My company website got hacked. The finding showed that the hacker accessed the website via some loophole that the programmer overlooked.
We have already paid 50% of the production fee and we feel that we should not pay the remaining due to the breach.
Does anyone know if there are any policies/regulations/laws/guidelines to safeguard programmers and website owners?
Hmm.. companies should hire white hats to hammer their systems.
It all depends on the contract, I guess.
Thanks Dumb. Are you in the IT line? Do you have a sample of the contractual agreement or clause on this matter? What is the market norm?
It really depends on the contract, and you must see how much damage the hacking did to your company.
Remember, every website has the risk of being hacked... it really depends on how good your network administrator and programmer are at protecting it from hackers accessing it.
Loopholes, as the name says, are something that is overlooked by whoever is protecting/programming it.
It's a tough thing to make.
On one hand, it's the programmer's fault for not identifying it.
On the other hand, loopholes are not easily found.
It depends on what you mean by overlook. There are so many kinds of programming languages and each does different things.
Since you said it's a website, I assume it's related to SQL? Does the website have some kind of DB? What kind of programming language is used to query the DB?
Most use PHP to query the data in MySQL. SQL queries, if not properly sanitized, can result in an attacker doing all sorts of things to the DB and the website.
Also, what does the company's network layout look like? Where are the servers located? Public? De-militarized zone?
Lastly, have all the web pages been checked? There's been a recent spate of SQL injections done via JavaScript. Sometimes, a website can get attacked without them knowing. If any attacker chances upon the website, he can abuse that info.
Here's one example - http://securitylabs.websense.com/content/Blogs/3053.aspx
If your company is big enough, they should hire pen testers to test the site. Pen testers is short for penetration testers. They are a group of hackers who are paid to hack. They have the permission of the management to break into things. Once they've done their work, they'll have a report for the company and some recommendations on how to resolve the security issues.
Alternatively, you can use automatic tools to find errors in the website and fix them if the company has got no money to hire such testers.
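To make the "not properly sanitized" point from the post above concrete, here is an added example (not code from the thread) showing the unsafe PHP query pattern beside the prepared-statement version. It uses PDO with an in-memory SQLite table so it runs stand-alone; the table, rows and the `o'brien` input are constructed for the demo, and with MySQL only the DSN would change.

```php
<?php
// Added example, not from the original thread. Constructed in-memory table
// so the script runs offline; only the DSN differs for a MySQL deployment.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed input: an ordinary name that happens to contain a single quote.
$input = "o'brien";

// UNSAFE: the input is concatenated into the SQL text, so any quote in it
// changes the structure of the query. With this input the query simply
// fails to parse; that failure is the symptom that the input is being
// treated as SQL rather than as data.
function lookupUnsafe(PDO $db, string $name): ?string {
    try {
        $sql = "SELECT role FROM users WHERE name = '" . $name . "'";
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['role'] : null;
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// SAFE: a prepared statement sends the SQL and the value separately, so the
// value is never parsed as SQL and a quote in it is just another character.
function lookupSafe(PDO $db, string $name): ?string {
    $stmt = $db->prepare('SELECT role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['role'] : null;
}

echo 'unsafe: ' . lookupUnsafe($db, $input) . PHP_EOL;
echo 'safe:   ' . var_export(lookupSafe($db, $input), true) . PHP_EOL;
echo 'safe:   ' . lookupSafe($db, 'alice') . PHP_EOL;
```

The same pattern applies to every query that takes user-controlled values (login forms, search boxes, URL parameters): if the value is built into the SQL string, the query is vulnerable; if it is bound as a parameter, it is not.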