A few months ago, I was attending the National Hack The Government event. I was showing off some of the work I had been doing on “The Unsecured State” – looking at *.gov.uk website security.
I was chatting to an envoy from the Food Standards Agency who was eager to hear more about what I’d discovered.
“Oh,” I said, “It’s pretty easy. Let’s take a look at your website. If I were to type some HTML into your search box, you would expect that the site would recognise it as dangerous content and refuse to display it.”
A few clicks later…
“Ah,” the FSA lady said, “Let me just make a quick phone call….”
A little while later, it was fixed.
This is not about minor councils and tiny departments. The FSA has a multi-million pound budget and, no doubt, an extensive tender process for its expensive website. How do security flaws like this continue to sneak through?
Is it enough to assume that a large, experienced web designer will be competent?
Should there be standardised products and services used to ensure a bare-minimum level of security?
Does the Government need to produce a thousand page “Compliance And Best Practice” document to ensure every i is crossed and t is dotted?
I honestly don’t know the answers to these questions.
Security is like usability – it’s not one of those things which can be tacked on at the end of a project once the “real work” is done. It has to permeate every aspect of design and creation.