JMH (Moderator, News & Information, BSOD Kernel Dump Analyst, Contributor) | Joined Apr 2, 2012 | Posts 7,197
Jan 18, 2013 | #1

I write a lot about website security. Sometimes I’ll publicly point out flaws in software, but there are many, many other times where it remains a private conversation for various reasons. The one common thread across most of these incidents is that as developers, we often make bad security design decisions. It’s us – the organic matter in the software development process – that despite the best of intentions make bad choices that introduce serious risks.

My belief – and one of the key reasons I so frequently write publicly about security – is that the best way to combat risks in software is to educate developers. All the security scans and penetration tests in the world won’t help when it can take just a single line of bad code or a solitary configuration setting made by the developer to bring everything undone. Of course it’s frequently much more than just one mistake too. Ultimately, dear developer friends, it’s “us” that build mechanisms such as the one behind Tesco’s password recovery system:

Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

Troy Hunt: The problem with website security is us!
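The Tesco quote describes a password store from which the site can recover the original password on demand, which means it is reversible by design, whatever "secure" is taken to mean. The following is an added example, written for this thread and not code from Troy Hunt, Tesco, or the linked article: it puts the flawed pattern (reversible encryption so a "reminder" mail can contain the password) beside the design a reset flow should use (salted one-way PBKDF2 hash plus a single-use, expiring reset token). The class names, the sample account, the HMAC-counter keystream standing in for "any reversible cipher", and the token TTL are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

# Constructed sample credentials for the demonstration (not a real account).
SAMPLE_USER = "alice@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for any reversible cipher (assumption)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ReminderStore:
    """The flawed design in the quote: 'stored securely' but reversible, so the site
    (and anyone holding the database plus the key) can turn every password back into plain text."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        nonce = os.urandom(16)
        self._users[user] = (nonce, _xor_keystream(self._key, nonce, password.encode()))

    def remind(self, user: str) -> str:
        """Body of the 'password reminder' mail: the original password, recovered on demand."""
        nonce, ciphertext = self._users[user]
        return _xor_keystream(self._key, nonce, ciphertext).decode()


class ResetStore:
    """Hardened design: salted one-way PBKDF2 hashes, recovery via a single-use, expiring token.
    No code path in this class can produce the original password."""

    PBKDF2_ROUNDS = 200_000
    TOKEN_TTL_SECONDS = 15 * 60  # assumed policy for the example

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self._tokens: Dict[bytes, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ResetStore.PBKDF2_ROUNDS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))

    def stored_record(self, user: str) -> bytes:
        """What a database leak would expose: salt and hash only."""
        salt, digest = self._users[user]
        return salt + digest

    def issue_reset_token(self, user: str, now: float) -> str:
        """What the recovery mail carries instead of a password. Only the token's hash is kept."""
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).digest()] = (user, now + self.TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, new_password: str, now: float) -> bool:
        """Consumes the token (single use), rejects it if expired, then sets a new hash."""
        entry = self._tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False
        user, expiry = entry
        if now > expiry:
            return False
        self.register(user, new_password)
        return True


def demo() -> Tuple[str, bool, bool, bool]:
    """Runs both stores on the sample; returns (reminder_body, verify_ok, first_redeem, replay_redeem)."""
    flawed = ReminderStore(os.urandom(32))
    flawed.register(SAMPLE_USER, SAMPLE_PASSWORD)
    reminder_body = flawed.remind(SAMPLE_USER)  # the plain-text password, ready to be mailed

    hardened = ResetStore()
    hardened.register(SAMPLE_USER, SAMPLE_PASSWORD)
    verify_ok = hardened.verify(SAMPLE_USER, SAMPLE_PASSWORD)
    token = hardened.issue_reset_token(SAMPLE_USER, now=1000.0)
    first = hardened.redeem(token, "a new password", now=1010.0)
    replay = hardened.redeem(token, "attacker-chosen", now=1011.0)  # same token again
    return reminder_body, verify_ok, first, replay


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that `ReminderStore.remind` exists at all: if a mail can contain the password, the storage is reversible and a database-plus-key compromise yields every password in clear. In `ResetStore` the stored record is a salt and a PBKDF2 digest, a leaked token is useless once redeemed or after its TTL, and the only thing the site can ever send is a token, never a password.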