Pillar to Post: Peter Welander's Blog   
Building security around poor programs
November 9, 2007

Last Tuesday I posted a story about a woman who found a hole in an online shopping program that she exploited for her own fun and profit. I asked several cyber security experts to offer their viewpoints on the matter. Here's the first one, from Todd Nicholson, Industrial Defender:

"We view this more of an internal accounting and process breakdown than a specific cyber security hacking attempt. Clearly the shopper discovered an open loop in the online transaction process that enabled her to place orders without paying for them, which is a very scary situation for online merchants, but it is highly unlikely that a security system would be able to protect against the type of flaw or vulnerability that caused this incident. Proper application testing and validation of the online ordering application should have provided visibility into this issue. Also, QVC accounting and auditing processes should have detected an anomaly in these transactions."

True, this is not hacking in the traditional sense. Ms. Moore-Perry simply took advantage of a program anomaly that was presumably open to anyone who made the same discovery. (We have no way of knowing if others found the same opening.) Todd's point about proper application testing and validation is well made. Programs in the industrial arena should also be subjected to thorough testing to make sure the code is sound before applying security protocols.
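To make the two controls Todd describes concrete, here is an added example (not the page's, QVC's, or Industrial Defender's code) of what "closing the loop" looks like on the application side and what an accounting reconciliation check looks like on the audit side. It assumes each order carries a list of payment amounts actually captured for it; the order records are constructed sample data.

```python
"""Added example: an application-side fulfilment check plus an audit-side
reconciliation pass of the kind the post says should have caught orders
placed without payment. Not QVC's system; the order ledger is constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Order:
    order_id: str
    total: Decimal
    status: str            # "placed", "shipped" or "cancelled"
    payments: tuple = ()   # amounts actually captured for this order (assumed field)


def can_fulfil(order: Order) -> bool:
    """Application-side control: an order may ship only when captured
    payments cover its total. This is the check whose absence leaves the
    'open loop' the quoted expert describes."""
    captured = sum(order.payments, Decimal("0"))
    return order.total > 0 and captured >= order.total


def reconcile(orders) -> list:
    """Audit-side control: list every order that shipped without payment
    covering its total, with the unpaid shortfall. Run over a day's ledger,
    it surfaces the anomaly the post says accounting should have seen, even
    if the application-side check was missing or bypassed."""
    findings = []
    for order in orders:
        captured = sum(order.payments, Decimal("0"))
        if order.status == "shipped" and captured < order.total:
            findings.append((order.order_id, order.total - captured))
    return findings


# Constructed sample ledger: one clean order, one shipped with no payment,
# one shipped partially paid, one cancelled, one zero-value order.
SAMPLE_ORDERS = [
    Order("A100", Decimal("49.99"), "shipped", (Decimal("49.99"),)),
    Order("A101", Decimal("120.00"), "shipped", ()),
    Order("A102", Decimal("75.50"), "shipped", (Decimal("25.50"),)),
    Order("A103", Decimal("30.00"), "cancelled", ()),
    Order("A104", Decimal("0.00"), "placed", ()),
]


if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(f"{order.order_id}: may fulfil = {can_fulfil(order)}")
    for order_id, shortfall in reconcile(SAMPLE_ORDERS):
        print(f"order {order_id} shipped with {shortfall} unpaid")
```

The point of having both functions is the one Todd makes: the application check is what testing and validation should confirm is present, while the reconciliation pass is the accounting control that still catches the problem when the application check is wrong.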

The SANS Institute offers courses on secure code writing. Here's an example.

Posted by Peter Welander on November 9, 2007

© 2008 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.