When Will Web Developers Learn

Stanford University is considered is fairly good college.  They have some well known grads such as Sergey Brin and Larry Page (Google founders), Herbert Hoover, Peter Thiel (Paypal founder), John Steinbeck and Sandra Day O’Connor.

But apparently when it comes to software, they, themselves, are not so good.

A little over a year ago they exposed the personal details of thousands of students and non-teaching staff.

Now another bug allowed students to access the data of other students.  This one is neither a hack nor a bug, but rather crappy software design that we see frequently.  Perhaps they should take a class in secure software development practices.

What did they do?

They put parameters on the address line something like

www.standford.edu/GetPrivateData?UserIdNumber=432643

While this is a bit of a simplification, if a user changed the number at the end, they could see other students information.

I remember eliminating this programming practice decades ago as not secure.  But not at Stanford.

They say that this is part of vendor provided software (where is their Vendor Cyber Risk Management Program?), so I hope their contract with the vendor says that the vendor is liable for breaches.  Probably not.  What do your vendor contracts say?

To add insult to it, the vendor is longer selling or supporting the software (kind of like those of you still running Windows XP).

Stanford’s disabled the software and told students to visit the registrar’s office in person if they need the information.  How 1960’s.

Long term, they will replace the software,

Does any of the software that you use pass parameters on the command line?

If so, you could be the next Stanford.

Not necessarily a “rep” that you want.

Information for this post came from Security Info Watch.

by