Security cost of dev productivity

I think there is a huge penalty for overworking developers: long hours, no breaks, no working from home.

Correcting features late into the night and putting in quick hotfixes creates more bugs and issues, and exposes teams to very preventable security flaws.

When I hear about security vulnerabilities like the one at Equifax, you can be fairly sure there was not a culture of pull requests and peer review.

Many software teams do not have a peer review system because they do not see the value of programmers reviewing each other's code.

Some of the most criminal things I have seen done to speed things up:

  • Using SFTP to upload code (very slow and prone to failure)
  • SSHing into production to update code
  • Running applications as root, e.g. running a Node.js app as root.

Benefits of peer review

In my career, I've worked with many teams that hire contractors at the top of their game. Even so, peer review has clear benefits:

  • Programmers can get better by looking at solutions their peers have made.
  • Team members can point out issues with code standards and cleaner ways to implement features.
  • Avoidable security flaws get solved by having team members point out XSS, memory leaks, scaling problems, etc.
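To make the XSS point concrete, here is an added example, not code from the original post, of the kind of change a reviewer should ask for in a pull request: the original rendering function beside its fixed version, plus a small check a reviewer can run to confirm that user input no longer introduces tags into the output. The sample input is constructed for this example.

```javascript
// Added example (not from the original post): a reflected-XSS defect as a
// reviewer would see it in a pull request, with the fix beside it.

// Before: user-controlled input is interpolated straight into the HTML
// response, so a name containing markup is rendered (and run) by the browser.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// After: escape the characters that carry meaning in an HTML text context
// before interpolating. Quotes are escaped too, so the same helper is safe
// inside attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Review aid: flag any output containing a tag the template did not emit.
// Valid for this template because the only tags it produces are <p> and </p>.
function hasUnexpectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?p>$/.test(t));
}

// Constructed sample input of the shape a reviewer would test with.
const SAMPLE_NAME = '<script>alert(1)</script>';

function demo() {
  return {
    unsafe: renderGreetingUnsafe(SAMPLE_NAME),
    safe: renderGreetingSafe(SAMPLE_NAME),
    unsafeLeaks: hasUnexpectedTag(renderGreetingUnsafe(SAMPLE_NAME)),
    safeLeaks: hasUnexpectedTag(renderGreetingSafe(SAMPLE_NAME)),
  };
}
```

The check is deliberately tied to the template: a reviewer knows which tags the code is supposed to emit, so anything else in the output came from input. For a real application the same idea belongs in a test that runs on every pull request, which is exactly where peer review catches this class of bug.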