
There is a show about a Canadian contractor who goes around and works for families that have had chronic problems getting their home built or remodeled. The host is an actual contractor; he walks through the home and explains where the last contractor went wrong and what the right solution is. He clearly shows how the shortcuts that were taken end up costing the customer much more than doing the job properly would have in the first place.

I find myself in a very similar position when consulting for our customers on their interactive projects. Time after time we get called in to fix problem projects or to redevelop projects that have failed. The common thread in many of them is an attempt to save money up front by choosing the least expensive vendor. The discount vendor starts the project and is not able to finish it. Or worse, the vendor delivers the piece and the client cannot use it because the workmanship is so poor it would damage their image.

Let me share a recent experience. A client of Cyber X Designs elected to use an SEO firm based in India. They chose the firm because the price was ‘right’ and the client wanted to move quickly on the SEO effort. The SEO company developed code for integration with the client’s existing web application. Per our agreement with the client, Cyber X Designs was to audit all the code before it was integrated with the application. What we found was amazing! The ‘SEO’ development company provided PHP code that was dangerously insecure for any website, let alone one that accepts credit card information. The first error we found was unescaped and unfiltered user data being sent directly to MySQL. This was a huge and very simple SQL injection vulnerability. It could have been avoided with just a small amount of work.

The second major error was that the web form posted content directly to the client’s live website. There was no code, count it, ZERO, dedicated to managing or staging the posts. The SEO company had promised that functionality, but upon delivery it was missing.

The last major problem was that user-submitted content was being displayed directly, without any of the HTML or JavaScript in it being escaped. This left the scripts vulnerable to cross-site scripting (XSS) and would have put every user of the site at risk.
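The three faults above, written out as an added example that is not code from the original post or from the SEO vendor: a hypothetical PHP comment-form handler in the vendor’s pattern, beside a hardened version that uses PDO prepared statements, stages new posts as ‘pending’ until approved, and escapes output with htmlspecialchars(). The table names, the customers data and the attacker inputs are constructed for the demonstration, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post or from the SEO vendor.
// A hypothetical comment-form handler with the three faults described above
// (SQL built by string concatenation, no staging, unescaped output), next to
// a hardened version. An in-memory SQLite database via PDO makes it run
// stand-alone; the same PDO calls work against MySQL with a "mysql:" DSN.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT,
               body TEXT, status TEXT NOT NULL DEFAULT 'pending')");
    // Constructed data standing in for the sensitive tables a real shop has.
    $db->exec("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)");
    $db->exec("INSERT INTO customers (email)
               VALUES ('alice@example.com'), ('bob@example.com')");
    return $db;
}

// ---- The pattern the vendor shipped (do not use) ---------------------------
function saveUnsafe(PDO $db, string $author, string $body): void
{
    // Fault 1: input spliced into the SQL text. Fault 2: published at once.
    $db->exec("INSERT INTO comments (author, body, status)
               VALUES ('$author', '$body', 'live')");
}

function renderUnsafe(PDO $db): string
{
    // Fault 3: stored HTML/JS is echoed verbatim into every visitor's page.
    $html = '';
    foreach ($db->query("SELECT author, body FROM comments") as $row) {
        $html .= "<p><b>{$row['author']}</b>: {$row['body']}</p>\n";
    }
    return $html;
}

// ---- Hardened version -------------------------------------------------------
function saveSafe(PDO $db, string $author, string $body): void
{
    // Bound parameters: the values never become part of the SQL grammar,
    // and a new post is staged as 'pending' instead of going live.
    $stmt = $db->prepare("INSERT INTO comments (author, body, status)
                          VALUES (:author, :body, 'pending')");
    $stmt->execute([':author' => $author, ':body' => $body]);
}

function approve(PDO $db, int $id): void
{
    $stmt = $db->prepare("UPDATE comments SET status = 'live' WHERE id = :id");
    $stmt->execute([':id' => $id]);
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSafe(PDO $db): string
{
    // Only moderated rows are shown, and every value is escaped for HTML.
    $html = '';
    $rows = $db->query("SELECT author, body FROM comments WHERE status = 'live'");
    foreach ($rows as $row) {
        $html .= '<p><b>' . esc($row['author']) . '</b>: ' . esc($row['body']) . "</p>\n";
    }
    return $html;
}

// ---- Demonstration with constructed input ----------------------------------
// A body that closes the quoted value and splices in a subquery: under
// saveUnsafe the stored "comment" becomes the list of customer e-mails and is
// published immediately. ("||" is SQLite's string concatenation; MySQL would
// need CONCAT(), but the injection point is the same.)
$sqli = "' || (SELECT group_concat(email, ', ') FROM customers), 'live'); --";
$xss  = '<script>alert(document.cookie)</script>';

$db = openDb();
saveUnsafe($db, 'alice', 'Nice site.');
saveUnsafe($db, 'mallory', $sqli);
saveUnsafe($db, 'mallory', $xss);
echo "--- vendor pattern ---\n", renderUnsafe($db);

$db = openDb();
saveSafe($db, 'alice', 'Nice site.');
saveSafe($db, 'mallory', $sqli);  // stored as literal text, never executed
saveSafe($db, 'mallory', $xss);   // stored as literal text, escaped on output
echo "--- hardened, before moderation ---\n", renderSafe($db);
approve($db, 1);
approve($db, 3);
echo "--- hardened, after approving ids 1 and 3 ---\n", renderSafe($db);
```

Run it with `php example.php`. In the vendor-pattern section the second row’s body is the concatenated customer e-mail list and the third row is a live script tag; in the hardened section nothing renders until a moderator approves a post, the injection payload is stored as harmless text, and the script tag comes out as `&lt;script&gt;…`. Prepared statements are the right fix for the SQL side; mysql_real_escape_string() on every value was the minimum acceptable alternative in PHP code of this vintage, but it is easy to forget on a single query, which is exactly how this vendor’s bug happens.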

The short of it is that the SEO company broke every basic rule in the book! If they had attended a single New York PHP meeting, read one PHP security book, read any PHP blog or attended any conference, it would have been painfully clear to them what they were doing wrong. The moral of the story is that it is worth having your code audited and investing in a respectable developer. You will save money and heartache in the long run.
Some PHP Security Resources:

Chris Shiflett’s book Essential PHP Security

Chris Snyder’s and Michael Southwell’s book Pro PHP Security

PHP Security Consortium

One Response to “Holmes on Homes”

  1. on 30 Jul 2007 at 1:58 pm gavin

    I had similar problems, but on a much smaller scale.

    I am a web designer, not a programmer. I outsource my programming jobs here and there on a small personal scale.

    Not to be rude or biased, but when I outsource work to firms/groups that do the work for literally $15 overseas, the shell of the software looks okay. The code is in SHAMBLES, because they pick up people from the street to work for $10 an hour while the project is worth thousands of American dollars. They don’t really care about the security of your sensitive information over time; they care about the money. An in-and-out deal. The same goes for construction contractors.

    Funny you mention Mike; I worked on the show for 4 years (seeing as construction is my main concentration). The same principles can be carried over to the IT world.

    Quality costs. When you go to the BMW dealership and you’re looking at the new 700-series, you don’t tell the staff “Look, I’ll give you $25k, ok... deal?” NO. Price (for the most part) is governed by quality. We see this scenario EVERY SINGLE DAY in the construction world, and I know you boys see it in the IT world as well.

    Don’t be fooled by the cheap way out; it costs more in the end. The only ones laughing are your competitors.

    Gavin MacRae
    GJ MacRae Foundation Repair
    Toronto, ON
