I have the impression that most devs don't care or "don't have time for that". But I could be wrong...
Make it run first, make it secure later, if we have time. Fuck this mentality.
Make it run, fuck security... until it fucks management.
Because it doesn't get taught enough?
If you're new to programming you only care to learn to code and create stuff. That's where the gratification is, isn't it? You don't get praise for a secure app. You get praise for a fast done app. It's an incentive problem.
I quite like spring security's approach.
"Hah, you've added me to the classpath? No access for you suckers until you configure me properly..."
@heyheni @COD4 Well, in my defense, security is an advanced skill; understanding WHY something is secure (or not) requires deep understanding of the code, the language and the platform. Still, some general guidelines are readily available, just as there are guidelines for writing clean code.
When security problems arise, it is a nasty affair; more often than not, trying to patch software that is insecure by design is a nightmare. One patch can break something else (if you draw parallels to certain software companies, my disclaimer is that I mention or imply nothing).
Never mind the true horror, if said software is popular, and then they realize that it is full'o'holes. This can escalate to full (kernel) panic, lawsuits etc...
To be short, yes, security is a thankless and boring sector, but it has become an essential one. I think I'll write a rant about it later; I haven't posted since forever.
If they give you an example of doing it the right way, and it gets compromised, it's their fault.
If you do it by yourself because they gave no example, either the right way, or the wrong way, and it gets compromised, that's your fault.
Because to these people, it's not about security. It's about getting their tool popular for that sweet sweet moolah.
Haven't seen a framework yet that is as secure as it claims, if it claims it at all.
This especially includes the big ones (sorry not sorry laravel users).
Security, if done right and beginning at the design stage, is not a big problem.
On the contrary it can make the code simpler as many common problems are solved by the same solutions.
Unfortunately it's very, very rare that security is included at that stage :/ so very few developers get the chance to experience it.