Friday, May 22, 2009

On picking my battles...

I used to work for a software company. Part of the reason I left was that I had serious reservations about the quality of the product. Part of what drove home those reservations was the fact that the company that hired me away hired me to fix their installation of that product.

Today I was dealing with the support department, and I noticed a small gap in the program: passwords for an outside service were stored in plaintext in the database. Since the module isn't even in general release yet, I didn't think it was a big deal. I reported it, and got this answer:

Afternoon Iain, as you're aware there are already multiple levels of security needed to access the tables within SQL. Once there, a user would have to know what they were looking for to find this information. In most cases anyone who was able to find the password would probably already have access to it. In speaking with our product developer, she does not feel this is a security gap to a proportion that would warrant a change. If there is anything else I can do for you on this issue, please just let me know.


This irritated me. The guy is fairly new, so I don't know if he's lying on purpose or if he's repeating lies someone else told him. I especially like the implication that I should already know what he's about to tell me. He's half right.

There is one poor level of security, not multiple levels. The username and password for access to the DB are stored in a plaintext file (the .ini file). Even if they use Windows authentication, it requires all users to have db_owner access, so as long as you have shop-floor-level access, you have access to the table. Finally, a simple glance through the table names can suggest 'BusinessRules' is valuable.

I agree it isn't a huge gap (SMTP isn't very secure to begin with), but I will point out that user passwords are stored more securely in the SFSUsers table, which has exactly the same level of access as sys_BusinessRuleSettings.

I understand you will not be resolving the issue soon, but I would like it put on the list. The reasoning for not including it doesn't hold up.



I'm not too fussed about the gap in general. We have a good firewall, strict group policy, all that sort of stuff. It would be easier to hijack another SMTP account on the network than that one, but the message just annoyed me. I'm fine with it not being a high priority. I agree. But don't try and BS me that a program with a 25-year code legacy has "multiple layers of security". The only layer of security it has besides a password is that it's so opaque to anybody who hasn't been trained on it.
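The distinction the post turns on, that a user password only ever needs to be verified while an outbound SMTP credential has to be recovered and sent, is shown below as an added example. This is my illustration, not the product's code or anything the author posted. The table names SFSUsers and sys_BusinessRuleSettings come from the post; the column names, sample values and the in-memory SQLite database are constructed for the example, and the HMAC-based encrypt-then-MAC stands in for a library AEAD (AES-GCM) or DPAPI on Windows. The point of the hardened row is that its key lives outside the database, so a db_owner read of the table no longer yields the secret.

```python
import hashlib
import hmac
import os
import sqlite3
import struct

# Constructed stand-in for the two tables named in the post. Column names and
# sample values are assumptions for this example, not the product's schema.

PBKDF2_ITERATIONS = 200_000


def hash_user_password(password: str) -> str:
    """Verify-only storage (the SFSUsers case): salted PBKDF2, never reversible."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_user_password(password: str, stored: str) -> bool:
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; a unique nonce per row is required.
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return out[:length]


def seal_service_secret(master: bytes, secret: bytes, context: bytes) -> bytes:
    """Recoverable storage for an outbound credential (the SMTP case):
    encrypt-then-MAC under a key held OUTSIDE the database (e.g. DPAPI under
    the service account), never in the .ini file every shop-floor user reads.
    Stdlib HMAC construction stands in for a real AEAD."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, context + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_service_secret(master: bytes, blob: bytes, context: bytes) -> bytes:
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, context + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("row was modified, moved to another rule, or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_demo_db(master_key: bytes) -> sqlite3.Connection:
    """Populate both tables: one user with a hashed password, and the SMTP
    password stored twice, as shipped (plaintext) and hardened (sealed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SFSUsers (username TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE sys_BusinessRuleSettings (rule TEXT, value BLOB)")
    conn.execute("INSERT INTO SFSUsers VALUES (?, ?)",
                 ("iain", hash_user_password("correct horse")))
    smtp_password = b"Sm7pS3cret!"  # constructed sample value
    conn.execute("INSERT INTO sys_BusinessRuleSettings VALUES (?, ?)",
                 ("smtp_password_asis", smtp_password))
    conn.execute("INSERT INTO sys_BusinessRuleSettings VALUES (?, ?)",
                 ("smtp_password_sealed",
                  seal_service_secret(master_key, smtp_password, b"smtp_password_sealed")))
    conn.commit()
    return conn


def read_as_db_owner(conn: sqlite3.Connection, table: str) -> list:
    """Everything a holder of the .ini credentials (db_owner) can SELECT."""
    if table not in ("SFSUsers", "sys_BusinessRuleSettings"):
        raise ValueError("unknown table")
    return conn.execute(f"SELECT * FROM {table}").fetchall()


if __name__ == "__main__":
    master = os.urandom(32)  # in practice: loaded from a store the DB readers cannot access
    db = build_demo_db(master)
    for row in read_as_db_owner(db, "SFSUsers"):
        print("SFSUsers:", row)
    for rule, value in read_as_db_owner(db, "sys_BusinessRuleSettings"):
        print("sys_BusinessRuleSettings:", rule, value)
```

Reading both tables with the same db_owner rights gives back a hash that still has to be brute-forced for the user, but the SMTP password itself from the as-shipped row. The sealed row only helps if the master key is not sitting next to the DB credentials in the .ini; if it is, the encryption is plaintext with extra steps.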
