The main reason for this kind of thing is simple: the people setting the priorities and development schedules at most web sites don't even know what security is. They think security is a checkmark on an application server feature list, not an ongoing struggle requiring diligence from all programmers.
In my experience, when it comes to QA there will be 50 bug reports about that broken spacer GIF you forgot to copy over to the web server but zero mention of things like session hijacking, cross-site scripting, etc. The only exception to this was when I worked at a site that had been attacked before, and people took it seriously enough to hire an outside security consultant for an audit when a new system went on-line.
The other problem, of course, is programmers who don't know or don't care about security. There are lots of people employed building web sites who have a very rudimentary knowledge of what they're doing, and this is true on any of the popular development platforms. I often talk to Java programmers who don't actually understand the HTTP model or even the basics of how forms work. They've been working with toolkits that abstract it all for them.
Ultimately, I suspect most companies will not be secure until after they have been attacked. The majority of web sites out there are ripe for exploits to anyone who actually cares to break them. Of course a single PC on a good link could take down about 99% of them just by running http_load on the right URL...