Security issues broadly can be boiled down to 2 categories
- Seriously mindblowing 0-days no one even considered that shock and amaze you with the hacker's thinking
- Developers that took shortcuts to meet some kind of deadline
Btw that second category isn't the fault of developers but more the external pressure on devs from project stakeholders that place shipping functionality over considering security impacts

@insiderphd

As a developer...

That second category is our fault in many cases.

Communication is one thing, and informing project stakeholders of the severity of their decisions is something we might not be able to perform... (And yes, that's not all our fault. To say it is, is to take a victim blaming attitude.)

But...

Well, there's Therac-25.

I've heard people say that software can't harm hardware.

Nah, software can kill. And if given the opportunity, it can kill easily and quickly. (As well as slowly and painfully, as in the case of acute radiation poisoning.)

We need to be held to a higher standard (and empowered to enforce that standard).

@adorkable @insiderphd The critical part of this is in your last bracketed clause. It’s no use holding your programmers to a higher standard if you don’t give them the power to meet that standard.