[pixel_popping]

Cybersecurity is taken too lightly and it mostly boils down to recklessness of developers, they are just "praying" that no-one act on the issues they already know and it's something we must start talking about.

Common recklessness obviously include devs running binaries on their work machine, not using basic isolation (why?), sticky IP addresses that straight-up identify them, even worse, using same browsers to access admin panels and some random memes, obviously, hundred more like those that are ALREADY solved and KNOWN by the developers themselves. You literally have developers that still use cleartext DNS (apparently they are ok with their history accessible by random employees outsourced)

[snovymgodym]

> it mostly boils down to recklessness of developers

I disagree. I think in big tech and the corporate world, it boils down to the organization fundamentally not valuing security and punishing developers if they "move slow", which is often the outcome when you maintain a highly security-oriented process while developing software and infrastructure.

When big leaks happen, the worst that occurs is that some trivial financial penalty is applied to the company so the incentive to ignore security problems until you're forced to acknowledge them is high.

[specialist]

Last gig I had that took QA/Test seriously was late '90s. I have no hopes the situation will improve, for quality or security, until something fundamental changes.

[causal]

Totally agree, though I'd argue that it's still a software failure if preventing exploits requires every user memorize and follow an onerous list of best practices.

[pixel_popping]

This is where security is actually heavily intertwined with Privacy, by following good privacy principles, you automatically cover a lot of security issues.

[LunaSea]

Highly disagree.

It's most of the time a question of management not caring about security or disliking the inconvenience that security can bring.

[pixel_popping]

I agree as well, however for example for FOSS projects, it's exactly as you say, an inconvenience to secure and we comeback to the "I pray that no one exploit X".

[LunaSea]

FOSS projects are a different beast since contributors are working for free and no contributors might have the time to fix a security bug or review a PR fixing one.

I might add however that most companies use FOSS projects without paying for or contributing to them.

The onus is still on the final user to make sure that the code they use is safe.

[giantg2]

"Cybersecurity is taken too lightly and it mostly boils down to recklessness of developers, they are just "praying" that no-one act on the issues they already know and it's something we must start talking about."

I agree that cyber security is taken too lightly. However, I think that many developers don't actually know about vulnerabilities. In many companies those reports get filter through other teams and prioritized by PMs. The devs tend to do their best at meeting the afressive schedules the penny pinching business people set.

[nradov]

Business managers sometimes make bad decisions (at least in retrospect) around budgets and priorities. But the reality is that there are a limited number of pennies, and if someone doesn't pinch them then there are no pennies left to pay developers.

[pixel_popping]

I frankly believe that many know what they are doing, take the average freelancer, developing for multiple clients on the same workspace (suicidal and ethically wrong on top of it) without even disk encryption enabled or straight up syncing everything in cleartext to dropbox.

[giantg2]

Or they're a freelancer because they arent good enough for a big salary job

[matheusmoreira]

> recklessness of developers

Nah. It's the corporations that could not care less and therefore do not reward careful work. They care about nothing but time to market. Start stacking legal and financial liability and I guarantee they are suddenly going to start caring a lot.

[sdwr]

Recklessness is based on effort, likelihood, and consequence. If you live in a small town, you might not lock your front door. No matter where you live, you probably don't lock your second floor windows.

[pixel_popping]

Are we doing enough effort tho, AI era invites us to get our shit together as well, we are all guilty of it, but we must also understand that if you live in an area with a high crime rate, you adapt and lock your door, the same must be applied online now that we will have 24/7 rogue agents with sole purpose of doing ransoms and attacks of all kind.

[MrDarcy]

I read your list and all of that is normal computer use. How can it be reckless to use a computer normally?

[kilpikaarna]

Didn't you know running binaries on your own machine is dAnGeRoUs? Better sign up for our subscription based cloud service!

[pixel_popping]

normal doesn't mean "right", we have piled-up a ton of bad decisions and users that are aware should now better than default settings.

[jacquesm]

You missed the management factor. And even if managers don't explicitly ask you to build insecure stuff they will up to the pressure to the point that you have no choice or leave the company for someone who will do just that. So the end result is the same. Rarely will individual push back with some force and then they will eventually be let go because they're 'troublemakers'.