no one can ever argue against ‘security’, so you always win if you bring it up
Doesn’t work for me. I am the guy saying “we should not be doing X, because when you google for X, the first three results are all telling you that you definitely shouldn’t be doing X”, and everyone else is “dude, you already spent the whole day trying to solve this issue, just do it the easy way and move on to the other urgent high-priority tasks”.
Probably depends on the type of company, i.e. what the trade-off is between “doing the project faster” and “covering your ass” for your superiors. If they have little to lose by being late, but can potentially get sued for ignoring a security issue, then yes, this is really scary.
A possible solution is to tell the developer to just do it as fast as possible, but still in a perfectly secure way. Have daily meetups asking him ironically whether he is still working on that one simple task. But also make him sign a document that you can deduct his yearly salary if he knowingly ignores a security issue. -- Now he has an incentive to shut up about the security issues (to avoid giving proof that he knew about them).
“A possible solution is to tell the developer to just do it as fast as possible, but still in a perfectly secure way.”
Thanks, Satan!
Ain’t no such thing.