Insecurity

by Curtis Poe

In my career, I've been paid to program at ten different companies. Of those companies, only two of them have taken computer-related security very seriously and three have had serious security breaches. There is no overlap between these two groups.

Of the three security breaches, two of them were known security issues that had been brought to the attention of management, but management chose to ignore them. One of these caused serious financial harm¹. Due to the nature of the problem and management's reluctance to discuss it, we couldn't determine the exact amount of damage, but between known financial losses and the cost of responding to the incident, I would conservatively estimate that we lost at least $100,000 and possibly up to a quarter million. Had we fixed this problem before it occurred, it would have taken only two or three days of developer time. Given the relatively small cost of fixing the problem, why didn't it get fixed?