Security & Protection
Security testing and web development
by Siu Lun on Jul.12, 2009, under Business, Programming, Security & Protection, Web
I can almost guarantee you that most, if not all, web development houses do not perform security testing as part of their service to customers.
The reason is that it would drive up the cost of the site, and that cost is passed on to the customers, which makes their quote less attractive to potential customers.
But to be honest, unless you're building a simple static HTML website, you have to test for security. I know a lot of it actually comes down to the quality of the developers getting it right the first time.
The use of automated scanners is more and more common, but can they be relied upon? No. How would an automated scanner tell a successful $_POST / $_GET request from an unsuccessful one? It can't; it is just programmed to test for the most common methodologies. Therefore they are not reliable.
Security scanners used on e-commerce sites, like McAfee Secure, do help in detecting breaches of security, but they do not prevent them from happening in the first place. They try to, by informing the administrators of potential security issues such as the software versions used on the host, but if it happens, it happens.
A real security audit can only be done by developers who have gone through, or at least know of, hacking methods. Even then, it is not 100% bulletproof. I guess that's why there are companies out there that are basically formed by a group of hackers whose sole job is to attempt to hack everything.
Unfortunately, these people are few and far between.
The only thing we web developers who care can do is quote like the newbies, then advise clients to take on a security audit. There are so many security holes on the web that it is practically a treasure trove for data thieves/pirates.
One common example: a member login/registration form should always use SSL, but the number of websites that don't is phenomenal. This means members' passwords can easily be sniffed by intercepting network traffic.
Another example of the same problem: e-mail. E-mails are sent over the net in plain text unless you have encrypted them, so they can always be intercepted. I have set up PGP, but none of my clients know of it or would be able to handle using it, which means I can't use it.
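The login example above is the one that is cheapest to get right on the developer's side. The following is an added illustration, not code from the original post: a minimal PHP login front-end that refuses to accept credentials over plain HTTP, sends browsers to the HTTPS copy of the form, and marks the session cookie so it is never sent in the clear either. The function names is_https(), require_https_for_credentials() and verify_user() are assumptions made for the example, and the user record inside verify_user() is a constructed sample.

```php
<?php
// Added example (not part of the original post). Assumed helper names:
// is_https(), require_https_for_credentials(), verify_user().

function is_https(): bool
{
    // The web server sets $_SERVER['HTTPS'] to a non-empty value other than
    // "off" when the request arrived over TLS. Behind a reverse proxy the only
    // signal is X-Forwarded-Proto; trust it only if the proxy is known to
    // overwrite any client-supplied copy of that header.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function require_https_for_credentials(): void
{
    if (is_https()) {
        // Tell the browser to use HTTPS for this host from now on (HSTS),
        // so later visits never start with a plain-HTTP request.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        // Fetching the empty form over HTTP is harmless; redirect to HTTPS so
        // the submission itself goes over TLS.
        $url = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $url, true, 301);
        exit;
    }
    // A POST over plain HTTP has already exposed the password to anyone on
    // the path. Do not verify it, and do not echo the submitted fields back.
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Logins are accepted over HTTPS only.\n";
    exit;
}

function verify_user(string $user, string $pass): bool
{
    // Constructed sample user store; real code reads the hash from a database.
    $hashes = ['demo' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return isset($hashes[$user]) && password_verify($pass, $hashes[$user]);
}

require_https_for_credentials();

// The session cookie is only sent over TLS and is hidden from page scripts,
// so after login the session id cannot be sniffed or read by injected script.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (verify_user($user, $pass)) {
        // Fresh session id on login prevents reuse of a pre-login id.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        header('Location: /members/');
        exit;
    }
    // Same message for unknown user and wrong password: do not reveal which.
    $error = 'Invalid username or password.';
}
?>
<!DOCTYPE html>
<form method="post" action="https://<?= htmlspecialchars($_SERVER['HTTP_HOST']) ?>/login.php">
  <?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
  <label>Username <input name="username" autocomplete="username"></label>
  <label>Password <input name="password" type="password" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
```

The important design choice is the 403 on a plain-HTTP POST rather than a redirect: a redirect would make the browser resend the credentials, and the damage (the password crossing the wire in clear) has already happened, so the safest response is to reject it and force the user back to the HTTPS form. The same rule applies to the registration form, which carries the password once more.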
Down with mp3, m4a and aac. Give ogg & flac some noise!!
by Siu Lun on Jul.27, 2008, under Computer, Linux, Mac, Security & Protection, Web, Windows
Ok folks. I know each of us probably has a million or two mp3 files of our favourite music on our hard disks. We can say we've almost taken the mp3 format for granted all these years. A little-known fact to those not in the business, though, is that mp3 is a proprietary format and they are actually charging a hefty sum in royalty payments!
Little do we know that when we podcast with mp3 files, while the sound that comes out of the file is copyrighted by us, the fact that you're using the mp3 format to stream your podcast is enough for you to have to pay for a licence before you use it!
Those in the business know all about this. They also know about an open-source alternative codec that is truly free to use and distribute and free from royalties, called 'Ogg Vorbis'. But for one reason or another, major manufacturers of mp3 players (Apple) are not incorporating support for ogg files in their players!
Many smaller manufacturers of mp3 players, such as iRiver, have been incorporating such features for a while now! Guys, I believe it is time to re-encode all our files into ogg.
Come on, make some noise for ogg! (Flac is a lossless alternative format)
I'm officially switching allegiance to the ogg format. Though my iPod nano has no chance of playing ogg, I'll just have to endure a slight delay when I use iTunes to re-encode ogg into aac for the iPod. No biggie, and at least I know that I'm not paying some tossers who came up with the mp3 file format just to have some sort of patent on it and collect royalties for something that should never have been.
I would like to call on those in the music 'scene' to start releasing files in ogg format!
Later
/rant over
Stop Phorm!
by Siu Lun on Jul.16, 2008, under Security & Protection
http://en.wikipedia.org/wiki/Phorm
If we don't stop them, every web page we visit will be monitored by this advertising agency! We'll get much more spam! AND eventually ISPs and government agencies could spy on what sites we visit!
Keep the net free and anonymous! Sign the petition!