The guys at Sony might disagree with you. How to secure a network or a mainframe was known in the 1970s, but who needs to know all that legacy systems crap, right? Ooh, look, new JS framework!!
I think the Sony issues illustrate platz's point "There is very little all programmers should be required to have in common. The field is just that big now." In a company like Sony you need some guys that specialise in security and prevention of hacking, and some that specialise in other stuff.
Umm, no, not really, it has to be baked into everything you do, even the most junior programmer working on a website has to know e.g. about SQL injection.
No, you can't just have "some guys that specialize in security". That's exactly why 99%+ of software is full of obvious security holes. 99%+ of developers don't know anything about or care anything about security. Security is a process, not a product, remember? Everyone has to be actively part of it all the time. You don't churn out buggy exploitable software and then expect some "security experts" to somehow magically make it secure.
I see your point but if 99%+ of developers are rubbish at security what are you going to do about it?
a) Hope they suddenly improve, which is probably not going to happen
b) Accept they have limits and encourage them to use systems and frameworks that are hard to screw up on, written by people who are good at security?
I note in the Sony hack the only computers that survived basically intact were Macs, not I guess because their owners understood security but because they were well designed and idiot friendly.
They don't have to suddenly improve, they can learn and improve at a normal pace. Yes, of course they should not use PHP. But simply having them use languages, libraries and frameworks that are written by people who get security won't stop them from writing insecure applications to put into production. They still need to learn to write secure code too.
Wow, this is utterly worthless, if not harmful, advice. There is no correlation between choosing PHP for an application and the security of said application. PHP apps are so widely deployed that securing them is a pretty well-known process at this point.
Yeah, the constant stream of security holes in PHP because the developers are so bad they actually chased away the only person they had who cared about security is nothing to worry about. You can just dip your app in some magic security sauce and everything will be fine.