by icanblogshitz
4166 days ago
There was a submission briefly on the front page here where someone was proclaiming security by not using c/c++ for projects, yet, they left their blog comments and site wide open for some idiots who have already tried to post silly comments with JS popups. I guess maybe we need people to use static sites, like trainer wheels on bikes, until they become more security concious.

Becoming "security concious"[sic] doesn't mean outgrowing best practices. If Bruce Schneier used "password" as his password, he wouldn't avoid getting attacked just because he knew it was a bad practice. Likewise, understanding the tradeoffs between static and dynamic Web sites doesn't make someone's dynamic site secure.
As the article points out, even a locked-down, well-tuned dynamic site with CAPTCHA-protected registration forms is orders of magnitude easier to bring down with DDoS attacks, since dynamic sites must perform more work per request, e.g. to render "Hello CaptchaFarmUser99999" at the top of the page. If they don't need to perform more work per request, since all pages are always fully cached, then you've just re-invented static sites :)