
After so many decades in this industry nothing surprises me at all. Security is usually an afterthought that barely warrants spending more than a token amount. I once did a contract at a public university and found the app that every department used to verify with the state that money was appropriately spent used incrementing IDs in the URL and used GET to handle the delete button. I wound up fixing it for them on the way out (after weeks of them telling me it wasn't a concern). A simple command line script would have deleted the entire database, leaving the university with no budget for the upcoming year. Another place I worked kept production passwords in the code repository; when I complained they told me they passed their audits every year so it didn't matter. A HIPAA company in the US, no less.
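The two defects in the budget app above (a state-changing GET on a guessable sequential ID, with no ownership check) next to a hardened handler, as an added illustration that is not code from the commenter or the university; the in-memory store, the `Request` class and the department names are constructed for the example.

```python
import hmac
import secrets
import uuid
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    params: dict            # query-string parameters
    user: str               # authenticated caller (constructed: a department name)
    form: dict = field(default_factory=dict)


# Constructed sample data: two departments with one budget record each.
SESSION_SECRET = secrets.token_bytes(32)   # server-side secret, never sent to the client


def csrf_token(user: str) -> str:
    """Per-user CSRF token: HMAC of the identity under the server secret."""
    return hmac.new(SESSION_SECRET, user.encode(), "sha256").hexdigest()


def make_vulnerable_store() -> dict:
    # Sequential integer keys: anyone can guess the next record.
    return {1: {"owner": "dept_a", "amount": 100}, 2: {"owner": "dept_b", "amount": 250}}


def delete_vulnerable(store: dict, req: Request) -> bool:
    """Mirrors the bug described: GET changes state, ID is guessable, owner is never checked."""
    rid = int(req.params["id"])
    return store.pop(rid, None) is not None   # True means the record was deleted


def make_hardened_store() -> dict:
    # Random UUID keys remove the enumeration path; the real fix is the authz check below.
    return {str(uuid.uuid4()): {"owner": o, "amount": a} for o, a in [("dept_a", 100), ("dept_b", 250)]}


def delete_hardened(store: dict, req: Request) -> bool:
    """Fixed handler: POST only, CSRF token bound to the caller, caller must own the record."""
    if req.method != "POST":
        return False                          # a link or prefetch can never delete anything
    if not hmac.compare_digest(req.form.get("csrf", ""), csrf_token(req.user)):
        return False                          # cross-site form post without the token is rejected
    rid = req.form.get("id")
    rec = store.get(rid)
    if rec is None or rec["owner"] != req.user:
        return False                          # same answer for missing and foreign records (no oracle)
    del store[rid]
    return True
```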


