Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
spacem18367yIf it were me I probably would just fix it. After working 3 years on a system dont you take ownership and responsibility for its shortcomings?
-
@spacem that was only the root of the problems. There is no sort of access control at all, and looking at the html you can figure out which pages and endpoints you can call
-
@spacem but i learned from it, the next web project had a strict line between front- and backend and every call to the backend required a login (with whitelisted exceptions). Hibernate prevents sql-injections, react prevents xss and access control exists. Apart from XSRF everything got good.
-
coolenaab447yEveryone says they want security but implementing it can't take up any resources that they could otherwise translate into profit or sales if used for something else.
-
@YouAreAPIRate Add keycloak to this stack and you have mine (including CSRF Protection).
Btw. injection flaws such as SQL Injections are still the #1 security flaws according OWASP.
https://owasp.org/index.php/...
On my first day at work i was given the task to rewrite some code. I pulled the code, started the server and was greeted with a login-page. Instead of asking for credentials i tried good ol' " OR 1=1;#. Instand login, admin account. My boss was baffled, but instead of fixing this he decided other tasks had "higher priority". 3 years later, this still exists. I also heard some client runs the application open on the internet.
Everyone wants security, but some people decide to pull out the bottommost card in the fragile house of cards of security
rant