General discussion


Database related Security Risks - Who has responsibility?

By Shellbot ·

I work for a company that purchased a bespoke web based database application a couple years ago. We hold highly sensitive personalised information, so security is important.

The company that created the system for us is a bit of a joke. But as it was all done before I came along, nothing i can do about it. (we are in the process of looking for someone else to do a rewrite and support the dang thing)

Anywho's, poking about this morning..(not my job to do so, but occasionally do so for the entertainment value...) and look-see what I found in the Web.config file (inetpub/wwwroot/appfolder):

Keep in mind, I have replaced the values with asteriks, in the file, they are there in plain view.

<add key="Database.ConnectionString" value="server=1**.***.***.*;uid=sa;pwd=*********;database=********"/>

Now..if something would have happened in the previous 2 years and someone was going down for it..who has responsibility??

Is it our fault for not having web dev's to look after this, or is it their fault for developing it like this in the first place??

Just curious...
Now as I'm the one who found it, i get the pleasure of asking them to get their heads out of their @sses and explain why this is there as well as ask (nicely) that it be changed immediatly.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -


by Tony Hopkinson In reply to Database related Security ...

Who needs a buffer overrun ?

Collapse -

oops indeed..

by Shellbot In reply to oops

i actually laughed when i saw it..

in fact i'm still laughing, reason being is that it normally takes them 3-5 days to respond to one of my emails...i got a response in less than 7 minutes when i sent them an email asking for an explanation.
No answers yet, but they are "looking into it".


Collapse -

I have a picture of a bunch of people

by Tony Hopkinson In reply to oops indeed..

running around gibbering 'Not me guv' and fighting over the IIS admin manual to place down the back of their own trousers.

Collapse -

Why don't you just encrypt it?

by Scott @ SBS In reply to Database related Security ...

I'm not familiar with bespoke, but it looks a lot like an config section key.

I haven't tried it myself, but I'm under the impression that you can just encrypt the config section without having to change the web app at all.

Collapse -


by Shellbot In reply to Why don't you just encryp ...

i think you missed the point..
we've paid these guys X amount of money and they leave our massive security risk like that open?

I know it can be encrypted....the point is..they didn't. And the email they got from me told them that it a rather b1tchy way.

Its a political thing..I'm the DBA..I'm not authorised to make modifications to the web application. So I don't. I just poke around and point out the horrendous errors in the stupid thing :)

Collapse -

Definitely the company's responsibility

by drurys In reply to Database related Security ...

It seems to me that, in Ireland (and your profile indicates that your location is Dublin, IE), the data holder would be responsible under the Data Protection Act for keeping such data secure. In other words, your company has a legal obligation for data security.
If you get software developed by a 'Mickey Mouse' company, then you have to expect to get 'Mickey Mouse' software. I suggest that your company should have tested the software sufficiently to ensure that the data would be secure.
So, within the company you might blame the person who awarded the work to 'Mickey Mouse' or the person who signed off on the final product and implemented this less than satisfactory system.

Collapse -

Fantastic laugh

by Shellbot In reply to Definitely the company's ...

Thanks Drury! I needed that :) Its friday after all.

"Tested"??? The thing was live for 3 months before they hired me to do support/dba work for it.
"Signed off"??? No one ever actually signed contracts. I found a draft SLA kicking about that was never signed either.

I'm the only person in the place who knows anything about this type of stuff..i have nightmares..i shudder at the thought of what is going to crash next and how long will it take to be fixed..and when thats fixed..what will they have broken in the process

i'm always looking for a new job, but thing is..its not a bad place to i reckon as long as i keep my head on me and just document document document..I'll be grand for a while yet :)

Collapse -

**** the whistle

by jon In reply to Fantastic laugh

Dear Shellbot

I think you should take dryrys response very seriously. Your action could be to inform your management about the problem in a language understandable to them.

In that way you should expect the management to find the necessary resources to rectify the problem. If the management does not do that, then at least you can sleep at night assured that you made an attempt to solve the problem.

Save your mail to the management in case the authorities starts asking questions.

Collapse -


by Shellbot In reply to blow the whistle

I do take it serisouly..hence why I almost had a brain hemmorage when I saw the config file.

I've informed management, in a way they can understand it (not so easy to do all the time) and they are happy that I ask the development company that created the app to change it. So I've done so..

its just a cronic problem that gets to me sometimes, hence my flippancy..inherited a poor system, trying to keep it going with rubber bands and who can hardly use Outlook, never mind understand access issues bewteen web servers and databse servers..

*sigh*..all in a days work :)

Collapse -

Yeah - It's good to laugh, but...

by drurys In reply to Fantastic laugh

You said yourself that your company holds "highly sensitive personalised information, so security is important". It doesn't sound like the latter statement is true, judging by your most recent post.
So, maybe it's your own company that is the 'Mickey Mouse' organisation!
My advice? Whatever you do, document it. If you care about the company's attitude to security, tell them - then leave.

Related Discussions

Related Forums