

Your job isn’t to redo the site for him. It’s to fix the small bug. However, if you’ve noticed security issues that should be fixed you can bring it up with the site owner and offer insight on what the problem might be.

Don’t berate or talk negatively about the original developer or comment on how horrible the code is. Be respectful and professional. You can offer to work with the developer to resolve the issues. Don’t try to fix it yourself or offer a solution unless you’ve been contracted to address the problem. If they follow your advice and you’re wrong they could come back on you.

First and foremost – fix the thing they hired you for. If you don’t do that, then you’ll be perceived as the type of consultant who’s interested in making more work for themselves, rather than getting the job done.

Along with the fixes, you need to give them a list of the stuff you’ve noticed that’s wrong from a security perspective, and why these things are wrong.

It won’t do anyone any good to not report the issues. If you had a specific task you were hired for complete it but document other security issues as you see them and report them to the appropriate individual, probably the individual that you are reporting to for the task you were hired for.

This is a situation where strong soft skills are going to come in handy, as handling this with tact will require not putting down the work done by others on the site and not making the developer feel as if you are questioning his talent.

Obviously avoid words like “crap, bad, poor, riddled” when referring to the code/flaws and similar words for the developer that wrote the site.

1

In addition to the other answers what you might want to do is point the developer at some resources on how easily SQL injection issues can be exploited, for example sqlmap which is an automated SQL Injection exploitation tool.

What I’ve found to be effective in demonstrating the seriousness of this kind of issue in the past is showing what can be done with it, so if you run something like that against a dev. copy of the site to show it extracting data etc you might convince them of the seriousness.

1

First and only: Management does not want to hear about problems. I got fired from the Office of Personnel Management (security clearances for the White House) because I pointed out how insecure their system was. That was a while back, but management attitudes have not changed.

Address the problem with the developer, via email so you have a trail, then walk or run away. When they do eventually have a problem, as a contractor, they will try to blame you, regardless of having any involvement even remotely connected to the problem.

Having a problem as fundamental as a SQL injection, indicates they were cheap when they initially developed the system, and odds are they are at best cheap now. Get what you can from them while they are still in business, but seek business development elsewhere.

1
