[Spearchucker]

Because security is not easy. Often when I ask these questions the responses range from not being worth bothering with because we still shop at Target, even though they've been hit, to just dealing with a breach after the fact, rather than being a little more proactive about it.

E.g. https://news.ycombinator.com/item?id=7920558

Like I said, security is hard. Microsoft is the only large corporate I know of with a published security development lifecycle, and while it's starting to benefit their products they're still not getting it 100% either. Security is also contentious, because doing it right means forsaking the idea of an MVP. It also requires design up front. And experience. These sorts of things are not exactly aligned with the hacker mindset, nor with startup culture.

[thegeomaster]

Of course real, rock-hard security is hard to get right.

But it seems to me that the issue here is that some common sense security measure wasn't employed. The author didn't even think about what APIs he/she exposed. That's very different (and more irresponsible) than not designing a competitive and solid security system up front.

[0xeeeeeeee]

Absolutely security is hard...and it's also not what `Yo' is really worried about. If they have to worry about security, then they already hit it big and they can just fix the issue ex post leako.

[krapp]

On the one hand, 'Yo' was created in a day. Though maybe the author should've spent say a week on it.

On the other, it's been proven possible to ignore or botch security until you have to make a minor show of apologizing for it, without fear of consequence, if you've already gotten enough traction. Unfortunately, this only seems to prove to businesses that security is a fruitless endeavor, and a waste of effort better spent making sure the UI is shinier. On the third, i've had to explain to people and their startups that SQL injection and XSS even exists, much less that it's a problem worth dealing with now so there might also be an education issue.

I think the answer would probably be more things which are secure out of the box. In particular, frameworks and the languages themselves (I'm looking at you PHP) which interface with the web should default to secure as much as possible.