What a SAP

Thursday, 20 November 2014, 14:00

On day one of the project, Kenneth was given a single rule that was to be followed under all circumstances. "You do not talk to the SAP contractors. They're too busy, and their time is too valuable. They do not have time for front-end developers."

As a front-end dev, Kenneth was used to being told to take his crayons and get back to work. A front-end dev forbidden from talking to the developers behind the back-end? What could go wrong?

(Image: gift box icon.) What's in the box? And why does it smell so bad?

The product was a "redeem points for cool products" system. A customer could purchase a gift box. The outside of the box was labeled with a public code, and the inside was labeled with a private code. A user could enter both codes into the system to redeem points. Those points could then be used to buy tchotchkes from their web store.

There were all sorts of ironies in the project. While Kenneth was forbidden from talking to half the team, the project managers kept chanting "agile". They used the word not because it meant anything, but because it was a mantra to ward off project slippage. Of course, slippage looked almost inevitable, since every project milestone date was chosen through the "toss a dart at the calendar" method. It also didn't help that Kenneth and the SAP guys were working from entirely different specifications.

Kenneth went to his boss's office to attempt to explain the latest problem. "The spec says that we need to validate a customer's code before we let them create an account," Kenneth said to Jack.

"Yes."

"But this is just an HTML/JavaScript front end. So that validation should happen on the back end."

"Yes…," Jack said, with less confidence.

"But there's no back-end method for us to do that."

"Yes…? So what's the problem?"

"That is the problem. We need a method on SAP to let us check if the code is valid."

Jack nodded. "So… this means changing the SAP specification. I don't know that we can do that…" Jack called his boss, who called her boss, who called the SAP team's boss. A meeting was scheduled between the management levels, which meant Jack and Kenneth needed to have a pre-meeting with Jack's boss, which meant Jack and Kenneth needed to have a pre-pre-meeting. After roughly 85 person-hours of meetings, an agreement was reached: the SAP team would expose their validation logic as a web service, so that the web team could validate gift codes.

Since everyone was collaborating so well, the management team pushed the deadline up four more weeks, because "Agile means thinking on your feet." After pulling a month of 60-70 hour weeks, Kenneth had a sense that Agile actually meant being dead on your feet.

After too many late nights, the project launched, on time and over budget. It was loaded with bugs, mostly minor, and had too few test plans to actually identify or help triage the bugs. Over the next six months, Kenneth and his front-end team handled their bugs, and it looked like the project was on the downhill slope.

At least, it was until TrudyHeart1971 created an account. Within minutes of joining the site, TrudyHeart1971 was redeeming a suspicious number of points. The management chant of "agile" was replaced by screams of "hackers!!!111!!!". All-hands meetings started. For the first time, Kenneth and his team sat down in a conference room with the SAP guys: Sven and Lars.

Kenneth's screen was mirrored on the projector as he scraped the logs. "This doesn't look like a hacking attempt. These requests all look valid."

"You would think that," Lars said. He pointed at one of the entries. "These public and private codes don't match."

"In fact," Sven said, "these private codes look completely fabricated. 12345678? Not a code."

"Okay, so that probably has something to do with the validation on your side, right?" Kenneth said.

Lars and Sven glanced at each other before turning to Kenneth and laughing at him. "We don't validate the codes. There is a CheckCodes method we gave you. You are to do the validation."

"You don't validate the codes," Kenneth said.

"No, of course not. We gave you a method."

"You're relying on the client-side JavaScript code to do all of the validation before requests hit your public-facing web service?" Kenneth clarified, hoping someone else in the room would see how insane this sounded.

"Alright, then." The Big Boss rapped his knuckles on the table to get everyone's attention. "It sounds like we know what the problem is: the front-end is insecure. And Kenneth, it sounds like you know how to fix it."

In the end, technical ignorance and the contractors' hourly rate guaranteed that Kenneth was forced to fix the front-end. Their cobbled-together solution was to implement a web-service proxy that performed validation on the server side, while making the existing public-facing (and utterly insecure) SAP services private.
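The fix described above, as an added illustration rather than code from the original story or from the project it describes: the original call path, where nothing on the server repeats the browser's check, beside a server-side proxy that owns the validation and is the only caller of the back end. The service names (checkCodes, redeemPoints), the eight-character alphanumeric code format, the proxy's replay check and the sample gift boxes are all assumptions made for this example.

```javascript
// Added example, not code from the original story or the project: the
// insecure call path beside the server-side validation proxy that replaced
// it. The service names checkCodes/redeemPoints, the 8-character code
// format and the sample gift boxes are assumptions for this illustration.

const CODE_FORMAT = /^[A-Z0-9]{8}$/;

// Constructed sample gift boxes (public code outside, private code inside).
const SAMPLE_BOXES = [
  { publicCode: 'PUB00001', privateCode: 'K7Q2M9ZX', points: 500 },
  { publicCode: 'PUB00002', privateCode: 'B4R8N1VC', points: 250 },
];

// Stand-in for the SAP back end. checkCodes is the validation method the
// SAP team handed to the front end; redeemPoints, as in the story, trusts
// its caller and credits any known public code whatever private code was
// typed. In the fixed design neither is reachable except through the proxy.
function makeBackend(giftBoxes) {
  const boxes = new Map(giftBoxes.map((b) => [b.publicCode, b]));
  const balances = new Map();
  return {
    checkCodes(publicCode, privateCode) {
      const box = boxes.get(publicCode);
      return box !== undefined && box.privateCode === privateCode;
    },
    redeemPoints(publicCode, accountId) {
      const box = boxes.get(publicCode);
      if (box === undefined) return 0;
      balances.set(accountId, (balances.get(accountId) || 0) + box.points);
      return box.points;
    },
    balance(accountId) {
      return balances.get(accountId) || 0;
    },
  };
}

// Original design: the browser was expected to call checkCodes itself and
// then call the public-facing redeem service. Nothing on the server repeats
// the check, so a request that skips the JavaScript is credited anyway.
function insecureRedeem(backend, request) {
  return backend.redeemPoints(request.publicCode, request.accountId);
}

// Replacement design: a server-side proxy that owns the validation. It
// checks the shape of both codes, asks the (now private) back end whether
// the pair matches, and refuses to replay a code it has already accepted.
function makeProxy(backend) {
  const redeemed = new Set();
  return function redeem(request) {
    const { publicCode, privateCode, accountId } = request;
    if (typeof publicCode !== 'string' || typeof privateCode !== 'string' ||
        !CODE_FORMAT.test(publicCode) || !CODE_FORMAT.test(privateCode)) {
      return { ok: false, reason: 'malformed code' };
    }
    if (redeemed.has(publicCode)) {
      return { ok: false, reason: 'already redeemed' };
    }
    if (!backend.checkCodes(publicCode, privateCode)) {
      return { ok: false, reason: 'codes do not match' };
    }
    redeemed.add(publicCode);
    return { ok: true, points: backend.redeemPoints(publicCode, accountId) };
  };
}

// Replays the incident from the story: a real public code paired with a
// made-up private code, sent to each design in turn.
function demo() {
  const wrongPair = { publicCode: 'PUB00001', privateCode: '12345678', accountId: 'TrudyHeart1971' };
  const rightPair = { ...wrongPair, privateCode: 'K7Q2M9ZX' };

  const exposedBackend = makeBackend(SAMPLE_BOXES);
  const creditedAnyway = insecureRedeem(exposedBackend, wrongPair);

  const proxy = makeProxy(makeBackend(SAMPLE_BOXES));
  const rejected = proxy(wrongPair);
  const accepted = proxy(rightPair);
  const replayed = proxy(rightPair);
  const junk = proxy({ publicCode: 'PUB00001', privateCode: 'x', accountId: 'TrudyHeart1971' });
  return { creditedAnyway, rejected, accepted, replayed, junk };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`. The first result shows the incident: the exposed back end credits 500 points for a private code of 12345678. Note that 12345678 passes the format check, so shape validation alone would not have helped; the proxy rejects it only because it asks the back end whether the pair actually matches, and it rejects the second use of the correct pair because it remembers what it has already accepted.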

Their "hacker", TrudyHeart1971, had discovered the bug when she accidentally entered her code incorrectly and saw she received points anyway. She did this a few more times before the guilt set in. The company briefly considered pressing charges, but someone realized that publicizing this sort of security mistake wasn't in their best interests. They settled for removing Trudy's points and a letter of apology.

http://thedailywtf.com/articles/what-a-sap
