At the risk of being presumptuous... When is security ever not a concern?
> small little one-off apps that might need _some_ backend functionality
The security implications of serving a static website vs. a dynamic application that processes payments and queries the database are two different beasts.
If security is taught at the student level, by the time they get to junior developer they'll have an understanding of it / do it automatically.
When I was a hiring manager and scoped out juniors from bootcamps I had a conversation with some candidates and they would say, "I built user registration and login". When I asked them to talk more about it they said, "well I installed auth0"... Any student project which doesn't teach them how something works is not really teaching anything of value, is it?
Programming is not academic. It has more in common with plumbing and carpentry and electrician work: you learn only by doing, and you learn how to do it well by doing with critical supervision from a mentor.
Software development (and a lot of hardware development, to be fair) is unique in that doing it well requires functioning as both an engineer and a tradesperson. One's skill has to cover a wide section of the spectrum.
All joking aside, programming should be treated a lot more like engineering and a lot less like craft. Yes, it does have aspects of both, but neglecting the engineering aspects of it is proving to be increasingly harmful to our end users.
I think the curve of diminishing returns plays an important role. A near hack job will often get you 90% there, in terms of fulfilling what was exactly requested. I don't think this is true for any other skillset. It's so easy to make something featureful and fragile in software. The time and cost above that can be very difficult to justify to customers/management.
In the words of a previous boss, after I pointed out we need more testing, "Everything is working, we'll fix the bugs as they come".
Not everything runs online connected to the internet.
Internal applications where the entirety of the userbase are trusted employees. (Preferably, the userbase is small, too.)
Nobody’s going to bother finding vulnerabilities in an application where, if they break it, their own job gets harder.
Your sort of thinking is how you end up with Yahoo levels of account leaks.
Security always matters.
> Your sort of thinking is how you end up with Yahoo levels of account leaks.
I wouldn’t store any of my customers’ data on an insecure internal service! I know that’s mad!
> Security always matters.
The first part of securing a system is to come up with your threat model, isn’t it?
I'm completely sure that you're right. You know that would be irresponsible and reckless with lots of very sensitive data.
With that said, how sure can you be of every other person writing a simple, small, business app for just a handful of their coworkers? I've encountered some people doing exactly what you've described without the same level of cool-headed risk-weighing as you.
Famous last words.