Injection Rejection (2006)
- #software development
- #SQL injection
- #outsourcing
- Matthias Winkelmann's company outsourced development to an overseas team for a fixed-bid project due to lower hourly rates.
- In-house developers were restricted from assisting with coding, only helping testers communicate technical issues.
- A major SQL injection vulnerability was found, allowing logins with a password like `'' or 1=1 --`.
- The overseas team struggled to fix the issue, leading to weeks of back-and-forth explanations.
- Testers then hit seemingly random 'Invalid text' errors, which showed up mostly with ordinary names such as Seth, Amanda, and George.
- The in-house team traced those errors to the overseas team's SQL injection "fix": a flawed input filter that rejected legitimate names as if they were attacks, instead of removing the injection itself.
- Management eventually instructed the in-house team to fix all bugs after the overseas team exceeded estimated hours.
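The three login implementations the story implies, side by side against an in-memory SQLite table, as an added example that is not code from the article or from either team. The sample users, the blacklist word list, and the exact form of the outsourced check (a substring match on SQL keywords, which is the simplest filter that rejects Seth, Amanda and George) are assumptions made here; the article only says the check blocked those names. The example also goes one step beyond the page and shows that such a blacklist can be bypassed with a payload containing none of its words.

```python
"""Added example (not from the article): vulnerable login, the assumed
keyword-blacklist 'fix', and the parameterized query that actually fixes it."""
import sqlite3

# Constructed sample users. Plaintext passwords keep the demo short;
# a real system stores salted password hashes.
SAMPLE_USERS = [("amanda", "hunter2"), ("seth", "s3cret"), ("bob", "pa55")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The original bug: user input is pasted into the SQL text, so a
    quote in the input ends the literal and the rest becomes SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


# Assumed reconstruction of the outsourced team's check: a substring
# blacklist of SQL words. 'or', 'and' and 'set' also occur inside
# George, Amanda and Seth, which is the behaviour the testers saw.
BLACKLIST = ("select", "insert", "update", "delete", "drop", "union",
             "or", "and", "set")


def passes_naive_check(text):
    lowered = text.lower()
    return not any(word in lowered for word in BLACKLIST)


def login_with_blacklist(conn, username, password):
    """Filter first, then concatenate anyway (the assumed 'fix')."""
    if not (passes_naive_check(username) and passes_naive_check(password)):
        raise ValueError("Invalid text")
    return login_vulnerable(conn, username, password)


def login_parameterized(conn, username, password):
    """The real fix: values travel separately from the statement, so no
    input can change the query's structure. No name is ever rejected."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    conn = make_db()

    def attempt(fn, user, pw):
        try:
            return "ok" if fn(conn, user, pw) else "denied"
        except ValueError as err:
            return str(err)

    # Classic payload in the password field; the -- comments out the
    # closing quote the query would otherwise append.
    payload = "' OR 1=1 --"
    # No listed keyword, but (password = '') <> 'x' is true for any
    # existing username once the quote breaks out of the literal.
    bypass = "' <> 'x"
    return {
        "vuln_bypassed": login_vulnerable(conn, "nobody", payload),
        "blacklist_rejects_names": [not passes_naive_check(n)
                                    for n in ("Seth", "Amanda", "George")],
        "blacklist_amanda": attempt(login_with_blacklist, "amanda", "hunter2"),
        "blacklist_payload": attempt(login_with_blacklist, "bob", payload),
        "blacklist_bypassed": attempt(login_with_blacklist, "bob", bypass),
        "param_payload": attempt(login_parameterized, "bob", payload),
        "param_bypass": attempt(login_parameterized, "bob", bypass),
        "param_amanda": attempt(login_parameterized, "amanda", "hunter2"),
        "param_seth": attempt(login_parameterized, "seth", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The blacklist fails in both directions: Amanda cannot log in at all (the 'Invalid text' the testers saw), while an attacker who knows one valid username still gets in. The parameterized version needs no filter and treats every name, including Seth and George, as plain data.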