DevDisasters

Gatekeepers of Bad Software

Software development gone wrong: ASP plus Access not equal to secure Web portal.

• By Alex Papadimoulis
• 05/01/2009

The HR department at a financial services firm wanted to hire GlobalComp to build a Web portal.

Getting approval was straightforward: the purchaser set up a meeting between GlobalComp and an "integration services" developer on the IT team, and then waited a few days.

After a brief spiel from the GlobalComp sales rep, Steve opened with a softball question: "Is it secure?"

"Of course it's secure," the rep said. "At GlobalComp we take security very seriously. In fact, our pages are delivered over Secure Socket Lay—"

"Wait a sec," Steve cut him off, as he played around with the Web portal. "I think I just broke into your admin console."

The GlobalComp rep stumbled through an apology. It was clear that the developers had never anticipated someone typing ' OR ''=' in the password field. Steve thought it'd be a good idea to do a code review to see what else they had missed.

A Code Tour
Before Steve was permitted to even talk to a developer at GlobalComp, they had him sign a an NDA. As an added security measure, Steve could only review the code while the immaculately dressed Dave, GlobalComp's lead developer, watched him. "You'd be surprised," Dave said in a serious tone, "there are a lot of people who would steal our software ideas."

Steve's first port of call was login.asp. But it wasn't the security snafus or the FrontPage meta-tags that caught his eye. Not only were they using Access, but they had come up with a rather interesting way of caching huge amounts (400K+) of user-specific info. They used the ASP Session object:

<%
set cn = Server.CreateObject(_
"ADODB.Connection")
cn.Provider = _
"Microsoft.Jet.OLEDB.4.0"
cn.Open "C:\inetpub\wwwroot\db.mdb"
set rs = Server.CreateObject(_
"ADODB.recordset")
rs.Open "SELECT * FROM Users " & _
" WHERE Username = '" & _
Username & _
"' AND Password = '" & _
Password & "'", cn
do until rs.EOF
session("USERNAME") = rs("username")
session("COMPANY") = rs("company")
session("LOCATION") = rs("location")
session("ADDRESS1") = rs("address1")
session("ADDRESS2") = rs("address2")
session("ADDRESS3") = rs("address3")
session("ADDRESS4") = rs("address4")
session("HTML_BLOCK_1") = rs("html1")
…180 columns later…
session("YET_ANOTHER_FIELD") = _
Rs("yet_another_field")
Rs.MoveNext
loop
rs.close
cn.close
%>

"I can't help but notice that this is in ASP," Steve said to Dave. "I'm curious: why not .NET? Do you have a lot of ASP libraries that you're reusing?"

"It's 2006," Dave snapped back, "not 2015. Everyone knows that .NET hasn't really taken off yet. It's slow, difficult to code and very buggy. Maybe in a few years we'll consider it, but until then, ASP is far quicker and more powerful."

"For optimization," Steve commented, "wouldn't it have made sense to go with SQL Server? This portal is meant to be used by thousands of users across the country. Do you think Access is up to the job?"

"What's wrong with Access?" Dave defensively questioned. "When I was at Accenture, we used it all the time."

Steve had seen enough. "In light of the numerous performance, security and dataintegrity issues," his review read, "we do not approve GlobalComp's Web portal software for use in our production environments."

It was the first time anyone in the department had ever given a non-approval for vendor software. They felt relieved to have successfully acted as the gatekeeper of bad software.

Tell Us Your Tale

Each issue Alex Papadimoulis, publisher of the popular Web site The Daily WTF, recounts first-person tales of software development gone terribly wrong. Have you experienced the darker side of development? We want to publish your story. E-mail your tale to Executive Editor Kathleen Richards at [email protected] and use "DevDisasters" as the subject line.