Hey folks! Sloan, DEV Moderator and mascot. I'm back with another question submitted by a DEV community member. 🦥
For those unfamiliar with the se...
I don't think this is cut-and-dried in any way.
When people are saying that security is an afterthought, it might be worth asking "compared to what?".
I would say that that statement is true a lot of the time, but security is still a huge growth industry, and maybe the most secure one I can think of, to be honest.
If people's direct experience is that security is an afterthought, it certainly does not mean that it isn't a huge deal, and very much not an afterthought for many.
I'll note that security company stocks in general have been tremendous performers, which is a vote in favor of the importance here.
It depends on the projects, company culture, and requirements, but often many important aspects are only afterthoughts, including security, accessibility, quality, maintainability, and energy and ecological efficiency.
Judging by experience, it's always business value first, and only then, at some point defined by some board meeting, come the things that are non-blocking at the current stage, like security. Unless the product has already been publicly proven to be vulnerable. Security is often an afterthought even for security companies.
Unfortunately, that is sometimes true. I worked on a project where they had a contractor write the entire application--tens of thousands of lines of code--and then after the contractor was gone they ran HP Fortify against the project and found hundreds of vulnerabilities.
I work for a much healthier organization now and security is a part of every step and scanning statically for code vulnerabilities is part of the CI/CD process, as it should be, and I think that's the direction most organizations are heading.
Good question. Thank you!
If you're a new developer, security may initially seem like an afterthought. As you learn and practice different aspects of development, security may not be your primary focus. However, at some point, you will need to understand how to secure your code—for example, understanding what SQL injection is.
The importance of security also depends on the size of the company you work for. If your company has a skilled security team, they or specific tools may handle the security of your code.
In conclusion, we shouldn't say that security is an afterthought. Instead, we should consider how we, as developers, can incorporate it into our workflow. In my opinion, web developers don't need to understand every detail of a software product's security layer.
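The comment above names SQL injection as the kind of thing a developer eventually has to understand. The following is an added example, not code from the commenter or from DEV; it uses Python's standard sqlite3 module with a constructed in-memory users table (the table, rows and payload are all made up for the demo) to show the vulnerable string-built query next to the parameterized one, and what each returns when handed a classic `' OR '1'='1` payload.

```python
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
SEED_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SEED_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's input is pasted into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the input travels as a bound value, never as SQL text,
    so quotes and keywords in it are just characters to compare against."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(payload="x' OR '1'='1"):
    """Run both lookups with a normal name and with an injection payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_injected": lookup_vulnerable(conn, payload),
        "safe_normal": lookup_safe(conn, "bob"),
        "safe_injected": lookup_safe(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

With the payload, the string-built query becomes `... WHERE username = 'x' OR '1'='1'` and returns every row, including the admin account; the parameterized query looks for a user literally named `x' OR '1'='1` and returns nothing. Note that sqlite3's `execute()` refuses to run more than one statement per call, so a `'; DROP TABLE users; --` payload raises an error here rather than dropping the table; that is a property of this driver, not a defense to rely on, since other drivers and databases will happily execute the second statement.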
Security is an attribute of quality, and I do think that quality is all-too-often a secondary concern.
Security basics are really easy to implement even during PoC. That's what I do. At least everything has to be secured, even if the security itself isn't perfect.
Basics are usually enough, but there are always some nice-to-haves, which usually come up during security audits. That's my preferred way.