The International Journal of Newspaper Technology


September 2001

with Hays Goodman

Web security: Better safe than sorry


Internet security has been getting a lot of attention lately, and I think it’s a positive development.

For far too long, managers were taking a dangerous path and assuming that their information systems staff was aware of the issue, and was always taking appropriate steps to address it. Often, nothing was further from the truth.

Web developers, who are often under tight time deadlines and pressure to perform, take shortcuts all the time — more anxious to get applications up and running than making security the top priority.

“I’ll get the application up and running, then build in the security features later,” is a common way of thinking. However, that time sometimes never materializes: the developer is off doing a new project, or consulting for a completely different firm, and the threads are left dangling, never to be sewn up.

Managers sometimes think that by buying a large-scale commercial application they have bypassed these issues, and they feel safer. This is far from the truth.

The recent case of PDG Software Inc. brings this issue to the forefront. If you haven’t heard about this case, here’s a brief synopsis: PDG has an e-commerce application that is widely used throughout a variety of industries, the so-called “shopping cart” where a Web user adds items to a virtual cart, the totals are automatically calculated including shipping, then the user can check out, and their order is put in the pipeline. The transaction includes gathering a user’s credit-card information, the most sensitive part of the process.

About six months ago it was revealed that by typing in a specific but simple URL, a random user could access this critical information about customers in their Web browser, viewing orders that had been placed and were awaiting fulfillment, including credit card data in unencrypted form.

Almost immediately, the company developed a repair patch that sealed the intrusion. PDG contacted the FBI and sent two e-mails describing the urgency of the problem to every customer who had purchased the software. The problem is, how do you go about notifying everybody who has bought the software package, since many people bought it through resellers, not directly from the company?

Messages were posted to many security sites, the FBI put a notice on their Web site, and still many, many system administrators never got the message. Small Web sites that do online commerce may not even employ a full-time system administrator; a consultant or freelancer may come in to set up the shopping cart system, and then never be contacted again.

In this case, people got hurt. We may never know the full extent of it, but MSNBC and others have extensively published stories of people who had their credit reports ruined and their cards charged to the max, specifically by this oversight in this one application. Who’s to blame? Surely, there’s plenty of that to go around, in this case. But it highlights the difficulty system administrators and managers face. Often they buy software from the giants thinking they are being smart and avoiding security issues, only to find that their 22-year-old cousin in his third year of college writes more secure code than the majors.

How many weeks go by without Microsoft releasing security patches for their Web servers and mail applications? I’m not picking on Microsoft. I use their products, and coming from that perspective, I can see how the problems develop. Products that are easy to administer and manage are also more vulnerable, since to work together their architectures must be more flexible and extensible. Ergo, more holes are available to exploit. You like Excel because it can use macros? That’s great, but then you’d better be prepared for that automation to be exploited in the worst possible way, if you are used to double-clicking on that spreadsheet that Bill (or who you think is Bill!) from circulation just e-mailed you.

I think the PDG case opened some eyes, and that’s great. You, as a manager, should never assume security has been handled by someone else. Are you collecting data from your customers? If so, where is that information going, and how is it stored? Is it being stored on a separate database server, physically separated from your Web server, with its own security and authentication procedures? Or is it being stored in a simple folder on the Web server where it could be easily found?
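As an added illustration of that last question (not code from the original column), here is a Python audit script a site operator could run against a Web server’s document root to find stored order files that contain unencrypted card numbers; the sample order record and the document-root path are constructed for the example.

```python
import os
import re
import sys

# Runs of 13 to 16 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (so 17+ digit ids are skipped).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")

# Constructed sample of the kind of order record the column describes:
# written by a shopping cart into a plain folder under the document root.
SAMPLE_ORDER = """order_id=1234567890123
name=Jane Doe (constructed sample)
card=4111 1111 1111 1111
exp=12/03
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid 13-16 digit numbers found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_docroot(docroot: str, max_bytes: int = 1_000_000) -> dict[str, int]:
    """Map each file under docroot to the count of card-like numbers it holds."""
    findings = {}
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue                      # unreadable file: skip, do not crash
            count = len(find_card_numbers(text))
            if count:
                findings[path] = count
    return findings


if __name__ == "__main__":
    # Usage: python audit_docroot.py /var/www/html   (path is an assumption)
    for path, n in sorted(scan_docroot(sys.argv[1]).items()):
        print(f"{n:4d} card-like number(s): {path}")
```

Any file it reports is reachable by URL unless the server is configured to deny it; the fix the column argues for is to move such data off the Web server entirely, not merely to hide the folder.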

Don’t think because you’re hosting with an external provider, that everything is being taken care of. Sometimes external hosts are better targets, because of their higher profiles and because they host many clients at the same time. Theoretically, they have the best security as well, but it never hurts to ask the hard questions when you’re signing up.

Don’t overlook the fact that stocks have fallen dramatically. The human angle is that motivation to excel can drop at publicly traded companies, and an exodus of talent is hardly unheard of. A system administrator whose options are far under water, and who is bitter about it, may have a lot less motivation to keep up on the latest security updates than he or she did a year ago.

Human behavior, as much as computer professionals would like to divorce it from IS and pretend it doesn’t exist, is a profound influence in this business, and especially so in security, because the concept of security serves a great many masters.


Hays Goodman is the Webmaster for Newspapers & Technology and GMToday, a Milwaukee-area portal. He welcomes your comments, feedback and suggestions for future Tips & Tricks columns. Write to him at webmaster@conleynet.com and include your contact information.