<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>vcsjones : Security</title><link>http://msmvps.com/blogs/vcsjones/archive/tags/Security/default.aspx</link><description>Tags: Security</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>I'd like to report a negligence</title><link>http://msmvps.com/blogs/vcsjones/archive/2008/04/08/i-d-like-to-report-a-negligence.aspx</link><pubDate>Wed, 09 Apr 2008 02:50:58 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1578799</guid><dc:creator>vcsjones</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/vcsjones/rsscomments.aspx?PostID=1578799</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/vcsjones/commentapi.aspx?PostID=1578799</wfw:comment><comments>http://msmvps.com/blogs/vcsjones/archive/2008/04/08/i-d-like-to-report-a-negligence.aspx#comments</comments><description>&lt;p&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://msmvps.com/blogs/vcsjones/WindowsLiveWriter/Idliketoopenanegligence_1A32/Safe_4.jpg"&gt;&lt;img style="margin:0px 0px 10px 10px;" border="0" alt="Safe" align="right" src="http://msmvps.com/blogs/vcsjones/WindowsLiveWriter/Idliketoopenanegligence_1A32/Safe_thumb_1.jpg" width="240" height="181" /&gt;&lt;/a&gt; I&amp;#39;ve always been interested in software security, and it&amp;#39;s always been a number one priority for me. Software security is really honoring the trust of the people that use your software. I&amp;#39;ve also been fortunate to be the lead developer of a security product. 
I myself also tend to keep an eye on the security of other products.&lt;/p&gt; &lt;p&gt;We use a few applications in-house that we really like. I decided to poke around at the security of some of these products. I won&amp;#39;t say any of the product names because they really are good products, sans some poor security. If I find a security bug in a piece of software, I will report it to support or the development team. I feel like I&amp;#39;ve done all that I can, and I&amp;#39;ll leave it to them to fix it.&lt;/p&gt; &lt;p&gt;The one thing that there really is no excuse for, though, is storing a password in clear text. While doing my digging, I found that two products we use stored passwords in clear text. One of them was attempting to hash a login password using String.GetHashCode, which isn&amp;#39;t a good idea, but much better than clear text. However, this product also stored some other passwords in clear text. They needed to be two-way, so a hash wouldn&amp;#39;t work; rather, symmetric encryption would be better. The other system just used clear text for all passwords. This is really just neglecting security; it&amp;#39;s not even a bug. It&amp;#39;s just not caring.&lt;/p&gt; &lt;p&gt;It&amp;#39;s not too hard to encrypt data in .NET; it&amp;#39;s pretty easy, there are a lot of tutorials on it, and there are a few user groups around that talk about it as well.&lt;/p&gt; &lt;p&gt;Seeing this makes me think a couple of things. The first being, are my standards too high? I don&amp;#39;t think so, honestly. I don&amp;#39;t see any reason for storing a password in plain text other than reducing developer effort. The second thing is, how common is this? If two applications that we use have this issue, should I lose trust in all of the applications I use? It&amp;#39;s not a comfortable thought, knowing that some software abuses the trust that we give it. The third thing is, I know one of these products is extremely popular. 
I&amp;#39;m surprised no one has caught this before. Am I really the only one that tinkers around with other software&amp;#39;s security?&lt;/p&gt; &lt;p&gt;&lt;em&gt;Off topic, but I am trying to get back into the swing of blogging again. I&amp;#39;ve set a goal of trying to blog every other day or more often. We&amp;#39;ll see how it goes.&lt;/em&gt;&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/vcsjones/archive/tags/Security/default.aspx">Security</category></item></channel></rss>