In the April issue of the PHPArch magazine (also published on her blog), Elizabeth Tucker Long wrote a really interesting editorial piece coining a concept she called Security-Driven-Development. She (quite correctly) identified a problem in the current development community where security has become an after-thought (if it's thought of at all). This isn't a new concept, in fact it's a concept that I and many others have been preaching for quite a while now. However I've been coming to realize that I've had it wrong the whole time. And I think the entire industry is getting it wrong today.

He talks some about the current state of web application development and how, even with more powerful technologies than ever, we still fall short in security testing. He suggests that the current way of doing things - treating security testing as a "throw it over the wall" or "someone else's job" problem - needs to stop. Security needs to be integrated with development and he suggests that managers and developers of open source projects should take the lead.

In reality, PCI is a set of security guidelines drawn up by a consortium of credit card companies and industry security experts to govern how applications should behave when handling credit or debit card information. The card companies impose these standards on the banks who then impose them on those of us who operate e-commerce sites and the like. In this article we will dispel a couple of persistent myths about PCI, take a 20,000-foot look at what PCI encompasses, and then zero in on those requirements that are most closely associated with coding in general and PHP specifically.

He starts with some common myths about PCI (Payment Card Industry) compliance, including that it only applies to "the big guys" taking payments on the web. He then goes through some of the major points of the PCI requirements and talks about a few of them that specifically relate to the backend code side of things.

Enovation was engaged by one of his long term clients in the Health education sector to aid and enable them in designing a solution for the management of curricular activities. The college had an immediate requirement to replace an existing expensive, commercial online database, with a bespoke system which could better manage their curriculum and student rotations within training hospitals. The project was quite large, and the clock was ticking; it was time to learn a new framework, and fast!

I thought it may be fun to do a PHP community building instead of real work this close to the holidays, so I set up PHP City. To participate, just click the link to PHP City and you are a resident. If you really want to get involved, pick yourself a title (I'm Mayor McCal) and post a proclamation as a news bulletin.

There's not much to it - each visit to the site increases the population by one and there's other links to help with other areas of the city (like Industry and Transportation and others down the line). So visit our city and check out how much its grown (top 10 in the first day!) and add your hits to the growing population of PHPCity.

Other people mentioning the city: Padraic Brady, Nick Halstead, Felix Geisendorfer