@RandomMrAdam – I completely disagree.
I understand password storage, encryption, and the options available. I understand SQL injection, how it works, how to execute it, and how to stop it.
It’s not lack of knowledge, it’s experience and an understanding that those problems probably came into play either through one person (of a team of hundreds) not understanding, or due to outside requirements on the project.
Even though I understand both, I’ve been guilty of making both mistakes; a quick run-through of how they’ve happened to me, even though I know better:
First, unencrypted passwords. One project I worked on got two early complaints from customers that the registration form wasn’t allowing them to register even though they had it filled out perfectly. I wasn’t able to recreate the problem, so I wrote a quick piece of code that stored the entries from the registration form any time there was an error. That way we could go back and see what troubles people were having.
Only after going through the results did I realize we were storing passwords in plain text. Not because of a lack of understanding, but because we were trying to be proactive and fix a problem.
Second, SQL Injection. I’ve probably been guilty of this many times for quick internal tools that were never meant to see the public. Sony could have a tool internally, a developer’s tool, or even just a quick piece of code to run reports. You’re not thinking that Mary from accounting is going to try SQL injection on your code, so you put it together without cleaning the input on the one field she has access to. You’ve just introduced a security vulnerability if anyone ever gets access to that.
Network security is constantly evolving to combat new tricks, vulnerabilities, and hacks. You can’t always review all code each time one is found, and unfortunately it leads to problems, especially when you have hundreds of online “properties” like Sony does. Once someone is “inside”, any small lapse you’ve made ANYWHERE can expose the whole system.
@johnpowell mentions blog software specifically and I believe he’s using WordPress if I remember right. Even with a team of badasses and constant public review of the code by thousands of developers who make their money with the software, it still has security vulnerabilities from time to time.
They know people will try, they do their best to secure the system, they have constant review by thousands of knowledgeable users, and they STILL get hacked. In this case I’d argue they have better resources than Sony and it shows the scope of the problem.
WordPress actually has a very realistic look at security called Hardening WordPress; it goes through the number of concerns you look at when trying to secure your site.
The first line from that primer is:
Security is an interesting topic, with a lot of shades of gray. WordPress developers take security very seriously, but as with any other system, there are potential security issues that may arise and there are always trade offs when balancing security and convenience.
Couldn’t say it any better.