Not only is security not layered in from the start, and it's not taught to folks, I think there is a set of developers who don't think it's as important as it is. This is probably due to lack of training, because I don't think folks want to do a bad job, if they KNOW they are doing a bad job.

I view CGI security like nutrition education related to health care in the US. If everyone were taught it and understood it, from the very beginning, many problems would be avoided.

I did a code review for a woman who built a formmail.pl like script. She accepted "to" addresses straight from submitted form elements with no "validity" checking (like making sure only certain addresses could be mailed to, or better yet, taking email addresses right off the page and integrating them into her app), making her script (which she distributes on her website, BTW) ripe for hijacking by spammers. When I pointed this out to her, her response was "No one is going to bother to figure it out. Besides, I want my scripts to be usable by average humans."

Her point being that security by obscurity was enough, and that "security" ne "usability". My reply back was if you're doing something, you should do it RIGHT, and not protecting your users is a BAD THING. At least give them the option to have a secure script. If someone is going to install a freakin' script, they can make a list of valid email addresses (or maybe they shouldn't be using CGI scripts. . .) Anyway, she wanted to work collaboratively on a project with me. . .I think I'll pass on this one.

-Any sufficiently advanced technology is
indistinguishable from doubletalk.