by orenlindsey 884 days ago
So crazy that things like this still happen in production. I mean, maybe I have survivorship bias (we never hear about the companies that don't have security flaws, or the hundreds of APIs that are completely secure), but it should be super easy to make a site that is secure. Even I know how to do it. It shouldn't be that hard to find people who know how to make secure sites.
3 comments

You are either young or don't know any better. All major companies have bug bounty programs and consistently, every few weeks, pay out CRITICAL-level bounties, as in an attacker managed to get full server access, access to any account, etc. Security breaches are just a matter of time. Who is to blame is debatable, since being a criminal and breaking into and stealing from a business (digital or physical) is against the law.
The sad fact is that the law in most countries is so toothless (and the law enforcement agencies so far behind) that the legal penalties are mostly just academic.

Bug bounties (and proper education + screening processes for developers) are the most effective way for businesses to prevent security breaches - relying on legal recourse is more of a “shutting the stable door after the horse has bolted” sort of approach.

> Who is to blame is debatable, since being a criminal and breaking and stealing

Not debatable at all - if you get mugged, it’s the criminal’s fault.

But if you trust your money to a bank, they leave the safe unlocked, and your money is gone, it’s their fault. That’s literally the whole point of a bank.

Same with your data - when it’s stolen, it’s usually the company’s fault - after all, if there is no security, sooner or later it will happen.

> it should be super easy to make a site that is secure.

A "site" that's a static webpage? Sure.

A full application that just happens to use HTTP as one of its interfaces? More difficult than you'd think.

I am so with you. I should be the lowest common denominator when it comes to security - I am what in my head qualifies as a novice. But I notice basic flaws at almost every company I work for. Absolutely baffled how this keeps happening.