DEV Community

Discussion on: Software security is hopelessly broken

Andrew Sackville-West

Disclaimer, I haven't read your whole piece yet...

The principal problem I see is commercial development is done with too much time pressure and not enough focus on security. In my experience, security is always considered last when building new software, as in "we'll come back and add security after we get the product working." And then, business is always eager to deprioritize security. It takes too long, is too finicky, and too restrictive, and doesn't "add value". I recently patched a bug in my employer's auth that had been in place for at least two years and shipped in several versions. It wasn't a priority because our customers never actually enable auth....

The bottom line is, despite all the words to the contrary, business only cares about security to the level it impacts the bottom line. We, as employees, just don't have much impact on that. Thus, this problem will continue despite software developers' best intentions.

Or maybe I'm cynical.

Blaine Osepchuk

No, I think you have a valid point of view and your experience matches mine (and that of many others).

However, the way you've framed the problem takes most/all the responsibility off your shoulders as a software developer. But you are far from helpless. You can:

  • recommend safer languages over less-safe languages for new projects
  • use frameworks and other tools and libraries to "go faster" and not talk about the security benefits
  • educate yourself and your team about security and follow best practices for new code
  • report ineffective or non-existent data validation as a defect in your bug tracker (not a security issue)
  • fail code reviews for defects (including security-related defects)
  • use a static analysis tool to increase your team's productivity and reduce mistakes (but don't mention the security benefits to management)
  • make sure you keep your software up to date

For example, we sold our product owner on https everywhere for the bump we'll get in our search engine rankings, not the security benefits.

Quality and speed are not opposites. That's backed by research, which I wrote about near the end of this post. That's why most companies that try automated testing, design reviews, code reviews, etc. get so many benefits that they can't imagine producing software any other way.

You can go a long way with the strategies I've described above without ever having to have explicit permission to work on "security". You can appeal to management's desire for improved quality or productivity or efficiency and get the security benefits for free on the side.