It seems that the whole Ashley Madison case is being used in a lot of areas as a learning exercise. We were all surprised (at least I hope) that people were careless enough to use their business e-mail addresses to register – well, you cannot use your private one, can you? We – once again – saw that the quality of passwords is fairly low.
People started to look at the code of the portal as well. Not surprisingly, there are some very fundamental mistakes in there: credentials in the Ashley Madison sources. Not one but many!
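The class of mistake mentioned here, credentials committed to the source tree, is one of the easiest to catch before code ever ships. As an added illustration (not code from this post and not from the Ashley Madison sources), the script below scans source text for the usual shapes of hardcoded credentials and shows the hardened counterpart: reading the secret from the deployment environment at runtime. The regular expressions, the sample source and the function names are my own assumptions; a real project would use a maintained secret scanner with a far larger rule set, but the mechanism is the same.

```python
import os
import re
from typing import NamedTuple

# Minimal rule set for the kinds of hardcoded credentials that end up in
# leaked source trees (constructed for this example, not an exhaustive list):
#   - a password/secret/token/api-key variable assigned a string literal
#   - a user:password pair embedded in a connection URL
#   - an AWS access key id, which has a fixed, recognisable prefix
CREDENTIAL_PATTERNS = [
    ("literal-assignment",
     re.compile(r'''(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{4,})['"]''')),
    ("url-embedded",
     re.compile(r'''(?i)\b[a-z][a-z0-9+.-]*://[^\s/:'"]+:([^\s@'"]+)@''')),
    ("aws-access-key-id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


class Finding(NamedTuple):
    line_no: int   # 1-based line number in the scanned text
    kind: str      # which rule fired
    text: str      # the offending line, stripped


def scan_source(text):
    """Return one Finding per line that matches a credential rule.
    Comments are deliberately not skipped: a commented-out password is
    still a leaked password."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(n, kind, line.strip()))
                break  # one finding per line is enough to fail the check
    return findings


def load_secret(name, env=None):
    """Hardened counterpart: the secret is injected by the deployment
    environment (or a secret manager) and never lives in the repository.
    Failing loudly on a missing value beats silently running unauthenticated."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not configured")
    return value


# Constructed sample modelled on the class of mistake described in the post.
# The values are made up; the AWS key is the documented placeholder key.
SAMPLE_SOURCE = '''\
import os
DB_URL = "postgres://app_user:Sup3rS3cret!@db.internal:5432/site"
SMTP_PASSWORD = "letmein123"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEBUG = True
TIMEOUT = "30"
'''

if __name__ == "__main__":
    # Typical pre-commit use: scan, report, and refuse the commit on any hit.
    hits = scan_source(SAMPLE_SOURCE)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.kind}: {hit.text}")
    raise SystemExit(1 if hits else 0)
```

Wired into a pre-commit hook or a CI step, a check like this turns "credentials in the sources" from a post-breach discovery into a build failure, which is exactly the kind of routine engineering discipline the rest of this post argues for.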
It is really embarrassing for our profession. The OWASP Top Ten lists the most dangerous (and most common) mistakes made when developing software; SANS has its Top 25. And still people make these basic mistakes, not only once but consistently – and they are not really hard to avoid. This is really basic. No silver bullet, just do your job as a professional developer. Period. But it seems that people do not care at all – they are just negligent.
And then the next step would be to really engineer security into software by treating software development as an engineering profession and not as an art. There are companies like Microsoft which even publish what they have learned (the Security Development Lifecycle) and tools like the Threat Modeling Tool, the Attack Surface Analyzer and a lot more… They are there to be used by professionals.
The way I usually put it: it really upsets me – and it is humiliating – if you get compromised by these simple vulnerabilities… So make sure that you avoid them!
Roger