
Ask HN: Developers, What annoys you about security within your company? - k4ch0w
I am curious about how security affects your team. Does it hinder you? Bugs aren't well written? Lack of knowledge and can't understand the challenges you face? I want to be more empathetic towards my developers and help make each other better.
======
davismwfl
The biggest thing you can do if you have developers that work on one of your
teams is actually care about security, listen to them when they say there is a
risk, understand it, challenge it and then address it. And if you or the
business choose not to address a specific concern now, which can happen, go
back to the team and explain the why of the decision to keep them in the loop
-- this is not optional if you want the team's trust. Personally, with my teams
I make sure they get feedback on decisions as quickly and clearly as I can
when the business makes a call on product etc. I always seemed to have
frustration with the lack of feedback as a developer and work hard to prevent
that on my teams. A lot of times as a developer on a team (especially larger
teams) it can feel like feedback is being given to the business but very
little is coming back on decisions that are made. If the devs understand the
concerns or limitations as to the why, many times they can come up with ways
to make mitigation still happen but within some constraints that still benefit
the business and don't let technical debt rack up. Taking the team out of
that loop means you will get frustrated developers that see/feel that the
company doesn't care, so in the end, why should they? Bad cycle to get into.

And I don't think it can be said enough, do more than pay lip service to
security. Care about security and work with the team to identify and address
areas where there are problems. Especially in my experience, startups always
have this as a failure point. I've yet to see a single startup get security
right early on, not saying some don't, but almost always speed, getting
investor dollars and "we'll come back to it" outweigh the security items
raised. In the end this will always bite them, either in terms of cost to fix
it later, or in embarrassment when it leaks or is hacked by a bored 14 yr old.
Think of how many major startups/companies you can list that still had plain
text passwords someplace; it is insane. Good logging is not an excuse to
abandon good security practices.

I could ramble for a long time on this, but hopefully that gives some ideas.

