Pixafy staff listen to the introduction to the security lesson.
An oft-repeated statement is “trust no one.” When it comes to securing something in the world of IT, it’s especially important, and has been the subject of much discussion.
That was the subject of a session on security of web applications led by President Uri Foox. Two-thirds of the company’s staff attended the voluntary session and broke into teams to learn how one simple decision can lead to a complete breakdown in a website’s efforts to keep people out.
The lesson came from a recent example Foox discovered while on a photography site. The site’s photos were hidden behind a password protection system, but the way it implemented a sample photo in the front end left clues as to how the photos were protected.
With a couple of simple steps, done in a standard, off-the-shelf web browser with no hacking or intrusion needed, all the protected photos could be discovered. Among the other mistakes made was no effort to randomize the picture names, which were numbered sequentially, making it easy to find the other pictures once a way to access one was determined.
Foox said the goal was to encourage people to understand why certain decisions are bad, and to think critically when they’re using other sites, as understanding why something’s not secure will help to develop something that is more secure.
Pixafy President Uri Foox leads the security discussion.
The lesson was especially timely; an Australian Magento developer found itself in trouble after a site it developed was not configured with certain standard security practices in place.
Employees self-selected themselves into two categories. Those who were less aware of how web security was implemented attended an informational session led by Foox.
“Even without understanding every piece of code, Uri was able to explain and show the problem every step of the way,” Account Manager Raechel Boston said. “This inspired me to dig in the future and question the work we do and the sites I use.”
“I now have a basic understanding of how some sites that you think are secure are actually not,” said Account Manager Alan Gagnon. “The most important concept was, ‘Look for what is different and not what is the same.’ As soon as I got home I began to look at sites to see what was unique.”
Those heavier into code, including programmers and developers on the staff, along with some of the PMs, broke into teams and attempted to find the flaw using a set of instructions from Foox.
“It helped me to understand how people can easily exploit the code by small development mistakes,” front-end developer Khalid Saleem said.
Engineer Tariq Chaudhry liked the lesson, but also liked the teamwork it fostered. “I especially enjoyed breaking up into teams to solve the problem; this provided relationship building with fellow coworkers.”
Pixafy holds such sessions from time to time to challenge employees in a way that engages them, while teaching valuable lessons on developing for the web. It is part of our way of educating staff in ways that are more engaging and participatory. Foox previously was a trainer for EMC, where he employed similar methods.