

Security Is a War!
Don't Fight Fair!

This month we dedicate our issue to security. This is a topic I find developers either love or hate; there are few who can take a neutral stance on it. Since I am the security editor of this publication, you can probably guess which side I come down on. I am standing in for Derek this week in the editorial department. I think about security all the time and find it is a very interesting subject, and it's a challenge to stay up to date about it. If you are like me, then this is the issue for you! We have picked subjects that try to push past the norms where possible, but that also offer the security haters out there some basics to take the edge off.

The title for this editorial is somewhat of a personal motto of mine, as I think it sums up how imperative our situation has become in the last 18 months or so. Hacking is on the rise, and laws such as Sarbanes-Oxley, HIPAA, and others have been enacted that attach real liability (sometimes criminal liability) to falling down on the job when it comes to security. We are still hearing daily of large companies and popular brands that are admitting as never before to losses caused by lapses in computer-related security. To fend off these attacks you need sober and oftentimes painful facts about what is possible.

A common mistake that I see over and over again in my consulting travels is when a client decides to ignore internal threats and just plan for external attacks. This flies in the face of the facts, which show that employees with long standing are the most likely to betray you. Internal attacks, when focused on destruction, cause an order of magnitude more damage than external attackers with the same intention.

"Knowing is half the battle," as the old saying goes, and so we bring you articles like the one written by Joe Stagner of Microsoft and myself on how to make your applications defend themselves from those who would engage in password guessing attacks, especially against your Web applications. Robert Hurlbut's piece on SQL Injection shows us that even though the subject has been bandied about for years, it is still a near epidemic in corporate Intranets and Extranets. For a more arcane view, Duane Laflotte, who heads up the security practice at CriticalSites, steps us through cryptography based on the tools that .NET provides. All of these and more are aimed at the purpose of getting you ready for the day that someone decides to try and get at your data in ways that are not authorized. The bad news is that day is today and yesterday and every single day this year, whether we admit it or not.

I hope you read the articles in this special security edition and use them as a springboard to defending and reinforcing your walls of protection. I hope something in these pages makes you jump out of your seat and run to the development staff, server room, or Web farm and make a change for the better. Consider this something of our off-season Halloween edition, as it is meant to scare you straight with the facts. When we are done maybe together we can turn the tables on a bad guy or two and make them regret their choice of target and profession. Because as I said right in the beginning: Security is a war! Don't fight fair!

About Patrick Hynds
Patrick Hynds, MCSD, MCSE+I, MCDBA, MCSA, MCP+Site Builder, MCT, is the Microsoft Regional Director for Boston, the CTO of CriticalSites, and has been recognized as a leader in the technology field. An expert on Microsoft technology (with, at last count, 55 Microsoft certifications) and experienced with other technologies as well (WebSphere, Sybase, Perl, Java, Unix, Netware, C++, etc.), Patrick previously taught freelance software development and network architecture. Prior to joining CriticalSites, he was a successful contractor who enjoyed mastering difficult troubleshooting assignments. A graduate of West Point and a Gulf War veteran, Patrick brings an uncommon level of dedication to his leadership role at CriticalSites. He has experience in addressing business challenges with blended IT solutions involving leading-edge database, Web, and hardware systems. In spite of the demands of his management role at CriticalSites, Patrick stays technical and in the trenches, acting as project manager and/or developer/engineer on selected projects throughout the year.
