Parcel Force web site errors avoidable with code testing

Fortify : 23 June, 2009  (Technical Article)
In-house developed code on web sites tends to be more vulnerable to attack, which could have been the case with Parcelforce, according to Fortify
Fortify Software, the application vulnerability specialist, says that the Parcelforce data leak - in which Web customers were given access to the entire customer records of seemingly random data relating to other customers' postal consignments - is almost certainly the result of shortcomings at the program code auditing stage.

'From what has been reported by the BBC and others, this sounds like a scripting issue with the site concerned,' said Richard Kirk, Fortify's European director.

'What's interesting about the Parcelforce site is the scripts used on the main landing pages appear to have been developed in-house, rather than the firm relying on third-party interfaces. This suggests to me that the site was developed by an in-house programming team using Omniture's SiteCatalyst software,' he added.

The problem with in-house development of Web sites, says Kirk, is that whilst the staff concerned can be well acquainted with the requirements of the company, they may well lack the facility of looking at the code from an audit perspective.

Things have moved on from the old days of 'soak tests' with programs and Web sites, he explained, adding that this means that external professionals are usually asked to conduct a range of tests on the Web site software, even including penetration testing where appropriate.

Whether this happened or not remains to be seen, but the fact that customer data was leaked means that the company has probably breached the Data Protection Act, meaning that an investigation is likely.

The Information Commissioner's Office is reported to be contacting Parcelforce to work out what actually happened with the Web site errors and what can be done to prevent it happening again, said Kirk.

'Almost certainly this will involve some sort of audit. It is to be hoped that, as well as Parcelforce learning from this situation, that other companies realise it could be their own IT team involved in the corporate red face stakes and review their own Web sites as well,' he said.

'Only by efficient code auditing can major errors like this be avoided. We all learn from mistakes. Some more than others,' he added.