[c2h5oh]

The time spend on hardening software is always zero or very close to that unless the company makes that hardening a selling point of the product they make.

In the world of VC powered growth race to bigger and bigger chunk of market seems to be the only thing that matters. You don't optimize your software, you throw money at the problem and get more VMs from your cloud provider. You don't work on fault tolerance, you add a retry on FE. You don't carefully plan and implement security, you create a bug bounty.

It sucks and I hate it.

[esafak]

Then you'll get hacked or have an outage, and unless you're a monopoly it will cost you. But will the people who made poor decisions be held accountable?

You can do a decent hardening job without too much effort, if follow some basic guidelines. You just have to be conscientious enough.

[c2h5oh]

I was once told to stop wasting time submitting PRs adding null checks on data submitted via a public API. You know, the kind of checks that prevented said API from crashing if a part of payload was missing. I was told to stop again with my concerns dismissed when I pointed similar things out during code review. I left that company not long after, but it's still around with over a quarter of a billion in funding.

I would love to say that this was an exception during almost 20 years of my professional career, but it wasn't. It was certainly the worst, but also much closer to average experience than it should have been.

[1over137]

c2h5oh: that does sound sucky. Perhaps it mostly describes web development though? Other software fields take this stuff more seriously.

[c2h5oh]

Unless you equate web development and SaaS then no. It's the same in education, finance and SaaS targeting Fortune 500 companies.

Source: most of the companies I worked or consulted for in the past 20 years.

[jmclnx]

Depends upon the software.

I find valgrind easy on Linux and ktrace(1) on OpenBSD easy to use. I do not spend much time, plus I find testing my items on Linux, OpenBSD and NetBSD tends to find most issues without a lot of work and time.

[c2h5oh]

This is not a "companies don't spend enough time with static and dynamic analysis of their software" problem, it's "less than a third of companies I worked or consulted for in the past 20 years mandated having input validation of any kind" problem.