Quote:
Originally Posted by infinitylimit
I'm not trying to pigeonhole the argument into two categories of either for or against security. I work with a variety of clients, some that are concerned with price over any other aspect. Why charge them for time to write secure code when they really don't care?
Well, there are a couple of ways I would respond to this:
1) I'm pretty sure that most clients DO care that their data is secure, whether or not they explicitly say so. Do you really have clients who don't care about the security of their site, or of the code you write for them? I bet if you asked them they'd all say that they do care.
2) Writing secure code takes about the same amount of time as writing insecure code if it's done correctly. Seriously, baking security into the application should not require a lot more code or time. Mine doesn't, but then I use some standard libraries and methods that I've developed over time. Security should not be an option or an add-on.
3) Let's say you have a site that's very, very secure - that is, it's nicely locked down with no real security holes. You're asked to write a simple app, like a contact form. If the contact form is insecure, you've just opened the entire site to being exploited, having its data stolen, etc. It's the "weakest link" principle in action, like having a very well secured home but leaving the back door unlocked.
4) If you write exploitable apps, you leave yourself open to liability if (when) they're exploited. If a client's site is cracked and it's due to your code being insecure, guess who's at the top of the list to be sued (or at least blamed)? You are. If you knowingly deliver insecure code, you're liable should something happen as a result.
Quote:
Originally Posted by infinitylimit
Just as I said and am repeating, on the other hand, I have clients that have something to protect and want you to spend that extra time; then those are the people that you do it for. This is efficient and I would expect this out of someone I hire.
If you would knowingly hire someone that delivers insecure code to you, then I'd say we have very different standards in terms of employees. (Seriously, are you saying that you would willingly accept insecure code to run on your site, or that of a client?) As I said above, if done properly good security should not require a lot more code or time.
Quote:
Originally Posted by infinitylimit
Aside from that argument, it's a debate over pride in one's work, and, well, I think that is more a philosophical debate. I can tell we might be missing the topic entirely.
Pride in one's work is indeed another subject, but for me it's irrevocably linked to quality of the end product.
I've worked for big companies (Boeing, Microsoft, AT&T, Westinghouse Hanford, Lockheed, etc.) as well as small ones (mom and pop places) and I've never had a client tell me that security wasn't an issue. I've never had one who would knowingly accept insecure code. It's expected that the code would be as secure as it could reasonably be expected to be.