With the semi-recent LinkedIn security breach of emails and passwords, I was pleasantly surprised to find, when I logged into LinkedIn today, that I was blocked and forced to confirm my identity because I had just signed in "from an unfamiliar location (Rwanda)".
I had actually logged in from Rwanda (so they got it right), and this is the level of security I should expect from a publicly traded social network, but I was surprised nonetheless.
Surely there was a meeting among LinkedIn PMs and engineers to decide to implement this security feature, but not one that might have prevented the email/password leak in June 2012. It reminded me of the constant trade-offs faced when working on a software project, especially when it comes to security. Oftentimes, making sure that your application is 100% secure falls way below making sure that your application is actually running, or that your flagship customer gets the features they want, or that your backups are working correctly, or that you have patched the latest updates on your Amazon instances. Sometimes you just can't prepare for attacks, because people are always looking for a backdoor or ways to get around it.
Security is a hard thing, especially with limited resources, and unless you are storing tons of personal information or handling sensitive credit card information, I can't think of one startup team, founder or investor who would recommend you hire a person to focus on security before they would hire another full-stack contributor (although if they know a little bit about security, that is definitely a plus).
As more personal information moves online, security is becoming ever more important. Just as DevOps teams are now using Chaos Monkeys to expose holes in their cloud infrastructure, there needs to be some sort of security Chaos Monkey as well, one that tries to fuzz passwords, do SQL injections, exploit XSS vulnerabilities and check every other thing that could go wrong.
If every team had a Chaos Monkey for Security, the world *might* be a safer place.
Of course the developer community would need to give it a name, maybe based on those really smart crows all over YouTube. Maybe call it the Security Crow?
We already know we can't trust them.