Uncommunicated Concerns

As one might expect, communication is something that I generally take pretty seriously. When people are able to effectively share ideas and concerns, good things can happen in a short amount of time. When ideas and concerns are kept vague and imprecise, however, negative outcomes are generally the rule. This latter situation is something I’m seeing with regards to a pen test1 that has recently been performed on one of my newer projects. I was told that “there are some issues” with the software that must be resolved before it can be used in the EU, but I’m not being given the report from the vendor nor even a hint at what the issues might be. Given the complexity involved with most modern software, problems can exist anywhere in the stack, not just with the stuff I coded.

All in all, I like seeing the results of hack attempts against my software. As techniques continue to evolve, it’s hard to know how an entity might try to gain access to a system and/or database. There are the classic methods such as SQL injection and cross-site scripting, and there are more complex methods such as attacking the web server with carefully crafted URL strings. Seeing first hand where my software is weak provides an excellent opportunity to not only improve the software2, but to examine how exploits are changing with time. Sure, it’s a bit frustrating at times to see a list of X-many things that need to be fixed, but the end result is positive.

Unfortunately, I’m not getting that list. What I am getting is delays and vague statements, which does nothing to solve the underlying issues.

Hopefully this is something that will be resolved in the coming week.

  1. As per Wikipedia, a penetration test, colloquially known as a pen test, is an authorized simulated cyber attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

  2. Given how many of my projects are all built around the same core, an improvement in one results in improvements in many.