Many software developers care even less about security than the people who use the software. Their attitude is that it’s just more work to do things in a secure manner. It’s only after a major security breach that they fix their security holes.
I had a feeling based on constant news of data breaches.
Most individuals care about security, but most companies’ reward structure does not reward proactive security measures. Alice will get a much bigger bonus if she spends 20 hours straight fixing a zero-day exploit in the wild than if she had spent a week implementing proper safeguards in the first place.
Worth pointing out this isn’t usually down to developers choosing not to do it, but to management, either via direct decision making or deadlines.
It’s not that they don’t care, not at all. But when you have a road map and hard deadlines you don’t have the option. And it’s hard to sell security as a priority to leadership when the other option is features that can increase revenue.
Same thing in distribution. They promote “safety, safety, safety,” but as soon as productivity dips, “you guys aren’t hitting your numbers, you need to do better.”