Software developers, manager, and teams tend to dislike analogies to traditional manufacturing, because we’re “special”. And many will argue that we’re special in soooo many ways!
When one purchases an automobile, what concern do you have for the safety design reviews? What about their costs? Clearly it takes time to conduct such. The crash-worthiness tests are similarly expensive both for the time & the capital expenditures. Yet, as purchasers, we don’t give a wit.
When it comes to software development, adding software security to the analysis, design, coding, testing, and reviews is often strongly resisted. After all, it takes time to perform this work. And additional time means less features. (If a customer doesn’t have feature X, he’s not going to miss it’s non-delivery. There already is a work-around.)
However, as with automobiles, customers have a certain expectation that the software is safe to use. (I’m not speaking of medical, avionics, or nuclear power plant software; rather traditional office or home software.) If a vulnerability exposes all of your customers customer data to the internet, methinks an expectation of safe, secure software has been blown to pieces. It doesn’t take many reports for your brand to be tarnished beyond repair.
So then, why the resistance to secure software? One reason may be that many in the chain of command have put together well-crafted product plans and a successful delivery means great bonus compensation. The implementation of new, aggressive security testing, analysis, design, training… ugh. And after all, we’ve never had an issue before, right?
People are people and most people strongly dislike change. Even the vaunted “cutting-edge” programmer title we like to bestow upon ourselves doesn’t mean we like change. Many programmers don’t like change. And for a variety of reasons. However, safe software and the associated culpability preclude dawdling; we, as a group, have to demand the time to do the job right.
Consider asking an architect for an estimate to build a bridge. When it comes back at $10M USD and 1 year to build, one impulse is to say: “Cut the cost & time by 1/2!” Professional architects will simply bid you “Good day.” Programmers, on the other hand, will say: “Sure.”
Unfortunately, they often do just that.