Quantcast

Sage Live – Serious SaaS Security Issues

Sage SecuritySeeing as my wife is spending most of the evening on Facebook complaining about being kicked from the inside by our unborn second daughter, I thought I’d spend the evening online poking around Sages new online offering – Sage Live. I’ve already had a play with the functionality and reported my thoughts on that. This time I was interested in the technology and security side of things.

A couple of years ago selling web-based software to SMEs was hard. Everyone was concerned about security. Over the years, it’s been accepted that us SaaS providers seem to know what we’re doing. We’ve built up a lot of trust.

Sage seems to be aware that securty is important. They have a few pages about security that all say the right things. But in reality they fail on the most basic security measures. There’s no point in sticking your servers with Rackspace and shouting about how great the security is if the end-users password isn’t protected. After all, that’s all that is needed to get into a Sage Live account.

Defaults to “Remember me”
The default option on the Sage Live homepage is for it to remember your username and password. You can untick it if you like, but you’ll have to remember to untick it every time you log in. Other wise, all someone needs to do is fire up your computer, put in the url and click the Login button. Your password is already there!

Password shown in clear text
I really had to struggle to stop myself adding 3 exclamation marks to that sub-heading. Almost unbelievably, they show your password on-screen when you log-in – in plain text.

It’s sent to their central “passport” servce using a GET rather than a POST – so your password is actually in the requested URL which is displayed in the status bar. See the circled red area in my screen grab below. (click to enlarge)

password2

Make sure noone is looking at your screen when you log in.

Obsolete technology
A little bit of paying around on the web site indicates that the whole thing is powered by a product called BEA Aqualogic. BEA were acquired by Oracle in April last year and the BEA Aqualogic range of products have been discontinued. So before the product even made it in to public beta, the underlying technology was obsolete. This is why the pure-play SaaS companies develop their own stuff from the ground up.

[Edit: Whoops, factual error. As pointed out by a reader below; the link above doesn't actually say that this product is being discontinued]

Waiting for the Feds!
I’m allowing myself the luxury of an exclamation mark for this sub-heading. A little bit of prodding around the site and I found myself looking at these two pages (click to enlarge)

Screenshot 1 Screenshot 2

I know one of them says I only have read-only access. But these are undoubtedly pages that only authorised people should be seeing.

It’s at this point I realised that if I went any further then I could possibly fall foul of all sorts of laws about unauthorised access to remote computer systems. I started to worry that the FBI would be knocking on the door any minute (only half-joking – some of the Sage servers are in the US) and decided I’d better leave well alone.

The security blurb on their site says they have some sort of intrusion detection system that should have locked me out. I think someone might have forgot to put the batteries in it.

Conclusion
Myself and the head honchos at other SaaS accounting firms have been waiting a while for Sage to make a play in the SaaS market. We were pleased when they did. Even the fact that their product was pants didn’t matter. By just getting involved in SaaS, Sage have added credibility to the whole concept.

Now I’m wondering if we’ve all been a bit short sighted. A high-profile security cock-up could set us back years. By the looks of things, Sage are more likley to have a security problem than any of the proper SaaS players. That makes sense. Programming for the internet is a totally different thing to programmig for the desktop. Whilst Sage undoubtedly have years of experience building robust desktop apps, how much experience do they have in building for the web?

UPDATE: Sage took Sage Live offline on 28Tth Jan ’09 due to these security issues.

Duane Jackson - Founder

As Founder of KashFlow, Duane writes primarily about the trials and tribulations of starting and growing a successful business. Having handled KashFlow’s PR internally for so many years he can’t resist writing a bit about that too.

Share this article

  • http://www.adsetsbusinessinfo.blogspot.com Hazel Edmunds

    I’d say that the answer to your final question is “zilch”, “nil”, or anything other polite way of saying “b**** r all”. But surely if you don’t know how to do something then you find out, or hire someone or does.
    So what it boils down to is that someone, by the sounds of it probably lots of someones working in a committee, don’t know what they don’t know.

  • Vuk

    Interesting stuff. No ax to grind, just two factual points that may help staighten the story further:

    a) Not that beta releases should have flaws in them, but this was a Sage Live free public beta, no? Perhaps being more explicit on that point will add further clarity.

    b) Did not check BEA AquaLogic stuff, but the link you provide points to the old BEA website, which talks about the website being discontinued and points to “Learn more about the role of BEA AquaLogic Products in the Oracle Fusion Middleware strategy.”.

    I stand to be corrected, from what you say in the post, it’s not quite clear which AL product or products you imply Sage Live is powered by therefore what is its status in the Oracle strategy.

    Admittedly, bit of nitpicking, I guess the thrust of the article is clear. Just my 2p!

  • http://www.dpixelblog.com Sam Law

    Terrifying is probably the correct word to use after reading your blog, I’m not in the UK and I found this through twitter – http://twitter.com/benkepes/status/1137634227 – but I would strongly advise that no-one uses Sage at least in the current form until these are all resolved.

  • http://www.KashFlow.co.uk Duane Jackson

    Vuk,

    Thanks for the comments. I’m the first to admit I struggle to be objective when it comes to Sage.

    I almost did include comments about it being in beta. But decided it’s not relevant. They’re encouraging real businesses to put real business data in there.

    I’ve just re-read my link regarding BEA, and you’re spot on. I’d mis-read it. I’ll add a correction note to the main blog piece.

  • http://www.proworkflow.com Alan Barlow

    Hi Duane

    Clearly Sage has security issues which need resolving and thats a huge worry as data-security and data-integrity are the two top priorities in this game and something which I personally highlight to any new hires a number of times during their initial few weeks… yes i DRUM it into them ;-)

    I think Sage management should firstly re-evaluate their development plan (if they have one) and ensure security is at the top of the list. Secondly they should check the experience and technical savy of the development team and make changes if necessary as the system will only be as good as the people building it.

    Something else I had to laugh at in your screen grabs was the obvious carrying of permissions and credentials within URL strings… really smart, NOT!

    Kind regards
    Alan Barlow
    CTO & Chief Software Architect
    ProWorkflow.com

  • http://www.newszealand.co.nz Peter Hodge

    I have been waiting for Sage to do this for a few years now and like you I thought it would add great credibility to the market.

    I investigated Sage’s desktop version last year for a company wide deployment for a client. I found it to be a fantastic product, well over priced but still a good service. While it was first choice out of the services investigated it fell short because of cost. Even then Sage were already offering a hosted version through a company here in NZ.
    http://www.appserv.co.nz

    What i can’t understand is how Sage could screw up their own offering so badly when others were offering their product as a hosted version already.

    Seems the term “proper SaaS player” won’t be attributed to Sage any time soon, especially when some one else is beating them at their own game with their own product.

  • http://cloudave.com Ben Kepes

    I’ve just about got to the point where I’d advise Sage, Intuit and MYOB to all develop by acquisition – it’s probably the only feasible option open to them given the abortion of products that SageLive, BBO and QBOE have generally seemed to be (beta or otherwise)

  • http://www.easypcscotland.co.uk Stuart Gilbertson

    Sage wont be feeling the credit crunch as they’re still living in 1997.

  • http://www.mattchedit.com/ Matt Chatterley

    We are building up a pretty serious investment in SaaS with a few products due to launch this year (all going well) – and I have to say – some of the things pointed out above are nothing short of scary.

    Once you consider the reputation Sage have amongst ‘laymen’, and the sort of data that they are ‘protecting’ – it’s even scarier.

  • http://www.streetslocal.co.uk Dan

    Im almost tempted to build a system myself to show how it should be done.

    To the drawing board now…

  • http://www.mattchedit.com/ Matt Chatterley

    @Stuart – No they won’t feel the credit crunch. Because if they use their own online system – someone will have nicked their password and locked them out by now!

  • Pingback: Is SageLive ready for the SaaS Market?

  • Pingback: CODA 2go - Latest blog entries and comments

  • Pingback: Sage take SaaS product offline due to security concerns

  • Pingback: David and Goliath Part Two – Sometimes the Little Guys Can Be Cruel | CloudAve

  • Hawkeye

    No matter how good your developers are, any web-based system holding sensitive data should be tested by external security consultants – “penetration testers” in the jargon. The ways to hack into a web system are many and varied and are often highly detailed – you really need experts who know what they are doing.

    Bottom line: I wouldn’t go near any sensitive web-based system if it hasn’t been penetration tested by specialists. Regardless of whether this was a beta system it clearly was not penetration tested. It should have been before it made it even half-as-far as been available for semi-public testing.

    That alone says to me that Sage don’t know what they are doing.

  • http://www.vandijl.com OnSeaside

    I have never liked Sage. Every company I have dealt with had it (bar one) and every accountant I had loved it – they simply did not know better. Having your accounting system on line is fantastic, especially for smaller companies if the team is not all in one place.
    In two companies I introduced Netsuite. The advantage Netsuite offered is that it integrates a CRM system with an accounting system. You can even build in an online ordering system, an e-marketing system and lots of other goodies. Yes it is expensive, but then it also offers a lot and I always felt it was very secure.
    As a business manager and not an accountant it has always been important to keep track of what my business was doing. Netsuite offers that. I have no connection with them at all, and whilst I constantly fought the costs, I loved the product.

  • SecurityPlease

    Admittedly I only read to the part about plain text password exposed in GET request. In addition to it being plainly visible, this data would be exposed through browser history, router logs and web server logs.

  • Pingback: Sage Multiple Anticlimax

  • Mandar

    Good article. FYI..BEA Aqualogic is now Oracle WebCenter. :-)

  • Pingback: SaaS gets heated. Needlessly. | Sanity with Sage

Try KashFlow free for 14 days and you'll never look back. Promise.