Clop seems to be on a roll, first with GoAnywhere and now with Moveit

  • argv_minus_one@beehaw.org
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Yet another proprietary security solution turns out not to have been as secure as advertised, and it’s easy to see why: companies that sell software are motivated not to make it secure, but to develop it as quickly as possible with as few developers as possible and then add as many features as often as possible.

    • TribesmanJohn@beehaw.orgOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      https://community.progress.com/s/question/0D54Q0000AL2k8jSQB/moveit-transfer-critical-vulnerability-may-2023

      I agree there should perhaps have been better controls in place to check for SQL Injection vulnerabilities, and that yea some businesses try hard to maximise profits, but I would also say that developers are not infallible :)

      Without seeing anything standing out on their website, I think this does show the importance of getting your product regularly security audited by and external, third party :)

      • argv_minus_one@beehaw.org
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        SQL injection? Oh, good grief. Here I was assuming it was some subtle bug, like use-after-free or using a cryptographic primitive slightly wrong—an honest mistake made by a developer who’s working too hard. But SQL injection vulnerabilities are the result of doing something we’ve been taught for decades to never do, so I can’t imagine any excuse for this.