Breach case could curtail Web flaw finders
Robert Lemos, SecurityFocus 2006-04-26

Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

Breach case could curtail Web flaw finders 2006-04-26
Anonymous (7 replies)
I wonder who, reading this article and outraged by it, would support this case (which is essentially the same thing): Say someone is walking by your house and decides they want to test the safety of the lock on your door. They then proceed to pick the lock, take a stroll through your house, and grab an item of yours to prove they did it. When you come home they kindly let you know that they illegally came into your home, stole your stuff and are now returning it. And they expect you to be very happy that they identified a flaw in your lock.

I sure wouldn't be. Why is there a different standard here? If you aren't paid to assess a site then you shouldn't assess a site. Also, all code has flaws and I am sure the University has a ton of webpages and websites. It is ignorant to say that it is the developers' fault because they might not have had the time, tools or resources to manually or automatically review the code. It is even more ignorant to blame it on Information Security. The InfoSec team, for all anyone knows, might not even be included in the requirements for websites (if they even have an InfoSec team at all). If they have a team, it might not be familiar with application security, or they might not be informed when new code or webpages are set up. Even if they were, they might not have the proper tools to verify whether the site is vulnerable.


Link to this comment: http://www.securityfocus.com/comments/articles/11389/33751#33751
FreeMcCarty.com 2006-04-26
Anonymous (2 replies)
Re: FreeMcCarty.com 2006-04-27
carl
Re: FreeMcCarty.com 2006-04-28
Bilz
In other words don't steal data? 2006-04-27
Anonymous (1 replies)
Imagine a world... 2006-04-27
jvf (1 replies)
Re: Imagine a world... 2006-09-26
Dve
as expected... 2006-04-27
infamous41md (2 replies)
Re: as expected... 2006-04-27
BXLE
Re: as expected... 2006-04-28
Anonymous
appearance today 2006-04-29
mv
He Should be Prosecuted 2006-05-01
Anonymous (2 replies)
Re: He Should be Prosecuted 2006-05-01
Anonymous
Re: He Should be Prosecuted 2006-05-23
Anonymous
Breach case could curtail Web flaw finders 2006-05-18
Spider Jerusalem







 

Copyright 2009, SecurityFocus