Interesting results. Many Freelancers in this study didn’t deliver on secure implementations when not explicitly told to do so.
Reflecting on my own. I think I’m reasonably security aware but I’ve made my mistakes as well. Recently I was asked to encrypt a confirmation token. I hadn’t thought about that, but there is of course an attack vector where a database is found, and the verification code is then used to complete the normal process. In general, when it comes to security, I try not to reinvent the wheel and use proven solutions.
I’m still kind of sceptical about the research because of the payment the developers got. Developers were hired for €100 or €200, which is not much, and doesn’t leave much time to reflect (when considering western Europe tariffs), on the other hand, the authors state that some developers saw it as a test for a real job.
Via: https://wdrl.info/archive/260