Troy Hunt’s Billabong Breach Post-Mortem and Positive Externalities

If anything positive has come out of all the recent security breaches, it’s that the prolific security bloggers who have been posting interesting and helpful tips, tricks, and best practices for years are starting to get some of the attention they deserve.

Last week, Troy Hunt published an epic blog post recounting the Billabong breach in which he highlighted all of the anti-patterns and blatant security holes that could have led to the breach.

To recap, Billabong’s site had:

  • No transport layer security (TLS) on the sign-up form
  • 10+ year-old technology powering the sign-up process
  • Rampant cross-site scripting vulnerabilities (XSS)
  • Possible SQL injection vulnerabilities
  • No verification of old password on the password reset form
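
The last item is the simplest of the five to fix in code. The following is an added illustration, not code from Troy's post or from Billabong's site: a minimal password-change routine in the form the post criticises (no check of the current password) beside one that re-authenticates first. The in-memory user store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
USERS = {}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored values are not directly reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    # Fresh random salt on every (re)set so two users with the same password differ.
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def verify(username: str, password: str) -> bool:
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _hash(password, salt))


def change_password_insecure(username: str, new_password: str) -> bool:
    # The anti-pattern from the post: whoever holds the logged-in session
    # (stolen cookie, unattended browser) can set a new password without
    # ever proving they know the current one.
    if username not in USERS:
        return False
    register(username, new_password)
    return True


def change_password(username: str, old_password: str, new_password: str) -> bool:
    # Hardened form: require the current password before accepting a new one,
    # so a hijacked session alone is not enough to lock the real user out.
    if not verify(username, old_password):
        return False
    register(username, new_password)
    return True
```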

For those of you not familiar with web security, this is as bad as it gets. Forget belt and suspenders, this is like forgetting to put on your pants altogether.

XKCD: Security Holes

But the point of the post wasn’t to embarrass Billabong or its web developers, it was to educate readers about the very basic things to be on the lookout for—the low-hanging fruit.

How many developers, managers, founders, and users will see Troy’s post and say, “Hey, can we make sure we’re doing this stuff right?” Every time one company gets hacked and there’s a thorough and public post-mortem detailing the lessons learned, it prompts many more companies to strengthen their defenses.

By asking why and learning from our mistakes and the mistakes of others we can turn negatives like this into wide-reaching net positives. But it does require real effort. I can’t help but wonder if Billabong’s internal post-mortem was half as thorough as Troy’s. Security isn’t easy, and securing your environment isn’t an event, it’s a process.

In a future post, I’ll talk about how a breach turned a really smart software developer into a self-proclaimed security nut.
