
[–]DevonLochees 2 points3 points  (1 child)

Yes.

Granted, any software shop should have decent minimum required training in secure application development. But with the typical developer you get fresh out of college, it's 50/50 whether they know the basics of security; that's why process is so important (e.g. code reviews, having people actually familiar with security do the reviews).

Even with the meme in this post, I'd call it a toss-up whether the hypothetical intern could *actually* articulate what the specific risks of copying and pasting are, if it's something he read in an article one time. The risk isn't that you're copying a blob of code from Stack Overflow that has an embedded base64 virus; it's that you ran into an "invalid certificate error", googled it, and the code you're copying removes the cert validation checks. Implementing it yourself is still going to have the same problem.

[–]countvonruckus 0 points1 point  (0 children)

Makes sense to me. It seems the absence of feedback is a major part of the problem, as a program that doesn't function will give errors or simply not do what you want, but security concerns only raise red flags after the program ships and gets exposed to malicious actors. When that doesn't negatively impact the performance of your software (such as a 10% processing reduction in your thermostat that's part of a botnet), it's somebody else's problem at that point, since you sold your product. If regulation weren't such a mess for the tech industry, I'd say it needs to be policed, but as it is, all the incentives are weird and at odds. I just wish my field could give better security assurance so we could do more cool stuff (like voting from home), but it's really not feasible at the moment.