Before getting into software engineering, I started out in cybersecurity. So when I began working on software projects, I was always concerned about the application’s security: would it be vulnerable to attacks? Were there unknown vulnerabilities I hadn’t accounted for?
Because of these concerns, I didn’t even try to build any projects during my freshman year. I thought that once I learned how to prevent all vulnerabilities, I would start building projects. But guess what? I eventually started building with Next.js instead of using PHP and pure JavaScript, which I initially thought was the most secure way to develop something.
However, switching tech stacks doesn’t automatically make an app secure. While Next.js and Prisma can reduce the risk of XSS and SQL injection, other vulnerabilities can still occur.
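To make that point concrete, here is an added example (not code from the original post, and not Next.js or Prisma code). It models a Next.js-style route handler over an in-memory array that stands in for a Prisma lookup: the record id is passed as a value rather than spliced into a query string, so SQL injection is off the table, yet the first handler still lets any logged-in user read any record just by changing the id in the URL. The second handler adds the input validation and ownership check that the framework and ORM do not do for you. The invoice data, session shape, and handler signatures are all constructed for the example.

```javascript
// Added example: broken access control survives a "safe" ORM.
// Constructed sample data: invoices owned by two different users.
const invoices = [
  { id: 1, ownerId: "alice", total: 120 },
  { id: 2, ownerId: "bob", total: 75 },
];

// Stand-in for a parameterised ORM call such as
// prisma.invoice.findUnique({ where: { id } }). The id is compared as a
// value, never concatenated into SQL, so this step is not injectable.
function findInvoiceById(id) {
  return invoices.find((inv) => inv.id === id) ?? null;
}

// Vulnerable handler: the query is safe, but nothing ties the invoice to
// the caller. Any authenticated user can read any invoice by changing
// the id (an insecure direct object reference).
function getInvoiceVulnerable(session, params) {
  const id = Number(params.id);
  const invoice = findInvoiceById(id);
  if (!invoice) return { status: 404, body: null };
  return { status: 200, body: invoice };
}

// Hardened handler: require a session, validate the id, and refuse to
// return records the caller does not own.
function getInvoiceHardened(session, params) {
  if (!session || !session.userId) return { status: 401, body: null };
  const id = Number(params.id);
  if (!Number.isInteger(id) || id <= 0) return { status: 400, body: null };
  const invoice = findInvoiceById(id);
  // Answer 404 for both "does not exist" and "not yours" so a caller
  // cannot tell valid ids from invalid ones by probing responses.
  if (!invoice || invoice.ownerId !== session.userId) {
    return { status: 404, body: null };
  }
  return { status: 200, body: invoice };
}

// Quick demonstration when run directly: bob asks for alice's invoice.
const bobSession = { userId: "bob" };
console.log("vulnerable:", getInvoiceVulnerable(bobSession, { id: "1" }).status); // 200
console.log("hardened:  ", getInvoiceHardened(bobSession, { id: "1" }).status);   // 404
```

The check that matters lives entirely in application code, which is why a stack switch alone does not remove this class of bug; a quick pass over each route asking "who is allowed to see this record?" is the test worth doing before moving on.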
What really changed my thinking about security was a recent incident involving the indie developer Marc Lou, who builds small SaaS applications to earn money. He mentioned in his videos that he usually doesn’t test his software, and this led to problems. People started pentesting his applications and reporting vulnerabilities. (Check out his Twitter feed to see the number of reports he received.)
As an indie developer or a small development team, it’s really hard to dedicate time specifically for penetration testing because there are always bugs to fix, features to add, and deadlines to meet. A better approach might be outsourcing security testing.
Security bugs are more painful than others

However, here’s another idea: after building and deploying a project, wait a couple of days before moving on to the next one, and take some time to test the previous application for vulnerabilities. If you don’t know how to do that yourself, you can outsource the task to someone on a freelance platform. This way, you can reduce the headache of constantly worrying about security.
I’ll see you with my next blog. Until then, cheers 🍻.