DEV Community

Sloan the DEV Moderator for The DEV Team


Sloan's Inbox: Is security still an afterthought?

Hey folks! Sloan, DEV Moderator and mascot. I'm back with another question submitted by a DEV community member. 🦥

For those unfamiliar with the series, this is another installment of Sloan's Inbox. You all send in your questions, I ask them on your behalf anonymously, and the community leaves comments to offer advice. Whether it's career development, office politics, industry trends, or improving technical skills, we cover all sorts of topics here. If you want to send in a question or talking point to be shared anonymously via Sloan, that'd be great; just scroll down to the bottom of the post for details on how.

Let's see what's up this week...

Today's question is:

Hey DEV Community!

I'm pretty new to development and something that I've heard come up a few times is the line "security is an afterthought" meaning that it's not necessarily something developers are incorporating early on during the design phase of an application. That's my understanding!

As I look to expand my skills and hone my focus, I've considered security as something that might be cool to get into. I just wonder: does "security is an afterthought" mean that, in a practical sense, a security professional is likely to be brought on later during the app development to solve some particular security problem? Is there generally refactoring involved to account for security?

Grateful for any advice, thanks! 🙂

Share your thoughts and let's help a fellow DEV member out! Remember to keep kind and stay classy. 💚


Want to submit a question for discussion or ask for advice? Visit Sloan's Inbox! You can choose to remain anonymous.


Top comments (7)

Ben Halpern

I don't think this is cut-and-dried in any way.

When people are saying that security is an afterthought, it might be worth asking "compared to what?".

I would say that that statement is true a lot of the time, but security is still a huge growth industry, and maybe the most secure one I can think of, to be honest.

If people's direct experience is that security is an afterthought, it certainly does not mean that it isn't a huge deal, and very much not an afterthought for many.

I'll note that security company stocks in general have been tremendous performers, which is a vote in favor of the importance here.

Ingo Steinke, web developer

It depends on the projects, company culture, and requirements, but often many important aspects are only afterthoughts, including security, accessibility, quality, maintainability, energetic and ecological efficiency.

Fyodor

Judging by experience, it's always the business value first and only then, at some place defined by some board meeting, come non-blocking-at-the-current-stage things like security. Unless the product is already publicly proven to be vulnerable. Security is often an afterthought even for security companies.

webbureaucrat

Unfortunately, that is sometimes true. I worked on a project where they had a contractor write the entire application--tens of thousands of lines of code--and then after the contractor was gone they ran HP Fortify against the project and found hundreds of vulnerabilities.

I work for a much healthier organization now and security is a part of every step and scanning statically for code vulnerabilities is part of the CI/CD process, as it should be, and I think that's the direction most organizations are heading.

Ender Ahmet Yurt

Good question. Thank you!

If you're a new developer, security may initially seem like an afterthought. As you learn and practice different aspects of development, security may not be your primary focus. However, at some point, you will need to understand how to secure your code—for example, understanding what SQL injection is.

The importance of security also depends on the size of the company you work for. If your company has a skilled security team, they or specific tools may handle the security of your code.

In conclusion, we shouldn't say that security is an afterthought. Instead, we should consider how we, as developers, can incorporate it into our workflow. In my opinion, web developers don't need to understand every detail of a software product's security layer.

Mike Stemle

Security is an attribute of quality, and I do think that quality is all-too-often a secondary concern.

Mateusz Koteja

Security basics are really easy to implement even during a PoC. That's what I do. At least everything has to be secured, even if the security itself isn't perfect.
Basics are usually enough, but there are always some nice-to-haves that usually come up during security audits. That's my preferred way.
