[tptacek]

That's nice. In reality, the security quality of a typical web application is quite low, especially compared to F500 enterprise standards --- few would survive a pentest. And yet most of them are not hacked in that manner.

Indie developers need to get better at writing software that is secure by default, but they do not need the whole process-driven juggernaut that Microsoft runs internally with things like SWI.

So, I asked because it sounded strange to me that a two-person news-recommendation startup would be spending serious time on security, as opposed to figuring out ways to make money on their property.

[Haskell]

>>And yet most of them are not hacked in that manner

The guys at Wordpress and Jommla beg to disagree.

It depends on how popular it is. If the open source version of Reddit becames as popular as Wordpress, then it certainly would get hacked in that manner.

[tptacek]

Do we have to spend time pointing out the differences between WordPress and indie startups like Backtype, Songkick, and Adpinion? Microsoft spends a lot of time on security too, and I'm not saying they're dumb for doing it.

[Haskell]

You used the word indie at the first comment, but I interpreted it as startup, because this discussion is about startups.

Most startups aren't indies.

For instance, Plentyoffish.com was a ONE person startup not so long ago with revenues of 1MM and 1B pageviews. Just imagine what a news recomendation site with TWO persons would be able to do. :)