Monday, November 21, 2005

Google Is Not Immune To Security Bugs

I heard today that Google released Google Base with a cross-site scripting bug (reported here, here, and here). For the non-geeks, this basically means that, for a period of time, you could use Google Base to get at a user's GMail or other personal information hosted on (something).google.com. Comforting, huh?

"But, George, no one is immune to security bugs!" you may say. Sure, bugs exist, especially in beta software. But these are basic, well-understood bugs we're talking about, not some obscure security hole that is hard to exploit.

Security is something that should be part of the "checklist to release this Beta on the web" list. It should be part of the team culture to ensure that these security tests happen. It's something that is typically learned the hard way, but something that is invaluable to learn once, and then leverage often.
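As an added illustration of the two points above (not code from the original post, and nothing to do with how Google Base was actually built), here is a constructed stand-in for a page that reflects a search term back to the user, shown unsafe and then hardened, plus the kind of automated pre-release check the post argues for. The function names, the probe string and the cookie header are all assumptions made up for this example; the second check shows why a bug on one host matters to its siblings when a session cookie is scoped to the shared parent domain.

```python
import html
from typing import Callable, Dict, Optional

# Constructed example: a results page that echoes the user's search term.
# Unsafe version: the term is spliced into the HTML verbatim, so any markup
# in it becomes part of the page.
def render_results_unsafe(term: str) -> str:
    return f"<html><body><h1>Results for {term}</h1></body></html>"

# Hardened version: every user-controlled value is HTML-escaped before it is
# placed into markup, so it can never open a tag or break out of an attribute.
def render_results_safe(term: str) -> str:
    return f"<html><body><h1>Results for {html.escape(term, quote=True)}</h1></body></html>"

# A harmless probe containing the characters reflected-XSS depends on.  If the
# rendered page still contains it byte-for-byte, the input was not escaped.
PROBE = 'xsscheck<"\'>'

def reflects_unescaped(render: Callable[[str], str], probe: str = PROBE) -> bool:
    """True when `render` echoes the probe without escaping it."""
    return probe in render(probe)

def cookie_domain(set_cookie: str) -> Optional[str]:
    """Return the Domain attribute of a Set-Cookie header, or None if host-only."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain":
            return value.lower().lstrip(".")
    return None

def cookie_shared_across_subdomains(set_cookie: str, host: str) -> bool:
    """True when the cookie's Domain is a parent of `host`, meaning the browser
    also sends it to sibling hosts under that parent.  Script injected on any
    one of those hosts then runs in a context that carries this cookie."""
    dom = cookie_domain(set_cookie)
    host = host.lower()
    if dom is None:
        return False  # host-only cookie: not shared with siblings
    return dom != host and host.endswith("." + dom)

def release_checklist(render: Callable[[str], str], set_cookie: str, host: str) -> Dict[str, bool]:
    """The two security items a beta should pass before it goes out the door."""
    return {
        "reflects_unescaped_input": reflects_unescaped(render),
        "session_cookie_shared_with_sibling_hosts": cookie_shared_across_subdomains(set_cookie, host),
    }

if __name__ == "__main__":
    # Constructed values: a session cookie scoped to the parent domain, served
    # from one of its subdomains.
    cookie = "SID=constructed-session-value; Domain=.example.com; Path=/"
    for name, render in (("unsafe", render_results_unsafe), ("safe", render_results_safe)):
        print(name, release_checklist(render, cookie, "base.example.com"))
```

Both checklist items are plain booleans, so they drop straight into a test suite: a release is blocked if the page reflects the probe unescaped, and the second flag tells you how far a single reflected-input bug would reach, which is exactly the GMail exposure the post describes.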
