Teach a Man to Fish

10 Oct 2005

A recent comment by Jeremy Chin (replying to my article The Truth about Sessions) likens my writing to teaching a man to fish:

Give a man a fish and he'll eat for a day. Teach a man how to fish and he'll eat for a lifetime. I definitely think your article belongs in the latter as you did a marvelous job of explaining the mechanics of how servers handle requests, and how security holes can be, and are, exploited.

I want to thank Jeremy for his kind words, and I also want to highlight the reasoning behind my writing style and why I am particularly happy to see someone make this analogy.

Web application security is a young and evolving discipline. There are very few "right answers" in this field, and many security professionals are hesitant to offer advice for fear of being misunderstood or wrong. If a safeguard is misapplied or offers insufficient protection, the author's reputation is at stake.

I enjoy my role in the community largely because I'm not too concerned with reputation. I believe that by genuinely trying to help people, a certain amount of forgiveness is afforded. However, I take my role very seriously, and I think it's important to offer sound advice, particularly regarding security. This is why my writing style is to explain a problem as thoroughly as possible before offering a solution. By explaining the reasoning behind a particular solution, I think readers can better understand and appreciate the protection it offers. In addition, there are many smart people in the PHP community, and the more people who understand a particular problem, the better the solution(s). (I'd love to see a really good non-SSL solution to session hijacking.)

This is why readers can comment on any of my articles. If you think you spot an error or want to share a particularly creative solution to the problem being discussed, just leave a comment. I read them all, and I plan to keep all of my articles updated.