Bad-Code Blues
Don Parker, 2008-07-08

The current state of secure software development by corporations both large and small is a mess.

Bad-Code Blues 2008-07-09
Anonymous
Bad-Code Blues 2008-07-09
Anonymous (1 replies)
Re: Bad-Code Blues 2008-09-09
Anonymous
And what about the security side, where lazy firewall rules, ignored IDS monitors and 10-year-old draconian-yet-ineffective security policies leave almost every organization wide open for any script-kiddie to exploit? What? You don't have an infinite budget to upgrade to the latest and greatest every year? Information Security is not the only department in an organization that does not have infinite resources. In all of my years of development I have yet to meet any manager with the type of mentality you describe. In reality, we are all the same victims of "better, faster, cheaper" (really cheaper, cheaper, cheaper). I guarantee that almost all companies and their development managers would be more than happy to implement real secure coding practices if the customer would be willing to pay for them, just like I am sure the Info Sec departments would be happy to implement additional security measures as soon as they are funded.

Bad-Code Blues 2008-07-09
Anonymous
Bad-Code Blues 2008-07-18
Anonymous (1 replies)
Re: Bad-Code Blues 2008-07-21
Don Parker (1 replies)
Re: Re: Bad-Code Blues 2008-08-05
Brad Cox
Bad-Code Blues 2008-07-28
Purple Ronnie







 

Copyright 2008, SecurityFocus