Recent Representative Line

A single line of code from a large application that somehow manages to provide an almost endless insight into the pain that its maintainers face each day.

Oct 2011

Bullet-proof Encryption


Matthew R recently took a team-lead position and was tasked with improving the quality of the company's application. He started with security, specifically the fact that user passwords were stored in plain text. "But it's easier this way," the developer complained when Matthew suggested changing it, "plus, it's relatively easy to break modern encryption."

The Deadly Cookie


Over the years, Armid transitioned from being a full-time developer to a full-time pen tester (as in penetration testing, not pen testing) and he hasn't looked back since. "I did enjoy writing code," he commented, "but there's something really satisfying about demonstrating an XSRF attack to that smug developer who swore up-and-down that his code was perfect." And with things like PCI Compliance to worry about, there are plenty of projects to keep him busy.

"It takes a lot to surprise me anymore," Armid added. "In fact, these days, I'm surprised if I don't find a SQL Injection vulnerability. That being said, the public-facing operations engine of a large (3,000+ employee) company really surprised me. To say that it was filled with back doors would almost imply that someone thought to install doors -- this system has more openings than walls. But there was one vulnerability in particular that trumped them all."