After the acquisition by a much larger company, security became a top priority. Our company occupied three tall buildings, each at least 13 stories high. Key card readers were installed next to every entrance, every elevator car, and even at the parking lot entrance, which itself was eight stories tall.
The parking lot system was activated first. If you wanted to park your car, you needed to scan your pass. It didn't take long for lines to start forming, but they were still manageable.
Then the doors were activated. I would often forget my key card on my desk and get stuck in the stairwell. After lunch, I'd climb the stairs all the way to the 11th floor, only to find myself locked out at the door. Fortunately, the buildings were full of people, and there was always someone to open the door for me. I'd slip in suspiciously while they contemplated the email that clearly said not to let anyone in with your own card.
While we were battling to get used to the key cards, the company was installing turnstiles on the ground floor of every building. They looked futuristic, but I was already anticipating a problem the designers hadn't considered. Each building had 13 floors. Each floor was full of employees. Hundreds of employees per building would each have to scan their card to get in.
I'm a software engineer. I understand that security isn't an optional feature you build on top of your application. Instead, you need to implement safeguards at the foundation. In fact, one of the most important applications I was working on was a tool to manage how different teams retrieved their tasks from Jira. If you've read this blog before, you know I always complain about Jira.
Anyway, the original designer of this application must have been pressed for time. Each action in the app required a call to the Jira endpoint, which needed authentication. He never saved the auth token returned by the API. Instead, each call had to re-authenticate and then perform its task.
Did he ask the user to reenter the password every single time? No, he was smarter than that. Did he save the credentials in the database in plain text? He might have been an intern, but he wasn't crazy. No! Instead, he saved the username and password in the cookies. But for good measures, it was base64 encoded.
Eventually, we received the email. All turnstiles were going to be activated. The following Monday, they would run in mock mode, where the turnstiles would remain open, but we'd have to scan and wait for the beep and green light before entering.
I arrived at 8:30am. I met my colleagues and hundreds of other employees in the lobby. When the first person scanned their card, the machine beeped and turned green. We all clapped in celebration. We took turns making our way to the machine. Beep, turn green, next. But it grumbled for some employees and turned red. That was fine though, it was mock day. We all went about our day.
The next day, when I came to work, I remained in my car, stuck in line for the parking lot for at least 10 minutes. Looking outside, I saw long lines of people circling each building.
... continue reading