Let's talk about the "other side" of security.
From what I've seen on these very forums, most companies shouldn't be allowed to be in business never mind write even a single line of code. How many times have we seen people with query requests where the SSN, TIN, Credit Card numbers, and other personal information are stored in clear text? Even storing the "last 4 digits" and someone's birthdate in clear text is a violation, in my eyes. You can do a whole lot of damage with just those two pieces of information if you're dedicated to the art of invasion.
As for "allow shoddy code", that's totally wrong. They INSIST on shoddy code because "it takes too long to do it right".
Enforcement is stupid, as well. I worked for one company that repeatedly failed PCI compliance but they were still allowed 2 whole years to get their act together. My feeling is that such compliance should be achieved and certified by proper authority BEFORE anything hits production. But, NO, that would slow things down too much.
Don't get me started on all of the information, like SSNs, etc., that we have to give up just to get the lights turned on in the house or to procure other simple services. It's ridiculous, and so is the way a whole lot of supposedly reputable companies/hospitals, etc. handle the data.
I guess that qualifies as a "rant", huh?
First step towards the paradigm shift of writing Set Based code: Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair