Development pressures making a mockery of online security
Published 2005-05-20 (category: news; last modified 2021-12-30)
https://www.cybersecurityinstitute.com/blog/index.php/2005/05/20/development-pressures-making-a-mockery-of-online-security/

Despite a series of high-profile online security blunders at leading retailers such as Argos and B&Q in recent years, companies selling online are still failing to train staff to look for bugs and glitches which could betray customer details or give rise to fraud.

While sophisticated hackers might always find a way into a system, many companies, such as the two mentioned above, are guilty of some basic failings which would have been discovered within minutes of penetration testing, according to a leading expert.

Dan Newman has been running one of the most popular certified ethical hacking courses for three years at the UK-based Training Camp and says he's not seen a single student from an e-commerce company put forward to attend, while financial institutions, government departments and the military are well up on the need for penetration testing. "We had one guy who worked for a retailer, but he funded it himself because he was actually looking to move into a new job in a different sector," said Newman.

While this doesn't mean e-commerce sites have never honed their penetration-testing skills, Newman is confident he'd have seen some of them through his classroom at least, or heard of their efforts, if such skills were commonly used in the online retail sector.

Newman walked Builder UK sister site silicon.com through a very basic "hack" which simply involves changing cookies to access any number of customers' details on one e-commerce Web site. By doing so a hacker would be able to download paid-for documents from other users' accounts with one keystroke.

Newman blames a lot of the failings on the pressures of the retail environment and on developers charged with getting functionality online in time to meet demand, rather than when it is ready. "I used to be a developer and I used to make the same mistakes they do," said Newman. A lot of the time, he said, "they're getting things out there as quickly as they can" without regard for security. "Some Web sites are just bulging at the seams," said Newman, referring to the multitude of security weaknesses just waiting to be exploited in the e-commerce sector.

Firebox.com is one online retailer happy to talk about its penetration testing. "Our IT team regularly check all of our security and always start with anywhere there could be a potential problem, and thankfully they have always been pleasantly surprised, but you still have to test," said a spokeswoman.

"I feel bad for a lot of companies who buy products from vendors who know nothing of security," added Newman.

But the fact that an e-tailer deals with a third-party vendor does not absolve it of responsibility for carrying out its own thorough penetration testing.

Source: http://uk.builder.com/webdevelopment/scripting/0,39026636,39247453,00.htm
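The cookie-tampering "hack" Newman demonstrates above is an insecure direct object reference: the server takes the user's identity from a cookie the client controls and never checks that the requested document belongs to that user, so editing the cookie switches accounts. The following Python is an added example, not code from the article or from any site it names; the handler names, the document table and the server secret are constructed for illustration. It shows the failing pattern beside a hardened handler that HMAC-tags the session cookie so it cannot be edited, and then checks ownership of the requested document server-side.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (hypothetical): paid-for documents and their owners.
DOCUMENTS = {
    "doc-1001": {"owner": "alice", "body": "Alice's purchased report"},
    "doc-2002": {"owner": "bob", "body": "Bob's purchased report"},
}

# Hypothetical server-side secret; a real deployment generates it at random,
# keeps it out of source control and rotates it.
SERVER_SECRET = b"constructed-demo-secret"


def vulnerable_download(cookies, doc_id):
    """The failing pattern: identity is whatever the 'user' cookie says.

    The cookie is neither integrity-protected nor compared with the
    document's owner, so changing it in the browser switches accounts.
    """
    user = cookies.get("user")
    doc = DOCUMENTS.get(doc_id)
    if user is None or doc is None:
        return None
    return doc["body"]


def _encode_payload(user):
    return base64.urlsafe_b64encode(json.dumps({"user": user}).encode()).decode()


def issue_session(user):
    """Called after a successful login: tag the session payload with an HMAC."""
    payload = _encode_payload(user)
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_session(cookie_value):
    """Return the user named in the cookie, or None if it is absent or tampered."""
    if not isinstance(cookie_value, str) or "." not in cookie_value:
        return None
    payload, tag = cookie_value.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd client input cannot raise.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["user"]


def secure_download(cookies, doc_id):
    """Hardened handler: authenticate the cookie, then authorise the object."""
    user = verify_session(cookies.get("session"))
    if user is None:
        return None
    doc = DOCUMENTS.get(doc_id)
    # Same answer for 'missing' and 'not yours', so the id space cannot be
    # enumerated by telling the two apart.
    if doc is None or doc["owner"] != user:
        return None
    return doc["body"]


def demo():
    """Replay the attack against both handlers and report the outcomes."""
    # Bob edits his cookie to claim he is Alice.
    tampered = {"user": "alice"}
    bob_cookie = issue_session("bob")
    # Bob swaps the payload of his genuine session for Alice's but keeps his tag.
    forged = _encode_payload("alice") + "." + bob_cookie.rsplit(".", 1)[1]
    return {
        "vulnerable_reads_alice": vulnerable_download(tampered, "doc-1001"),
        "forged_cookie_user": verify_session(forged),
        "secure_forged_reads_alice": secure_download({"session": forged}, "doc-1001"),
        "secure_bob_reads_alice": secure_download({"session": bob_cookie}, "doc-1001"),
        "secure_bob_reads_own": secure_download({"session": bob_cookie}, "doc-2002"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The two checks are independent and both are needed: a signed cookie alone still lets a logged-in customer fetch another customer's document by changing the document id in the URL, and an ownership check alone is defeated if the identity it compares against can be forged. A penetration tester reproduces the article's finding by editing the cookie and the id parameter in turn and confirming that neither yields another account's data.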