|brotherhood of LAN|
| 2:33 pm on Jun 13, 2011 (gmt 0)|
I am not a lawyer, etc. I think it really comes down to the wording of your working agreement with your developers.
From the moral standpoint? Successful SQL injections are the fault of the developers. Good code is not vulnerable to web-based SQL injections.
| 2:44 pm on Jun 13, 2011 (gmt 0)|
I tend to agree. Unfortunately I cannot find any paperwork other than the invoice for the original site build (this was built in 2008), way before my time here.
|From the moral standpoint? Successful SQL injections are the fault of the developers. Good code is not vulnerable to web-based SQL injections. |
Contemplating moving the site & database away from the current developer/host to another developer, although I expect that will cost more than just the fee to fix it?
| 2:48 pm on Jun 13, 2011 (gmt 0)|
|although I expect that will cost more than just the fee to fix it? |
More than the fee to fix it, plus any potential future vulnerabilities?
I think it's fair enough that they charge you for their time to fix it (though 3 days? That seems excessive to me). But in 2008, it'd seem that they should've done a check for MySQL injections before launching the code. Not doing so seems pretty delinquent to me.
In other words, if you're going to keep them, pay them. But consider moving on (though now may not be the time to move - first thing is get the site back online).
| 3:05 pm on Jun 13, 2011 (gmt 0)|
Cheers for the replies guys, just emailed the web developers I usually work with, will see what they say, but I suspect you're right, wheel.
I'd just like to get the site back up and running.
| 3:42 pm on Jun 13, 2011 (gmt 0)|
If that's the priority, stick with the original coders. They built it, so they should know the code best. Anyone new is going to have to spend quite a bit of time looking through the code to get a feel for things.
|I'd just like to get the site back up and running. |
Then again, if it was written 3 years ago, the original coders may need some time to get back up to speed on the project. Also, is it the same company you used before or the exact same people who wrote the code in 2008? If it's just the same company, it may end up being different coders (the old ones may have moved on to another company).
Remember, there are 3 options when coding: price, speed, quality. Consider yourself lucky to be able to get 2 out of 3 at any time.
| 4:16 pm on Jun 13, 2011 (gmt 0)|
No code is ever perfect. Insist the code is thoroughly reviewed and as many issues as possible are fixed. If this is PHP, you'll be needing to make it fully PHP 5 compatible anyway. I'd guess that wouldn't have been done in 2008.
| 6:07 pm on Jun 13, 2011 (gmt 0)|
Your company. Software and resources to test these vulnerabilities are freely available - the web is full of attack signatures to type into forms and URLs - you should have tested one of their sites before using them.
I wouldn't spend too much on fixing it; SQL/XSS attacks evolve quickly & it's an indication of potentially more worrying problems. I'd look to a new system/supplier as it will be cheaper in the long run.
| 3:30 pm on Jun 14, 2011 (gmt 0)|
Thanks for all the replies. As a company we would like some assurances from the developers that the issue is resolved and it won't happen again (I know hackers are determined and, with the old adage, if they can they will; just look at Sony, Epic Games, Codemasters recently).
What sort of guarantee should I be looking for? Apparently I'm told by my sales director that they will offer a 6 week guarantee for the coding.
Never heard of that before.
| 9:09 pm on Jun 16, 2011 (gmt 0)|
Code warranty (guarantee) is quite common in software development, although 6 weeks is quite a short period - from my experience a 3 month warranty is more common. It basically means that any bug you find in that period will be fixed for free; after that period they can charge you for fixing the bug.
The best way to use this period is to get a good tester to test your site for the fixes they put in and to try to break what they have done. Anything you find within these 6 weeks in the area they were addressing should then be fixed for free.
In fact one should always insist on a clearly defined warranty period when ordering software from a third party.
| 10:06 am on Jun 17, 2011 (gmt 0)|
I agree, 3 months is quite normal in my experience too. It's normally stated as "bugs found within 3 months will be fixed FoC".
It nearly always gets missed because the client is not ready to start testing properly.
| 10:16 am on Jun 17, 2011 (gmt 0)|
In most countries the same legislation as for product warranties applies in such cases. When there was no warranty agreement in the original contract, usually the standard warranty that is regulated by law kicks in.
| 1:14 pm on Jun 17, 2011 (gmt 0)|
Any developer that doesn't phish for injections is not worth much.
Did they build the databases as well? What privileges were users given?
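The two technical points raised in this thread (that properly written code is not open to web-based SQL injection, and the question of how the database users were set up) are easy to show concretely. The following is an added example, not code from the site or from anyone in the thread. It uses Python's standard-library sqlite3 module as a stand-in for the PHP/MySQL stack the site presumably runs on, and the subscriber table and its three rows are constructed for the demo. It pairs a login query and a search query built by string formatting with the same queries written as parameterized statements, then runs a classic login-bypass payload and a UNION payload that dumps the password hashes through the search field.

```python
import sqlite3

# Constructed sample data for the demo; not real subscribers.
SUBSCRIBERS = [
    ("alice", "hash_a1"),
    ("bob", "hash_b2"),
    ("admin", "hash_c3"),
]


def make_db():
    """Build an in-memory subscriber table (constructed schema, not the site's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers ("
        "id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO subscribers (username, password_hash) VALUES (?, ?)", SUBSCRIBERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """The 2008-style pattern: user input spliced straight into the SQL text.
    A username of  admin' --  comments out the password check entirely."""
    sql = (
        "SELECT username FROM subscribers "
        "WHERE username = '%s' AND password_hash = '%s'" % (username, password_hash)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """Same query with bound parameters: the driver sends the values separately,
    so quotes and comment markers in the input are just characters in a string."""
    row = conn.execute(
        "SELECT username FROM subscribers WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, prefix):
    """Prefix search built by formatting. A UNION payload in the prefix turns a
    username listing into a dump of another column (here, the hashes)."""
    sql = "SELECT username FROM subscribers WHERE username LIKE '%s%%'" % prefix
    return [r[0] for r in conn.execute(sql)]


def search_safe(conn, prefix):
    """Parameterized prefix search; the wildcard is appended in code, not in SQL."""
    return [
        r[0]
        for r in conn.execute(
            "SELECT username FROM subscribers WHERE username LIKE ?", (prefix + "%",)
        )
    ]


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' --"
    dump = "' UNION SELECT password_hash FROM subscribers --"
    print("vulnerable login as admin with wrong password:", login_vulnerable(db, bypass, "wrong"))
    print("parameterized login with same payload:       ", login_safe(db, bypass, "wrong"))
    print("vulnerable search dumps hashes:              ", search_vulnerable(db, dump))
    print("parameterized search with same payload:      ", search_safe(db, dump))
```

The payloads are the kind of "attack signatures to type into forms and URLs" mentioned earlier in the thread; the fix is not to filter them but to stop building SQL out of strings at all. The privilege question is the second line of defence: if the web application's database account can only SELECT from the tables it serves, an injection that does get through can read but cannot rewrite or drop anything, which is why it is worth asking what grants the developers gave that account.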
| 1:29 pm on Jun 17, 2011 (gmt 0)|
The site was built in 2008; this is something I have inherited. There are 2 backend user logins with roughly 500 subscribers (tiny amount I know). The population and setup of the SQL database would have been handled by the developers.
The one bit of good news is our payment system is handled by WorldPay, so no financial info has been compromised.
Once the site is back I'm still going to have to write to all the subscribers asking them to log in and change their details, not looking forward to that.
| 6:59 pm on Jun 17, 2011 (gmt 0)|
If this is a UK site, you have a legal obligation to inform the Information Commissioner about the break in and inform all of the customers.
| 1:13 pm on Jun 20, 2011 (gmt 0)|
I have been drafting up an email this morning. I did not know about the Information Commissioner's Office though.
| 1:25 pm on Jun 22, 2011 (gmt 0)|
I have been looking into notifying the ICO; assuming you only hold details for marketing your products, you're exempt.
This is processing for the purpose of advertising or marketing your business, activity, goods, or services and promoting public relations only in connection with that business or activity, or those goods or services
This exemption only applies to data controllers who are advertising and marketing their own goods and services.
If you obtain personal data from a third party for the purpose of marketing your own goods and services, you will not lose the exemption.
Fixed the site but have since found more issues, it never ends lol