The Fateful Pull Request

Your colleague has created the following code change and requested you review and approve it.

Would you have looked a bit harder if you knew this change would in part contribute to a security vulnerability which led to about 1.5 million web pages being defaced, and possibly damage the reputation of a piece of software that has built trust over many years?

If you are interested in the vulnerability, Sucuri's blog post explains how they found it and goes into a fair bit of detail. The counterintuitive part I find is this: introducing an (int) cast to sanitize the input, but applying it inconsistently, actually formed part of the bug. It is food for thought for the next time I do a code review.

However, this blog post is not about criticising the good people at WordPress; it is about secure code review practices. It only takes one unlocked door for a whole house to be robbed.

I hope you have a look at the Sucuri write-up, but don't stop there. Bring this up at your next team meeting. Discuss it. It doesn't really matter that this is PHP. A similar problem could occur with NodeJS due to the way parseInt works. If nothing else, it keeps security top of mind.
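To make the (int) cast and parseInt point concrete, here is an added example (not code from this article, from Sucuri's write-up, or from WordPress): a simplified Node.js update handler in which the permission check and the write coerce the id differently, beside a hardened version that validates the id once and uses that single value in both places. The store, the `findPost` lookup and the handler names are hypothetical.

```javascript
// Added example, not code from the article or from WordPress: a simplified
// Node.js update handler showing how coercing an id inconsistently lets the
// permission check and the write it guards disagree about which record is
// meant. The store and handler names are hypothetical.
function makeStore() {
  return [{ id: 1, owner: "alice", body: "original" }];
}

// Simulates a database lookup that compares ids textually ("1" matches 1,
// "1abc" matches nothing).
function findPost(store, key) {
  return store.find((p) => String(p.id) === String(key));
}

function canEdit(user, post) {
  return post.owner === user;
}

// Vulnerable pattern: the authorization step looks up the raw id, the write
// step looks up parseInt(rawId). For "1abc" the first lookup finds nothing
// (so nothing is denied), while parseInt("1abc", 10) === 1 selects a real post.
function updateInsecure(store, user, rawId, body) {
  const existing = findPost(store, rawId);
  if (existing && !canEdit(user, existing)) return "forbidden";
  const target = findPost(store, parseInt(rawId, 10));
  if (!target) return "not found";
  target.body = body;
  return "updated";
}

// Hardened pattern: validate strictly, once, and use that one canonical id
// for both the permission check and the write. Rejects "1abc", "1.5", " 1".
function parseId(rawId) {
  if (typeof rawId !== "string" || !/^\d+$/.test(rawId)) return null;
  return Number(rawId);
}

function updateSecure(store, user, rawId, body) {
  const id = parseId(rawId);
  if (id === null) return "bad request";
  const target = findPost(store, id);
  if (!target) return "not found";
  if (!canEdit(user, target)) return "forbidden";
  target.body = body;
  return "updated";
}
```

The reviewer's question for any such change is whether every lookup that influences an authorization decision is keyed by exactly the same validated value as the write it protects.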

Software touches everything we do today, from boarding the bus, to visiting your doctor, to donating blood. Through regular postmortems, we can raise our collective intelligence and build the secure software that we all deserve.

More articles by Chui Tey