Sage Live – Serious SaaS Security Issues
On January 21st, 2009 by Duane Jackson
Seeing as my wife is spending most of the evening on Facebook complaining about being kicked from the inside by our unborn second daughter, I thought I’d spend the evening online poking around Sage’s new online offering – Sage Live. I’ve already had a play with the functionality and reported my thoughts on that. This time I was interested in the technology and security side of things.
A couple of years ago selling web-based software to SMEs was hard. Everyone was concerned about security. Over the years it’s been accepted that we SaaS providers seem to know what we’re doing. We’ve built up a lot of trust.
Sage seems to be aware that security is important. They have a few pages about security that all say the right things. But in reality they fail on the most basic security measures. There’s no point in sticking your servers with Rackspace and shouting about how great the security is if the end-user’s password isn’t protected. After all, that’s all that is needed to get into a Sage Live account.
Defaults to “Remember me”
The default option on the Sage Live homepage is for it to remember your username and password. You can untick it if you like, but you’ll have to remember to untick it every time you log in. Otherwise, all someone needs to do is fire up your computer, put in the URL and click the Login button. Your password is already there!
Password shown in clear text
I really had to struggle to stop myself adding 3 exclamation marks to that sub-heading. Almost unbelievably, they show your password on-screen when you log in – in plain text.
It’s sent to their central “passport” service using a GET rather than a POST – so your password is actually in the requested URL, which is displayed in the status bar. Because it is part of the URL, it will also end up in your browser history and in any proxy or web server access logs along the way. See the circled red area in my screen grab below.
Make sure no one is looking at your screen when you log in.
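To make the “password in the URL” point concrete, here is an added example (not code from the original post, and not Sage Live’s own code): a framework-free model of the weak GET login beside a hardened handler that only takes credentials from a POST body and redacts sensitive parameters before anything is logged. The request shape, the user store, the `/passport/login` path and the sample requests are all constructed for this example.

```python
"""Added example (not from the original post or from Sage Live): why a
password carried in a GET login leaks, and a minimal hardened handler.

The request shape is a hypothetical, framework-free model: a dict with
keys client, method, path, query and body. The user store, hashing and
sample requests are constructed for the example.
"""
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token"}

# Constructed user store: a salted PBKDF2 hash, never the password itself.
# One salt per process is enough for this single-user example; a real
# store keeps one salt per user.
_SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"duane": _hash("correct horse")}


def check_credentials(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        _hash(password)  # spend the same time for unknown users
        return False
    return hmac.compare_digest(stored, _hash(password))


def redact_query(query: str) -> str:
    """Replace sensitive parameter values before the query reaches a log."""
    params = parse_qs(query, keep_blank_values=True)
    cleaned = {k: (["[REDACTED]"] if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in params.items()}
    return urlencode(cleaned, doseq=True)


def access_log_line(request: dict, status: int, redact: bool = False) -> str:
    """Common Log Format style line, as a reverse proxy or web server
    records it. The request target includes the query string, which is
    exactly where a GET login puts the password."""
    query = request.get("query", "")
    if redact:
        query = redact_query(query)
    target = request["path"] + ("?" + query if query else "")
    return f'{request["client"]} - - "{request["method"]} {target} HTTP/1.1" {status} -'


def weak_login(request: dict) -> dict:
    """The pattern described in the post: credentials read from the query
    string of a GET. The password is now in the status bar, the browser
    history, any Referer header and every access log on the path."""
    params = parse_qs(request.get("query", ""))
    user = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    status = 200 if check_credentials(user, password) else 401
    return {"status": status, "log": access_log_line(request, status)}


def hardened_login(request: dict) -> dict:
    """Credentials are only accepted from a POST body. A password in the
    query string is refused outright, and the log line is redacted so a
    mistaken GET never records it either."""
    params = parse_qs(request.get("query", ""))
    if request["method"] != "POST":
        status = 405
    elif SENSITIVE_PARAMS & {k.lower() for k in params}:
        status = 400
    else:
        body = parse_qs(request.get("body", ""))
        user = body.get("username", [""])[0]
        password = body.get("password", [""])[0]
        status = 200 if check_credentials(user, password) else 401
    # Cache-Control: no-store keeps the response out of the browser cache;
    # the password itself is never echoed back in any response.
    return {"status": status,
            "headers": {"Allow": "POST", "Cache-Control": "no-store"},
            "log": access_log_line(request, status, redact=True)}


# Constructed requests: the same login done the weak way and the right way.
GET_LOGIN = {"client": "192.0.2.10", "method": "GET", "path": "/passport/login",
             "query": "username=duane&password=correct+horse", "body": ""}
POST_LOGIN = {"client": "192.0.2.10", "method": "POST", "path": "/passport/login",
              "query": "", "body": "username=duane&password=correct+horse"}

if __name__ == "__main__":
    print(weak_login(GET_LOGIN)["log"])       # password visible in the log line
    print(hardened_login(GET_LOGIN)["log"])   # 405, password redacted
    print(hardened_login(POST_LOGIN)["log"])  # 200, nothing sensitive in the URL
```

Run it and compare the three log lines: the weak handler’s line carries `password=correct+horse`, while the hardened handler refuses the GET and logs `password=%5BREDACTED%5D`, and the POST login logs no credential at all. The redaction is a backstop only; the real fix is that the form never sends the password anywhere but a POST body over TLS.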
Obsolete technology
A little bit of playing around on the web site indicates that the whole thing is powered by a product called BEA Aqualogic. BEA were acquired by Oracle in April last year and the BEA Aqualogic range of products have been discontinued. So before the product even made it into public beta, the underlying technology was obsolete. This is why the pure-play SaaS companies develop their own stuff from the ground up.
[Edit: Whoops, factual error. As pointed out by a reader below; the link above doesn't actually say that this product is being discontinued]
Waiting for the Feds!
I’m allowing myself the luxury of an exclamation mark for this sub-heading. A little bit of prodding around the site and I found myself looking at these two pages.
I know one of them says I only have read-only access. But these are undoubtedly pages that only authorised people should be seeing.
It’s at this point I realised that if I went any further then I could possibly fall foul of all sorts of laws about unauthorised access to remote computer systems. I started to worry that the FBI would be knocking on the door any minute (only half-joking – some of the Sage servers are in the US) and decided I’d better leave well alone.
The security blurb on their site says they have some sort of intrusion detection system that should have locked me out. I think someone might have forgotten to put the batteries in it.
Conclusion
The head honchos at other SaaS accounting firms and I have been waiting a while for Sage to make a play in the SaaS market. We were pleased when they did. Even the fact that their product was pants didn’t matter. By just getting involved in SaaS, Sage have added credibility to the whole concept.
Now I’m wondering if we’ve all been a bit short-sighted. A high-profile security cock-up could set us back years. By the looks of things, Sage are more likely to have a security problem than any of the proper SaaS players. That makes sense. Programming for the internet is a totally different thing to programming for the desktop. Whilst Sage undoubtedly have years of experience building robust desktop apps, how much experience do they have in building for the web?
UPDATE: Sage took Sage Live offline on 28th Jan ‘09 due to these security issues.
Tags: SaaS, Sage, SageLive, Security
January 21st, 2009 at 11:27 pm
I’d say that the answer to your final question is “zilch”, “nil”, or any other polite way of saying “b**** r all”. But surely if you don’t know how to do something then you find out, or hire someone who does.
So what it boils down to is that someone, by the sounds of it probably lots of someones working in a committee, don’t know what they don’t know.
January 22nd, 2009 at 12:01 am
Interesting stuff. No axe to grind, just two factual points that may help straighten the story further:
a) Not that beta releases should have flaws in them, but this was a Sage Live free public beta, no? Perhaps being more explicit on that point will add further clarity.
b) Did not check BEA AquaLogic stuff, but the link you provide points to the old BEA website, which talks about the website being discontinued and points to “Learn more about the role of BEA AquaLogic Products in the Oracle Fusion Middleware strategy.”.
I stand to be corrected, from what you say in the post, it’s not quite clear which AL product or products you imply Sage Live is powered by therefore what is its status in the Oracle strategy.
Admittedly, bit of nitpicking, I guess the thrust of the article is clear. Just my 2p!
January 22nd, 2009 at 12:30 am
Terrifying is probably the correct word to use after reading your blog, I’m not in the UK and I found this through twitter – http://twitter.com/benkepes/status/1137634227 – but I would strongly advise that no-one uses Sage at least in the current form until these are all resolved.
January 22nd, 2009 at 12:39 am
Vuk,
Thanks for the comments. I’m the first to admit I struggle to be objective when it comes to Sage.
I almost did include comments about it being in beta. But decided it’s not relevant. They’re encouraging real businesses to put real business data in there.
I’ve just re-read my link regarding BEA, and you’re spot on. I’d mis-read it. I’ll add a correction note to the main blog piece.
January 22nd, 2009 at 1:41 am
Hi Duane
Clearly Sage has security issues which need resolving and that’s a huge worry, as data security and data integrity are the two top priorities in this game and something which I personally highlight to any new hires a number of times during their initial few weeks… yes I DRUM it into them ;-)
I think Sage management should firstly re-evaluate their development plan (if they have one) and ensure security is at the top of the list. Secondly they should check the experience and technical savvy of the development team and make changes if necessary, as the system will only be as good as the people building it.
Something else I had to laugh at in your screen grabs was the obvious carrying of permissions and credentials within URL strings… really smart, NOT!
Kind regards
Alan Barlow
CTO & Chief Software Architect
ProWorkflow.com
January 22nd, 2009 at 2:32 am
I have been waiting for Sage to do this for a few years now and like you I thought it would add great credibility to the market.
I investigated Sage’s desktop version last year for a company-wide deployment for a client. I found it to be a fantastic product, well overpriced but still a good service. While it was first choice out of the services investigated it fell short because of cost. Even then Sage were already offering a hosted version through a company here in NZ.
http://www.appserv.co.nz
What I can’t understand is how Sage could screw up their own offering so badly when others were offering their product as a hosted version already.
Seems the term “proper SaaS player” won’t be attributed to Sage any time soon, especially when some one else is beating them at their own game with their own product.
January 22nd, 2009 at 8:16 am
I’ve just about got to the point where I’d advise Sage, Intuit and MYOB to all develop by acquisition – it’s probably the only feasible option open to them given the abortion of products that SageLive, BBO and QBOE have generally seemed to be (beta or otherwise)
January 22nd, 2009 at 8:34 am
Sage won’t be feeling the credit crunch as they’re still living in 1997.
January 22nd, 2009 at 9:11 am
We are building up a pretty serious investment in SaaS with a few products due to launch this year (all going well) – and I have to say – some of the things pointed out above are nothing short of scary.
Once you consider the reputation Sage have amongst ‘laymen’, and the sort of data that they are ‘protecting’ – it’s even scarier.
January 22nd, 2009 at 9:23 am
I’m almost tempted to build a system myself to show how it should be done.
To the drawing board now…
January 22nd, 2009 at 10:36 am
@Stuart – No they won’t feel the credit crunch. Because if they use their own online system – someone will have nicked their password and locked them out by now!
January 22nd, 2009 at 10:47 am
[...] Granted this software is still a beta but it seems the concerns that he, and others commenting on his blog, are not unfounded [...]
January 22nd, 2009 at 3:32 pm
A flurry of excitement and schadenfreude has flown around the SaaS community as apparently serious security flaws were highlighted in the beta version of SageLive [...]
January 28th, 2009 at 7:18 pm
[...] it was crap anyway (which other more independent people then agreed with), then we pointed out serious security concerns with [...]
January 29th, 2009 at 1:06 pm
[...] the KashFlow blog had a post outing some potential security concerns for the new SageLive SaaS product. The substance of the claims are not overly important – I did [...]
February 5th, 2009 at 3:22 pm
No matter how good your developers are, any web-based system holding sensitive data should be tested by external security consultants – “penetration testers” in the jargon. The ways to hack into a web system are many and varied and are often highly detailed – you really need experts who know what they are doing.
Bottom line: I wouldn’t go near any sensitive web-based system if it hasn’t been penetration tested by specialists. Regardless of whether this was a beta system it clearly was not penetration tested. It should have been before it made it even half-as-far as been available for semi-public testing.
That alone says to me that Sage don’t know what they are doing.
February 20th, 2009 at 5:23 pm
I have never liked Sage. Every company I have dealt with had it (bar one) and every accountant I had loved it – they simply did not know better. Having your accounting system on line is fantastic, especially for smaller companies if the team is not all in one place.
In two companies I introduced Netsuite. The advantage Netsuite offered is that it integrates a CRM system with an accounting system. You can even build in an online ordering system, an e-marketing system and lots of other goodies. Yes it is expensive, but then it also offers a lot and I always felt it was very secure.
As a business manager and not an accountant it has always been important to keep track of what my business was doing. Netsuite offers that. I have no connection with them at all, and whilst I constantly fought the costs, I loved the product.
April 9th, 2009 at 9:33 pm
Admittedly I only read to the part about plain text password exposed in GET request. In addition to it being plainly visible, this data would be exposed through browser history, router logs and web server logs.
April 29th, 2009 at 12:42 pm
[...] approach towards us, when I then found security holes in their attempt at SaaS, Sage Live, I blogged about it instead of quietly telling [...]
June 15th, 2009 at 10:22 am
Good article. FYI..BEA Aqualogic is now Oracle WebCenter. :-)
August 22nd, 2009 at 8:52 am
[...] would be easy to join in with some cheap shots at Duane Jackson, who after all has previously used security issues with Sage’s entry level Sage Live product to generate free publicity. [...] Dennis Howlett’s invective is entertaining, but ultimately empty. [...]