Thursday, 25 October 2012

'About' page broken due to ClickJacking protection

We're just about to release TeamMentor 3.2 when a final round of QA noticed that the About page was not working:


As you can see by the screenshot and the issue opened (Fix about page which was broken due to ClickJacking protection) this was caused by the fixed applied to the ClickJacking vulnerability reported in TeamMentor.

So here is another nice example the TAX we developers have to pay due to security changes (the app was working great before the fix).

Also, note how the 'security vulnerability' information that I received made no reference to the problems that would be caused by applying the fixes!  

Saying 'Enable the X-Frame-Options' is much easier than saying 'Enable the X-Frame-Options and here are the site effects on YOUR app of that change' 

And this is the key message that I try to give to security professionals in my "Making Security Invisible by Becoming the Developer's Best Friends" presentations. 

Providing information about a security vulnerability and some pointers on how to fix it, is not good enough!!!! Since that is JUST a small part of what is needed to fix that issue. 

Usually more important is 'What are the side effects of applying that fix'

For another similar example see the Couple XSS issues and XSS-By-Design (in TeamMentor) post.