
Ask HN: Do you think security is part of a developers job? - karldyyna
With the growing cyberthreat and daily news articles about one attack or another, the focus on application security is at an all-time high. However, there seems to be confusion about who should be responsible.

I've met a lot of developers who think that security should be left to the specialists and their job is to simply provide functionality according to specifications.

I feel that this is akin to building a car and saying that it is someone else's job to prove it is safe.

What is your opinion on the matter? Should every developer be security-aware, or is it a job for the specialists?
======
poof131
Yes and no depending upon seniority and context. Senior developers leading
teams should make sure the patterns being used are secure. Junior developers
should mostly worry about getting stuff built. Companies of even a modest size
should be having audits. Lessons from these audits should be taught to the
team. Everyone (on the web dev side) should be familiar with OWASP [1].

The reality, however, is most companies will disregard security because a
secure product with no revenue means no business. So revenue comes first, then
security. And usually this is only done in a reactive fashion, like when (true
story) a huge banking customer's security audit finds a hardcoded password
string in your code that allows admin access. Guess it's time to remove the
back door for troubleshooting.

[1] https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

------
jonesb6
Developers should be held responsible for the applications that they build.
Management, and especially executives, should also be responsible for the work
of their employees and how they handle their customers' very valuable data.

Personally, I love learning more about security. It means I can charge more
for consulting.

------
Piskvorrr
Security is not a magic paint that someone can just add on top of the finished
product, it needs to be a part of it from the beginning, starting with
analysis.

Which means it _is_ the developers' job, but _not only_ theirs - the
specification should _also_ be aware of security.

------
venomsnake
It is the developer's job if someone pays them for it. Right now, "it will take
me twice as long to deliver a secure product than a semi-secure one" just
doesn't fly with management.

