Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
Thread beginning with comment 557294
RE[2]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 03:54 UTC in reply to "RE: it happens to everyone"
Alfman Member since:
2011-01-28

Soulbender,

"If security flaws are an 'inescapable part' of your development process then your process is fundamentally flawed."

I agree with you, it's shameful that there are developers who regularly produce security holes in software. But at the same time it's sort of a byproduct of the fast and cheap development process that companies are seeking. My experience with most companies is that "security" is little more than a PR selling point and not a genuine development philosophy.


"If the software was properly engineered that wouldn't automatically happen."

I think the OP was merely explaining the situation on the ground rather than trying to justify it. If so, I think he's right. It'd be nice if things were engineered correctly in the first place, but security is rarely a priority in development and usually only gets tackled in hindsight. I agree with you it's the wrong way to do it.

Reply Parent Score: 3

RE[3]: it happens to everyone
by Brendan on Tue 2nd Apr 2013 05:07 in reply to "RE[2]: it happens to everyone"
Brendan Member since:
2005-11-16

Hi,

"I think the OP was merely explaining the situation on the ground rather than trying to justify it. If so, I think he's right. It'd be nice if things were engineered correctly in the first place, but security is rarely a priority in development and usually only gets tackled in hindsight. I agree with you it's the wrong way to do it."


A company's only goal is profit - their products are just a by-product of that. If engineering things correctly costs more than the potential cost of fixing things if/when they break; then engineering things correctly is the "wrong" way to do it.

- Brendan

Reply Parent Score: 3

RE[4]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 06:36 in reply to "RE[3]: it happens to everyone"
Alfman Member since:
2011-01-28

Brendan,

"A company's only goal is profit - their products are just a by-product of that. If engineering things correctly costs more than the potential cost of fixing things if/when they break; then engineering things correctly is the 'wrong' way to do it."

That's all true, and it wouldn't be a big deal if the company were only putting its own data at risk. Unfortunately the victim of these poor security measures is often not the company but rather its customers. Companies should have a responsibility to protect customer data. When a company takes private data and says it will keep it private, it's borderline fraud when they take shortcuts and fail to implement good security practices.

I realize my security demands are futile in modern business where nothing is worth doing right if it can be done wrong for cheaper. But frankly sanitizing input should automatically be standard practice for all developers on all user facing projects without needing to be justified on a balance sheet, sheesh.

I miss the old maxim: If it's worth doing, it's worth doing right.

Reply Parent Score: 3

RE[4]: it happens to everyone
by ricegf on Tue 2nd Apr 2013 09:47 in reply to "RE[3]: it happens to everyone"
ricegf Member since:
2007-04-25

Not all companies set profit as their only goal.

Reply Parent Score: 4

Soulbender Member since:
2005-08-18

"A company's only goal is profit"


That's not universally true and I doubt it's even true for most companies.

"If engineering things correctly costs more than the potential cost of fixing things if/when they break; then engineering things correctly is the 'wrong' way to do it."


No, it's still the wrong way to engineer things. Correct engineering is not a function of profit goals.

Reply Parent Score: 3