A plea to my fellow developers and our employers [Harm]

water waveRevelations today about a security breach at Sony Pictures. If the claims are true, the company failed to take even minimal steps to protect the identities of their users. Passwords were stored in plain text.

There are many reasons why this happens: naive business sponsors, inexperienced or pliable developers, poorly thought out or narrowly defined requirements, lack of regard for user privacy, and simple schedule pressure that leads to mistakes and cut corners.

It is unacceptable to assume stored user information is not sensitive simply because your site doesn’t do anything sensitive with it.

People re-use passwords. They shouldn’t but they do. They may only be signing up with you for access to white papers but that username and password may crack facebook, paypal, capital one, or any number of other websites.

We can’t treat websites as something less than software, cram as many front facing features into them with as little time and investment as possible and expect a serviceable, safe, and usable consumer experience.

We can’t treat developers as disposable widgets that are there to “work hard” and “do what they’re told” and expect them to watch our back by behaving as ethical professionals and crafts people.

We can’t expose customers to this kind of risk and expect to retain them as customers.

The best way to encourage new and onerous legal obligations is to act irresponsibly because there is no current legal obligation to do otherwise.

There is a historical pattern. A new field starts generating significant wealth and the resulting products and services become widely adopted by society. As a result of that success, failure becomes more visible, more frequent, destroys more wealth and harms more people.

The industry, practitioners and the government step in to reduce the failure rate. The typical result is government licensing of practitioners and regulation of businesses, accreditation of training organizations, and professional bodies with codes of practice and certifications.

I’m not against any one of these things if they evolve gradually.

But if we create another “software crisis.” This time one that affects the safety of large swaths of society or the wealth creation their trust of the internet represents. Then these things will happen too rapidly, too thoughtlessly.

So, here’s my plea to product people and executive sponsors:

  • Realize software is complex and websites are software.
  • Hire experienced, thoughtful developers, encourage them to tell you the truth and LISTEN TO THEM.
  • If you take risks to get something to market, take the time later to circle back and invest to bring that risk down.
  • Don’t take risks that can harm your end users.
  • Realize a website is not a onetime upfront spend but an ongoing commitment of time attention and resources.
  • Realize if you intend to use a website for a short time or an experiment, follow through and dispose of it — or be prepared to invest significantly more in turning it into a long-term asset.

Here’s the plea to my fellow developers:

  • Take the quality of our work seriously.
  • Learn, learn, learn how to write good code.
  • Take our end users seriously. DO NO HARM.
  • Band together and demand the best of each other
This entry was posted in software development and tagged , , , , by Ken Judy. Bookmark the permalink.

About Ken Judy

I am an executive manager, software developer, father and husband trying to do more good than harm. I am an agile practitioner. I say this fully aware I say nothing. Sold as a tool to solve problems, agile is more a set of principles that encourage us to confront problems. Broad adoption of the jargon has not resulted in wide embrace of these principles. I strive to create material and human good by respecting co-workers, telling truth to employers, improving my skills, and caring for the people affected by the software I help build.