Sunday, July 19, 2009

I'd rather have some policy, thanks

The ruling political party in SA, the ANC, suffered a rather embarrassing defacement of their website over this weekend. After the usual party propaganda, there was this little gem:

Let's zoom in on that a bit:

That's right. Jet charters. Government porn. A personal request of JZ perhaps?

According to the report, they can't sort this out until Monday. Now, I understand the annoyance of working over the weekends (hence my own recent lack of posts), but I'd call in my developers if I found this on my site.

Now let's assume for the minute that this wasn't a deliberate attack, which is a fair assumption considering that the site is listed (top right corner) as last updated today. This raises questions about the character of the development team that the government actually hires to design its websites, if they actually allow this to enter production.

This got me thinking though: what can the development team do internally to make a website more secure? Thinking beyond the usual prevent-SQL-injection story, here are some questions I would ask my team:
  • Have we ensured resigned employees have had all their access removed?
  • What is our process to ensure the correct version is uploaded to production?
  • Have we built it into our testing to check that the basics of security have been followed?
  • Who do we hold accountable?
Update: In the time it took me to write this post (approx. 30 minutes) the website was updated to remove the offending adverts. Apparently someone understood the value of not waiting until Monday.