Until security is built-in to all layers of software from the app down to the operating system, DIY IT is at the mercy of the I

Amen! Security and social interface design are (and should be) the number one issues in software design today.

From Handwriting on the Sky - Who Is You? Not Them, That's Who (via Doc Searls' IT Garage):

QUOTE

Back to the issue at hand, though. In "Do It Yourself" IT, who is "Yourself"? The implied "Me" shifts back and forth between IT companies and vendors, but the "You", the "real people" who need to do their work with computers, are hamstrung by mistakes "We" have made. It seems to me that the most serious among these mistakes, the really limiting ones, are related to security. The limiting factor isn't one particular aspect, but both problems and solutions, both perceptions and misconceptions about security and real security issues.

Business technologists need to get serious about security, and start considering attacks against their software in a real way. That means getting security where it counts: in the applications and in the operating system. IT management needs to take drastic action and hold vendors responsible for even potential security problems. There is a tendency to whitewash these things or to put them on the back burner, since when security is not an emergency, it's not a visible problem at all.

Until that climate changes, the user's computer will be a prisoner of IT's fear that it will cause security problems. I don't have any illusions that suddenly everyone will start getting better at security auditing, but the fundamental technologies underlying our infrastructure need to be cleaned up significantly. I'll call out a few by name by way of example - Perl, PHP, and ASP. Every compromised site I've ever seen was using one of those three technologies, and it was a problem at that level or a very bad, but very common idiom that made the sorts of mistakes I've seen easy to make for developers.

I know I plug high level languages a lot, but I don't want to end on a glum note of "and that's how things are". You can improve your code's foundation today, if you just pay attention to security. If you're starting a new project, Lisp, Smalltalk and Python may not be perfect, but applications written with them (and with an eye to security) can set you free, to be You, or Me, and let you define who Yourself is.

UNQUOTE

Leave a comment on github