One of the things I’ve discussed before is that it can be hard to get developers - or really engineers in general - to care much about the security of the products they work on. In some cases, this results directly from issues discussed in Eugene’s Law, that is, where an engineer thinks they know better than you that their product is secure. But there’s another unfortunate case that I’ve seen a lot, especially amongst many of the students I’ve met at UAH - the assumption that security won’t ever matter on their product. Now this too technically falls under Eugene’s Law, since somebody can ALWAYS find a way to abuse a product, but I’d like to focus on the motivation for securing your product in such a case.
Pride. Yes, pride: pride in the product that you are creating or helping to create. Many times this will be something you have dedicated months or years of your life to, and hopefully you find yourself with some degree of pride in the end result.
Got an idea of a project you’ve worked on that left you with a feeling of pride? Good. Now imagine some attacker stomping all over your product, looking for ways to hurt its users - your customers, your boss, maybe even your family and friends. Even some trivial little application might offer some way that it can be perverted to serve another master, if in no other way than opening a security hole into the OS hosting it.
So next time you find yourself doubting the need for security, think about what will happen to your product once it is in the wild. Don’t wait until someone takes your kitten and transforms it into a vicious mountain lion.
Ok, maybe I’ve overdone the kitten analogy, but you get the point.