Ask HN: Do developers care about security?

2 pointscaloique3y ago6 comments

With Shift Left, the importance of moving security earlier in the development cycle is clear. But do developers really care about building secure software? Or is this just something boring?

Also, curious to learn how do developers face security in their day-to-day? Any specific checklist, methodology, or good practice? What developer-first security tools are being used out there?

6 comments

raxxorraxor3y ago

I don't think it boring. Most of the time developers need to justify security so that would be a good change. Security needs to be part of planning and architecture considerations. Depending on the project this can be extensive or not.

This is also an all around topic for the company offering software services (not only software companies). Especially if the cloud becomes part of your infrastructure, you also might want to have subnets, server certificates and sharpened firewall rules in your internal network if you have fairly open routes to infrastructure not hosted on premise. Formerly these things are neglected for internal networks, although this would also be helpful to defend against some attacks like ransomware. It is of course a cost factor and becomes almost impossible task if you exclusively rely on external IT.

The latter part can be annoying for developers, because they often have to work their way around MITM-firewalls, download rules and other security mechanisms for development. This often creates conflict between developers and security. But not really when they have to implement security mechanisms themselves.

caloiqueOP3y ago

Thanks for the insights, have you seen any good practice (tips) on how 'security mechanisms for development' could actually help security teams and developers work smoothly? Instead of being the reason for conflict.

raxxorraxor3y ago

I think the most trivial mechanism is to have your own subnet for developers that maybe has fewer restrictions. Not really a DMZ, but perhaps skip deep package inspections. Most tools can be configured to allow self-signed certs, but it is still a lot of hassle, especially for test systems. In exchange the dev subnet should only have restricted access to the rest of the internal network. But lacking convenience here is preferable to not being able to download some dependencies.

bananarchist3y ago

Most developers care. Most product managers don’t.

caloiqueOP3y ago

Interesting point, and why do you think is that?

bananarchist3y ago

Incentives.

Ensuring the security of a product doesn't have as tangible bragging points as shipping new features. Failing the former is unlikely to be blamed on product, but achieving the latter will almost certainly be credited to them. Responsibility for an insecure endpoint or poorly configured service falls to the engineers, despite the managerial influences that will often lead engineers to cut corners on things like security in the first place.

j / k navigate · click thread line to collapse

6 comments

raxxorraxor3y ago

caloiqueOP3y ago

raxxorraxor3y ago

bananarchist3y ago

Most developers care. Most product managers don’t.

caloiqueOP3y ago

Interesting point, and why do you think is that?

bananarchist3y ago

Incentives.

j / k navigate · click thread line to collapse