Siu Lun

Programming

Security testing and web development

by Siu Lun on Jul.12, 2009, under Business, Programming, Security & Protection, Web

I can almost guarantee you that most, if not all, web development houses do not perform security testing as part of the service they offer to customers.

The reason is that this would drive the cost of the site up, and that cost is passed on to the customers. It would make their quote less attractive to potential customers.

But to be honest, unless you’re doing a simple HTML-based website, you have to test for security. I know, a lot of it actually comes down to the quality of the developers getting it right the first time.

The use of automated scanners is more and more common, but can they be relied upon? No. How would an automated scanner tell a successful $_POST / $_GET request from an unsuccessful one? It can’t; scanners are just programmed to run tests based on the most common methodologies. Therefore they’re not reliable on their own.

Security scanners used on e-commerce sites, such as McAfee Secure, do help in detecting breaches of security, but they do not prevent them from happening in the first place. They try to, by informing the administrators of potential security issues with the software versions etc. used on the host, but if a breach happens, it happens.

A real security audit can only be done by developers who have themselves gone through, or at least know of, hacking methods. Even then, it is not 100% bulletproof. I guess that’s why there are companies out there that are basically formed by a group of hackers whose sole job is to attempt to hack everything.

These people, unfortunately, are few and far between.

The only thing that we web developers who care can do is quote like the newbies, then advise clients to take on a security audit. There are so many security holes on the web. It’s practically a treasure trove for data thieves/pirates.

One common example: a members’ login/registration page should always use SSL, but the number of websites that don’t do that is phenomenal. This means members’ passwords can easily be sniffed by intercepting network traffic.
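As an added illustration of the login-over-SSL point (this is example code, not from the original post or any particular project), a PHP login handler that refuses to touch submitted credentials unless the request arrived over TLS, and that only issues session cookies the browser will send over HTTPS. It assumes a hypothetical `check_credentials()` function and the canonical site host `SITE_HOST`; both are placeholders.

```php
<?php
// login.php: never process a password that was sent over plain HTTP.
// Example code, not from the original post. check_credentials() and
// SITE_HOST are assumed/hypothetical.

const SITE_HOST = 'www.example.com'; // placeholder canonical host

function request_is_https(): bool {
    // Most SAPIs set $_SERVER['HTTPS'] to a non-empty value (other than 'off')
    // on TLS connections. Behind a TLS-terminating proxy, check the header
    // your proxy sets instead, and only trust it from that proxy.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

if (!request_is_https()) {
    // A password POSTed here has already crossed the wire in the clear;
    // do not read $_POST at all, just bounce the browser to the HTTPS form.
    // Using a 303 forces a GET, so the credentials are not replayed over HTTP.
    header('Location: https://' . SITE_HOST . '/login.php', true, 303);
    exit;
}

// Ask the browser to use HTTPS for this host from now on (one year).
header('Strict-Transport-Security: max-age=31536000');

// Session cookie: only over HTTPS, not readable by JavaScript.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (check_credentials($user, $pass)) {   // hypothetical helper
        session_regenerate_id(true);          // new session id after login
        $_SESSION['user'] = $user;
        header('Location: /members/', true, 303);
        exit;
    }
    $error = 'Invalid login';
}
// ... render the login form (and $error) over HTTPS below.
```

The redirect only limits the damage; the form itself must also be served over HTTPS so the browser never posts to a plain-HTTP action in the first place.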

Another example of the same problem: e-mails. E-mails are sent over the net in plain text unless you’ve encrypted them, so they can always be intercepted. I have set up PGP, but none of my clients know of it or would be able to handle using it, which means I can’t use it.


WordPress themes have to be licensed under the GPL

by Siu Lun on Jul.05, 2009, under Programming, Web

Direct from Heist Online… or actually from the WordPress news as well:

WordPress themes must be GPL

A reason not to use WordPress for commercial projects.

Yes, the artwork does not need to be GPLed, but all your HTML layouts along with any custom PHP will need to be GPLed.

I’m sure a lot of people have broken this license already, but hey… when it comes down to it. You’re still in breach.

Oh, actually: I just read that you can license your CSS under another license… well, I guess at least your layout should be safe then. But not your PHP code =]

So now I can ask some big names who use WordPress to give me their themes? :)


China likes sources

by Siu Lun on Jun.25, 2009, under Computer, Programming

http://www.sourcewire.com/releases/rel_display.php?relid=LEmmQ

Clearly, they didn’t think about the Chinese, particularly those within the mainland, who simply want to cut and paste code into their own apps.

What was that news recently…?

Quick search on Google: http://government.zdnet.com/?p=4961
