December 14, 2001

Roll your own nightmare
Do-it-yourself works for minor home repairs, but not for ecommerce security. Even if you have a huge brand, lots of money, cool software, and hire some "smart people", you're still likely to make the same stupid-as-heck mistakes everyone else makes.
Tip 1: Good hackers know way more about security than all your "smart people".
Tip 2: SSL is not security. It encrypts the connection between the browser and your server; it says nothing about what the application on either end does with the data once it arrives.
Tip 3: Your systems have tons of holes in them.

Security audits, usability tests, heuristic evaluations, and eXtreme Programming (XP) are all based on the same principle: a second set of eyes catches what the first one missed. Sometimes you need experts or hired guns to sleep comfortably at night. My own experience with security audits of transactional systems is that they help you find all kinds of potential problems. Just the process of walking someone through the application architecture and design is very valuable.
