@warrengroom
Yeah, I agree, any good site can't have just 1; they have to have both IMO.
@mrleesimpson
I would check it out, Mr Lee, and thanks for posting, but TBH it goes against my ethics of being independent and not relying on someone else's code.
Gmail had a vulnerability the other month, floating around the hacker network, so the argument about the best programmers in the world is quite a moot point. Some of the best programmers in the world are hackers, and that is why big companies give 6-figure salaries to their security programmers, more than their standard programmers I may add.
I mean, in 2000 Amazon, Yahoo! and one other big 1 were brought down by a 16-year-old Canadian for almost 2 hours one Monday morning.
Bear in mind, if Amazon goes down for an hour they lose around $10,000 US.
I would say that all 3 had the best programmers at the time, but were brought down by the worst Denial of Service (DOS) attack ever, carried out by 1 teenager because his friend dared him.
Granted, security is a lot tighter now, but a serious DOS attack carried out by a dedicated attacker is still really hard to protect against. Not impossible, but it takes someone who really knows their security coding to be 100% protected, which most people don't.
I have 4 security books, just on PHP, all of which go into different areas of security, and very rarely do they overlap in any major way.
I then have a nice 800 page book on securing Apache.
A programmer does what, 3 years at UNI, with what, 6 languages?
I would say Ning has pretty good programmers, but I've reported 2 major, and when I say major I mean forget DOS attacks, anyone who knows any decent level of code can exploit it. One got fixed to an alright standard, not great; the other, which is a 5-min job and then an upgrade, hasn't.
So relying on the fact that someone else is going to secure the code is, to be honest, a bit naive IMO.
I was hacked about 2 years ago when I first started, hence my large knowledge of security protocols and penetration testing. The hack took my home page down for 3 days; a pretty simple attack in the end, it meant that the malicious hacker put a white div up covering all the page.
Security is only briefly touched on at UNI; according to PCPro I think, you can actually get a security degree covering 3 years. Now, as most people are not taught to code properly, security wise, or at least not taught the benefits of coding securely, it's an area I would not trust to open source.
Take Ning for example: even though I have reported it to the site owner, who has reported it to them, and I also went to Ning about it myself, it still hasn't been fixed, and that was 4 months ago. You would be seriously scared if you knew what could be achieved via that exploit.
I'm going to stop short of giving details, as then it would be obvious, and I'm a white hat hacker/penetration tester so ethics stop me, but it does reinforce my point that you shouldn't trust security matters just because they may have half-decent coders.
Also, that means that argument relies on the fact that the site owner patches to the latest version. If they don't, then they are fair game to any malicious hacker TBH, and most people don't update. Why? It's time consuming, and there's a lack of understanding of the security reasons behind updating, that and the "it won't happen to me" mentality.
A lack of knowledge of financial services and the fact that the banks apparently knew what they were doing got the whole world in this financial mess. Coding should be done by hand IMO to avoid any issues.
But that is just my opinion, and I do respect yours.
Jaz