[nycphp-talk] talk Digest, Vol 40, Issue 20
Anirudh Zala
arzala at gmail.com
Fri Sep 15 01:01:12 EDT 2006
On Fri, 15 Sep 2006 02:26:23 +0530, inforequest <1j0lkq002 at sneakemail.com>
wrote:
> David Krings ramons-at-gmx.net |nyphp dev/internal group use| wrote:
>
>> What freaks me out is when I can simply dismantle a page for a for-profit
>> business by entering "O'Neill"
>> into some text box.
>>
> Haha great example (for me anyway).
>
> That's not a developer problem in many cases, though. It's a management
> problem (or, if the budget and time frame are from Mars, a specifications
> problem). Somebody has to be watching the code for functionality,
> especially when inexperienced coders are used or coders who are
> inexperienced at the niche area. That can be a QA team or a manager or a
> test group... but it needs a codified process. Hoping the programmer is
> smart enough to handle most situations is a mistake IMHO. How could you
> ever put pressure on that coder to increase production? Whatever is in
> the shadows will get skipped due to (unsupervised) prioritization.
Yes. A team made of experienced developers can solve most of the problems
related to security that other developers could not solve or did not pay
attention to (perhaps because of their level of knowledge).
>
> As for this bigger issue (thanks Michael for bringing it to the list)
> has anybody considered how competition enforces the rules of play? Not
> too many people... yet in sectors where it matters, these issues are
> addressed. In other sectors where it is ignored, the issue of security
> is addressed when it appears to be a problem. It's fine to address
> professional PHP coders about a broken web (they have an interest in
> building a system of professional development and integrity for PHP in
> the world... a commercial interest ;-) but don't bother preaching it to
> businesses until there is a financial incentive or reward. And that
> financial reward has to be not only big enough to cover the added costs,
> but to earn a profit on it as well.
>
> Plenty of people point a finger at "stupid clients" for not
> accommodating the security issues. I disagree. This one is squarely in
> PHP developer land. If you want PHP to survive and deliver, you need (as
> a community) to find a way to get it secure without the client paying a
> line-item premium for it.
Yes, true. It is also a sign of a good developer.
>
> -=john andrews
>
--
-----------------------------------------------
Anirudh Zala (Project Manager)
ASPL, http://www.aspl.in
arzala at gmail.com
-----------------------------------------------
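Worked example of the "O'Neill" failure David mentions above, added here as an illustration and not code posted by anyone on the list. Python with the bundled sqlite3 module stands in for a PHP/MySQL page; the users table and its two rows are constructed inline so it runs offline. It goes one step past the original complaint: the same concatenated query that breaks on an apostrophe also returns every row when fed the classic `' OR '1'='1` payload, while the parameterised version treats both inputs as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with one name that
    contains an apostrophe. Not a real application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("O'Neill",), ("Smith",)])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """The pattern the thread complains about: the text box value is pasted
    straight into the SQL string. An apostrophe in the input ends the
    string literal early, so the rest of the input becomes SQL syntax."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Parameterised (prepared) query: the value travels separately from
    the statement text, so an apostrophe is data, never syntax."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def run_concat(conn, name):
    """Run the vulnerable lookup and report either its rows or the error
    text, so the two failure modes can be compared side by side."""
    try:
        return lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def demo():
    """Return the outcome of each query style for an innocent name with an
    apostrophe and for a deliberate injection payload."""
    conn = make_db()
    return {
        "concat_oneill": run_concat(conn, "O'Neill"),
        "param_oneill": lookup_param(conn, "O'Neill"),
        "concat_payload": run_concat(conn, "' OR '1'='1"),
        "param_payload": lookup_param(conn, "' OR '1'='1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In PHP the equivalent of lookup_param is a prepared statement through PDO or mysqli with bound parameters; escaping the apostrophe by hand (addslashes and friends) is the fragile route that produced the "O'Neill breaks the page" symptom in the first place.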