See this recent study:
“When we refer to vendors, we are usually referring to talented programmers who have developed tools and solutions that, along with HTML and CSS, make up the backbone of the web,” he said. “Like with all plugins and solutions, organizations need to ensure that what they use is safe, up-to-date and falling under the same controls as their traditional patch management strategy.”
My mantra is that if it is simple enough I may code it myself or copy the code into my project.
For more complex things I just audit the code and, if I am happy, I will require the exact version; thus it is locked and not vulnerable to the introduction of malware in subsequent versions. Yes, you read that correctly: malware. Unfortunately it happens. I then subscribe to notifications for new releases, and every time a new security update comes along I will need to repeat the audit process and lock the new version.
I am also of the same opinion, but Chris needs to go the route of developer convenience, otherwise Phoenix would never have gained so much traction.
Unfortunately, in software development convenience is, in the majority of cases, placed above security, and this is a very hard mental model to change in people's minds. Even the ones that have been bitten by security incidents still resist the change… I have seen this in the past with my own eyes.
That’s exactly one of the reasons the internet is so broken, and so many security incidents occur every day… Security is not at the core of the software life cycle from day zero; it’s an afterthought, when it is not completely ignored.
As Uncle Bob says, the day that developers will be legally responsible for the code they write is coming, and I have no doubt about it. It can take one or two decades, but if the ecosystem continues downhill in terms of security, then the day you can be charged in court for that line of code you wrote that killed someone, caused damage, caused a security incident, etc. will be a reality, and then I will not want to be a developer, but I am curious to see if developers will continue to do as they do now:
Well, don’t get me wrong. I absolutely believe we should invest much more in security upfront. And I am looking forward to companies being sued for security incidents.
The system being as broken as it is, though, some poor schmuck who has a family to feed and is not sure they can land another job if they get fired will likely be sued, and not the manager who gave the order.
Don’t forget that most of the programmers simply obey management’s orders.