One of the aspects of the work that I do is system analysis. I'm contacted regularly by individuals who are working on a new application or have an application that's about to go into production that they want me to look at. Generally, the focus is performance or scalability, but there's almost always a "is it secure?" comment in there.
Admittedly, I'm not a Chris Shiflett or Rsnake… you know, those guys who live, breathe, research, and eat security issues like it's their job. Oh wait, it is. 😉 In fact, in a conversation or two with Chris, he's enlightened me to a couple of tricks and tactics that he finds useful. Instead, I'm a guy who knows the basics, can apply them in different ways, and has developed a solid toolbox to detect and explore issues… I'm a practitioner, not a researcher.
In almost every case, I find a number of issues. Some are so small and simple that I give them a line or two of code to resolve the issue. Others are big and nasty and require significant rethinking of portions of their system… sometimes individual pages, other times how the core functionality is implemented. Sometimes they take my suggestions, sometimes they ignore me… honestly, as long as I identify the problem and suggest some potential fixes, it's not my problem. I've done my job.
Regardless, I'm sensitive about giving sample code to exercise the issue. I don't without explicit instruction to do so. I see it as opening too much professional risk to myself.
So here's the problem:
I worked with a customer last year who had a number of major security issues that I identified. On the scale of Little Bobby Tables issues… I gave them a number of scenarios where it could cause problems for them or their users, and they did nothing. In fact, they undid the handful of fixes that I did implement. Fast forward a bit and their system has been thoroughly compromised. I know because in the last week their system has started spewing spam and notifications to various addresses, one of them mine. I would wager that they're putting out enough garbage that their hosting company will shut them down any day. I can only imagine the problems their customers are having…
And the most interesting part:
Since I discovered the problem and reported it months ago, obviously I was the one who compromised it.