On day one of the project, Kenneth was given a single rule that was to be followed under all circumstances. “You do not talk to the SAP contractors. They’re too busy, and their time is too valuable. They do not have time for front-end developers.”

As a front-end dev, Kenneth was used to being told to take his crayons and get back to work. A front-end dev forbidden from talking to the developers behind the back-end? What could go wrong.
What’s in the box? And why does it smell so bad?

The product was a “redeem points for cool products” system. A customer could purchase a gift-box. The outside of the box was labeled with a public code, and the inside was labeled with a private code. A user could enter both codes into the system to redeem points. Those points could then be used to buy tchotchkes from their web store.

There were all sorts of ironies in the project. While Kenneth was forbidden from talking to half the team, the project managers kept chanting “agile”. They used the word, not because it meant anything, but because it was a mantra to ward off project slippage. Of course, slippage looked almost inevitable, since every project milestone date was chosen through the “toss a dart at the calendar” method. It also didn’t help that Kenneth and the SAP guys were working from entirely different specifications.

Kenneth went to his boss’s office to attempt to explain the latest problem. “The spec says that we need to validate a customer’s code before we let them create an account,” Kenneth said to Jack.

“Yes.”

“But this is just an HTML/JavaScript front end. So that validation should happen on the back end.”

“Yes…,” Jack said, with less confidence.

“But there’s no back-end method for us to do that.”

“Yes…? So what’s the problem?”

“That is the problem. We need a method on SAP to let us check if the code is valid.”

Jack nodded. “So… this means changing the SAP specification. I don’t know that we can do that…” Jack called his boss, who called her boss, who called the SAP team’s boss. A meeting was scheduled between the management levels, which meant Jack and Kenneth needed to have a pre-meeting with Jack’s boss, which meant Jack and Kenneth needed to have a pre-pre-meeting. After roughly 85-person-hours of meetings, an agreement was reached: the SAP team would expose their validation logic as a web service, so that the web team could validate gift codes.

Since everyone was collaborating so well, the management team pushed the deadline up four more weeks, “because Agile means thinking on your feet.” After pulling a month of 60–70 hour weeks, Kenneth had a sense that Agile actually meant being dead on your feet.

After too many late nights, the project launched, on time and over budget. It was loaded with bugs, mostly minor, and too few test plans to actually identify or help triage the bugs. Over the next six months, Kenneth and his front-end team handled their bugs, and it looked like the project was on the downhill slope.

At least, it was until TrudyHeart1971 created an account. Within minutes of joining the site, TrudyHeart1971 was redeeming a suspicious number of points. The management chant of “agile” was replaced by screams of “hackers!!!111!!!”. All-hands meetings started. For the first time, Kenneth and his team sat down in a conference room with the SAP guys: Sven and Lars.

Kenneth’s screen was mirrored on the projector as he scraped the logs. “This doesn’t look like a hacking attempt. These requests all look valid.”

“You would think that,” Lars said. He pointed at one of the entries. “These public and private codes don’t match.”

“In fact,” Sven said, “these private codes look completely fabricated. ‘12345678’? Not a code.”

“Okay, so that probably has something to do with the validation on your side, right?” Kenneth said.

Lars and Sven glanced at each other before turning to Kenneth and laughing at him. “We don’t validate the codes. There is a CheckCodes method we gave you. You are to do the validation.”

“You don’t validate the codes,” Kenneth said.

“No, of course not. We gave you a method.”

“You’re relying on the client-side JavaScript code to do all of the validation before requests hit your public-facing web service?” Kenneth clarified, hoping someone else in the room would see how insane this sounded.

“Alright, then.” The Big Boss rapped his knuckles on the table to get everyone’s attention. “It sounds like we know what the problem is: the front-end is insecure. And Kenneth, it sounds like you know how to fix it.”

In the end, technical ignorance and the contractors’ hourly rate guaranteed that Kenneth was forced to “fix” the front-end. Their cobbled-together solution was to implement a web-service proxy that performed validation on the server side, while making the existing public-facing (and utterly insecure) SAP services private.

Their “hacker”, TrudyHeart1971, had discovered the bug when she accidentally entered her code incorrectly and saw she received points anyway. She did this a few more times, before the guilt set in. The company briefly considered pressing charges, but someone realized that publicizing this sort of security mistake wasn’t in their best interests. They settled for removing Trudy’s points and a letter of apology.