Whoa, is there a devil’s advocate flying around here today?

Is it easier to accept user input and then consume it (either plug it into a SQL query or echo back to screen somehow…), or to accept user input, validate it securely, and then consume it? The difference in effort/time/knowledge is a reason why we’re still seeing massively insecure systems.

That effort/time/knowledge cost is something far too many businesses don’t really value. It increases budgets and pushes deadlines. Why spend extra resources and then get your product out…versus just getting your product out? You’re going to have egg on your face if you have a security breach, but you’re going to have egg on your face if you spent cost*2 for something that ended up not working out (as a product, process, etc).

This is the conundrum… And you can see it any time a technical person is appraised based not on the quality of their work, but on their delivery times and customer satisfaction. Both of which are helped by cutting corners, bending rules, or taking shortcuts.

This is why all of this is a balancing act. We just need to keep adding security where we can, adding input when asked, and pooping out as much quality (real value) as we can without sacrificing ourselves on the business profit altars.