You want security? You have to ask for it
I know at Freshleaf we’re a bit guilty of going on (and on) about website and application security, code quality, and the consequences of leaving online data protection to chance. We treat security as a default requirement. But I spotted this article recently that highlighted how often security is overlooked, even by professional developers.
In a study in 2018, researchers in Germany used Freelancer.com to hire 43 professional developers and tasked them with developing the user registration part of a fictitious social networking site. Storing and authenticating user credentials is a common task for developers. And storage of sensitive details such as passwords is just one area where – one might think – security would be considered essential. The research expanded on a similar study the previous year where students were asked to complete a similar task.
Somewhat depressingly, neither the students nor the professionals routinely implemented secure password storage unless explicitly requested; and even then, the attempts at securing the passwords were frequently inadequate. Interviews after the tasks confirmed that – at least for the developers in the study – security was a distant second to functionality in terms of priorities.
Now, grabbing the first 40-odd bids on Freelancer.com will not necessarily net you the most experienced or conscientious pool of developers. But it does highlight the fact that – even in areas where it is manifestly required – security is NOT necessarily a default. So if you’re in the position of planning or commissioning any kind of development project – whether it’s the company website or the next Facebook – security needs to be right up there at the top of your requirements list.