In healthcare, you have HIPAA, and if you mess up patient records you can lose your license and be subject to legal action, e.g. for leaking 1 patient record.

If a pharmaceutical company releases a drug that causes negative side effects, lawyers are happy to sue the company on your behalf for free.

But software engineering is a discipline where no license is required, and now thanks to informal educational institutions like coding camps, not even a degree is required. You can ruin the lives of millions of people but always hop around and get another job.

Companies maximize their margin by saving money on security (and other non-functional requirements), and expose customer-sensitive information to significant risks with no accountability. A statement like "Sorry! We got hacked, your SSN and credit card information is now being sold in bulk on a .onion site!" would do. We as consumers should punish those incidents more aggressively and demand a reasonable cause.

The product-driven minimum-viable-product lean-agile full-stack get-it-done culture of spaghetti code bases without security needs to die now. It's highly profitable and the preferred business model for many, yes. Is it ethical? Hell no. Stop doing it. In those cultures, security is treated as "tin-foil hat paranoia" and laughed at, and put into some "nice to have"/"maybe some day" list, with the lowest priority.

A security bug can make it into any software. But if you assembled a team of coding camp guys or fresh graduates to work on a banking platform or to make an IoT pacemaker, you deserve to be sued for negligence.

Unfortunately, because software is a relatively new activity compared to others, there is no established legal framework around it, and that needs fixing.