Do you really care about security?

A $25,000-scale pro­ject is or­dered by a large multi­na­tion­al cor­po­ra­tion. They claim they should be and are se­cure, since se­cu­ri­ty is cru­cial for them. Ask them how much of the bud­get of the pro­ject is al­lo­cat­ed to se­cu­ri­ty. They won't an­swer, be­cause they can't.

The im­por­tance of an as­pect of a pro­ject is usu­al­ly de­ter­mined by the in­vest­ment. If half of the mon­ey of a web ap­pli­ca­tion goes to UX, the over­all ex­pe­ri­ence has all rea­sons to be good, un­less, of course, there is waste of mon­ey some­where. No mon­ey for UX means no de­sign­ers, which means that the in­ter­face is done by de­vel­op­ers them­selves. Re­sult: un­us­able (in­clud­ing by de­vel­op­ers them­selves) app.

When the only men­tion of se­cu­ri­ty is made dur­ing meet­ings un­der the form: “We should care about se­cu­ri­ty”, or un­der the form of dif­fer­ent peo­ple who have no ex­pe­ri­ence in se­cu­ri­ty in­vent­ing ways to over­ly com­pli­cate the ar­chi­tec­ture of the ap­pli­ca­tion, se­cu­ri­ty is ob­vi­ous­ly not a pri­or­i­ty.

There are at least three ways to break the cur­rent app. One doesn't do any­thing dan­ger­ous. One may break SMTP servers of the com­pa­ny. One al­lows ac­cess­ing any cus­tomer ID as well as their com­plete cred­it card in­for­ma­tion. Re­al­ly.

They claim that se­cu­ri­ty mat­ters for them, and at the same time the prod­uct is de­vel­oped un­der tight sched­ules, with no test­ing, no CI and “no time for refac­tor­ing”.

If se­cu­ri­ty mat­ters, those three points shouldn't eval­u­ate to zero:

• Mon­ey ded­i­cat­ed to se­cu­ri­ty,

• Se­cu­ri­ty-aware per­sons in the team,

• Man-hours ded­i­cat­ed to se­cu­ri­ty.

When those three are equal to zero, don't claim that se­cu­ri­ty is an im­por­tant as­pect of the pro­ject. In­stead, change some­thing to ac­tu­al­ly show it.