Ask HN: Developers, What annoys you about security within your company?

2 points by k4ch0w ↗ HN
I am curious about how security affects your team. Does it hinders you? Bugs aren't well written? Lack of knowledge and can't understand the challenges you face? I want to be more empathetic towards my developers and help make each other better.

1 comment

[ 3.5 ms ] story [ 12.8 ms ] thread
The biggest thing you can do if you have developers that work on one of your teams is actually care about security, listen to them when they say there is a risk, understand it, challenge it and then address it. And if you or the business choose not to address a specific concern now, which can happen, go back to the team and explain the why of the decision to keep them in the loop -- this is not optional if you want the teams trust. Personally, with my teams I make sure they get feedback on decisions as quickly and clearly as I can when the business makes a call on product etc. I always seemed to have frustration with the lack of feedback as a developer and work hard to prevent that on my teams. A lot of times as a developer on a team (especially larger teams) it can feel like feedback is being given to the business but very little is coming back on decisions that are made. If the devs understand the concerns or limitations as to the why, many times they can come up with ways to make mitigation still happen but within some constraints that benefits the business still and doesn't let technical debt rack up. Taking the team out of that loop means you will get frustrated developers that see/feel that the company doesn't care, so in the end, why should they, bad cycle to get into.

And I don't think it can be said enough, do more than pay lip service to security. Care about security and work with the team to identify and address areas where there are problems. Especially in my experience startups always have this as a failure point. I've yet to see a single startup get security right early on, not saying some don't but almost always speed, getting investor dollars and "well come back to it" outweigh the security items raised. In the end this will always bite them, either in terms of cost to fix it later, or in embarrassment when it leaks or is hacked by a bored 14 yr old. Think of how many major startups/companies you can list that still had plain text passwords someplace, it is insane? Good logging is not an excuse to abandon good security practices.

I could ramble for a long time on this, but hopefully that gives some ideas.