Database related Security Risks - Who has responsibility?

By Shellbot ·

I work for a company that purchased a bespoke web based database application a couple years ago. We hold highly sensitive personalised information, so security is important.

The company that created the system for us is a bit of a joke. But as it was all done before I came along, nothing i can do about it. (we are in the process of looking for someone else to do a rewrite and support the dang thing)

Anywho's, poking about this morning..(not my job to do so, but occasionally do so for the entertainment value...) and look-see what I found in the Web.config file (inetpub/wwwroot/appfolder):

Keep in mind, I have replaced the values with asterisks; in the file, they are there in plain view.

<add key="Database.ConnectionString" value="server=1**.***.***.*;uid=sa;pwd=*********;database=********"/>

Now..if something would have happened in the previous 2 years and someone was going down for it..who has responsibility??

Is it our fault for not having web devs to look after this, or is it their fault for developing it like this in the first place??

Just curious...
Now as I'm the one who found it, I get the pleasure of asking them to get their heads out of their @sses and explain why this is there as well as ask (nicely) that it be changed immediately.
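Added example, not from the thread or from the vendor's application: a small Python audit that parses a Web.config and flags the pattern the post found (a connection string stored in plain text that logs in as sa), while skipping a connectionStrings section that has been encrypted with ASP.NET Protected Configuration. The sample Web.config, its server address, names and passwords are all constructed.

```python
# Added example (not from the thread): audit an ASP.NET Web.config for what the post
# found, a plain-text connection string that logs in as SQL Server 'sa'. A section
# encrypted via Protected Configuration (configProtectionProvider set) is skipped.
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's appSettings entry; all values are fake.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Database.ConnectionString"
         value="server=10.0.0.5;uid=sa;pwd=Sup3rSecret;database=crm"/>
  </appSettings>
  <connectionStrings>
    <add name="Reports"
         connectionString="Server=10.0.0.5;User ID=crm_reports;Password=abc;Database=crm"/>
  </connectionStrings>
</configuration>
"""

USER_KEYS = {"uid", "user id", "user", "username"}
PASSWORD_KEYS = {"pwd", "password"}

def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict keyed by lower-cased, stripped names."""
    parts = {}
    for chunk in value.split(";"):
        if "=" in chunk:
            k, v = chunk.split("=", 1)
            parts[k.strip().lower()] = v.strip()
    return parts

def audit_web_config(xml_text):
    """Return (location, finding) tuples for each risky connection string."""
    root = ET.fromstring(xml_text)
    candidates = []
    for add in root.iterfind("./appSettings/add"):
        if "connectionstring" in add.get("key", "").lower():
            candidates.append(("appSettings/" + add.get("key"), add.get("value", "")))
    cs = root.find("./connectionStrings")
    if cs is not None and cs.get("configProtectionProvider") is None:
        for add in cs.iterfind("add"):
            candidates.append(("connectionStrings/" + add.get("name", "?"), add.get("connectionString", "")))
    findings = []
    for location, value in candidates:
        parts = parse_connection_string(value)
        user = next((parts[k] for k in USER_KEYS if k in parts), None)
        if user is not None and user.lower() == "sa":
            findings.append((location, "logs in as the sa (sysadmin) account"))
        if any(k in parts for k in PASSWORD_KEYS):
            findings.append((location, "password stored in plain text"))
    return findings
```

The remediation the post asks the vendor for amounts to replacing sa with a dedicated login that holds only the rights the application needs, and encrypting the section with aspnet_regiis -pe so the password is no longer readable from the file. Run against the sample, the audit reports two findings for the appSettings entry and one for the Reports string.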

a lesson learnt early

by Shellbot In reply to Yeah - It's good to laugh ...

I document everything. I have every email from the past 2 years..saved my butt more than once I'll say.

I totally agree re: Mickey Mouse..
we're not really a mickey mouse company, but the attitude towards IT definitely is..
they want IT, but are unwilling to "invest" in IT..

I'm still waiting for either a helper OR a manager ..that was promised to me over a year ago. As the work keeps piling up and up I smile and think..when I leave..they are so FUBAR'd.
Not that I'm all that great..but I'm the only one with any system other one to transfer information to..I'm only hanging onto the job because it's a decent place to work for the money I'm getting paid..

It's just after a couple years of trying to save the just say eff it and do your own thing..

Take the responsibility

by Dr_Zinj In reply to Database related Security ...

You found the mistake, you get to recommend the corrective action.
If you're not the person in charge of IS (and I assume as a position of DBA that you are not), then it's up to your boss to find and implement the fix. However, finding and successfully implementing a security fix of this nature could be a jumping point for you in this company, so make the most of it.

if only

by Shellbot In reply to Take the responsibility

Unfortunately they don't really understand, so I don't get a lot of brownie points.

I've pointed it out to the company we use for our application..they are "looking into the reason of why it's like that"

We have no one in charge of IS. We've 2 networks guys who keep the email and networks up and running.

I'm it..and no matter how many times I save their proverbial @rses, they don't really appreciate the mechanics of it. It's not their fault, IT is not their game and I understand that..
just frustrating to deal with, that's all :)

