It would be depressing. I ended up working somewhere we would regularly get called in to clean up messes and enterprise software is a disaster.
Huge application. Dominating it’s industry. It had only one user on a DBs with a password that hadn’t been changed in over a decade. Same user/pass for each DB as well. The DBs were all publicly accessible. The applications, clients, engineers, and everyone else used that singular user. Better yet, one DB even had a table for the locations of every server, what it did, and what credentials you needed to log into it. This app held insurance information, PHI, PII, payment information, etc. The “Founder” thought he was clever because he’d turned of all logging on the DB and was under the impression if he couldn’t detect a breach he didn’t have to report it. The DB engines were so unbelievably old “community” versions of DBs. The password was something along the lines of <company name>1998!
They had a load balancer that took traffic in on 443 and sent it to the server on 80, but since the servers only used 80 and no one explained networking to them, every internal request would be sent to the open internet on 80, hit another source, and then would make it’s way back to the load balancer and into the app. They were excited to show it to me and everything. Networking and Developers are like water and oil.
Yes that did get reported to governing bodies. They slapped he company on the wrist. No fine. I fixed it so it’s nearly bulletproof now. When I turned on logging I do want to note there were TONS of connections to Iran South America, China, India, Russia, etc.
But that’s A LOT of apps. We kept doing M&As and 3/4 apps that are being sold were the exact same. Hell, I’ve seen apps handling CUI store their data unencrypted on open servers. Reported as well, but nothing ever happens. We were told by one person that the laws and fines only exist to hit companies after there’s a breach AND a lawsuit from users. Before then there’s no victim and no crime.
Tldr; auditing software is a lot like what I imagine smoking crack is like.
Huge application. Dominating it’s industry. It had only one user on a DBs with a password that hadn’t been changed in over a decade. Same user/pass for each DB as well. The DBs were all publicly accessible. The applications, clients, engineers, and everyone else used that singular user.
At least one of those people seriously considered doing crime, right? It would be like shooting fish in a barrel and, with simple steps to hide your network origin, there would be no way of finding the culprit. With the kind of ransoms you could get from a company like that you could go and live happily ever after in Dubai.
It would be depressing. I ended up working somewhere we would regularly get called in to clean up messes and enterprise software is a disaster.
Huge application. Dominating it’s industry. It had only one user on a DBs with a password that hadn’t been changed in over a decade. Same user/pass for each DB as well. The DBs were all publicly accessible. The applications, clients, engineers, and everyone else used that singular user. Better yet, one DB even had a table for the locations of every server, what it did, and what credentials you needed to log into it. This app held insurance information, PHI, PII, payment information, etc. The “Founder” thought he was clever because he’d turned of all logging on the DB and was under the impression if he couldn’t detect a breach he didn’t have to report it. The DB engines were so unbelievably old “community” versions of DBs. The password was something along the lines of <company name>1998!
They had a load balancer that took traffic in on 443 and sent it to the server on 80, but since the servers only used 80 and no one explained networking to them, every internal request would be sent to the open internet on 80, hit another source, and then would make it’s way back to the load balancer and into the app. They were excited to show it to me and everything. Networking and Developers are like water and oil.
Yes that did get reported to governing bodies. They slapped he company on the wrist. No fine. I fixed it so it’s nearly bulletproof now. When I turned on logging I do want to note there were TONS of connections to Iran South America, China, India, Russia, etc.
But that’s A LOT of apps. We kept doing M&As and 3/4 apps that are being sold were the exact same. Hell, I’ve seen apps handling CUI store their data unencrypted on open servers. Reported as well, but nothing ever happens. We were told by one person that the laws and fines only exist to hit companies after there’s a breach AND a lawsuit from users. Before then there’s no victim and no crime.
Tldr; auditing software is a lot like what I imagine smoking crack is like.
At least one of those people seriously considered doing crime, right? It would be like shooting fish in a barrel and, with simple steps to hide your network origin, there would be no way of finding the culprit. With the kind of ransoms you could get from a company like that you could go and live happily ever after in Dubai.
Absolute madness.