Ask HN: How unethical is it to develop insecure applications? - awebdev

I've never once worked on a web project where the client was adequately concerned about security and willing to pay for it. Almost invariably it's an afterthought. In some cases a client flat out refuses to pay to make an application secure, even in the case of clear evidence of dangerous insecurities.

So should I refuse to work for people who don't care about security? If I did so, I'd quickly be out of this business.
======
DevAccount
If the company isn't complying with Data Protection laws and sensible security
measures with access then I would feel it was my duty as a professional to
contest their decisions. I wouldn't become a whistleblower but I would
escalate the problem until someone listened. Security breaches hurt the
reputation of a business. There will always be someone who will care about
this. Maybe not always in the tech teams but at least in one of the business
function teams.

------
kellros
Security shouldn't be offered as an add-on. Most clients expect you as a
developer to know what's best practice.

It is also your responsibility to comply with local/country and international
laws.

I reckon the only time it might be allowed to allow certain exploits/unwanted
behavior is in a restricted controlled environment.

~~~
awebdev
I wish it were that simple. Insecure code is often inherited, not created
ourselves. If the client has a limited budget and only wants to add X, how do
you propose upselling them on security for their whole infrastructure?

~~~
debacle
I've worked on a lot of these projects. The best you can do is a gratis quick
audit (I found SQL injections in these files, XSS in these files, and you
really need to stop storing passwords in plaintext). I'd consider it gratis
because being a consultant is one part programmer and ten parts
professionalism.
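A minimal version of the quick audit debacle describes, as an added example that is not from the thread: it scans a constructed PHP-style code base (hypothetical files login.php and register.php) for the three finding classes named in the post and reports file and line per hit. The regexes are heuristics chosen for this illustration; they are a triage aid for deciding what to raise with a client, not a substitute for a real review.

```python
import re
from typing import Dict, List, Tuple

# Heuristics for the three finding classes the post names: (label, pattern that
# suggests the problem, pattern that rules it out on the same line).
CHECKS = [
    ("SQL injection", re.compile(r'"[^"]*\b(select|insert|update|delete)\b[^"]*\$[^"]*"', re.I), None),
    ("XSS", re.compile(r'\b(echo|print)\b[^;]*\$_(get|post|request|cookie)\b', re.I),
     re.compile(r'htmlspecialchars|htmlentities', re.I)),
    ("plaintext password storage", re.compile(r"password\s*=\s*'?\$\w+", re.I),
     re.compile(r'password_hash|password_verify|crypt\(', re.I)),
]

# Constructed sample code base (hypothetical, PHP-style): one file done badly, one done right.
SAMPLE_SOURCES = {
    "login.php": (
        "<?php\n"
        "$user = $_POST['user'];\n"
        "$pass = $_POST['pass'];\n"
        "$r = mysqli_query($db, \"SELECT * FROM users WHERE name='$user' AND password='$pass'\");\n"
        "echo 'Welcome ' . $_GET['name'];\n"
    ),
    "register.php": (
        "<?php\n"
        "$hash = password_hash($_POST['pass'], PASSWORD_DEFAULT);\n"
        "$stmt = $db->prepare(\"INSERT INTO users (name, password) VALUES (?, ?)\");\n"
        "$stmt->bind_param('ss', $_POST['user'], $hash);\n"
        "echo 'Hello ' . htmlspecialchars($_POST['user']);\n"
    ),
}

Finding = Tuple[str, int, str]  # (file, line number, finding class)

def audit(sources: Dict[str, str]) -> List[Finding]:
    """Scan each file line by line; a line is reported once per matching class."""
    findings: List[Finding] = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for label, hit, safe in CHECKS:
                if hit.search(line) and not (safe and safe.search(line)):
                    findings.append((name, lineno, label))
    return findings

if __name__ == "__main__":
    # Prints "login.php:4: SQL injection" style lines; register.php yields nothing.
    for name, lineno, label in audit(SAMPLE_SOURCES):
        print(f"{name}:{lineno}: {label}")
```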

