On Mon, Jan 21, 2013 at 11:23:16PM -0500, Jean-Francois Mezei wrote:
This article may be of interest:
http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playin...
Basically, a Montreal student, developping mobile software to interface with schools system found a bug. Reported it. And when he tested to see if the bug had been fixed, got caugh and was expelled.
I the context of this thread, they found a vulnerability in the web site's archutecture that allowed the to access any student's records.
This is the perfect type of incident you can bring to your boss to justify proper architecture/security for your web site. "How would you react if it was your company's name in the headline ?"
That article doesn't justify security review, it justifies not being a complete knob when someone reports a security hole in your site. There are so many site vulnerabilities these days that they're not news. What *is* news is when the vulnerable organisation goes off the deep end and massively overreacts to the situation. See Also: First State Superannuation. - Matt