I would be for my readers indulgence, but here is an other philosophical post. Recently I had the chance to try to teach somebody
make dynamic websites and I realized that you must know an awful lot to do this. Just to enumerate a couple of things:
- CSS – which is by no means an easy task by itself, but you must also know the different browser quircks
- Some server side programming language (PHP for example)
- Databases and SQL
- Webservers (like Apache) and at least some knowledge on how to configure them
- HTTP (including headers, encoding, cookies and how they can be used to create the illusion of a session)
So there you have eight different technologies, including two different programming languages. And I didn’t even include things like a graphics editor, Flash, Silverlight or knowing how licenses work (what you can and can’t take, where you must give credit and so on).
To give all this a security angle: it is not hard to see that you must be somewhat of a fanatic to know all this, yet alone know them at a level where you’ve wrapped your head around all the security implications (RFI, XSS, SQL injection, CSRF, …). An other aspect of the problem is that clients don’t necessarily know how to judge the quality of work (other than
it looks good and
how much does it costs), which first of all makes it possible for a group of people to do this who don’t know the security best practices. (You can hear a good discussion about a similar problem on the Scope Creep and Other Villains talk from the 2008 SXSW conference, where the presenter talks towards the about how you must educate your clients about the difference between you and your competitors, to avoid turning it into a price war.)
With all this circumstances, it is very plausible that Mass Hacks Likely to Hang Around for a While. I wish I could say something encouraging, but this just has to be a depressing post I guess.