[lincolnq]

Security is a high priority for us (2 people). We are careful to write secure code, and we discuss security specifically and do code reviews for any risky parts. This process isn't formalized, but we don't just trust ourselves -- we also expect each other to find any problems we've missed. This doesn't seem to fit into any of your responses.

(If you're going to make a poll, I would recommend choosing answers which don't presuppose so much)

[Haskell]

You can interpret formal process as systematic process.

The logic for each answer is this:

Answer 2. If you claim to care about security, you should understand the security implications of what you are doing and you are an expert. You can take care of it on your own.

A 1. If you care about security and you aren't an expert, then you don't really understand all security implications of what you are doing and should be basing your judgment on the recommendations of those that do using a systematic process created by experts. You don't need to hire a consultant to do it. You can just buy a few books or read it for free in the Internet.

A 3. If you care about secure software but aren't an expert nor use a systematic process created by experts, then you aren't checking all security implications of what you are doing, but instead checking only for a few generally know flaws.

A 4, 5, 6. You don't understand the security implications of what you are doing and refuses to take the recommendations of those that do.

[tptacek]

Why would you spend a lot of time writing secure code for a news recommendation site?

[Haskell]

That is why I have placed that introduction.

If this news recommendation site is being constantly hacked to the point in which it has more malware than a porn site, then the developer should consider making it more secure. Otherwise users would not visit it anymore, unless the owner starts to place some hot picures to serve together with the exploits.

[tptacek]

That's nice. In reality, the security quality of a typical web application is quite low, especially compared to F500 enterprise standards --- few would survive a pentest. And yet most of them are not hacked in that manner.

Indie developers need to get better at writing software that is secure by default, but they do not need the whole process-driven juggernaut that Microsoft runs internally with things like SWI.

So, I asked because it sounded strange to me that a two-person news-recommendation startup would be spending serious time on security, as opposed to figuring out ways to make money on their property.

[Haskell]

>>And yet most of them are not hacked in that manner

The guys at Wordpress and Jommla beg to disagree.

It depends on how popular it is. If the open source version of Reddit becames as popular as Wordpress, then it certainly would get hacked in that manner.

[tptacek]

Do we have to spend time pointing out the differences between WordPress and indie startups like Backtype, Songkick, and Adpinion? Microsoft spends a lot of time on security too, and I'm not saying they're dumb for doing it.

[Haskell]

You used the word indie at the first comment, but I interpreted it as startup, because this discussion is about startups.

Most startups aren't indies.

For instance, Plentyoffish.com was a ONE person startup not so long ago with revenues of 1MM and 1B pageviews. Just imagine what a news recomendation site with TWO persons would be able to do. :)