Ask HN: How unethical is it to develop insecure applications?

4 points by awebdev ↗ HN
I've never once worked on a web project where the client was adequately concerned about security and willing to pay for it. Almost invariably it's an afterthought. In some cases a client flat out refuses to pay to make an application secure, even in the case of clear evidence of dangerous insecurities.

So should I refuse to work for people who don't care about security? If I did so, I'd quickly be out of this business.

4 comments

[ 4.8 ms ] story [ 21.1 ms ] thread
If the company isn't complying with Data Protection laws and sensible security measures with access then I would feel it was my duty as a professional to contest their decisions. I wouldn't become a whistleblower but I would escalate the problem until some one listened. Security breaches hurt the reputation of a business. There will always be some one who will care about this. Maybe not always in the tech teams but at least in one of the business function teams.
Security shouldn't be offered as an ad-on. Most clients expect you as developer to know what's best practice.

It is also your responsibility to comply with local/country and international laws.

I reckon the only time it might be allowed to allow certain exploits/unwanted behavior is in a restricted controlled environment.

I wish it were that simple. Insecure code is often inherited, not created ourselves. If the client has a limited budget and only wants to add X, how do you propose upselling them on security for their whole infrastructure?
I've worked on a lot of these projects. The best you can do is a gratis quick audit (I found SQL injections in these files, XSS in these files, and you really need to stop storing passwords in plaintext). I'd consider it gratis because being a consultant is one part programmer and ten parts professionalism.