Security vs. Usability

Comp Sec

A problem that all web developers, and people in the computer field generally, face is security. When creating your application, website, or server, you have to take into account what kind of security measures you must take to protect yourself and your users. However, you have to make sure that these measures don’t horribly inhibit the users. Twice over the last couple of months I have run into server trouble where I felt the server disallowing certain actions strongly inhibited my ability to create a good website.

The first occurred in October, while I was creating a website for a client. They wanted to be able to upload images to the server, to add them to the site. This required me to set the permissions on sections of the site to 777 (all can execute). There are numerous web apps out there that do this, and if the programmer does it right, security is not a huge issue. However, the server I was working on decided (after years of me using it) that they were going to reset the permissions every 6 hours for ‘security’ measures without notifying its customers. Never mind that I spent hours debugging a script I knew was working. How can one make a sophisticated web app without being able to change the permissions for more than 6 hours at a time?
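As an added illustration that is not part of the original post: an image-upload feature does not need world-writable (777) directories. The handler below is example code, not the client site's; it assumes the upload directory sits outside the document root and is owned by the web-server user with mode 0750, and the paths are hypothetical.

```php
<?php
// Added example: upload handler that works with a directory owned by the
// web-server user instead of a 777 directory. UPLOAD_DIR is a hypothetical
// path outside the document root, chown'd to the PHP user, mode 0750.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/example/private_uploads'; // hypothetical, not web-served
const MAX_BYTES  = 2 * 1024 * 1024;

// Accepted image types, keyed by MIME type sniffed from file content.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept files PHP itself received through the HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the real content type; never trust the client-supplied name or type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported type ' . $mime);
    }
    // Server-chosen random name: no path traversal, no double extensions.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    // Stored as data only: owner rw, group r, nothing for others, no execute bit.
    chmod($dest, 0640);
    return $name;
}

// Usage: $id = store_upload($_FILES['image']); serve it back through a script
// that reads from UPLOAD_DIR rather than exposing the directory directly.
```

Because the directory is owned by the same user PHP runs as, a provider resetting "other" permissions every few hours would not break the upload.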

More recently, I am working on a website that would send emails through a php script using the standard mail() function. Only, due to ‘security reasons,’ the mail() function is disabled. Now I cannot report bugs automatically, nor can the user use the current contact form. Sure, the mail() function could be exploited, but so can almost anything when dealing with a scripting language. Are they going to disable SQL in fear of SQL injection statements?

The point is that if these servers are going to disable certain, very useful functions, what are they providing as an alternative for their users? They are choosing a little bit more security in exchange for strongly inhibiting their users from creating more user-driven web applications.
