by agoodusername63 495 days ago
Is it particularly surprising though?

These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.

I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.

But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.

Maybe I'm just a little frustrated at the Internet being largely unable to understand that defensive programming is something that isn't in a game dev's trained skill set. I would expect better of NetEase, however.


Hey, I feel there's some predisposition in infosec-minded people that insecure software must not exist regardless of its purpose or threat model. And also that people who can't write secure code must not write code...

People who can't write secure code yet can learn how to write secure code.

For some little indie setup, sure. But AAA studios are like any other software companies — the folks putting their network stack together aren't the same people that are making the gameplay logic, many of whom probably went to art school and learned how to script and write some less-complex C++, and they're different from the people working with the low-level graphics programming in the game engine, many of whom probably have PhDs in computer science or other related math disciplines. Having a connection low-latency enough and reliable enough to have fighting game tournaments on servers with many thousands of players isn't a job for a general purpose game developer.

They generally make software that runs with (at least) unrestricted user-level access on client devices, as opposed to backend guys who have no client access, and web guys whose code runs in a sandbox.

If anything these devs should be more cautious than the others as the risk to the end user is extreme.

>These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software.

Why do game developers get a pass but not "backend developers" or "web guys"? Don't the latter only "make CRUD apps, not security software"?

I think for web or "backend for network" people, you are always deploying into a hostile environment (the Internet) and so you really should be at least aware of basic security measures. If you consider yourself a professional in that field, it's table stakes.

If you're a game dev, you were taught to write optimized code that runs locally on a computer.

Not everything you do will run on the network, and networking/multiplayer might not be relevant every single time you ship a game. So it's less relevant (if still important).

This isn't really true; game devs have had to deal with client-server authenticity issues since the beginning of multiplayer gaming. There are a lot of lessons learned around this, and it's why there are whole sets of middleware designed to alleviate/lessen these issues. For as long as multiplayer games have been around, this has been an issue.

The impact (i.e. RCE vs. just ruining the game experience) may be different, but the concepts are all the same: adversarial clients.

The excuses you listed aren't any different for business apps.

There is nothing special about game development that justifies not knowing/caring about security. It's 2025. Everyone is deploying into a hostile environment (the world). Security is now a horizontal that cuts across all kinds of development: frontend, backend, web, mobile, PC, console. You can't just say "Oh, security is the job of a Security Developer. I am just a Xyz Developer."

Hey, I'm with you... I literally have a talk I give at my company about security being every developer's job (it's called "Developers are bad at security" and it's very popular).

I'm not arguing that it's "not their job", I'm saying they are less likely to have been trained in security because of the nature of their job...

There are no triple-A games today that don't run in a networked/internet environment, and your code lives on the hostile user's machine; this seems like an even bigger risk than a web app.

AAA games are a small fraction of the whole games market though (and there are still plenty that don't have multiplayer - Cyberpunk 2077 comes to mind, or the Horizon games, lots of mobile games, etc.).

Like I said in the other reply, I am not arguing against the need for security, I am saying a lot of game developers don't get, or seek out, security training because single player local games don't have the same network-driven risks.