Saturday, June 27, 2009

Why attackers love your developers!

Kind Sir

My name is Developer A. I am having a problem with database connectivity to Oracle. I think I am doing everything right, but I am getting an HTTP 500 error with the following details:
(Full Stack trace follows)
The sample of the source code is given here.
(Source Code follows)
The error where it is occurring is at this URL (Organization's url follows)
Please help me out with this as soon as possible. I reeeallly need help!!!
Email me at developerA@organization.com
Yes. This was one of the messages I found while sifting through my Google hacking results while pen-testing a web application the other day. Needless to say, the page with the stack trace was open for me to go and gain a complete understanding of the application and penetrate it. The organization I was pen-testing had gone to great lengths to get secure. They had spent a lot of time, money and resources on getting secure and staying that way. They had gotten a few things wrong, but mostly they were on target. Unfortunately, they had forgotten to explain to their developers that dirty laundry (or in this case confidential laundry) should not be washed in public.

I have seen this with several organizations (mostly in software development) where developers post their queries in Internet forums and get other professionals to look at them and give them some insight into the matter. While there is nothing wrong with this practice, the way it is followed is quite shocking. Developers don't even go through the trouble of hiding the name of the organization they are working for. They advertise their email address and, in several cases, the URL of the page which is problematic and buggy. When posting code snippets or source code, they mostly never remove sensitive details like certain class references or database drivers (sometimes even usernames and passwords to DBs), and last but not least, they use words like "Kind Sir" on an Internet forum (although the last one is not a vulnerability, it is bloody irritating).

I am sure all of you would realize that such information can be extremely useful to anyone looking to break into an application or a site. It would be worth its weight in gold. And, of course, as usual, the only thing you really have to do is "Google it" or "Bing it" (my vendor-agnostic comment for the day).

My advice to organizations for preventing such ignominious disclosures is this:
  • Instruct developers never to post in Internet forums under their own name or with their company credentials, like email addresses, etc.
  • Encourage developers to first find help within the organization. I have seen that several greenhorns tend to be afraid of asking their seniors or project managers any doubts regarding the code, fearing a nasty remark or backlash. Build an environment of openness and encourage questions. Not doing so would result in these juniors asking questions anyway, but of someone you are totally unaware of, who is not bound by confidentiality agreements, etc.
  • If someone really has to post queries on the Internet, make sure that these are approved. Source code should not be posted. Stack traces should not be posted. Questions should be based on peripheral details, and no sensitive information should be posted. Words like "Kind sir" should definitely be filtered out of posts ;)
  • Have your risk folks scour the Internet regularly, checking for violations, and take action against people violating these instructions.
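As an added example (not from the original post), here is a small Python pre-posting check for the kinds of leakage described above: it flags Java stack-trace frames, database driver classes, JDBC credentials and the organization's own e-mail addresses and URLs in a draft, and redacts them so that only the peripheral detail (the exception message) is left to ask about. The organization domain, the draft text and every name and value in it are constructed placeholders.

```python
import re

# Pre-posting check for the leakage the post describes. ORG_DOMAIN and SAMPLE_DRAFT are constructed placeholders.
ORG_DOMAIN = "example.com"
STYLE_ONLY = {"kind_sir"}  # flagged, but does not block the post

def build_checks(org_domain):
    d = re.escape(org_domain)
    return {
        # "at pkg.Class.method(Class.java:123)" frames expose the internal package layout
        "stack_trace": re.compile(r"^[ \t]*at [\w$.]+\([\w$]+\.java:\d+\)", re.M),
        "org_email": re.compile(rf"\b[\w.+-]+@(?:[\w-]+\.)*{d}\b", re.I),
        "org_url": re.compile(rf'https?://(?:[\w-]+\.)*{d}[^\s"]*', re.I),
        "db_driver": re.compile(r"\b(?:oracle\.jdbc|com\.mysql\.jdbc|org\.postgresql)(?:\.\w+)*Driver\b"),
        # getConnection(url, user, password) or a password= parameter inside a JDBC URL
        "db_credentials": re.compile(
            r'getConnection\(\s*"jdbc:[^"]*"\s*,\s*"[^"]+"\s*,\s*"[^"]+"\s*\)'
            r'|jdbc:[^\s"]*(?:password|pwd)=[^\s"&;]+', re.I),
        "kind_sir": re.compile(r"\bkind sir\b", re.I),  # not a vulnerability, but the post asks for it to go
    }

def find_disclosures(text, org_domain=ORG_DOMAIN):
    """Return (check, line_number, matched_text) for every hit in a draft post."""
    findings = []
    for name, pat in build_checks(org_domain).items():
        for m in pat.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((name, line_no, m.group(0).strip()))
    return findings

def is_safe_to_post(text, org_domain=ORG_DOMAIN):
    return all(f[0] in STYLE_ONLY for f in find_disclosures(text, org_domain))

def redact(text, org_domain=ORG_DOMAIN):
    # Replace sensitive hits with placeholders; the exception message itself survives.
    for name, pat in build_checks(org_domain).items():
        if name not in STYLE_ONLY:
            text = pat.sub(f"[REDACTED:{name}]", text)
    return text

# Constructed draft in the shape of the post the author found (all values fictitious).
SAMPLE_DRAFT = """\
Kind Sir,
java.sql.SQLException: ORA-01017: invalid username/password; logon denied
    at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
    at com.example.billing.dao.InvoiceDao.connect(InvoiceDao.java:58)
    Class.forName("oracle.jdbc.driver.OracleDriver");
    conn = DriverManager.getConnection("jdbc:oracle:thin:@db1.example.com:1521:PROD", "billing_app", "Summer2009!");
The page is http://intranet.example.com/billing/invoice.do
Email me at developerA@example.com
"""
```

Running `find_disclosures(SAMPLE_DRAFT)` lists seven hits, and `redact(SAMPLE_DRAFT)` leaves a draft that still says which Oracle error occurred but names no host, class, credential or address.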


Disclaimer

The views presented in this blog are entirely mine and are not those of my company.

© Abhay Bhargav 2010