[lcw]

Why do you think this is controversial? Whether a company works with another software company that is bonded and/or a person uses OSS if something bad happens to the customer it still is reflective on the company using the software in a negative way. No company would refute that.

I rarely have seen court cases in regard to customer damage try to quantify negligence, because the court system is missing a lot of nuance in our industry. Pragmatically speaking the courts are ruling on the severity of the customer impact. There can and will always be an argument that is subjective about negligence in regard to how much you protect yourself from a malicious event vs the severity of said event. This isn't specific to software engineering either like concert venues that are mishandled and result in accidental death.

Your comments around npm dependencies not being reviewed and shows an engineering team is negligent seem contextually correct depending on the damage of said system the engineers are managing. If it's a bank system that leads to fraud then I agree. If it's a start up that runs a website; I hardly categorize this as negligent. Every company I have worked for has understood this trade off. If you are trying to be over zealous about the definition of negligence then I could understand how that would be controversial.

[edgyquant]

Do you think CTOs should be held criminally negligent if they lose data that is of national security concern?

Because that’s the only way I see us getting audited dependencies as a commonality.

[lrvick]

I would agree fintech companies, or any company managing a lot of PII, must take supply chain security much more seriously than say a fashion blog or a video game. The level of negligence is anchored to the potential for harm, but it is IMO a rare case where a successful company manages without a lot of PII or payment details. Even Deezer, who /only/ sells booze, was sued for a data breach and had to give out thousands of $10 checks in a class action. Their negligence hurt them and their users.

For context, most of my clients are high risk with large PII footprints or various forms of fintech. Even in fintech and banking, dependency code review is unheard of, and supply chain attacks are happening in the wild targeting those orgs.

I kind of do intend to come off alarmist about this, because it is very alarming and is likely going to get a lot more people harmed than it already has.

[lcw]

I think you meant to refer to drizly. I would say this is an example of a company that put their priorities on growth rather than security and it worked out for them. It sounds like Drizly didn't think about security at all, and in the end it cost them 0.6% (worst case they settled for $7M and were aquired for over $1.1B) of their value. Looks like their executive team prioritized the right things to me.

Making a decision for or against more security is more about risk mitigation. If the courts are just going to slap companies on the wrists for data breaches I don't see a strong argument for intense security protocols for your run of the mill e-commerce business.

[lrvick]

Ha ha. Yes. Drizly is what I meant to say. Too late to edit now.

I would say it caused them reputational harm as well. It would have likely been a lot less trouble to just hire a capable security engineer or two and do some basics.

To your point, we need these things to hurt a lot more, but it is a start.

[thunky]

People have been conditioned to ignore security. Too many big public incidents, too many emails telling them their data was exposed. They don't care anymore.

I think you're fighting an uphill battle here.

[lrvick]

It took something like 100 years to normalize washing hands in the medical industry. I am in this for the long game.