[gruez]

>These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software.

Why do game developers get a pass but not "backend developers" or "web guys"? Don't the latter only "make CRUD apps, not security software"?

[sbarre]

I think for web or "backend for network" people, you are always deploying into a hostile environment (the Internet) and so you really should be at least aware of basic security measures. If you consider yourself a professional in that field, it's table stakes.

If you're a game dev, you were taught to write optimized code that runs locally on a computer.

Not everything you do will run on the network, and networking/multiplayer might not be relevant every single time you ship a game. So it's less relevant (if still important)

[Sleaker]

This isn't really true, game devs have had to deal with client-server authenticity issues since the beginning of multiplayer gaming. There's a lot of lessons learned around and why there's whole sets of middleware designed to alleviate/lessen these issues. For as long as multiplayer games have been around this has been an issue.

The impact ie: RCE vs just ruining the game experience may be different but the concepts are all the same- adversarial clients.

The excuses you listed aren't any different for business apps.

[ryandrake]

There is nothing special about game development that justifies not knowing/caring about security. It's 2025. Everyone is deploying into a hostile environment (the world). Security is now a horizontal that cuts across all kinds of development: frontend, backend, web, mobile, PC, console. You can't just say "Oh, security is the job of a Security Developer. I am just a Xyz Developer."

[sbarre]

Hey I'm with you... I literally have a talk I give at my company about security being every developer's job (it's called "Developers are bad at security" and it's very popular).

I'm not arguing that it's "not their job", I'm saying they are less likely to have been trained in security because of the nature of their job...

[skeeter2020]

There are no triple A games today that doesn't run in a networked/internet environment, and your code lives on the hostile user; this seems like an even bigger risk than a web app.

[sbarre]

AAA game are a small fraction of the whole games market though (and there are still plenty that don't have multiplayer - Cyberpunk 2077 comes to mind, or the Horizon games, lots of mobile games, etc).

Like I said in the other reply, I am not arguing against the need for security, I am saying a lot of game developers don't get, or seek out, security training because single player local games don't have the same network-driven risks.