Isn't security pretty cheap if you want to have it from the start?
Albeit you cannot include other companies' code and APIs to add features really fast, long term the maintenance cost should be comparable.
Not really, security makes everything harder. I have worked on classified projects which I think are a good benchmark for continuous security and it is definitely expensive, and it was on the lowest levels of classification.
Costs come from everywhere, from the time it takes to transfer a simple file when USB ports are blocked and internet access is very limited. Regular audits, limited privileges and you can only run approved programs, maintaining software up to date but you have to actually look at the change logs (no automatic updates), physical security (alarms, safes, access control, etc.). Also, you can't work from home.
Your company may do security differently but there is always a cost. You may not notice a big "security" line in the budget but that's because the costs are everywhere, because everything can be a target. And unlike correctness, security is a moving target. For example, if the code you wrote for a specific task does the task correctly, as long as the task doesn't change, it will work forever (hence: "if it ain't broke, don't fix it"). But things that were once secure may stop being secure as new attacks are found, even if nothing changes on your side.
It's cheap if you build it in from the ground up, and a well-thought-out security program shouldn't impact development velocity at all.
Retrofitting security later tends to be painful, expensive, and cause conflict.
In software companies security teams should enable the developers as opposed to being a hindrance.
Secure code is code that tends to be better written, better documented, and more performant, and to pass tests. All of which are good things.
I'm always amazed at how many YC/VC backed software startups seem to have no place in their team or board for security, which makes it a massive cost center later on when they try to retrofit it.
> Isn't security pretty cheap if you want to have it from the start
Without trying to sound condescending (because it really is a complicated topic), this seems like a viewpoint that could _only_ be held by someone who has never had to actually deal with it.
> Albeit you cannot include other companies code and APIs