Every project in life makes us weigh pros and cons.  Do we take the easy path, at the risk of shoddy workmanship, only to have to redo something later?  Do we skimp on some of the elements involved in order to save a few dollars?  Should we get the job done the quickest way possible and forget about some of the risks and holes we may be leaving ourselves vulnerable to?  Almost every project we do in life contains these types of questions, whether it be building something around the house or getting new tires on the car.  But what I’m focusing on is risk in software development.

Earlier today I mentioned I found a vulnerability in a popular, albeit niche, website.  After carefully balancing on the fine, exhilarating line between my nerdy curiosity and ethical reverse engineering, I stopped my quest and reported what I saw to the site owners.  Today I got a very polite response back.

Hello Dan,

We were definitely aware of the possibility of SQL injection during the development of the game.  We have a number of safeguards built into the system, so even if you were able to successfully get a few SQL queries slipped through, there really isn’t a whole lot you could have done to compromise the data.  You are correct though, in that we shouldn’t be inviting people to test that by sending the error data back.  That has been corrected since, so thanks for pointing it out.  I’m glad you’re enjoying the game, and good luck the rest of the way!

I was very appreciative of their email, and actually more impressed that they were able to fix the hole so quickly (I have tested it, and what he says is true).  But the email addresses something we all struggle with from time to time, no matter what type of work we do: how much are we willing to let slide in order to finish a project?  What are the factors that make us overlook the risks?  Is it time?  Budget?  The perceived idea that the risk is small?  How do these factors vary from project to project, or decision to decision?
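To make the two halves of that email concrete (a query that lets a few injected SQL fragments "slip through", and an error handler that sends the database's own error text back to the visitor), here is an added example of my own, not code from the site in question and not what they actually run.  It uses an in-memory SQLite table of constructed sample rows so it runs offline.  The vulnerable lookup builds the query by string concatenation and returns the raw `sqlite3` error to the caller; the hardened lookup uses a bound parameter and returns only a generic message.  The table, column and player names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data, not the real site's schema.
SAMPLE_PLAYERS = [("alice", 10), ("bob", 7)]


def make_db():
    """Build an in-memory database with a small players table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT, score INTEGER)"
    )
    conn.executemany(
        "INSERT INTO players (name, score) VALUES (?, ?)", SAMPLE_PLAYERS
    )
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: user input is concatenated into the SQL, and
    whatever the database engine complains about is handed straight back.
    Returns (status, payload) so the caller can see exactly what leaked."""
    sql = "SELECT score FROM players WHERE name = '" + name + "'"
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        # The "error data sent back" problem from the email: an attacker who
        # sees this text knows the quote broke the query and can keep probing.
        return ("error", str(exc))


def lookup_hardened(conn, name):
    """Hardened: a bound parameter keeps the input as data, so a stray quote
    is just a name that does not match; if the engine does fail, the
    details stay server-side and the client gets a generic message."""
    try:
        row = conn.execute(
            "SELECT score FROM players WHERE name = ?", (name,)
        ).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error:
        # In a real app: log exc with a request id, then return this.
        return ("error", "lookup failed")


if __name__ == "__main__":
    db = make_db()
    probe = "alice'"                                 # the classic first probe
    extract = "x' UNION SELECT sqlite_version() --"  # data that "slips through"
    print("vulnerable, probe:  ", lookup_vulnerable(db, probe))
    print("vulnerable, extract:", lookup_vulnerable(db, extract))
    print("hardened, probe:    ", lookup_hardened(db, probe))
    print("hardened, extract:  ", lookup_hardened(db, extract))
```

Run it and the vulnerable path answers the single-quote probe with SQLite's own tokenizer error, and answers the UNION payload with the engine version instead of a score, which is exactly the kind of confirmation an attacker wants.  The hardened path treats both strings as a player name that does not exist and says nothing about the engine.  The quick fix the site owners made (stop echoing errors) removes the confirmation signal; the parameterized query removes the injection itself, and you want both.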

This may be a topic I visit again in the future as I try to make sense out of my own questions.  Maybe I should call on Lambert Associates Risk Management Group for some answers.