Poorly designed corporate sites

[kalidas]

Take a look at this site from Dicks Sporting Goods. Their shipping docs can be accessed online.

http://www.dsgfreight.com/UserFiles/File/

While it doesn't contain extremely confidential information, it definitely looks like proprietary info that needs to be secured.

[sarv_shaktimaan]

wow! looks like a case of bad production release.

• A Production defect needs to be raised with critical priority
• a RFC (Request for Change) will need to be logged with the Change Management team
• VP's approval needs to be sought for a same day fix.
• Ensure the admin team is made aware of the work coming their way during off-hours.
• Fish-bone RCA (root cause analysis) is generally recommended when such lapses happen.
• Audit teams will be interested in a summary of this mishap.

P.S. Good luck explaining to the VP how this was missed in QA and production release validation.

[kalidas]

Quote:

Originally Posted by sarv_shaktimaan

wow! looks like a case of bad production release.

• A Production defect needs to be raised with critical priority
• a RFC (Request for Change) will need to be logged with the Change Management team
• VP's approval needs to be sought for a same day fix.
• Ensure the admin team is made aware of the work coming their way during off-hours.
• Fish-bone RCA (root cause analysis) is generally recommended when such lapses happen.
• Audit teams will be interested in a summary of this mishap.

P.S. Good luck explaining to the VP how this was missed in QA and production release validation.

I don't think there is time for an RFC.

They need to open a incident ticket and issue the developers emerids.

There is a major loophole in their authentication / authorization framework. I'm guessing that the files reside on a separate framework and the network guy decided to open up port 80 to the world, since the referencing app was in the dmz. This is clearly shitty architecture.

They need to move the file server behind the DMZ. Webserver and app server teams need to make config changes. The app needs to make config changes. This is a mess I tell you.

[sarv_shaktimaan]

An incident ticket does make it easier to hush up matters. this way nobody'll know.. a secret pact between the admins and development team. The developer goes to the admin.. buddy, I owe you one.

[kalidas]

Quote:

Originally Posted by sarv_shaktimaan

An incident ticket does make it easier to hush up matters. this way nobody'll know.. a secret pact between the admins and development team. The developer goes to the admin.. buddy, I owe you one.

It's not that easy. Because you will need an outage. It will show up in a weekly mgmt outage report.

But I'm sure mgmt will also want to hush things for cya purposes.

[another indian]

Quote:

Originally Posted by kalidas

I don't think there is time for an RFC.


There is a major loophole in their authentication / authorization framework. .

now I am not a computer/software enginner to comment on this & I don't understand any details which you have written.

I feel that if you know a major loophole in some company. you can try contacting the top mgmt. of that company & informing them about the loop hole.In return to this info.,you can ask for some small reward.

If you want something in return, try to contact only the top mgmt, as employees may themselves take credit.

[sgars]

You guys forgot to blame the business for not mentioning in the requirements that these files need to be secured from general public.
The QA guy could say that security testing is not on his scope.

[dirty]

Quote:

Originally Posted by another indian

now I am not a computer/software enginner to comment on this & I don't understand any details which you have written.

Then why are you commenting ? Move on to other threads .....

[Sane Less]

Quote:

Originally Posted by dirty

Then why are you commenting ? Move on to other threads .....

If this was the criteria to post on echarcha... then my fingers would have had cobwebs by now