I work in the education industry, which has been often lauded for its tough security stance (note the sarcasm), and you would be surprised how common CRUD apps do not pass muster. Zoho Corp's founder recently fielded a lot of critical comments about his Salesforce CRM competitor product and other products of Zoho-esque mediocrity. [0][1] I stayed out of it, but let me give a shining turd example of such a product: their ticketing system, ManageEngine ServiceDesk Plus. [2] We could not afford to purchase or implement a larger, more garbage ticketing system, say like HP Service Manager (which has the worst interface of any web application I have ever seen, mind you, but it is far more business-like for this enterprise-y world which the article is addressing). We do, at a minimum, a Nessus scan for anything that requires FW rules inbound and/or an SSL cert in our org. This did okay (other stories to follow). Not soon after, many XSS vulnerabilities were found, in two versions. [3] This is, mind you, an enterprise-y ticketing system geared for people who do ITIL. Not only could they not publicly manage the situation, they show a complete lack of the change control/problem management their product and garbage webpage imbue. Now we only allow access behind our VPN; lord knows what would happen if we exposed this garbage to the public Internet.
I give this example as one of my such tales. Bottom line: even some of the priciest web applications would fail even rudimentary testing. We see it again and again, and there is always, rest assured, some marketing ahole peddling software to a non-IT manager, who hooks them on it, and that guy refuses to accept how something so polished is dangerous to the bottom line.
Frankly, I wish SOX-like/HIPAA/bank/government regulations were imposed on all of us, and THEN fine any companies promising these standards for failure to comply. The amount of garbage is staggering, and politics dictates software marketing will always target the guys sitting above the technical people who refuse when they know their product has "rough edges" (I say that because every company we talk to about such things downplays sec vulnerabilities; not once have I heard of one of our vendors handle it graciously, even big dogs like Symantec brush us off).
I was going to say this kinda reads like an advertisement for your product.
But, after rereading, it is more advertisement than kinda advertisement :-)
My formal response to this is:
HAHAHAHAHHAHAHAHAHAHAH!
[0] https://news.ycombinator.com/threads?id=sridharvembu
[1] https://news.ycombinator.com/item?id=5836569
[2] http://manageengine.com/
[3] https://www.google.com/search?q=servicedesk+plus+xss