Sunday, December 12, 2010

Website Developers are also equally responsible for the hacking!!!

    Every time a website is hacked, the hackers are blamed. But is the hacker the only one to blame?
Web developers are the real criminals: website developers are equally responsible for the hacking.

     The recent incident involving the CBI website is the biggest embarrassment. The CBI registered a case against unknown hackers for the defacement. But the web developer who is paid a huge amount to develop and maintain such high-profile sites escapes the clutches of the law.

     Not only the hackers but also the website developers are responsible for the hacking, since they don't develop websites that are completely secure. Jeff Moss, a black hat hacker, has said that no hacker can hack any website if it is secured. Hackers can hack only those websites that have vulnerabilities.

    The developers are paid lakhs of rupees for their creation, and hence it is their responsibility to develop it without any loopholes. But their carelessness invites hackers who are looking for prey. Many website developers don't realize how poor the programming techniques they propagate are. Surprisingly, most web developers are not certified. Even the Government website of our country is developed by such web developers, who are not trained and have only a little skill.

     A hacker requesting anonymity said, “Why are the hackers targeted and not the web developers and testers? Hackers hack only those websites which have vulnerabilities. Web developers should be prosecuted for their sloppy work.”
While selling themselves as experts (which makes it hard to convince management that they are wrong), they use bad programming practices.

     Sometimes the website of a very crucial department is handed to web developers who are still studying in college and have no professional experience of any type of website development. The development work is given to college-going kids (who don't even know the basics of how to secure a website) purely on the basis of personal relationships. The result is a website full of loopholes that invites hackers and causes embarrassment.

     “Developers must possess advanced PHP skills and have hacking/security knowledge for web development. Also, they should have a good understanding of a large range of other computer-related topics. They are responsible for coding new projects and handling bug fixes and bug reports,” said Mahesh Salunke, a web developer.

     Developers are blissfully ignorant of how insecure the code they write is. To oversimplify, an application security specialist’s job is to remove a developer’s bliss, their happiness.

     Why don't developers write secure code? “Why should developers write secure code? There, that's the question the application security industry needs to be answering, and answering convincingly. Secure code is not implicit, it's explicit. Meaning, code cannot be considered even remotely secure unless one specifically asks for it in the requirements,” said Subhash Jha, Asst. Web developer. He added, “If the company asks, only then would it be developed smartly and tested thoroughly. If secure code isn't explicitly asked for, you almost certainly won't get it.”

     He also said, “To further emphasize the point, if you read any software end-user licensing agreement (EULA) you'll notice software makers directly state that there is no warranty and no guarantee regarding the performance of their product, which includes security, and at the same time they waive all liability should any errors occur. Therefore, unless a new and profound legal precedent is set regarding the enforceability of these EULA provisions, secure code being explicit, rather than implicit, is unlikely to change.”
