Let’s say you’re a responsible corporate citizen. You want to retain customers and attract new customers. Maybe you architect applications, maybe you design them, or maybe you code them. If you’ve ever brought up some aspect of application security — say, you point out that it’s a really good idea to disallow cross-site scripting (XSS) — I bet you’ve run into opposition like:
Those might have been legitimate questions sometime in the past. When, I don’t know, but I’m trying to be charitable here. The point is, those questions are invalid now. Why?
It’s not even accurate to say security isn’t optional. It’s more accurate to say that security is a requirement, just as important as any other business or technical requirement. Not taking security into account means increasing the risk of losing existing customers and decreasing the chance of obtaining new customers.
People who ask questions like the ones above simply don’t understand what they’re asking. We’ll talk about how to deal with them in the next post.