High security does not involve wizardry - it's grounded in straightforward principles and diligent practices

Imagine a ticket sales portal offering daily, weekly, and monthly tickets priced at €50, €200, and €500, respectively. At first glance, the process is straightforward: click on a ticket, proceed to the payment page, and complete your purchase. However, if the implementation lacks a basic understanding of online security principles, vulnerabilities can arise from seemingly harmless practices.

"It's not merely the ability to write code that defines a software engineer. A great developer must be versed in numerous disciplines beyond coding, including user experience, accessibility, elements of psychology and marketing, and crucially, security. Regrettably, many developers hesitate to venture beyond their comfort zones to acquire new skills. This is where the importance of knowledge management shines in every IT services company. Educating our junior staff on writing secure code is vital because, as illustrated in this article, writing secure code isn't more costly than writing poor quality code - it's about having the right knowledge."

For instance, a programmer with limited experience in security might attach the price directly in the URL, like so:

• For a daily ticket: https://tickets.example.com/ticketsales.php?price=50
• For a weekly ticket: https://tickets.example.com/ticketsales.php?price=200
• For a monthly ticket: https://tickets.example.com/ticketsales.php?price=500

Clicking on one of these links takes the user to a payment page that reflects the selected price. However, this setup invites a glaring security risk: price manipulation. A user could simply edit the URL's price parameter to a lower value, like €1, and the payment page would obediently adjust to this new "price."

• For a daily ticket: https://tickets.example.com/ticketsales.php?price=1

This is precisely what happened in one of the cases: a youngster simply altered the price tag, resulting in the acquisition of a very inexpensive product. The aftermath was a massive media scandal characterized by extensive finger-pointing and misinformation, significantly damaging the platform's reputation. While some may find humor in the situation, the root cause was likely a simple oversight by a junior coder that went unchecked, highlighting the critical importance of education and proper processes.

To avoid such pitfalls, experienced programmers employ a technique known as the "separation of business logic and presentation." Instead of placing a mutable value like price in the URL, they would use a fixed ticket type identifier. The server, not the user, then determines the price based on this identifier. Here's how the improved URLs might look:

• Daily ticket: https://tickets.example.com/ticketsales.php?type=daily
• Weekly ticket: https://tickets.example.com/ticketsales.php?type=weekly
• Monthly ticket: https://tickets.example.com/ticketsales.php?type=monthly

With this approach, the server controls the pricing logic, removing the user's ability to manipulate ticket prices through URL edits. Attempting to bypass this by changing the URL to an invalid parameter would result in a warning message, and the system could log the user's IP address for security purposes.

This solution is not black magic, it is neither complex nor time-consuming to implement. The code for the imaginary scenario in this post would take no more than five minutes to code, even an AI can do it. The essence of IT security often lies in such simple yet effective practices, underscoring the importance of having skilled programmers or, proper processes, and ideally, high-performing agile teams that can identify and correct potential vulnerabilities efficiently.

Most of the time, IT security is much simpler than it appears, and understanding its basics can go a long way in protecting your business from unnecessary losses. By ensuring that your IT team adheres to fundamental security principles, you can avoid becoming the next cautionary tale in the digital age.