Why does nobody talk about security, even as basic as on user accounts?

It's rare when I find a framework/tool/talk/library/spec where the docs give an explanation, and more importantly an example of doing it the right way, and I mean without going into the history of ancient Greece and their scytale stick.

  • 7
    I have the impression that most devs don't care or "don't have time for that". But I could be wrong...
    Make it run first, make it secure later, if we have time. Fuck this mentality.
  • 2
    Because management.
    Make it run, fuck security... until it fucks management.
  • 3
    @C0D4 Well, on the bright side, that's how we security peeps earn our pay :P

    Seriously though, security is an afterthought for many devs. Especially those who are sucked into the "patch it later" mentality.
  • 4
    Because it doesn't get taught enough?

    If you're new to programming you only care to learn to code and create stuff. That's where the gratification is, isn't it? You don't get praise for a secure app. You get praise for a fast done app. It's an incentive problem.
  • 3
    @bladedemon true that.
    Except @heyheni has a point: securing a project is not taught, it's not something people care about in the least, until it becomes a problem knocking down your door.
  • 0
    I quite like spring security's approach.

    "Hah, you've added me to the classpath? No access for you suckers until you configure me properly..."
  • 3
    @heyheni @COD4 Well, in my defense, security is an advanced skill; understanding WHY something is secure (or not) requires deep understanding of the code, the language and the platform. Still, some general guidelines are readily available, just as there are guidelines for writing clean code.

    When security problems arise, it is a nasty affair; more often than not, trying to patch software that is insecure by design is a nightmare. One patch can break something else (if you draw parallels to certain software companies, my disclaimer is that I mention or imply nothing).

    Never mind the true horror if said software is popular, and then they realize that it is full'o'holes. This can escalate to full (kernel) panic, lawsuits etc...

    To be short, yes, security is a thankless and boring sector, but it has become an essential one. I think I'll write a rant about it later; I haven't posted since forever.
  • 0
    If they give you an example of doing it the right way, and it gets compromised, it's their fault.

    If you do it by yourself because they gave no example, either the right way, or the wrong way, and it gets compromised, that's your fault.
  • 0
    Because to these people, it's not about security. It's about getting their tool popular for that sweet sweet moolah.

    Haven't seen a framework yet that is as secure as it claims, if it claims it at all.

    This especially includes the big ones (sorry not sorry laravel users).
  • 2
    Security, if done right and beginning at the design stage, is not a big problem.

    On the contrary, it can make the code simpler, as many common problems are solved by the same solutions.

    Unfortunately it's very, very rare that security is included at that stage :/ so very few developers get the chance to experience it.
  • 0
    @bladedemon Boring? I've been a security amateur for about 10 years and am a professional now and I can't get enough of this!