As a journalistic organisation, it’s safe to assume that the NZ Herald places utmost importance on the security of their sources, content and intellectual property. So when embarking upon the implementation of an online pay-wall solution to deliver content to viewers, it’s fair to assume the task would be led with a security first approach. One might also assume that a rigorous quality assurance (QA) program, involving dynamic and static code testing might ensue with perhaps the addition of a penetration test for good measure to prove requirement goals.

Unfortunately for the NZ Herald, it appears this may not have been the case.
As I write this article, visitors to the NZ Herald website are able to highlight text to choose inspect and are rewarded with full access to html code, whereupon a simple change of class activation from ‘premium-content’ to ‘full-content’ provides them with unhindered access through the paywall.

Anyone spot the problem? If the NZ Herald is serious about content driven revenue, then this certainly is not helping achieve those revenue goals and seriously impacts their ability to grow as an organisation.

Why is this an important case study for NZ businesses? It emphasises the importance of ‘security requirement specification’ prior to embarking upon IT projects. Web development specifically requires security considerations to be mapped out before a project commences. Had the NZ Herald fully mapped the project to include QA, the programming oversight would never have made it through to ‘go-live.’

If an organisation like the NZ Herald fails to protect its content, then we must all potentially question the safety of our own content and how a security failure may impact our own businesses.