I learned a valuable lesson today.
2 months ago, I tried explaining that a technical decision taken for the project I’m working on was bad. In fact, I clearly explained that there were security issues that could compromise the website, and suggested an alternative approach, complete with reference to books and web pages. The answer from the architect had been “well, yeah, you might be right, but let’s just see how it goes with our current solution”. What?? How can you “see how it goes” when security is an issue??
Anyway, today, after 2 months, a fellow developer asked me to show how the system could be compromised. Which I did: a fairly simple process that showed that in 10 minutes you could get a user to sign a legal document with any name he chooses, making that document completely useless.
Well, this developer guy is competent and all, and he did understand my point when I first explained it. But it took this demonstration to show him how easy it was.
Realizing that people had not understood the seriousness of the situation, I redid the demonstration to the architect, who this time got into his head that it was reasonably easy for pretty much any Java programmer to change values arbitrarily in the database.
End of story? Well, we’ll have to work on it in the next iteration. But we have lost 2 months, and the refactoring will be that much harder. Entirely my fault, really.
Thanks, nice article and good example!