BBC Sites Injected with Nasty IFRAME

An article in Dark Reading today tells about a nasty attack on two BBC sites that has an IFRAME injected onto the site that downloads nastiness to your computer, and only 20% of the anti-virus software packages catch it. OW!

Read the article

Key thing is injected. It almost makes it sound like BBC is a victim, doesn't it? "Hey did you read how the bad guys injected this nasty code into two BBC sites?" Folks, in a sense they ARE a victim, with an unwanted set of code put there by some 3rd party. But um, hello??!! YOU LEFT THE DOOR OPEN!!

When you read the word "injected", think "unwitting developer leaving a wide open door for hacker to put stuff on their site". BBC...surely lots of developers, a few development managers, must have some infosec and compliance people. And a hole like that is left open?

Maybe it was a tricky hole or something really brilliant that got around the standard defenses. But I have a hard time thinking that is the case.

In any case, the developers left a hole open.

So my question to you is:

How many headlines will it take before you change your code?

Don't wait until you ARE the headline...

Developers don't know $#!t about security

"'Developers don't know shit about security'. That may very well have been the most retweeted quote from the 2011 #OWASP Summit." That is a quote from a blog from a big name at the OWASP Summit.

It is an interesting read for sure. I am not sure how to take it. I guess at first I was a little shocked and humbled that InfoSec folks make fun of devs like me. I do realize we know so little about security and they know so much. And I appreciate the blog's point that InfoSec folks should learn more about software development and our unique challenges to get product out the door. But to hear that I am part of a running joke (outside of the ones I know about in my own office)...that stung. And it reminds me how much work we have to do.

I still insist it is all about educating the developers. I didn't know what I didn't know, until I decided to study up on it. 95% of the devs won't study up on security when LINQ, HTML 5.0, and lots of new and sexy technologies are there to learn. We are good at learning the tools of our trade. Security? Isn't that what InfoSec is FOR?

We aren't bad people, or lazy...well for the most part. We put our best foot forward and want to make a good, sellable product. We want the glory. Show me a negative headline with my name in it and suddenly I will pay attention. Show us how the dev down the street, from our own user group, got bitten and now their company is under fire in the press and by customers or shareholders. Whoops! Wake-up call!

It is going to have to come from the developers since we won't listen to InfoSec folks (they don't get us, they just want to box us in, etc). I can't do this alone. Are you willing to step into the gap and point out the elephant in the room?