Revelations today about a security breach at Sony Pictures. If the claims are true, the company failed to take even minimal steps to protect the identities of their users. Passwords were stored in plain text.
There are many reasons why this happens: naive business sponsors, inexperienced or pliable developers, poorly thought out or narrowly defined requirements, lack of regard for user privacy, and simple schedule pressure that leads to mistakes and cut corners.
It is unacceptable to assume stored user information is not sensitive simply because your site doesn’t do anything sensitive with it.
People re-use passwords. They shouldn’t but they do. They may only be signing up with you for access to white papers but that username and password may crack facebook, paypal, capital one, or any number of other websites.
We can’t treat websites as something less than software, cram as many front facing features into them with as little time and investment as possible and expect a serviceable, safe, and usable consumer experience.
We can’t treat developers as disposable widgets that are there to “work hard” and “do what they’re told” and expect them to watch our back by behaving as ethical professionals and crafts people.
We can’t expose customers to this kind of risk and expect to retain them as customers.
The best way to encourage new and onerous legal obligations is to act irresponsibly because there is no current legal obligation to do otherwise.
There is a historical pattern. A new field starts generating significant wealth and the resulting products and services become widely adopted by society. As a result of that success, failure becomes more visible, more frequent, destroys more wealth and harms more people.
The industry, practitioners and the government step in to reduce the failure rate. The typical result is government licensing of practitioners and regulation of businesses, accreditation of training organizations, and professional bodies with codes of practice and certifications.
I’m not against any one of these things if they evolve gradually.
But if we create another “software crisis.” This time one that affects the safety of large swaths of society or the wealth creation their trust of the internet represents. Then these things will happen too rapidly, too thoughtlessly.
So, here’s my plea to product people and executive sponsors:
- Realize software is complex and websites are software.
- Hire experienced, thoughtful developers, encourage them to tell you the truth and LISTEN TO THEM.
- If you take risks to get something to market, take the time later to circle back and invest to bring that risk down.
- Don’t take risks that can harm your end users.
- Realize a website is not a onetime upfront spend but an ongoing commitment of time attention and resources.
- Realize if you intend to use a website for a short time or an experiment, follow through and dispose of it — or be prepared to invest significantly more in turning it into a long-term asset.
Here’s the plea to my fellow developers:
- Take the quality of our work seriously.
- Learn, learn, learn how to write good code.
- Take our end users seriously. DO NO HARM.
- Band together and demand the best of each other